============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 80                                   September 17, 2007

Hilarie Orman, Editor                       Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org    cipher-assoc-editor @ ieee-security.org

Yong Guan, Book Review Editor               Calendar Editor
cipher-bookrev @ ieee-security.org          cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * Commentary and Opinion
     o Richard Austin's review of "Endpoint Security" by Mark S. Kadrich
     o Book reviews, Conference Reports and Commentary and News items
       from past Cipher issues are available at the Cipher website
 * Conference and Workshop Announcements
     o Calendar
     o New calls-for-papers
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Staying in Touch
     o Information for subscribers and contributors
     o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
     o Becoming a member of the TC
     o TC Officers
     o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

During a recent visit to a department store I encountered two fairly
ordinary household items that astonished me: a lamp and a coffee mug.
The lamp was "mp3" and the mug was "usb", and at first I thought this
was an amusing coincidence of acronyms.
Even more amusing was the fact that the lamp really was MP3 capable,
because it had built-in speakers and an iPod cradle, and the coffee mug
had a USB connector for drawing power from a computer to keep the mug
warm. I imagined sets of fine china with Bluetooth connectors, Tupperware
with memory cards, and the whole lot of them engaging in a cacophony of
protocols, spam messages, and intrusions into the cell phones and hearing
aids of dinner guests. Is this a nightmare or a glimpse of the future?

Perhaps answers lie in one or more of the papers in the forward-looking
research conferences announced in this issue of Cipher. Or perhaps clues
to amelioration lie in the book "Endpoint Security" reviewed by Richard
Austin. What is clear is that our path leads to a world so intricately
connected with communications and processing that the concept of a tree
falling in the forest without observation may become unthinkable ---
someone will eventually see it on YouTube or Google Earth.

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference
reports are archived at
http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Richard Austin
June 20, 2007
____________________________________________________________________

Endpoint Security
by Mark S. Kadrich
Addison-Wesley 2007.
ISBN 0-32-143695-4
Amazon.com $54.99   Bookpool.com $29.95

Security professionals must face the fact that our networks are
acquiring new types of endpoints at a frightening pace. They range from
PDAs to smartphones to network-attached printers to even
network-manageable power strips.
And, unfortunately, as Kadrich is quick to point out, these devices are
all about features and functionality, with little attention being
focused on securing them before they attach themselves to our networks.

His second chapter, "Why Security Fails," provides an excellent summary
of the reasons why security fails, ranging from a check-the-box
mentality ("if I do this, then I will be secure") to the fact that
vendors always position themselves to stop the last threat (rather like
the military is often criticized for planning to fight the last war).

Chapter 3 presents his idea of what is missing, using the surprising
analogy of the flush toilet and its control system. He points out that
we need to approach network security as a process control problem by
identifying control points (routers, VPN gateways, etc.) and
establishing control processes that integrate signals such as failed
logon attempts, IDS alerts, etc., with business processes such as user
termination, software decommissioning and so on. He defines (yet
another) new way of diagramming networks to reflect the control system
analogy. While we need a new network diagramming standard like we need
another compliance initiative, thinking about the denizens of our
network infrastructures from a process control perspective is a source
of useful insights.

Chapter 4 (Missing Link Discovered) introduces the proposed components
of a solution that predictably includes network access control (NAC).
But Kadrich also includes what is often the missing link in NAC decision
making: host integrity. The basic concept is that a device must
demonstrate a defined level of trustworthiness before it is allowed to
join a more trusted part of the network. If the device cannot
demonstrate integrity of its operating system and a valid system
configuration (anti-virus, firewall rules, etc.), it will not be granted
access. Additionally, he makes the important point that the device needs
to be remotely manageable so that remediation can be performed. For
example, if a host is missing a critical patch required by the
integrity/configuration standards, it can be automatically installed as
part of the NAC process.

The next two chapters flesh out the underlying components of the NAC
process with a discussion of network capabilities and details on how to
create a secure baseline for hosts.

In chapter 7 (Threat Vectors), the general ways an endpoint can be
attacked are presented to prepare for a more in-depth look at threats
and defenses for common software environments (Windows, OS X and Linux)
in their own chapters. The chapter on OS X is especially recommended, as
security discussions of this increasingly popular operating system are
rather rare.

Chapter 11 (PDAs and Smartphones) provides a good overview of these very
common endpoints and their software (Windows Mobile, Symbian, Palm,
Blackberry and Mobile Linux). One could have wished for more detail, but
that would easily have doubled the size of the book and taken it further
afield from its focus on endpoints in general.

Chapter 12 covers the important topic of embedded devices, which include
things ranging from a network-attached printer to the SCADA systems that
run railyards and power plants. Kadrich notes that this is mainly an
awareness chapter, as there are almost no tools to implement anything
approaching a NAC solution for them as yet.

The final chapter is devoted to brief case studies that illustrate the
book's concepts and how they should be applied in practice.

In summary, "Endpoint Security" is a good overall look at the problems
presented by the proliferating variety of endpoints seeking to attach to
our network infrastructures. The presentation is concept-based, which
can be frustrating when one is seeking specific guidance, but it keeps
the book from becoming mired in product details and quickly dated by
their changing features. Practicing security professionals would be
well advised to read the advice in this book and use it in examining
just where the endpoints of their networks lie. If you're like me, you
will find a few surprises along the way.

-----
Richard Austin recently retired as the storage network security
architect at a Fortune 25 company and currently earns his bread and
cheese as an itinerant university instructor and security consultant.
He welcomes your thoughts and comments at rda7838@kennesaw.edu

====================================================================
Conference and Workshop Announcements
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events
maintained by Hilarie Orman

Date (Month/Day/Year), Event, Locations, web page for more info.
 9/13/07- 9/15/07: Mathematical Methods, Models and Architectures for
            Computer Network Security (MMM-ACNS), Petersburg, Russia;
            info: spiiran@mail.iias.spb.su;
            http://www.comsec.spb.ru/mmm-acns07/
 9/14/07: Workshop on Visualization for Computer Security (VizSEC);
            Sacramento, CA; http://vizsec.org/workshop2007/;
            Submissions are due
 9/15/07: Wireless Network Security (WiSec); Alexandria, VA;
            http://discovery.csc.ncsu.edu/WiSec08/; Submissions are due
 9/15/07: Handbook of Research on Secure Multimedia Distribution
            (Handbook-Secure-Multimedia);
            http://www.igi-pub.com/requests/details.asp?ID=224;
            Submissions are due
 9/17/07- 9/21/07: Security and Privacy for Communication Networks
            (SecureComm), Nice, France; http://www.securecomm.org
 9/18/07- 9/21/07: New Security Paradigms Workshop (NSPW), North Conway,
            New Hampshire; http://www.nspw.org/
 9/20/07: Workshop on Network and System Security (NSS), Dalian, China;
            info: wanlei@deakin.edu.au; http://nss2007.cqu.edu.au
 9/21/07: Workshop on Security for Mobile Wireless Communications
            (SeMIC); Bangalore, India;
            http://www.comsware.org/workshop_SeMIC08.htm;
            info: llazos@u.washington.edu; Submissions are due
 9/21/07: Network and Distributed System Security Symposium (NDSS);
            San Diego, California;
            http://www.isoc.org/tools/conferences/NDSS08;
            Submissions are due
 9/25/07- 9/27/07: Dependable, Autonomic and Secure Computing (DASC),
            Columbia, MD; info: mike.hinchey@usa.net;
            http://www.DASC-conference.org/
 9/25/07: Financial Cryptography and Data Security (FC); Cozumel, Mexico;
            http://fc08.ifca.ai; Submissions are due
 9/26/07: Workshop on Security and Trust Management (STM), Dresden,
            Germany; info: stm07 at item.ntnu.no
-----
10/ 4/07: Workshop on Embedded Systems Security (WESS), Salzburg,
            Austria; http://netsys.ece.upatras.gr/emsoft07/
10/ 4/07-10/ 5/07: Anti-Phishing Working Group (APWG); eCrime Researchers
            Summit (APWG), Pittsburgh, PA;
            http://www.ecrimeresearch.com/2007/cfp.html
10/ 4/07-10/ 5/07: European Conference on Computer Network Defence
            (EC2ND), Crete, Greece; http://2007.ec2nd.org/
10/ 8/07: Asynchronous Circuits and Systems (ASYNC); Newcastle upon Tyne,
            UK; http://async.org.uk/async2008/; Abstracts are due
10/ 9/07-10/12/07: Information Security Conference (ISC), Valparaiso,
            Chile; info: info@isc07.cl; http://www.isc07.cl
10/11/07-10/12/07: Nordic Workshop on Secure IT Systems (NordSec),
            Reykjavik, Iceland; http://www.ru.is/nordsec2007/
10/15/07-10/17/07: Secure Information Systems (SIS), Wisla, Poland;
            http://www.imcsit.org/
10/28/07-10/30/07: Autonomic Computing and Communication Systems
            (AUTONOMICS), Rome, Italy;
            http://www.autonomics-conference.eu/
10/28/07: Workshop on Privacy Aspects of Data Mining (PADM), Omaha, NE;
            info: padm@cimic.rutgers.edu; http://cimic.rutgers.edu/~padm
10/29/07-10/31/07: Workshop on Security (IWSEC), Nara, Japan;
            info: info@iwsec.org; http://www.iwsec.org/
10/29/07: ACM Conference on Computer and Communications Security (CCS),
            Alexandria, VA; http://www.acm.org/sigsac/ccs/CCS2007
10/29/07: ACM Digital Rights Management Workshop (DRM), Alexandria, VA;
            http://www.cse.uconn.edu/~drm2007
10/29/07: Information and Communications Security Standards and
            Regulations (StaR_SEC), Alexandria, VA;
            info: StaR_SEC_2007@aegean.gr;
            http://www.aegean.gr/StaR_SEC_2007
10/29/07: Workshop on Visualization for Computer Security (VizSEC),
            Sacramento, CA; http://vizsec.org/workshop2007/
-----
11/ 2/07: Digital Identity Management (DIM), Fairfax, VA;
            (no proceedings); http://www2.pflab.ecl.ntt.co.jp/dim2007/
11/ 2/07: Workshop on Recurring Malcode (WORM), George Mason University,
            VA; http://www.auto.tuwien.ac.at/~chris/worm07.html
11/ 2/07: Computer Security Architecture Workshop (CSAW), Fairfax, VA;
            http://www.rites.uic.edu/csaw
11/ 2/07: Workshop on Scalable Trusted Computing (STC), Alexandria, VA;
            http://www.cs.utsa.edu/~shxu/stc07/
11/ 2/07: Formal Methods in Security Engineering: From Specifications to
            Code (FMSE), George Mason University, Fairfax, VA;
            http://www.fmis.informatik.tu-darmstadt.de/fmse07/
11/ 5/07-11/ 6/07: Trustworthy Global Computing (TGC), Sophia-Antipolis,
            France; http://www-sop.inria.fr/everest/tgc/tgc07
11/17/07: Symposium on Identity and Trust on the Internet (IDtrust);
            Gaithersburg, MD; http://middleware.internet2.edu/idtrust/2008/;
            Submissions are due
-----
12/ 2/07-12/ 6/07: ASIACRYPT, Kuching, Sarawak, Malaysia;
            info: asiacrypt2007@iacr.org;
            http://www.swinburne.edu.my/asiacrypt2007/
12/ 9/07-12/11/07: Asian Computing Science Conference, Focusing on
            Computer and Network Security (ASIAN), Doha, Qatar;
            info: asian07@qatar.cmu.edu; http://www.qatar.cmu.edu/asian07
12/10/07-12/14/07: Annual Computer Security Applications Conference
            (ACSAC), Miami Beach, Florida; http://www.acsac.org/
12/16/07-12/20/07: Information Systems Security (ICISS), Delhi, India;
            http://siis.cse.psu.edu/iciss07
-----
 1/ 6/08: Workshop on Security for Mobile Wireless Communications
            (SeMIC), Bangalore, India; info: llazos@u.washington.edu;
            http://www.comsware.org/workshop_SeMIC08.htm
 1/14/08: Applied Cryptography and Network Security (ACNS); New York,
            NY; http://acns2008.cs.columbia.edu/; Submissions are due
 1/28/08- 1/31/08: Financial Cryptography and Data Security (FC),
            Cozumel, Mexico; http://fc08.ifca.ai
-----
 2/10/08- 2/13/08: Network and Distributed System Security Symposium
            (NDSS), San Diego, California;
            http://www.isoc.org/tools/conferences/NDSS08
 2/11/08: Australasian Conference on Information Security and Privacy
            (ACISP); Wollongong, Australia;
            http://www.uow.edu.au/conferences; Submissions are due
-----
 3/ 4/08- 3/ 6/08: Symposium on Identity and Trust on the Internet
            (IDtrust), Gaithersburg, MD;
            http://middleware.internet2.edu/idtrust/2008/
 3/16/08- 3/20/08: Symposium on Applied Computing, Track on Trust,
            Recommendations, Evidence and other Collaboration Know-how
            (SAC-TRECK), Ceara, Brazil;
            info: Jean-Marc.Seigneur@trustcomp.org
-----
 3/18/08- 3/20/08: Symposium on Information, Computer and Communications
            Security (ASIACCS), Tokyo, Japan;
            http://www.rcis.aist.go.jp/asiaccs08/
 3/31/08- 4/ 2/08: Wireless Network Security (WiSec), Alexandria, VA;
            http://discovery.csc.ncsu.edu/WiSec08/
-----
 4/ 7/08- 4/11/08: Asynchronous Circuits and Systems (ASYNC), Newcastle
            upon Tyne, UK; http://async.org.uk/async2008/
-----
 6/ 3/08- 6/ 6/08: Applied Cryptography and Network Security (ACNS),
            New York, NY; http://acns2008.cs.columbia.edu/
-----
 7/14/08- 7/16/08: Australasian Conference on Information Security and
            Privacy (ACISP), Wollongong, Australia;
            http://www.uow.edu.au/conferences

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers (new since E79)
____________________________________________________________________

VizSEC 2007
4th Workshop on Visualization for Computer Security,
Held in conjunction with IEEE Vis 2007 and IEEE InfoVis 2007,
Sacramento, California, USA, October 29, 2007.
http://vizsec.org/workshop2007/
(Submissions due 14 September 2007)

The VizSEC 2007 Workshop on Visualization for Computer Security will
provide a forum for new research in visualization for computer security.
In many applications, visualization proves very effective for
understanding large high-dimensional data. Thus, there is a growing
interest in the development of visualization methods as alternative or
complementary solutions to the pressing cyber security problems.
However, while security visualization research has addressed the
development of applications, there has only been limited coverage of
user needs and of designing visualization to support those needs. To
address this shortcoming, the theme of this year's workshop will be on
applying user-centered design to VizSEC research, focusing on
integrating users' needs, visualization design, and evaluation. We
solicit papers that report results on visualization techniques and
systems in solving all aspects of cyber security problems.
Topics include, but are not limited to:
- Visualization of Internet routing for security
- Visualization of packet traces and network flows for security
- Visualization of security vulnerabilities and attack paths
- Visualization of intrusion detection alerts
- Visualization of application processes for security
- Visualization for forensic analysis
- Visualization for correlating events
- Visualization for computer network defense training
- Visualization for offensive information operations
- Visualization for feature selection
- Visualization for detecting anomalous activity
- Deployment and field testing of VizSEC systems
- Evaluation and user testing of VizSEC systems
- User and design requirements for VizSEC systems
- Lessons learned from VizSEC systems development and deployment

-------------------------------------------------------------------------

WiSec 2008
1st ACM Conference on Wireless Network Security,
Alexandria, Virginia, USA, March 31 - April 2, 2008.
http://discovery.csc.ncsu.edu/WiSec08/
(Submissions due 15 September 2007)

As wireless communications are becoming ubiquitous, their security is
gaining in importance. The ACM Conference on Wireless Network Security
(WiSec) aims at exploring attacks on wireless networks as well as
techniques to thwart them. Topics of interest include, but are not
limited to:
- Naming and addressing vulnerabilities
- Key management in wireless/mobile environments
- Secure neighbor discovery
- Secure PHY and MAC protocols
- Trust establishment
- Intrusion detection, detection of malicious behavior
- Revocation of malicious parties
- Denial of service
- User privacy, location privacy
- Anonymity, prevention of traffic analysis
- Identity theft and phishing in mobile networks
- Charging
- Cooperation and prevention of non-cooperative behavior
- Economics of wireless security
- Vulnerability and attacker modeling
- Incentive-aware secure protocol design
- Jamming
- Cross-layer design for security
- Monitoring and surveillance
- Computationally efficient cryptographic primitives

-------------------------------------------------------------------------

IFIP-DF 2008
4th Annual IFIP WG 11.9 International Conference on Digital Forensics,
Kyoto, Japan, January 27-30, 2008.
http://www.ifip119-kyoto.org
(Submissions due 15 September 2007)

The IFIP Working Group 11.9 on Digital Forensics (www.ifip119.org) is an
active international community of scientists, engineers and
practitioners dedicated to advancing the state of the art of research
and practice in the emerging field of digital forensics. The Fourth
Annual IFIP WG 11.9 International Conference on Digital Forensics will
provide a forum for presenting original, unpublished research results
and innovative ideas related to the extraction, analysis and
preservation of all forms of electronic evidence. Technical papers are
solicited in all areas related to the theory and practice of digital
forensics. Areas of special interest include, but are not limited to:
- Theories, techniques and tools for extracting, analyzing and
  preserving digital evidence
- Network forensics
- Portable electronic device forensics
- Digital forensic processes and workflow models
- Digital forensic case studies
- Legal, ethical and policy issues related to digital forensics

-------------------------------------------------------------------------

CT-RSA 2008
RSA Conference 2008: Cryptographers' Track,
San Francisco, California, USA, April 8-11, 2008.
http://ct-rsa08.cs.columbia.edu/
(Submissions due 18 September 2007)

The RSA Conference is the largest regularly-staged computer security
event, with over 350 vendors and thousands of attendees. The
Cryptographers' Track (CT-RSA) is a research conference within the RSA
Conference. CT-RSA began in 2002 and has become an established venue for
presenting cryptographic research papers. The conference proceedings
will be published in Springer's Lecture Notes in Computer Science (LNCS)
series and should be available at the conference. A special academic
discount for registration will be available, as well as a waiver for
speakers presenting papers accepted to CT-RSA 08. Original research
papers pertaining to all aspects of cryptography are solicited.
Submissions may present applications, techniques, theory, and practical
experience on topics including, but not limited to:
- public-key encryption
- symmetric-key encryption
- digital signatures
- hash functions
- cryptographic protocols
- tamper-resistance
- fast implementations
- elliptic-curve cryptography
- quantum cryptography
- formal security models
- network security
- e-commerce

-------------------------------------------------------------------------

NDSS 2008
15th Annual Network & Distributed System Security Symposium,
San Diego, California, USA, February 10 - 13, 2008.
http://www.isoc.org/isoc/conferences/ndss/08/cfp.shtml
(Submissions due 21 September 2007)

The symposium fosters information exchange among research scientists and
practitioners of network and distributed system security services. This
year's symposium continues our theme of "theory meets practice", so we
encourage submissions both from traditional academic researchers and
from industrial practitioners of applied security with innovative
insights. Submissions are solicited in, but not limited to, the
following areas:
- Integrating security in Internet protocols: routing, naming, TCP/IP,
  multicast, network management, and the Web.
- Intrusion prevention, detection, and response: systems, experiences
  and architectures.
- Privacy and anonymity technologies.
- Network perimeter controls: firewalls, packet filters, application
  gateways.
- Virtual private networks.
- Security for emerging technologies: sensor networks, specialized
  testbeds, wireless/mobile (and ad hoc) networks, personal
  communication systems.
- ID systems, peer-to-peer and overlay network systems.
- Secure electronic commerce: e.g., payment, barter, EDI, notarization,
  timestamping, endorsement, and licensing.
- Supporting security mechanisms and APIs; audit trails; accountability.
- Implementation, deployment and management of network security
  policies.
- Intellectual property protection: protocols, implementations,
  metering, watermarking, digital rights management.
- Fundamental services on network and distributed systems:
  authentication, data integrity, confidentiality, authorization,
  non-repudiation, and availability.
- Integrating security services with system and application security
  facilities and protocols: e.g., message handling, file
  transport/access, directories, time synchronization, data base
  management, boot services, mobile computing.
- Public key infrastructure, key management, certification, and
  revocation.
- Special problems and case studies: e.g., tradeoffs between security
  and efficiency, usability, reliability and cost.
- Security for collaborative applications: teleconferencing and
  video-conferencing, electronic voting, groupwork, etc.
- Software hardening: e.g., detecting and defending against software
  bugs (overflows, etc.)
- Security for large-scale systems and critical infrastructures.
- Security of Web-based applications and services.

-------------------------------------------------------------------------

SeMIC 2008
1st International Workshop on Security for Mobile Wireless
Communications,
Held in conjunction with the 3rd International Conference on
COMmunication System softWAre and MiddlewaRE (COMSWARE 2008),
Bangalore, India, January 6, 2008.
http://www.comsware.org/workshop_SeMIC08.htm
(Submissions due 21 September 2007)

Mobile Wireless Communications enable the exchange of information in a
real or near real-time manner, without the constraint of a fixed point
of access. Reliable and secure communications, combined with constant
and universal network availability, are key elements for the successful
commercialization of the applications that utilize wireless technology.
However, new security challenges emerge due to the dynamic network
topology, the open nature of the wireless medium, the resource
constraints of the mobile devices and, possibly, the lack of a
pre-deployed infrastructure. The workshop seeks submissions from
academia and industry that present novel approaches to addressing
security issues for mobile wireless communications.
Topics of interest include, but are not limited to: - Authentication and access control - Secure MAC/PHY protocols for mobile networks - Cooperation, fairness and incentive -based security - Key management for wireless/mobile environments - Trust establishment - Intrusion detection in mobile networks - Accountability for malicious behavior and resource misuse - Revocation of malicious parties - Secure location services - Privacy, anonymity and prevention of traffic analysis - Security in cognitive radios - Security in vehicular networks - Anti-Jamming techniques, and DoS Countermeasures - Vulnerability modeling and threat analysis - Security & privacy in RFID systems - Secure routing ------------------------------------------------------------------------- FC 2008 12th International Conference on Financial Cryptography and Data Security, Cozumel, Mexico, January 28-31, 2008. http://fc08.ifca.ai (Submissions due 10 October 2007) Financial Cryptography and Data Security is a major international forum for research, advanced development, education, exploration, and debate regarding information assurance in the context of finance and commerce. The conference covers all aspects of securing transactions and systems. Submissions focusing on both theoretical (fundamental) and applied real-world deployments are solicited. The goal of the conference is to bring security/cryptography researchers and practitioners together with economists, bankers, implementers, and policy-makers. 
Topics include (but are not limited to): - Anonymity and Privacy - Auctions and Audits - Authentication and Identification - Biometrics - Certification and Authorization - Commercial Applications - Transactions and Contracts - E-Cash and Payment Systems - Incentive and Loyalty Systems - Digital Rights Management - Regulation and Reporting - Fraud Detection - Game Theoretic Security - Identity Theft - Spam, Phishing - Social Engineering - Infrastructure Design - Legal and Regulatory Issues - Microfinance and Micro-payments - Monitoring, Management and Operations - Reputation Systems - RFID/Contact-less Payment Systems - Risk Assessment and Management - Secure Banking, Financial Web Services - Securing New Computation Paradigms - Security and Risk Perceptions - Security Economics - Smartcards and Secure Tokens - Trust Management - Underground-Market Economics - Virtual Economies - Voting systems ------------------------------------------------------------------------- ARES 2008 3rd International Conference on Availability, Reliability and Security, Barcelona, Catalonia, Spain, March 4-7, 2008. http://www.ares-conference.eu/conf/ (Submissions due 10 October 2007) The Third International Conference on Availability, Reliability and Security (ARES, The International Security and Dependability Conference) will bring together researchers and practitioners in the area of IT-Security and Dependability. ARES will highlight the various aspects of security - with special focus on secure internet solutions, trusted computing, digital forensics, privacy and organizational security issues. ARES aims at a full and detailed discussion of the research issues of security as an integrative concept that covers amongst others availability, safety, confidentiality, integrity, maintainability and security in the different fields of applications. 
Topics of interest include, but are not limited to: - Process based Security Models and Methods - Authorization and Authentication - Availability and Reliability - Common Criteria Protocol - Cost/Benefit Analysis - Cryptographic protocols - Dependability Aspects for Special Applications (e.g. ERP-Systems, Logistics) - Dependability Aspects of Electronic Government (e-Government) - Dependability administration - Dependability in Open Source Software - Designing Business Models with security requirements - Digital Forensics - E-Commerce Dependability - Failure Prevention - IPR of Security Technology - Incident Response and Prevention - Information Flow Control - Internet Dependability - Interoperability aspects - Intrusion Detection and Fraud Detection - Legal issues - Mobile Security - Network Security - Privacy-enhancing technologies - RFID Security and Privacy - Risk planning, analysis & awareness - Safety Critical Systems - Secure Enterprise Architectures - Security Issues for Ubiquitous Systems - Security and Privacy in E-Health - Security and Trust Management in P2P and Grid applications - Security and privacy issues for sensor networks, wireless/mobile devices and applications - Security as Quality of Service - Security in Distributed Systems / Distributed Databases - Security in Electronic Payments - Security in Electronic Voting - Software Engineering of Dependable Systems - Software Security - Standards, Guidelines and Certification - Survivability of Computing Systems - Temporal Aspects of Dependability - Trusted Computing - Tools for Dependable System Design and Evaluation - Trust Models and Trust Management - VOIP/Wireless Security ------------------------------------------------------------------------- SecSE 2008 2nd International Workshop on Secure Software Engineering, Held in conjunction with the 3rd International Conference on Availability, Reliability and Security (ARES 2008), Barcelona, Catalonia, Spain, March 4-7, 2008. 
http://www.ares-conference.eu/conf/index.php?option=com_content&task=view&id=10&Itemid=11 (Submissions due 10 October 2007) In our modern society, software is an integral part of everyday life, and we expect and depend upon software systems to perform correctly. Software security is about ensuring that systems continue to function correctly also under malicious attack. As most systems now are web-enabled, the number of attackers with access to the system increases dramatically and thus the threat scenario changes. The traditional approach to secure a system includes putting up defence mechanisms like IDS and firewalls, but such measures are no longer sufficient by themselves. We need to be able to build better, more robust and more secure systems. Even more importantly, however, we should strive to achieve these qualities in all software systems, not just the ones that need special protection. This workshop will focus on techniques, experiences and lessons learned for engineering secure and dependable software. Suggested topics include, but are not limited to: - Secure architecture and design - Security in agile software development - Aspect-oriented software development for secure software - Security requirements - Risk management in software projects - Secure implementation - Secure deployment - Testing for security - Quantitative measurement of security properties - Static and dynamic analysis for security - Verification and assurance techniques for security properties - Lessons learned - Security and usability - Teaching secure software development - Experience reports on successfully attuning developers to secure software engineering ------------------------------------------------------------------------- Oakland 2008 29th IEEE Symposium on Security and Privacy, The Claremont Resort, Berkeley/Oakland, California, USA, May 18-21, 2008. 
http://www.ieee-security.org/TC/SP2008/oakland08.html
(Submissions due 9 November 2007)

Since 1980, the IEEE Symposium on Security and Privacy has been the
premier forum for the presentation of developments in computer security
and electronic privacy, and for bringing together researchers and
practitioners in the field. Previously unpublished papers offering novel
research contributions in any aspect of computer security or electronic
privacy are solicited for submission to the 2008 symposium. Papers may
represent advances in the theory, design, implementation, analysis, or
empirical evaluation of secure systems, either for general use or for
specific application domains. The Symposium is also open to the
submission of co-located half-day or one-day workshops.

Topics of particular interest include, but are not limited to:
- Access control and audit
- Anonymity and pseudonymity
- Application-level security
- Biometrics
- Cryptographic protocols
- Database security
- Denial of service
- Distributed systems security
- Formal methods for security
- Information flow
- Intrusion detection and prevention
- Language-based security
- Malicious code prevention
- Network security
- Operating system security
- Peer-to-peer security
- Privacy
- Risk analysis
- Secure hardware and smartcards
- Security engineering
- Security policy
- User authentication

-------------------------------------------------------------------------
ICDCS 2008
28th International Conference on Distributed Computing Systems,
Beijing, China, June 17-20, 2008.
http://www.engin.umd.umich.edu/icdcs/
(Submissions due 15 November 2007)

ICDCS is an IEEE Computer Society sponsored premier conference with a
wide coverage of topics in Distributed Computing. It has a long history
of significant achievements and worldwide visibility.
The conference provides a forum for engineers and scientists in academia,
industry and government to present their latest research findings in any
aspect of distributed and parallel computing.

Topics of particular interest include, but are not limited to:
- Theoretical Foundations
- Data Management and Data Centers
- Distributed Cyber-Physical Systems
- Reliability and Dependability
- Security and Privacy
- Network Architectures and Protocols
- Operating Systems and Middleware
- Cyber-Infrastructure for Distributed Computing
- Sensor Networks and Applications
- Wireless and Mobile Computing
- Multimedia Systems
- Web-Based Distributed Computing

-------------------------------------------------------------------------
IDtrust 2008
7th Symposium on Identity and Trust on the Internet,
Gaithersburg, MD, USA, Mar 4-6, 2008.
http://middleware.internet2.edu/idtrust/2008/
(Submissions due 17 November 2007)

This symposium brings together academia, government, and industry to
explore all aspects of identity and trust. Previously known as the PKI
R&D Workshop (2002-2007), our new name reflects interest in a broader set
of tools and the goal of an identity layer for the Internet. We aim to
get practitioners in different sectors together to apply the lessons of
real-world deployments to the latest research and ideas on the horizon.
In addition to peer-reviewed papers, we facilitate discussions among
panels of invited experts and symposium participants. We solicit
technical papers and panel proposals from researchers, systems
architects, vendor engineers, and users.
Suggested topics include but are not limited to:
- Reports of real-world experience
- Identity management protocols
- Identity metasystems, frameworks, and systems
- User-centric identity, delegation, reputation
- Identity and Web 2.0, secure mash-ups, social networking, trust fabric and mechanisms of "invited networks"
- Identity management of devices
- Federated approaches to trust
- Trust management across security domains
- Standards related to identity and trust
- Policy
- Attribute management, attribute-based access control
- Trust path building and certificate validation
- Improved usability of identity and trust systems
- Identity and privacy
- Levels of trust and assurance
- Trust infrastructure issues of scalability, performance, etc.
- Use of PKI in emerging technologies (e.g., sensor networks)
- Application domain requirements

-------------------------------------------------------------------------
ISPEC 2008
4th Information Security Practice and Experience Conference,
Sydney, Australia, April 21-23, 2008.
http://www.uow.edu.au/conferences/ISPEC%202008/index.html/
(Submissions due 23 November 2007)

As applications of information security technologies become pervasive,
issues pertaining to their deployment and operation are becoming
increasingly important. ISPEC is an annual conference that brings
together researchers and practitioners to provide a confluence of new
information security technologies, their applications and their
integration with IT systems in various vertical sectors.
Topics of interest include, but are not limited to:
- Applications of cryptography
- Critical infrastructure protection
- Digital rights management
- Information security in vertical applications
- Legal and regulatory issues
- Network security
- Privacy and anonymity
- Privacy issues in the use of smart cards and RFID systems
- Risk evaluation and security certification
- Resilience and availability
- Secure system architectures
- Security in e-commerce and e-business and other applications
- Security policy
- Security standards activities
- Trusted Computing
- Trust model and management
- Usability aspects of information security systems

-------------------------------------------------------------------------
ACNS 2008
6th International Conference on Applied Cryptography and Network Security,
New York, New York, USA, June 3-6, 2008.
http://acns2008.cs.columbia.edu/
(Submissions due 14 January 2008)

ACNS is an annual conference concentrating on current developments that
advance the areas of applied cryptography and its application to systems
and network security. Original papers on all aspects of applied
cryptography and network security are solicited for submission to
ACNS'08.
Topics of relevance include but are not limited to:
- Applied cryptography and provably-secure cryptographic protocols
- Design and analysis of efficient cryptographic primitives: public-key and symmetric-key cryptosystems, block ciphers, and hash functions
- Network security protocols
- Techniques for anonymity; trade-offs between anonymity and utility
- Integrating security into the next-generation Internet: DNS security, routing, naming, denial-of-service attacks, TCP/IP, secure multicast
- Economic fraud on the Internet: phishing, pharming, spam, and click fraud
- Email and web security
- Public key infrastructure, key management, certification, and revocation
- Security and privacy for emerging technologies: sensor networks, mobile (ad hoc) networks, peer-to-peer networks, bluetooth, 802.11, RFID
- Trust metrics and robust trust inference in distributed systems
- Security and usability
- Intellectual property protection: metering, watermarking, and digital rights management
- Modeling and protocol design for rational and malicious adversaries
- Automated analysis of protocols

-------------------------------------------------------------------------
Elsevier Computer Standards and Interfaces,
Special issue on Information and Communications Security, Privacy and
Trust: Standards and Regulations, Summer 2008.
http://www.elsevier.com/wps/find/journaldescription.cws_home/505607/description#description
(Submission Due 30 January 2008)

Guest editors: Bhavani Thuraisingham (University of Texas at Dallas, USA)
and Stefanos Gritzalis (University of the Aegean, Greece)

Most of the research and development work carried out by universities,
research centers and private companies today is based, in some way or
another, on international standards or pre-standards that have been
produced under the auspices of recognized standardization bodies.
On top of that, many market sectors have recognized standardization as a
prerequisite for the provision of high quality services and products,
thus triggering a large number of multi-sectoral voluntary standards. For
many years the Security field was somewhat isolated in the Information
and Communications Technology arena. Inevitably this isolation has been
inherited by the standards governing the security, privacy, and trust
techniques and mechanisms that are currently employed. It is therefore
important to inform the scientific community about these problems and
facilitate better collaboration on the security, privacy, and trust
aspects of international standards and regulations.

We welcome the submission of papers that:
- provide information about activities and progress of security, privacy, and trust standardization work;
- focus on critical comments on standards and standardization activities;
- discuss actual project results;
- disseminate experiences and case studies in the application and exploitation of established and emerging standards, methods and interfaces.
The areas of interest may include, but are not limited to:
- Access Control and Authorization
- Assurance Services
- Auditing and Forensic Information Management
- Authentication, Authorization, and Accounting
- Business Services
- Confidentiality and Privacy Services
- Digital Rights Management
- eBusiness, eCommerce, eGovernment Security: Establishing Trust and Confidence of Citizens in eTransactions and eServices
- eHealth Security
- Lawful Interception Architectures and Functions
- Legal and Regulation Issues
- Network Defense Services
- Privacy and Identity Management
- Securing Critical Information and Communication Infrastructures
- Security Challenges to the use and deployment of Disruptive Technologies (Trusted Computing, VoIP, WiMAX, RFID, IPv6)
- Security issues in Network Event Logging
- Standardization Aspects of Electronic Signatures
- Trust Services
- Wireless, Mobile, Ad hoc and Sensor Networks Security, Privacy, and Trust

-------------------------------------------------------------------------
ACISP 2008
13th Australasian Conference on Information Security and Privacy,
Wollongong, Australia, July 14-16, 2008.
http://www.uow.edu.au/conferences/acisp%202008/index.html
(Submissions due 11 February 2008)

ACISP 2008 is the main computer security and cryptography conference
organized in Australia that provides an avenue for discussion and
exchange of ideas for researchers from academia and industry. Original
papers pertaining to all aspects of information security and privacy are
solicited for submission to ACISP 2008. Papers may present theory,
techniques, applications and practical experiences on a variety of
topics.
Topics of interest include, but are not limited to:
- access control
- authentication and identification
- authorization
- biometrics
- computer forensics
- copyright protection
- cryptography
- database security
- electronic surveillance
- evaluation and certification
- intrusion detection
- key management
- key establishment protocols
- legal and privacy issues
- mobile system security
- network and communication security
- secure electronic commerce
- secure operating systems
- secure protocols
- smart cards
- malware and viruses

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html

--------------
This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to
have it included on this page, send the following information:
Institution, City, State, Position title, date position announcement
closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two ways to sign up:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to
   cipher-admin@ieee-security.org (which is NOT automated) with subject
   line "subscribe".
   OR send a note to cipher-request@mailman.xmission.com with the subject
   line "subscribe" (this IS automated - thereafter you can manage your
   subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER
   is available for Web browsing, send e-mail to
   cipher-admin@ieee-security.org (which is NOT automated) with subject
   line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with
   the subject line "subscribe" (this IS automated - thereafter you can
   manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to
cipher-admin@ieee-security.org with subject line "unsubscribe" or
"unsubscribe postcard" or, if you have subscribed directly to the
xmission.com mailing list, use your password (sent monthly) to
unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that
way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a
NEWSletter, not a bulletin board or forum. It has a fixed set of
departments, defined by the Table of Contents. Please indicate in the
subject line for which department your contribution is intended.
Calendar and Calls-for-Papers entries should be sent to
cipher-cfp @ ieee-security.org and they will be automatically included
in both departments. To facilitate the semi-automated handling, please
send either a text version of the CFP or a URL from which a text version
can be easily obtained. For Calendar entries, please include a URL
and/or e-mail address for the point-of-contact. For Calls for Papers,
please submit a one paragraph summary. See this and past issues for
examples.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS
APPLY. All reuses of Cipher material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy,
publications using Cipher material should obtain permission from the
contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security
and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy by completing the
on-line form at IEEE at http://www.computer.org/TCsignup/index.htm

______________________________________________________________________
TC Publications for Sale
______________________________________________________________________

IEEE Security and Privacy Symposium

The 2007 proceedings are available in hardcopy for $30.00, the 28 year
CD is $20.00, plus shipping and handling. The 2006 Symposium
proceedings and 11-year CD are sold out. The 2005, 2004, and 2003
Symposium proceedings are available for $10 plus shipping and handling.

Shipping is $4.00/volume within the US, overseas surface mail is
$7/volume, and overseas airmail is $11/volume, based on an order of 3
volumes or less. The shipping charge for a CD is $1 per CD (no charge
if included with a hard copy order).

Send a check made out to the IEEE Symposium on Security and Privacy to
the 2007 treasurer (below) with the order description, including
shipping method, and send email to the 2007 Registration Chair
(Yong Guan) (oakland07-registration @ ieee-security.org) with the
shipping address, please.
Terry Benzel
Treasurer, IEEE Security and Privacy
USC Information Sciences Institute
4676 Admiralty Way
Marina Del Rey, CA 90292
(310) 822-1511

IEEE CS Press

You may order some back issues from IEEE CS Press at
http://www.computer.org/cspress/catalog/proc9.htm

Computer Security Foundations Symposium

Copies of the proceedings of the Computer Security Foundations Workshop
(now Symposium) are available for $10 each. Copies of proceedings are
available starting with year 10 (1997). Photocopy versions of year 1
are also $10. Contact Jonathan Herzog if interested in purchase.

Jonathan Herzog
Department of Computer Science
Naval Postgraduate School
1 University Circle
Monterey, CA 93943
jcherzog@nps.edu

______________________________________________________________________
TC Officer Roster
______________________________________________________________________

Chair:
Jonathan Millen
The MITRE Corporation
Mail Stop S119
202 Burlington Road Rte. 62
Bedford, MA 01730-1420
781-271-51 (voice)
jmillen@mitre.org

Security and Privacy Chair Emeritus:
Deborah Shands
The Aerospace Corporation
El Segundo, CA
oakland07-chair@ieee-security.org

Vice Chair:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(831) 656-2461 (voice)
irvine@cs.nps.navy.mil

Chair, Subcommittee on Academic Affairs:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(831) 656-2461 (voice)
irvine@cs.nps.navy.mil

Chair, Subcommittee on Standards:
David Aucsmith
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
425-706-9225 (voice)
425-936-7329 (fax)
awk@microsoft.com

Chair, Subcomm. on Security Conferences:
Jonathan Millen
The MITRE Corporation
Mail Stop S119
202 Burlington Road Rte. 62
Bedford, MA 01730-1420
781-271-51 (voice)
jmillen@mitre.org

Security and Privacy Symposium 2008 General Chair:
Yong Guan
Iowa State University
oakland08-chair@ieee-security.org

Newsletter Editor and Technical Committee Treasurer:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
cipher-editor@ieee-security.org, treasurer@ieee-security.org

________________________________________________________________________

BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html