_/_/_/_/ _/_/_/ _/_/_/_/ _/ _/ _/_/_/_/ _/_/_/_/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/_/_/_/ _/_/_/_/ _/_/ _/_/_/_/ _/ _/ _/ _/ _/ _/ _/ _/ _/_/_/_/ _/_/_/ _/ _/ _/ _/_/_/_/ _/ _/ ============================================================================ Newsletter of the IEEE Computer Society's TC on Security and Privacy Electronic Issue 82 January 21, 2008 Hilarie Orman, Editor Sven Dietrich, Assoc. Editor cipher-editor @ ieee-security.org cipher-assoc-editor @ ieee-security.org Yong Guan Book Review Editor Calendar Editor cipher-bookrev @ ieee-security.org cipher-cfp @ ieee-security.org ============================================================================ The newsletter is also at http://www.ieee-security.org/cipher.html Cipher is published 6 times per year Contents: * Letter from the Editor * Commentary and Opinion o Richard Austin's review of "Virtual Honeypots: From Botnet Tracking to Intrusion Detection" by Niels Provos and Thorsten Holz o NIST announces publication of AES mode Galois Counter Mode (GCM) o NIST seeks comments on RSA prime generation o Obituary notice: Bob Baldwin o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website * List of Computer Security Academic Positions, by Cynthia Irvine * Conference and Workshop Announcements o Upcoming calls-for-papers and events * Links for the IEEE Computer Society TC on Security and Privacy o Becoming a member of the TC o TC Officers o TC publications for sale ==================================================================== Letter from the Editor ==================================================================== Dear Readers: This month we have a book review about honeypots by Richard Austin, announcements from NIST, and many workshop and conference announcements. The Security and Privacy Symposium in May of this year will feature two workshops: the second year of Web 2.0 Security and Privacy, and a newcomer to the symposium, Systematic Approaches to Digital Forensic Engineering. Workshops are a popular approach to widening the scope of the symposium, and more are possible if we have enough organizers to help with planning. I was reflecting on the subjective nature of reviews of submitted papers to conferences, and I wonder if it is possible to evaluate reviewers in some way that is useful across conferences. Authors might be helped by knowing what confidence is placed in the reviewers. Are they experienced and generally helpful, or are they inexperienced and overly critical? My guess is that this knowledge would help authors make sense of the reviewing process, and it should lead to better reviews. An innovation that the SP Symposium used for a couple of years has turned out to have flaws. Authors were invited to submit short papers to the conference, and this helped in getting interesting but not fully developed research directions presented to the audience. However, the process caused confusion and sometimes resentment with authors because they were not sure how much prestige would go along with a short paper, and they were further concerned about the ability to publish follow-on work. Surely there is some logical way to deal with the concerns and allow short papers into top-rate venues? Let your technical committee members and program chairs know if you have any ideas on this. Remember firewalls may not be as high as they appear, Hilarie Orman cipher-editor @ ieee-security.org ==================================================================== Commentary and Opinion ==================================================================== Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html ____________________________________________________________________ Book Review By Richard Austin January 11, 2008 Virtual Honeypots: From Botnet Tracking to Intrusion Detection by Niels Provos and Thorsten Holz Addison-Wesley 2008. ISBN 978-0-321-33632-3. Amazon.com $31.49 Bookpool.com $31.50 ____________________________________________________________________ Softly, softly, catchee monkey .. with a honeypot While the exact origin of that phrase is a bit nebulous as a Google search will show, the idea of quietly and patiently pursuing a goal is no stranger to the security profession and one of the techniques that has demonstrated great success in searching out security exploits in the wild has been the Honeynet Project (www.honeynet.org). There have been several previous books on the subject of honeypots ranging from Lance Spitzer's "Honeypots: Tracking Hackers," to Roger Grimes' "Honeypots for Windows" to the second edition of "Know your Enemy", so one might question why we're in need of another one. A honeypot is a stalking horse or sacrificial victim whose sole purpose is to be compromised by an attacker to allow the honeypot owner to study the methods, tools and techniques used in the compromise. This book is about virtual honeypots and includes both the idea of running a full-function (or high-interaction) honeypot on a virtual server and also the idea of so called "low interaction" honeypots which just implement the vulnerable portions of specific services. While the advantages of using virtual servers to host a honeypot are pretty obvious (we can host many honeypots on a single physical server and can easily restore the state of a compromised honeypot by replacing its virtual disks), the use of "virtual pieces" of systems (low interaction honeypots) is shown to be a valuable technique for increasing the possible scale of a honeypot deployment. I would recommend reading the book's chapters out of order - begin with the first chapter which introduces honeypot technology, introduces the ideas of high and low interaction honeypots with some review of required networking background and then skip to chapters 10 ("Case Studies") and 11 (" Tracking Botnets") for some real world case studies in how honeypots are actually used in practice. Chapter 10 provides a detailed walkthrough of how real honeypots were compromised and how the compromise was captured and studied. Chapter 11 provides a similar exercise for botnets. This grounding in how honeypots are used will help prevent the reader from becoming lost in the details of the other chapters. The second chapter is devoted to high-interaction honeypots and covers their use on several common virtualization platforms (VMware, Microsoft Virtual Server and PC, User Mode Linux, etc. There's good advice here on the thorny subject of safeguarding your honeypots from becoming a danger after they achieve their intended purpose of being compromised. Chapter 3 introduces low interaction honeypots which do not provide a full installation of an operating system or application but rather only emulate vulnerable versions of specific services. It is noted that they are most useful in detecting exploit attempts using known vulnerabilities and serve as a sort of burglar alarm to let you know how often particular types of attacks are occurring. Chapters 4 and 5 continue the presentation of low-interaction honeypots by discussing honeyd in detail. Honeyd is an Open Source solution that allows emulation of huge numbers of vulnerable targets. This scale allows an organization to efficiently instrument significant portions of their network address space. Chapter 6 ("Collecting Malware with Honeypots") covers the important topic of capturing viruses and worms using "Nepenthes," "Honeytrap," etc. Nepenthes is a low-interaction honeypot that emulates a vulnerable network service to provide an attractive target for malware. Since it is not a full implementation of the service, it can't really be exploited and thus provides a safe way to capture malware. Nepenthes' vulnerability modules implement "just enough" of the vulnerable service to "fool" the malware into thinking it has found a target. Nepenthes "executes" the malware payload to carry out the download of attacker tools, etc, and then halts the execution. The other tools offer somewhat different capabilities but the overriding advantage of all the tools is their immense scalability. Since they are quite lightweight compared to say a full Windows or Linux installation, a single physical server can host many hundreds of apparently vulnerable targets. Of course, one of the weaknesses of the low-interaction honeypots is that they only emulate portions of vulnerable services and are really most effective with known vulnerabilities. Chapter 7 introduces "Hybrid Systems" that combine low and high interaction honeypots to extend their capabilities. For example, when a low-interaction honeypot detects an exploit attempt that it cannot emulate, it might transparently hand that attempt off to a high-interaction honeypot which could capture the full process. This would allow significant coverage of the network address space with few resources while still allowing capture of new exploits as they are found. Unfortunately, these hybrid systems are not Open Source but do offer interesting insights on the future of honeypot technology. Chapter 8 addresses the "other" side of exploitation - client side exploits - by examining client-side honeypots. While a server-side honeypot can sit and patiently wait for an attacker to come "knocking at its door," a client-side honeypot must go looking for malicious content. Chapter 9 covers the ways attackers can detect honeypots. Obviously, an attacker is typically wasting their time when interacting with a honeypot and, worse from their point of view, may reveal a new exploitation technique. With an active underground economy in selling/trading new exploits, this creates economic incentive for attackers to be able to detect a honeypot. Detection can be relatively simple such as noting that all the IP addresses for virtual honeypots have the same MAC address or the fact that a given low-interaction honeypot is hosting what looks like Linux and Windows at the same network address to more complex techniques that detect the virtualization layer itself. At this point, a review of the case studies in chapters 10 and 11 will reinforce the presentation and provide insights on how honeypots are actually used in practice. The final chapter covers malware analysis using an automated tool called "CWSandbox." As we have come to know too well, malware authors are making significant strides in improving their productivity in producing malware which has challenged the ability of the "good guys and gals" to reverse engineer it. CWSandbox is a tool that provides a safe execution environment for malware (a sandbox) and provides automated analysis of its activities. Once can even submit a malware sample online at www.cwsandbox.org and receive the automated analysis. In summary, this is an excellent overview of honeypots, how they are used in practice, and most significantly, how virtualization can be used to scale them to cover large portions of the network address space with fewer physical resources. While honeypots are not a technology every organization will employ, they are a valuable tool for the security professional to keep in mind. And as a bit of humor, a comic from xkcd pictures what may happen when one spends far too much time looking at malware -- http://xkcd.com/350/ ----------- Before retiring, Richard Austin was the storage network security architect at a Fortune 25 company and currently earns his bread and cheese as an itinerant university instructor and security consultant. He welcomes your thoughts and comments at rda7838 at Kennesaw dot edu ____________________________________________________________________ Announcements ____________________________________________________________________ Date: Tue, 27 Nov 2007 16:22:51 -0500 From: Morris Dworkin, NIST FYI, yesterday NIST announced the approval of Special Publication 800-38D, which specifies Galois/Counter Mode (GCM), an AES mode of operation for authenticated encryption with associated data. GCM was submitted to NIST by David McGrew and John Viega. The announcement appears on the NIST website, at http://csrc.nist.gov/ , and the URL for the document is http://csrc.nist.gov/publications/PubsSPs.html#800-38D . ------------------------------------------------------------------- Date: Wed, 02 Jan 2008 09:55:01 -0500 From: Elaine Barker, NIST NIST requests comments on revised text for FIPS 186-3 related to the generation of RSA key pairs. The text is available at "http://csrc.nist.gov/publications/drafts/fips_186-3/fips186-3_Strong-Prime-Sections_Dec2007.pdf" Please provide comments by February 1, 2008 to ebarker@nist.gov. Elaine Barker National Institute of Standards and Technology
100 Bureau Drive, Stop 8930
Gaithersburg, MD 20899-8930
301-975-2911 ------------------------- January 12, 2008 From Gene Spafford I learned this week that the information security world lostanother of our lights in 2007: Bob Baldwin. This may have been more generally known, but a few people I contacted were also surprised and saddened by the news. His contributions to the field were wide-ranging. In addition to his published research results he also built tools that a generation of students and researchers found to be of great value. These included the Kuang tool for vulnerability analysis, which we included in the first edition of COPS, and the Crypt-Breaker's Workbench (CBW), which is still in use. See http://snipurl.com/rwbaldwin for a photo and more information. ==================================================================== Listing of academic positions available by Cynthia Irvine ==================================================================== (Posted January 2008) Stevens Institute of Technology Hoboken, New Jersey Faculty Positions Available Open until position is filled http://www.cs.stevens.edu/Search/hiring.shtml (Posted January 2008) DePaul University School of Computer Science, Telecommunications and Information Systems Chicago, IL Assistant or Associate Professor in Information Assurance Application review will begin in January 2008 and will continue until the position is filled. http://www.cti.depaul.edu/news/jobs.asp ---------------------- New postings are copied from http://cisr.nps.edu/jobscipher.html -------------- This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have in it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil ==================================================================== Conference and Workshop Announcements ==================================================================== ==================================================================== Upcoming Calls-For-Papers and Events ==================================================================== The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html ____________________________________________________________________ Cipher Event Calendar ____________________________________________________________________ Calendar of Security and Privacy Related Events maintained by Hilarie Orman Date (Month/Day/Year), Event, Locations, web page for more info. 1/20/08: Workshop in Information Security Theory and Practices (WIST) Sevilla, Spain; http://wistp2008.xlim.fr/; Submissions are due; info: damien.sauveron@xlim.fr 1/24/08: Service, Security and its Data management technologies in Ubi-comp (SSDU) Kunming, China; http://grid.hust.edu.cn/gpc2008/ Submissions are due; 1/28/08- 1/31/08: Financial Cryptography and Data Security (FC), Cozumel, Mexico; http://fc08.ifca.ai 1/30/08: USENIX Security Symposium (USENIXSec) San Jose, CA; http://www.usenix.org/sec08/cfpa/; Submissions are due; info: sec08chair@usenix.org 2/ 1/08: Applications of Pairing-Based Cryptography: IBE and Beyond (NIST-IBE) Gaithersburg, MD; http://csrc.nist.gov/groups/ST/IBE/index.html Submissions are due; info: ibe@nist.gov 2/ 1/08: SADFE, Oakland, CA; info: yasinac@cs.fsu.edu; Submissions are due; http://conf.ncku.edu.tw/sadfe/sadfe08/ 2/ 4/08: Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA) Paris, France; http://www.dimva.org/dimva2008/; Submissions are due; 2/10/08- 2/13/08: Network and Distributed System Security Symposium (NDSS), San Diego, California; http://www.isoc.org/tools/conferences/NDSS08 2/11/08: Australasian Conference on Information Security and Privacy (ACISP) Wollongong, Australia; http://www.uow.edu.au/conferences Submissions are due; 2/15/08: Symposium on Information Assurance (IASymp) Albany, NY; http://www.albany.edu/iasymposium; Submissions are due; 2/21/08: Workshop on Security and High Performance Computing Systems (SHPCS) Nicosia, Cyprus; http://www.diiga.univpm.it/~spalazzi/nicosia/ proceedings to attendees only (AO); Submissions are due; info: guha@eecs.ucf.edu 2/29/08: Symposium On Usable Privacy and Security (SOUPS) Carnegie Mellon University, Pittsburgh, PA; http://cups.cs.cmu.edu/SOUPS/ Submissions are due; 3/ 1/08: Workshop on the Economics of Information Security (WEIS) Hanover, New Hampshire; http://weis2008.econinfosec.org proceedings to attendees only (AO); Submissions are due; 3/ 1/08: Workshop on Web 2.0 Security and Privacy (W2SP), Oakland, CA; Submissions are due; http://www.ieee-security.org/TC/SP2008/oakland08.html 3/ 4/08- 3/ 6/08: Symposium on Identity and Trust on the Internet (IDtrust), Gaithersburg, MD; http://middleware.internet2.edu/idtrust/2008/ 3/ 4/08- 3/ 7/08: Advances in Policy Enforcement (APE), Barcelona, Catalonia; info: anjomshoaa@ifs.tuwien.ac.at; http://www.telematik.uni-freiburg.de/ape 3/ 4/08- 3/ 7/08: Privacy and Security by means of Artificial Intelligence (PSAI), Barcelona, Catalonia, Spain; http://crises-deim.urv.cat/psai/ 3/ 4/08- 3/ 7/08: Secure Software Engineering (SecSE), Barcelona, Catalonia; http://www.ares-conference.eu/conf/ info: SecSE08 "replace with at-character" gmail.comhttp://www.ares-conference.eu/conf/ 3/16/08- 3/20/08: Symposium on Applied Computing, Track on Trust, Recommendations, Evidence and other Collaboration Know-how (SAC-TRECK), Ceara, Brazil; http://www.acm.org/conferences/sac/sac2008/ info: Jean-Marc.Seigneur@trustcomp.org 3/17/08: Digital Forensic Research Workshop (DFRWS) Baltimore, MD; http://www.dfrws.org/2008/ Submissions are due; 3/18/08- 3/20/08: Symposium on Information, Computer and Communications Security (ASIACCS), Tokyo, Japan; http://www.rcis.aist.go.jp/asiaccs08/ 3/31/08- 4/ 2/08: Wireless Network Security (WiSec), Alexandria, VA; http://discovery.csc.ncsu.edu/WiSec08/ 3/31/08: European Symposium on Research in Computer Security (ESORICS) Malaga, Spain; http://www.isac.uma.es/esorics08 Submissions are due 4/ 4/08: Recent Advances in Intrusion Detection (RAID) Cambridge, MA; http://www.ll.mit.edu/IST/RAID2008/ Submissions are due; info: rkc@ll.mit.edu; 4/ 7/08- 4/11/08: Asynchronous Circuits and Systems (ASYNC), Newcastle upon Tyne, UK; http://async.org.uk/async2008/ 4/11/08: New Security Paradigms Workshop (NSPW), Squaw Valley, CA; http://www.nspw.org; Submissions are due; 4/14/08: Usability, Psychology, and Security (UPSEC), San Francisco, CA; info: upsec08chairs@usenix.org; http://www.usenix.org/upsec08/cfp 4/14/08: Conference on Embedded Networked Sensor Systems (SenSys) Raleigh, NC; http://sensys.acm.org/2008/ Submissions are due 4/18/08: Workshop on Security (IWSEC) Kagawa, Japan; http://www.iwsec.org Submissions are due; 4/25/08: International Conference on Network Protocols (ICNP) Orlando, Florida; http://www.cs.purdue.edu/homes/fahmy/icnp2008/ Submissions are due; proceedings to attendees only (A); info: icnp2008@cs.purdue.edu; 5/13/08- 5/16/08: Workshop in Information Security Theory and Practices (WIST), Sevilla, Spain; info: damien.sauveron@xlim.fr; http://wistp2008.xlim.fr/ 5/18/08- 5/21/08: Symposium on Security and Privacy (IEEE S&P), Berkeley/Oakland, CA; http://www.ieee-security.org/TC/SP2008/oakland08-cfp.html info: oakland08-generalchair @ ieee-security.org 5/22/08: Systematic Approaches to Digital Forensic Engineering (SADFE), Oakland, CA; info: yasinac@cs.fsu.edu http://conf.ncku.edu.tw/sadfe/sadfe08/ 5/22/08: Workshop on Web 2.0 Security and Privacy (W2SP) (W2SP), Oakland, CA; http://www.ieee-security.org/TC/SP2008/oakland08.html 5/25/08- 5/28/08: Service, Security and its Data management technologies in Ubi-comp (SSDU), Kunming, China; http://grid.hust.edu.cn/gpc2008/ 6/ 3/08- 6/ 6/08: Applied Cryptography and Network Security (ACNS), Columbia University, New York City, NY; http://acns2008.cs.columbia.edu/ 6/ 3/08- 6/ 6/08: Workshop on Security and High Performance Computing Systems (SHPCS), Nicosia, Cyprus; proceedings to attendees only (AO); info: guha@eecs.ucf.edu; http://www.diiga.univpm.it/~spalazzi/nicosia/ 6/ 3/08- 6/ 4/08: Applications of Pairing-Based Cryptography: IBE and Beyond (NIST-IBE), Gaithersburg, MD; info:ibe@nist.gov; http://csrc.nist.gov/groups/ST/IBE/index.html 6/ 4/08- 6/ 5/08: Symposium on Information Assurance (IASymp), Albany, NY; http://www.albany.edu/iasymposium proceeding to attendees only; http://www.albany.edu/iasymposium 6/20/08: Workshop on Wireless Security and Privacy (WISP), Beijing, China; info: zjiang@wcupa.edu; http://www.ieee.org/portal/pages/pubs/transactions/stylesheets.html 6/22/08- 6/27/08: USENIX Annual Technical Conference (USENIX), Boston MA; info: conference@usenix.org; http://www.usenix.org/events/usenix08/ 6/23/08- 6/25/08: Computer Security Foundations Symposium (CSF), Pittsburgh, PA; http://www.cylab.cmu.edu/CSF2008/ 6/25/08- 6/27/08: Workshop on the Economics of Information Security (WEIS), Hanover, New Hampshire; http://weis2008.econinfosec.org; proceedings to attendees only; http://weis2008.econinfosec.org 7/ 8/08- 7/18/08: Human Aspects of Information Security & Assurance (HAISA), Plymouth, UK; info: info@haisa.org; http://www.haisa.org 7/10/08- 7/11/08: Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA), Paris, France; http://www.dimva.org/dimva2008/ 7/14/08- 7/16/08: Australasian Conference on Information Security and Privacy (ACISP), Wollongong, Australia; http://www.uow.edu.au/conferences 7/23/08- 7/25/08: Symposium On Usable Privacy and Security (SOUPS), Carnegie Mellon University, Pittsburgh, PA; http://cups.cs.cmu.edu/SOUPS/ 7/28/08- 8/ 1/08: USENIX Security Symposium (USENIXSec), San Jose, CA; info: sec08chair@usenix.org; http://www.usenix.org/sec08/cfpa/ 8/11/08- 8/13/08: Digital Forensic Research Workshop (DFRWS), Baltimore, MD; http://www.dfrws.org/2008/ 9/ 8/08- 9/10/08: Information Security Conference (SEC), Milan, Italy; http://sec2008.dti.unimi.it 9/15/08- 9/17/08: Recent Advances in Intrusion Detection (RAID), Cambridge, MA; info: rkc@ll.mit.edu; http://www.ll.mit.edu/IST/RAID2008/ 9/22/08- 9/25/08: New Security Paradigms Workshop (NSPW), Squaw Valley, CA; http://www.nspw.org 10/ 6/08-10/ 8/08: European Symposium on Research in Computer Security (ESORICS), Malaga, Spain; http://www.isac.uma.es/esorics08 10/19/08-10/22/08: International Conference on Network Protocols (ICNP), Orlando, Florida; proceedings to attendees only (AO); info: icnp2008@cs.purdue.edu; http://www.cs.purdue.edu/homes/fahmy/icnp2008/ 10/31/08: NIST SHA3 Hash Functio Competition (NIST-SHA3); info: bstein@nist.gov; Submissions are due; http://www.nist.gov/hash-competition 11/ 5/08-11/ 7/08: Conference on Embedded Networked Sensor Systems (SenSys), Raleigh, NC; http://sensys.acm.org/2008/ 11/25/08-11/27/08: Workshop on Security (IWSEC), Kagawa, Japan; http://www.iwsec.org ____________________________________________________________________ Journal, Conference and Workshop Calls-for-Papers (new since 81) ____________________________________________________________________ ------------------------------------------------------------------------- ACNS 2008 6th International Conference on Applied Cryptography and Network Security, New York, New York, USA, June 3-6, 2008. http://acns2008.cs.columbia.edu/ (Submissions due 14 January 2008) ACNS is an annual conference concentrating on current developments that advance the areas of applied cryptography and its application to systems and network security. Original papers on all aspects of applied cryptography and network security are solicited for submission to ACNS'08. Topics of relevance include but are not limited to: - Applied cryptography and provably-secure cryptographic protocols - Design and analysis of efficient cryptographic primitives: public-key and symmetric-key cryptosystems, block ciphers, and hash functions - Network security protocols - Techniques for anonymity; trade-offs between anonymity and utility - Integrating security into the next-generation Internet: DNS security, routing, naming, denial-of-service attacks, TCP/IP, secure multicast - Economic fraud on the Internet: phishing, pharming, spam, and click fraud - Email and web security - Public key infrastructure, key management, certification, and revocation - Security and privacy for emerging technologies: sensor networks, mobile (ad hoc) networks, peer-to-peer networks, bluetooth, 802.11, RFID - Trust metrics and robust trust inference in distributed systems - Security and usability - Intellectual property protection: metering, watermarking, and digital rights management - Modeling and protocol design for rational and malicious adversaries - Automated analysis of protocols ------------------------------------------------------------------------- SEC 2008 23rd International Information Security Conference, Co-located with IFIP World Computer Congress 2008, Milan, Italy, September 8-10, 2008. http://sec2008.dti.unimi.it (Submissions due 17 January 2008) The conference seeks submissions from academia and industry presenting novel research on all theoretical and practical aspects of computer security, as well as case studies and implementation experiences. Papers should have practical relevance to the construction, evaluation, application, or operation of secure systems. Theoretical papers must make convincing argument for the practical significance of the results. Topics of interest include, but are not limited to: - access control - accounting and audit - anonymity - applied cryptography - authentication - computer forensics - cryptographic protocols - database security - data protection - data/system integrity - digital rights management - electronic frauds - identity management - information warfare - intrusion detection - key management - law and ethics - peer-to-peer security - privacy-enhancing technology - secure location services - secure networking - security education - security management - smartcards - commercial and industry security - data and application security - inference/controlled disclosure - risk analysis and risk management - intellectual property protection - security in IT outsourcing - security for mobile code - trust management - trust models ------------------------------------------------------------------------- UPSEC 2008 Workshop on Usability, Psychology, and Security, Co-located with the 5th USENIX Symposium on Networked Systems Design & Implementation (NSDI 2008), San Francisco, California, USA, April 14, 2008. http://www.usenix.org/upsec08/cfp (Submissions due 18 January 2008) Information security involves both technology and people. To design and deploy secure systems, we require an understanding of how users of those systems perceive, understand, and act on security risks and threats. This one-day workshop will bring together an interdisciplinary group of researchers, systems designers, and developers to discuss how the fields of human computer interaction, applied psychology, and computer security can be brought together to inform innovations in secure systems design. We seek to deepen the conversation about usable security to go beyond the user interface, toward developing useful and usable systems of humans and technology. Topics include but are not limited to: - Error detection and recovery - Human perception and cognitive information processing - Identity and impression management - Individual and cultural differences - Information seeking and evaluation - Judgment and decision-making - Learning, training, and experience - Mental models - Models of privacy, sharing, and trust - Organizational, group, and individual behavior - Risk perception, risk analysis, and risk communication - Security behavior study methodology - Social engineering - Social influence and persuasion - System proposals and design approaches - Threat evaluation - Usability - User motivation and incentives for secure behavior ------------------------------------------------------------------------- ATC 2008 5th International Conference on Autonomic and Trusted Computing, Oslo, Norway, June 23-25, 2008. http://www.ux.uis.no/atc08/ (Submissions due 19 January 2008) Computing systems including hardware, software, communication and networks are growing dramatically in both scale and heterogeneity, becoming overly complex. Such complexity is getting even more critical with the ubiquitous permeation of embedded devices and other pervasive systems. To cope with the growing and ubiquitous complexity, Autonomic Computing (AC) focuses on self-manageable computing and communication systems that exhibit self-awareness, self-configuration, self-optimization, self-healing, self-protection and other self-x operations to the maximum extent possible without human intervention or guidance. Organic Computing (OC) additionally emphasizes natural-analogue concepts like self-organization and controlled emergence. Trusted/Trustworthy Computing (TC) aims at making computing and communication systems as well as services available, predictable, traceable, controllable, assessable, sustainable, dependable, persist-able, security/privacy protect-able, etc. ATC-08 addresses the most innovative research and development in these challenging areas and includes all technical aspects related to autonomic/organic computing (AC/OC) and trusted computing (TC). Topics of interest include, but are not limited to: - AC/OC Theory and Models ( Nervous/organic models, negotiation, cooperation, competition, self-organization, emergence, etc.) - AC/OC Architectures and Systems (Autonomic elements & their relationship, frameworks, middleware, observer/controller architectures, etc.) - AC/OC Components and Modules (Memory, storage, database, device, server, proxy, software, OS, I/O, etc.) - AC/OC Communication and Services (Networks, self-organized net, web service, grid, P2P, semantics, agent, transaction, etc.) - AC/OC Tools and Interfaces (Tools/interfaces for AC/OC system development, test, monitoring, assessment, supervision, etc.) - Trust Models and Specifications (Models and semantics of trust, distrust, mistrust, over-trust, cheat, risk, reputation, reliability, etc.) - Trust-related Security and Privacy (Trust-related secure architecture, framework, policy, intrusion detection/awareness, protocols, etc.) - Trusted Reliable and Dependable Systems (Fault-tolerant systems, hardware redundancy, robustness, survivable systems, failure recovery, etc.) - Trustworthy Services and Applications (Trustworthy Internet/web/grid/P2P e-services, secured mobile services, novel applications, etc.) - Trust Standards and Non-Technical Issues (Trust standards and issues related to personality, ethics, sociology, culture, psychology, economy, etc.) ------------------------------------------------------------------------- WISTP 2008 Workshop in Information Security Theory and Practices 2008: Smart Devices, Convergence and Next Generation Networks, Sevilla, Spain, May 13-16, 2008. http://wistp2008.xlim.fr/ (Submissions due 20 January 2008) With the rapid technological development of information technologies and with the transition from the common to the next generation networks, computer systems and especially embedded systems are becoming more mobile and ubiquitous, increasingly interfacing with the physical world. Ensuring the security of these complex and yet, resource constraint systems has emerged as one of the most pressing challenges. Another important challenge is related to the convergence of these new technologies. The aim of this second workshop is to bring together researchers and practitioners in related areas and to encourage interchange and cooperation between the research community and the industrial/consumer community. Topics of interest include, but are not limited to: Smart Devices - Biometrics, National ID cards - Embedded Systems Security and TPMs - Interplay of TPMs and Smart Cards - Mobile Codes Security - Mobile Devices Security - New Applications for Secure RFID Systems - RFID Systems Security - Smart Card Security - Smart Devices Applications - Wireless Sensor Node Security Convergence: Security Architectures, Protocols, Policies and Management for Mobility - Critical Infrastructure (e.g. for Medical or Military Applications) Security - Digital Rights Management (DRM) - Distributed Systems and Grid Computing Security - Industrial and Multimedia Applications - Information Assurance and Trust Management - Intrusion Detection and Information Filtering - Localization Systems Security (Tracking of People and Goods) - M2M (Machine to Machine), H2M (Human to Machine) and M2H (Machine to Human) Security - Mobile Commerce Security - Public Administration and Governmental Services - Privacy Enhancing Technologies - Security Models and Architecture - Security Policies (Human-Computer Interaction and Human Behavior Impact) - Security Protocols (for Identification and Authentication, Confidentiality and Privacy, and Integrity) - Security Measurements Next Generation Networks - Ad Hoc Networks Security - Delay-Tolerant Network Security - Domestic Network Security - Peer-to-Peer Networks Security - Security Issues in Mobile and Ubiquitous Networks - Security of GSM/GPRS/UMTS Systems - Sensor Networks Security - Vehicular Network Security - Wireless Communication Security: Bluetooth, NFC, WiFi, WiMAX, WiMedia, others ------------------------------------------------------------------------- SSDU 2008 2nd International Symposium on Service, Security and its Data management technologies in Ubi-comp, Held in conjunction with the 3rd International Conference on Grid and Pervasive Computing (GPC 2008), Kunming, China, May 25-28, 2008. http://grid.hust.edu.cn/gpc2008/ (Submissions due 24 January 2008) Ubiquitous Computing (Ubi-comp) is emerging rapidly as an exciting new paradigm with user-centric environment to provide computing and communication services at any time and anywhere. In order to realize their advantages, it requires integrating security, services and data management to be suitable for Ubi-com. However, there are still many problems and major challenges awaiting for us to solve such as the security risks in ubiquitous resource sharing, which could be occurred when data resources are connected and accessed by anyone in Ubi-com. Therefore, it will be needed to explore more secure and intelligent mechanism in Ubi-com. Topics include: - Context-Awareness and its Data mining for Ubi-com service - Human-Computer Interface and Interaction for Ubi-com - Smart Homes and its business model for Ubi-com service - Intelligent Multimedia Service and its Data management for Ubi-com - USN / RF-ID for Ubi-com service - Network security issues, protocols, data security in Ubi-com - Database protection for Ubi-com - Privacy Protection and Forensic in Ubi-com - Multimedia Security in Ubi-com - Authentication and Access control for data protection in Ubi-com - Service, Security and its Data management for U-commerce - New novel mechanism and Applications for Ubi-com ------------------------------------------------------------------------- CSF 2008 21st IEEE Computer Security Foundations Symposium, Pittsburgh, PA, USA, June 23-25, 2008. http://www.cylab.cmu.edu/CSF2008/ (Submissions due 29 January 2008) The IEEE Computer Security Foundations (CSF) series brings together researchers in computer science to examine foundational issues in computer security. Over the past two decades, many seminal papers and techniques have been presented first at CSF. The CiteSeer Impact page (http://citeseer.ist.psu.edu/impact.html ) lists CSF as 38th out of more than 1200 computer science venues, top 3.11% in impact based on citation frequency. New theoretical results in computer security are welcome. Also welcome are more exploratory presentations, which may examine open questions and raise fundamental concerns about existing theories. Panel proposals are sought as well as papers. Possible topics include, but are not limited to: - Access control - Anonymity and Privacy - Authentication - Data and system integrity - Database security - Decidability and complexity - Distributed systems security - Electronic voting - Executable content - Formal methods for security - Information flow - Intrusion detection - Language-based security - Network security - Resource usage control - Security for mobile computing - Security models - Security protocols - Trust and trust management ------------------------------------------------------------------------- USENIX-Security 2008 17th USENIX Security Symposium, San Jose, California, USA, July 28-August 1, 2008. http://www.usenix.org/sec08/cfpa/ (Submissions due 30 January 2008) On behalf of the 17th USENIX Security Symposium (USENIX Security '08) program committee, we are inviting you to submit high-quality papers in all areas relating to systems and network security. Please note that the USENIX Security Symposium is primarily a systems security conference. Papers whose contributions are primarily new cryptographic algorithms or protocols, cryptanalysis, electronic commerce primitives, etc., may not be appropriate for this conference. Refereed paper submissions are solicited in all areas relating to systems and network security, including: - Adaptive security and system management - Analysis of network and security protocols - Applications of cryptographic techniques - Attacks against networks and machines - Authentication and authorization of users, systems, and applications - Automated tools for source code analysis - Botnets - Cryptographic implementation analysis and construction - Denial-of-service attacks and countermeasures - File and filesystem security - Firewall technologies - Forensics and diagnostics for security - Intrusion and anomaly detection and prevention - Malicious code analysis, anti-virus, anti-spyware - Network infrastructure security - Operating system security - Privacy-preserving (and -compromising) systems - Public key infrastructure - Rights management and copyright protection - Security architectures - Security in heterogeneous and large-scale environments - Security policy - Self-protecting and healing systems - Techniques for developing secure systems - Technologies for trustworthy computing - Usability and security - Voting systems analysis and security - Wireless and pervasive/ubiquitous computing security - Web security ------------------------------------------------------------------------- Elsevier Computer Standards and Interfaces, Special issue on Information and Communications Security, Privacy and Trust: Standards and Regulations, Summer 2008. http://www.elsevier.com/wps/find/journaldescription.cws_home/505607/description#description (Submission Due 30 January 2008) Guest editors: Bhavani Thuraisingham (University of Texas at Dallas, USA) and Stefanos Gritzalis (niversity of the Aegean, Greece) Most of the research and development work carried out by universities, research centers and private companies today, is based, in some way or another, on international standards or pre-standards that have been produced under the auspices of recognized standardization bodies. On top of that, many market sectors have recognized standardization as a prerequisite for the provision of high quality services and products, thus triggering a large number of multi-sectoral voluntary standards. For many years the Security field was somehow isolated in the Information and Communications Technology arena. Inevitably this isolation has been inherited to the standards governing the security, privacy, and trust techniques and mechanisms that are currently employed. It is therefore important to inform the scientific community about these problems and facilitate better collaboration on the security, privacy, and trust aspects of international standards and regulations. We welcome the submission of papers that: provide information about activities and progress of security, privacy, and trust standardization work; focus on critical comments on standards and standardization activities; discuss actual projects results; disseminate experiences and case studies in the application and exploitation of established and emerging standards, methods and interfaces. The areas of interest may include, but not limited, to: - Access Control and Authorization - Assurance Services - Auditing and Forensic Information Management - Authentication, Authorization, and Accounting - Business Services - Confidentiality and Privacy Services - Digital Rights Management - eBusiness, eCommerce, eGovernment Security: Establishing Trust and Confidence of Citizens in eTransactions and eServices - eHealth Security - Lawful Interception Architectures and Functions - Legal and Regulation Issues - Network Defense Services - Privacy and Identity Management - Securing Critical Information and Communication Infrastructures - Security Challenges to the use and deployment of Disruptive Technologies (Trusted Computing, VoIP, WiMAX, RFID, IPv6) - Security issues in Network Event Logging - Standardization Aspects of Electronic Signatures - Trust Services - Wireless, Mobile, Ad hoc and Sensors Networks Security, Privacy, and Trust ------------------------------------------------------------------------- NYS-IA 2008 3rd Annual Symposium on Information Assurance, Albany, NY, USA, June 4-5, 2008. http://www.albany.edu/iasymposium (Submissions due 31 January 2008) Authors are invited to submit original and unpublished papers to the 3rd Annual Symposium on Information Assurance, which will be jointly held with the 11th Annual NYS Cyber Security Conference. This two day event attracts practitioners, researchers, and vendors providing opportunities for business and intellectual engagement among attendees. The conference program will be organized into topics not limited to: - Security Policy Implementation & Compliance - Computer & Network Forensics - Information Security Risk Management - Network Security and Intrusion Detection - Economics of Information Security - Reverse Engineering of Viruses and Worms - Security Metrics for Evaluating Security - Botnet Detection and Prevention - Computer Crime Data Analytics - Security in Wireless and Ad hoc Networks - Internet-based Terrorism and Espionage - Adaptive & Resilient Security Models - Digital Rights Management - Biological Models of Security - Privacy & Security - Distributed Systems Security - Security Glossaries and Ontologies - Database Security and Data Integrity - Trust Modeling and Management - Curriculum Development in Information Security ------------------------------------------------------------------------- SADFE 2008 3rd International Workshop on Systematic Approaches to Digital Forensic Engineering, Held in conjunction with the 2008 IEEE Symposium on Security and Privacy (SP 2008), The Claremont Resort, Oakland, CA, USA, May 22, 2008. http://conf.ncku.edu.tw/sadfe/sadfe08/ (Submissions due 1 February 2008) The SADFE (Systematic Approaches to Digital Forensic Engineering) International Workshop promotes systematic approaches to cyber crime investigation, by furthering the advancement of digital forensic engineering as a disciplined practice. Digital forensic engineering is characterized by the application of scientific and mathematical principles to the investigation and establishment of facts or evidence, either for use within a court of law or to aid understanding of cyber crimes or cyber-enabled crimes. To advance the state of the art, SADFE 2008 solicits broad-based, innovative digital forensic engineering technology, techno-legal and practice-related submissions in the following four areas: - Digital Data and Evidence Management: advanced digital evidence discovery, collection, and storage. - Principle-based Digital Forensic Processes: systematic engineering processes supporting digital evidence management which are sound on scientific, technical and legal grounds. - Digital Evidence Analytics: advanced digital evidence analysis, correlation, and presentation. - Forensic-support technologies: forensic-enabled and proactive monitoring/response. ------------------------------------------------------------------------- DIMVA 2008 5th Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Paris, France, July 10-11, 2008. http://www.dimva.org/dimva2008/ (Submissions due 4 February 2008) The annual DIMVA conference serves as a premier forum for advancing the state of the art in intrusion detection, malware detection, and vulnerability assessment. Each year DIMVA brings together international experts from academia, industry and government to present and discuss novel research in these areas. DIMVA is organized by the special interest group Security - Intrusion Detection and Response of the German Informatics Society (GI). DIMVA's scope includes, but is not restricted to the following areas: Intrusion Detection - Approaches - Implementations - Prevention and response - Result correlation - Evaluation - Potentials and limitations - Operational experiences - Evasion and other attacks - Legal and social aspects Malware - Techniques - Detection - Prevention and containment - Evaluation - Trends and upcoming risks - Forensics and recovery Vulnerability Assessment - Vulnerabilities - Vulnerability detection - Vulnerability prevention - Classification and evaluation ------------------------------------------------------------------------- PODC 2008 27th Annual ACM SIGACT-SIGOPS Symposium on the Principles of Distributed Computing, Toronto, Canada, August 18-21, 2008. http://www.podc.org/podc2008 (Submissions due 4 February 2008) PODC solicits papers on all areas of distributed systems. We encourage submissions dealing with any aspect of distributed computing from the theoretical or experimental viewpoints. The common goal is to improve understanding of principles underlying distributed computing. Topics of interest include the following subjects in distributed systems: - distributed algorithms: design and analysis - communication networks: architectures, services, protocols, applications - multiprocessor and multi-core architectures and algorithms - shared and transactional memory, synchronization protocols, concurrent programming - fault-tolerance, reliability, availability, self organization - Internet applications, social networks, recommender systems - distributed operating systems, middleware platforms, databases - distributed computing with selfish agents - peer-to-peer systems, overlay networks, distributed data management - high-performance, cluster, and grid computing - mobile computing, autonomous agents, location- and context-aware distributed systems - security in distributed computing, cryptographic protocols - sensor, mesh, and ad hoc networks - specification, semantics, verification, and testing of distributed systems ------------------------------------------------------------------------- ICIMP 2008 3rd International Conference on Internet Monitoring and Protection, Bucharest, Romania, June 29 - July 5, 2008. http://www.iaria.org/conferences2008/ICIMP08.html (Submissions due 5 February 2008) The International Conference on Internet Monitoring and Protection (ICIMP 2008) initiates a series of special events targeting security, performance, vulnerabilities in Internet, as well as disaster prevention and recovery. Dedicated events focus on measurement, monitoring and lessons learnt in protecting the user. ICIMP 2008 Tracks include: - TRASI: Internet traffic surveillance and interception - IPERF: Internet performance - RTSEC: Security for Internet-based real-time systems - DISAS: Disaster prevention and recovery - EMERG: Networks and applications emergency services - MONIT: End-to-end sampling, measurement, and monitoring - REPORT: Experiences & lessons learnt in securing networks and applications - USSAF: User safety, privacy, and protection over Internet - SYVUL: Systems vulnerabilities - SYDIA: Systems diagnosis - CYBER-FRAUD: Cyber fraud - BUSINESS: Business continuity - RISK: Risk assessment - TRUST: Privacy and trust in pervasive communications - RIGHT: Digital rights management - BIOTEC: Biometric techniques ------------------------------------------------------------------------- Wiley InterScience Security and Communication Networks Journal, Special Issue on Clinical Information Systems (CIS) Security, July/August 2008. http://www3.interscience.wiley.com/cgi-bin/jtoc/114299116/ (Submission Due 10 February 2008) Guest editors: Theodore Stergiou (KPMG Kyriacou Advisors AE, Greece), Dimitrios Delivasilis (Incrypto Ltd., Greece), Mark S Leeson (University of Warwick, UK), and Ray Yueh-Min Huang (National Cheng-Kung University, Taiwan, R.O.C.) Managing records of patient care has become an increasingly complex issue with the widespread use of advanced technologies. The vast amount of information for every routine care must be securely processed over different data bases. Clinical Information Systems (CIS) address the need for a computerized approach in managing personal health information. Hospitals and public or private health insurance organizations are continuously upgrading their database and data management systems to more sophisticated architectures. The possible support of the large patient archives and the flexibility of a CIS in providing up-to-date patient information and worldwide doctors’ collaboration, have leveraged the research on CIS both in academic and government domains. At the same time, it has become apparent that patients require more control over their clinical data, either being results of clinical examinations or medical history. Due to the large amount of information that can be found on the Internet and the free access to medical practitioners and hospitals worldwide, patients may choose to communicate their information so as to obtain several expert opinions regarding their conditions. Given the sensitive nature of the information stored and inevitably in transit, security has become an issue of outmost necessity. Numerous EU and US research projects have been launched to address security in CIS (e.g. EUROMED, ISHTAR, RESHEN), whereas regulatory compliance to acts such as the HIPAA has become an obligation for centers moving to CIS. This Special Issue will serve as a venue for both academia and industry individuals and groups working in this fast-growing research area to share their experiences and state-of-the-art work with the readers. The topics of interest in this Special Issue include, but are not limited to: - Authentication techniques for CIS - Authorization mechanisms and approaches for patient-centric data - Public Key Infrastructures to support diverse clinical information environments and networks - Cryptographic protocols for use to secure patient-centric data - Secure communication protocols for the communication of clinical data - Wireless sensor networks security - Body sensor networks security - CIS Database security - Interoperability across diverse CIS environments (national and multilateral) - Government and international regulatory and compliance requirements ------------------------------------------------------------------------- ACISP 2008 13th Australasian Conference on Information Security and Privacy, Wollongong, Australia, July 14-16, 2008. http://www.uow.edu.au/conferences/acisp%202008/index.html (Submissions due 11 February 2008) ACISP 2008 is the main computer security and cryptography conference organized in Australia that provides an avenue for discussion and exchange of ideas for researchers from academia and industry. Original papers pertaining to all aspects of information security and privacy are solicited for submission to the ACISP 2008. Papers may present theory, techniques, applications and practical experiences on a variety of topics. Topics of interest include, but are not limited to: - access control - authentication and identi?cation - authorization - biometrics - computer forensics - copyright protection - cryptography - database security - electronic surveillance - evaluation and certification - intrusion detection - key management - key establishment protocols - legal and privacy issues - mobile system security - network and communication security - secure electronic commerce - secure operating systems - secure protocols - smart cards - malware and viruses ------------------------------------------------------------------------- CARDIS 2008 8th Smart Card Research and Advanced Application Conference, Royal Holloway, University of London, Egham, Surrey, UK, September 8-11, 2008. http://www.scc.rhul.ac.uk/CARDIS/ (Submissions due 15 February 2008) Since 1994, CARDIS has been the foremost international conference dedicated to smart card research and applications. Submissions across a broad range of smart card development phases are encouraged, from exploratory research and proof-of-concept studies to practical applications and deployment of smart card technology. As a response to the growing development of contactless applications and RFID systems, a special interest is also devoted to low cost cryptographic mechanisms and physical security of constrained devices. Topics of interest include, but are not limited to: - From smart cards to smart devices (hardware, form factor, display) - Software environments for smart cards and devices (OS, VM, API) - Smart cards and devices networking and high-level data models - Smart cards and devices applications, development and deployment - Person representation and biometrics using smart technologies - Identity, privacy and trust issues for smart technologies - High-speed, small-footprint implementations of cryptographic algorithms - Attacks and countermeasures in hardware and software - Cryptographic protocols for smart cards and devices - Biometrics and smart cards - Formal modeling of environments and applications - Interplay of TPMs and smart cards - Security of RFID systems ------------------------------------------------------------------------- EUROSEC 2008 European Workshop on System Security, Held in conjunction with the Annual ACM SIGOPS EuroSys conference (EUROSYS 2008), Glasgow, Scotland, March 31, 2008. http://www.cs.vu.nl/eurosec08/ (Submissions due 15 February 2008) The workshop aims to bring together researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in the security of computer systems and networks. The focus of the workshop is on novel, practical, systems-oriented work. EuroSec seeks contributions on all aspects of systems security. Topics of interest include (but are not limited to): - new attacks, evasion techniques, and defenses - operating system security - hardware architectures - "trusted computing" and its applications - identity management, anonymity - small trusted computing bases - mobile systems security - measuring security - malicious code analysis and detection - web security - systems-based forensics - systems work on fighting spam/phishing ------------------------------------------------------------------------- IFIP-DAS 2008 22nd Annual IFIP WG 11.3 Working Conference on Data and Applications Security, London, UK, July 13-16, 2008. http://seclab.dti.unimi.it/~ifip113/2008/ (Submissions due 20 February 2008) The 22nd Annual IFIP WG 11.3 Working Conference on Data and Applications Security provides a forum for presenting original unpublished research results, practical experiences, and innovative ideas in data and applications security. Papers and panel proposals are also solicited. Proceedings will be published by Springer as the next volume in the Research Advances in Database and Information Systems Security series. Papers may present theory, techniques, applications, or practical experience on topics of relevance to IFIP WG 11.3: - Access Control - Applied cryptography in data security - Identity theft and countermeasures - Integrity maintenance - Intrusion detection - Knowledge discovery and privacy - Organizational security - Privacy and privacy-preserving data management - Secure transaction processing - Secure information integration - Secure Semantic Web - Secure sensor monitoring - Secure Web Services - Threats, vulnerabilities, and risk management - Trust management ------------------------------------------------------------------------- SHPCS 2008 Workshop on Security and High Performance Computing Systems, Held in conjunction with the 2008 International Conference on High Performance Computing & Simulation (HPCS 2008) and the 22nd European Conference on Modelling and Simulation (ECMS 2008), Nicosia, Cyprus, June 3-6, 2008. http://www.diiga.univpm.it/~spalazzi/nicosia/ (Submissions due 21 February 2008) This workshop addresses relationships between security and high performance systems in three directions. First, it considers how to add security properties (authentication, confidentiality, integrity, non-repudiation, access control) to high performance computing systems. Second, it covers how to use high performance computing systems to solve security problems. Third, it investigates the tradeoffs between maintaining high performance and achieving security in computing systems and solutions to balance the two objectives. In all these directions, various performance analyses or monitoring techniques can be conducted to show the efficiency of a security infrastructure. This workshop covers (but is not limited to) the following topics: - Access Control - Accounting and Audit - Anonymity - Applied Cryptography - Authentication - Commercial and Industry Security - Cryptographic Protocols - Data and Application Security - Data/System Integrity - Database Security - Digital Rights Management - Formal Verification of Secure Systems - Identity Management - Inference/Controlled Disclosure - Information Warfare - Intellectual Property Protection - Intrusion and Attack Detection - Intrusion and Attack Response - Key Management - Privacy-Enhancing Technology - Secure Networking - Secure System Design - Security Management - Security for Mobile Code - Security for Specific Domains (e.g., E-Government, E-Business, P2P) - Security in IT Outsourcing - Security in Mobile and Wireless Networks - Security in Operating Systems - Security Location Services - Security of Grid and Cluster Architectures - Smartcards - Trust Management Policies - Trust Models ------------------------------------------------------------------------- SOUPS 2008 Symposium On Usable Privacy and Security, Carnegie Mellon University, Pittsburgh, PA, USA, July 23-25, 2008. http://cups.cs.cmu.edu/SOUPS/ (Submissions due 29 February 2008) The 2008 Symposium on Usable Privacy and Security (SOUPS) will bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy. The program will feature technical papers, a poster session, panels and invited talks, discussion sessions, and in-depth sessions (workshops and tutorials). We invite authors to submit original papers describing research or experience in all areas of usable privacy and security. Topics include, but are not limited to: - innovative security or privacy functionality and design - new applications of existing models or technology - field studies of security or privacy technology - usability evaluations of security or privacy features or security testing of usability features - lessons learned from deploying and using usable privacy and security features ------------------------------------------------------------------------- W2SP 2008, 2nd Workshop on Web 2.0 Security and Privacy, Held in conjunction with the 2008 IEEE Symposium on Security and Privacy (SP 2008), The Claremont Resort, Oakland, CA, USA, May 22, 2008. http://www.ieee-security.org/TC/SP2008/oakland08.html (Submissions due 1 March 2008) The goal of this one day workshop is to bring together researchers and practitioners from academia and industry to focus on understanding Web 2.0 security and privacy issues, and establishing new collaborations in these areas. Web 2.0 is about connecting people and amplifying the power of working together. The mixing of technology and social interaction is occurring in the context of a wave of technologies supporting rapid development of these interpersonal and business interactions. Many of the new web technologies rely on the composition of content and services from multiple sources, resulting in complex technology compositions (mash-ups). The content composition trend is likely to continue. The lure of these technologies is the promise of simpler ways to compose software service and content, at lower cost. However, there are issues with respect to management of identities, reputation, privacy, anonymity, transient and long term relationships, and composition of function and content, both on the server side and at the client (web browser). While the security and privacy issues are not new, these issues are increasingly becoming acute as the technologies are adopted and adapted to appeal to wider audiences. Some of these technologies deliberately bypass existing security mechanisms. This workshop is intended to discuss the limitations of the current technologies and explore alternatives. The scope of W2SP 2008 includes, but is not limited to: - Identity, privacy, reputation and anonymity - End-to-end security architectures - Security of content composition - Security and privacy policy definition and modeling of content composition - Provenance and governance - Usable security and privacy models - Static and dynamic analysis for security - Security as a service - Click fraud - Software as a service - Web services/feeds/mashups - Next generation browser technology ------------------------------------------------------------------------- ISC 2008 Information Security Conference, Taipei, Taiwan, September 15-18, 2008. http://isc08.twisc.org/ (Submissions due 1 March 2008) ISC aims to attract high quality papers in all technical aspects of information security. The topics of interest of ISC include, but are not limited to, the following: - Access Control - Accounting and Audit - Anonymity and Pseudonymity - Applied Cryptography - Attacks and Prevention of Online Fraud - Authentication and Non-repudiation - Biometrics - Cryptographic Protocols and Functions - Database and System Security - Design and Analysis of Cryptographic Algorithms - Digital Rights Management - Economics of Security and Privacy - Formal Methods in Security - Foundations of Computer Security - Identity and Trust Management - Information Hiding and Watermarking - Infrastructure Security - Intrusion Detection, Tolerance and Prevention - Mobile, Ad Hoc and Sensor Network Security - Network and Wireless Network Security - Peer-to-Peer Network Security - PKI and PMI - Private Searches - Security and Privacy in Pervasive/Ubiquitous Computing - Security in Information Flow - Security for Mobile Code - Security of Grid Computing - Security of eCommerce, eBusiness and eGovernment - Security Modeling and Architectures - Security Models for Ambient Intelligence environments - Trusted Computing - Usable Security - Special Session on AES ------------------------------------------------------------------------- IWSSE 2008 2nd International Workshop on Security in Software Engineering, Held in conjunction with the IEEE COMPSAC 2008, Turku, July 28 - August 1, 2008. http://www.sis.pitt.edu/%7Elersais/IWSSE/IWSSE08.html (Submissions due 1 March 2008) Secure software engineering has become an emerging interdisciplinary area across software engineering, programming languages, and security engineering. Secure software engineering focuses on developing secure software and understanding the security risks and managing these risks throughout the life-cycle of software. The purpose of the workshop is to bring together researchers and practitioners who work closely in this area to create a forum for reporting and discussing recent advances in improving security in software engineering and inspiring collaborations and innovations on new methods and techniques to advance software security in our practices. Researchers and practitioners worldwide are invited to present their research expertise and experience, and discuss the issues and challenges in security from software engineering perspective. Submissions of quality papers in the following non-exhaustive list of topics are invited: - Management of software security in industrial practice - Security requirements and policies - Abuse cases and threat modeling - Architecture and design for security - Model-based security - Language-based security - Malicious code prevention and code safety - Security risk analysis - Security taxonomy and metrics - Testing for security - Application security: detection and protection - Software piracy and protection ------------------------------------------------------------------------- Globecom-CCNS 2008 Computer and Communications Network Security Symposium, Held in conjunction with the IEEE Global Communications Conference (GLOBECOM 2008), New Orleans, LA, USA, November 30 - December 4, 2008. http://www.comsoc.org/confs/globecom/2008/symposium/compcom.html (Submissions due 15 March 2008) The Computer and Communications Network Security Symposium will address all aspects of the modelling, design, implementation,deployment, and management of computer/network security algorithms, protocols,architectures, and systems. Furthermore, contributions devoted to the evaluation, optimization, or enhancement of security mechanisms for current technologies as well as devising efficient security and privacy solutions for emerging technologies are solicited. Topics of interest include: - Secure PHY, MAC, Routing and Upper Layer Protocols - Secure Cross Layer Design - Authentication Protocols and Services Authorization - Confidentiality - Data and System Integrity - Availability of Secure Services - Key Distribution and Management - PKI and Security Management - Trust Models and Trust Establishment - Identity Management and Access Control - Deployment and Management of Computer/Network Security Policies - Monitoring Design for Security - Distributed Intrusion Detection Systems and Countermeasures - Traffic Filtering and Firewalling - IPv6 security, IPSec - Virtual Private Networks (VPNs) - Prevention, Detection and Reaction Design - Revocation of Malicious Parties - Light-Weight Cryptography - Quantum Cryptography and QKD - Applications of Cryptography and Cryptanalysis in communications security - Security and Mobility - Mobile Code Security - Network traffic Analysis Techniques - Secure Naming and Addressing (Privacy and Anonymity) - Application/Network Penetration Testing - Advanced Cryptographic Testbeds - Network Security Metrics and Performance Evaluation - Operating System(OS) Security and Log Analysis Tools - Security Modelling and Protocol Design - Security Specification Techniques - Self-Healing Networks - Smart Cards and Secure Hardware - Biometric Security: Technologies, Risks and Vulnerabilities - Information Hiding and Watermarking - Vulnerability, Exploitation Tools, and Virus/Worm Analysis - Distributed Denial-Of-Service (DDOS) Attacks and Countermeasures - DNS Spoofing and Security - Critical infrastructure Security - Single- and Multi-Source Intrusion Detection and Response (Automation) - Web, E-commerce, M-commerce, and E-mail Security - New Design for Unknown Attacks Detection ------------------------------------------------------------------------- Pairing 2008 2nd International Conference on Pairing-based Cryptography, Egham, UK, September 1-3, 2008. http://www.pairing-conference.org/ (Submissions due 16 March 2008) Pairing-based cryptography is an extremely active area of research which has allowed elegant solutions to a number of long-standing open problems in cryptography (such as efficient identity-based encryption). New developments continue to be made at a rapid pace. The aim of "Pairing" conference is thus to bring together leading researchers and practitioners from academia and industry, all concerned with problems related to pairing-based cryptography. Authors are invited to submit papers describing their original research on all aspects of pairing-based cryptography, including, but not limited to the following topics: Area I: Novel cryptographic protocols - ID-based and certificateless cryptosystems - Broadcast encryption, signcryption etc - Short/multi/aggregate/group/ring/threshold/blind signatures - Designed confirmer or undeniable signatures - Identification/authentication schemes - Key agreement Area II: Mathematical foundations - Weil, Tate, Eta, and Ate pairings - Security consideration of pairings - Other pairings and applications of pairings in mathematics - Generation of pairing friendly curves - (Hyper-) Elliptic curve cryptosystems - Number theoretic algorithms - Addition algorithms in divisor groups Area III: SW/HW implementation - Secure operating systems - Efficient software implementation - FPGA or ASIC implementation - Smart card implementation - RFID security - Middleware security - Side channel and fault attacks Area IV: Applied security - Novel security applications - Secure ubiquitous computing - Security management - PKI models - Application to network security - Grid computing - Internet and web security - E-business or E-commerce security ------------------------------------------------------------------------- DFRWS 2008 8th Annual Digital Forensic Research Workshop, Baltimore, MD, USA, August 11-13, 2008. http://www.dfrws.org/2008/ (Submissions due 17 March 2008) DFRWS brings together leading researchers, developers, practitioners, and educators interested in advancing the state of the art in digital forensics from around the world. As the most established venue in the field, DFRWS is the preferred place to present both cutting-edge research and perspectives on best practices for all aspects of digital forensics. As an independent organization, we promote open community discussions and disseminate the results of our work to the widest audience. We invite original contributions as research papers, panel proposals, Work-in-Progress talks, and demo proposals. All papers are evaluated through a double-blind peer-review process, and those accepted will be published in printed proceedings by Elsevier. Topics of Interest include: - Incident response and live analysis - Network-based forensics, including network traffic analysis, traceback and attribution - Event reconstruction methods and tools - File system and memory analysis - Application analysis - Embedded systems - Small scale and mobile devices - Large-scale investigations - Digital evidence storage and preservation - Data mining and information discovery - Data hiding and recovery - File extraction from data blocks (“file carving”) - Multimedia analysis - Tool testing and development - Digital evidence and the law - Anti-forensics and anti-anti-forensics - Case studies and trend reports - Non-traditional approaches to forensic analysis ------------------------------------------------------------------------- ICITS 2008 International Conference on Information Theoretic Security, Calgary, Canada, August 10-13, 2008. http://iqis.org/events/icits2008 (Submissions due 23 March 2008) This is the second conference in a series of conferences that is aimed to bring together the leading researchers in the area of information and quantum theoretic security. This series of conferences is a successor to the 2005 IEEE Information Theory Workshop on Theory and Practice in Information-Theoretic Security (ITW 2005). The first ICITS conference was held in Madrid, after Eurocrypt 2007. Conference proceedings will be published by Springer Verlag in the Lecture Notes in Computer Science. The topics of interest are on work on any aspect of information theoretical security, this means security based on information theory. This includes, but is not limited to the following topics: - Information theoretic analysis of security - Private and Reliable Networks - Anonymity - Public Key Cryptosystems using Codes - Authentication Codes - Quantum Cryptography - Conventional Cryptography using Codes - Quantum Information Theory - Fingerprinting - Randomness extraction - Ideal Ciphers - Secret Sharing - Information Hiding - Secure Multiparty Computation - Key Distribution - Traitor Tracing - Oblivious Transfer - Data hiding and Watermarking ------------------------------------------------------------------------- ESORICS 2008 13th European Symposium on Research in Computer Security, Malaga, Spain, October 6-8, 2008. http://www.isac.uma.es/esorics08 (Submissions due 31 March 2008) Papers offering novel research contributions in any aspect of computer security are solicited for submission to the Thirteenth European Symposium on Research in Computer Security (ESORICS 2008). Organized in a series of European countries, ESORICS is confirmed as the European research event in computer security. The symposium started in 1990 and has been held on alternate years in different European countries and attracts an international audience from both the academic and industrial communities. From 2002 it has been held yearly. The Symposium has established itself as one of the premiere, international gatherings on Information Assurance. Papers may present theory, technique, applications, or practical experience on topics including: - Access control - Anonymity - Authentication - Authorization and delegation - Cryptographic protocols - Data integrity - Dependability - Information flow control - Smartcards - System security - Digital right management - Accountability - Applied cryptography - Covert channels - Cybercrime - Denial of service attacks - Formal methods in security - Inference control - Information warfare - Steganography - Transaction management - Data and application security - Intellectual property protection - Intrusion tolerance - Peer-to-peer security - Language-based security - Network security - Non-interference - Privacy-enhancing technology - Pseudonymity - Subliminal channels - Trustworthy user devices - Identity management - Security as quality of service - Secure electronic commerce - Security administration - Security evaluation - Security management - Security models - Security requirements engineering - Security verification - Survivability - Information dissemination control - Trust models and trust management policies ------------------------------------------------------------------------- RAID 2008 11th International Symposium on Recent Advances in Intrusion Detection, Cambridge, Massachusetts, USA, September 15-17, 2008. http://www.ll.mit.edu/IST/RAID2008/ (Submissions due 4 April 2008) This symposium, the 11th in an annual series, brings together leading researchers and practitioners from academia, government, and industry to discuss issues and technologies related to intrusion detection and defense. The Recent Advances in Intrusion Detection (RAID) International Symposium series furthers advances in intrusion defense by promoting the exchange of ideas in a broad range of topics. As in previous years, all topics related to intrusion detection, prevention and defense systems and technologies are within scope, including but not limited to the following: - Network and host intrusion detection and prevention - Anomaly and specification-based approaches - IDS cooperation and event correlation - Malware prevention, detection, analysis and containment - Web application security - Insider attack detection - Intrusion response, tolerance, and self protection - Operational experience and limitations of current approaches - Intrusion detection assessment and benchmarking - Attacks against IDS including DoS, evasion, and IDS discovery - Formal models, analysis, and standards - Deception systems and honeypots - Vulnerability analysis, risk assessment, and forensics - Adversarial machine learning for security - Visualization techniques - Special environments, including mobile and sensor networks - High-performance intrusion detection - Legal, social, and privacy issues - Network exfiltration detection - Botnet analysis, detection, and mitigation ------------------------------------------------------------------------- NSPW 2008 New Security Paradigm Workshop, Olympic Valley, CA, USA, September 22-25, 2008. http://www.nspw.org (Submissions due 11 April 2008) The computers of the world are under siege. Denial of service attacks plague commercial sites, large and small. Major companies are hacked for consumer credit card numbers. Phishing attacks for personal information are commonplace, and million-machine botnets are a reality. Our tools for combating these threats--cryptography, firewalls, access controls, vulnerability scanners, malware and intrusion detectors--are insufficient. We need radical new solutions, but most security researchers propose only incremental improvements. Since 1992, the New Security Paradigm Workshop (NSPW) has been a home for research that addresses the fundamental limitations of current work in information security. NSPW welcomes papers that present a significant shift in thinking about difficult security issues, build on such a recent shift, offer a contrarian view of accepted practice or policy, or address non-technological aspects of security. Our program committee particularly looks for new approaches to information security, early thinking on new topics, innovative solutions to long-time problems, and controversial issues which might not be accepted at other conferences but merit a hearing. We discourage papers that represent completed or established works, or offer incremental improvements to well-established models. NSPW expects a high level of scholarship from contributors, including awareness of prior work produced before the World Wide Web. ------------------------------------------------------------------------- IWSEC 2008 3rd International Workshop on Security, Kagawa, Japan, November 25-27, 2008. http://www.iwsec.org (Submissions due 18 April 2008) The aim of IWSEC2008 is to contribute to security research and development addressing the topics from traditional theory and tools on security to other up-to-date issues. Topics include but are not limited to: - Cryptography - Authorization and Access Control - Biometrics - Information Hiding - Quantum Security - Network and Distributed Systems Security - Privacy Enhancing Technology - Security Issues in Ubiquitous/Pervasive Computing - Security Management - Software and System Security - Protection of Critical Infrastructure - Digital Forensics - Economics and Other Scientific Approaches for Security ------------------------------------------------------------------------- ==================================================================== Information on the Technical Committee on Security and Privacy ==================================================================== ____________________________________________________________________ Information for Subscribers and Contributors ____________________________________________________________________ SUBSCRIPTIONS: Two options, each with two options: 1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe". OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself) 2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard". OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself) To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors. ____________________________________________________________________ Recent Address Changes ____________________________________________________________________ Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html _____________________________________________________________________ How to become <> a member of the IEEE Computer Society's TC on Security and Privacy _____________________________________________________________________ You may easily join the TC on Security & Privacy by completing the on-line for at IEEE at http://www.computer.org/TCsignup/index.htm ______________________________________________________________________ TC Publications for Sale ______________________________________________________________________ IEEE Security and Privacy Symposium The 2007 proceedings are available in hardcopy for $30.00, the 28 year CD is $20.00, plus shipping and handling. The 2006 Symposium proceedings and 11-year CD are sold out. The 2005, 2004, and 2003 Symposium proceedings are available for $10 plus shipping and handling. Shipping is $4.00/volume within the US, overseas surface mail is $7/volume, and overseas airmail is $11/volume, based on an order of 3 volumes or less. The shipping charge for a CD is $1 per CD (no charge if included with a hard copy order). Send a check made out to the IEEE Symposium on Security and Privacy to the 2007 treasurer (below) with the order description, including shipping method, and send email to the 2007 Registration Chair (Yong Guan) (oakland07-registration @ ieee-security.org) with the shipping address, please. Terry Benzel Treasurer, IEEE Security and Privacy USC Information Sciences Institute 4676 Admiralty Way Marina Del Rey, CA 90292 (310) 822-1511 IEEE CS Press You may order some back issues from IEEE CS Press at http://www.computer.org/cspress/catalog/proc9.htm Computer Security Foundations Symposium Copies of the proceedings of the Computer Security Foundations Workshop (now Symposium) are available for $10 each. Copies of proceedings are available starting with year 10 (1997). Photocopy versions of year 1 are also $10. Contact Jonathan Herzog if interested in purchase. Jonathan Herzog Department of Computer Science Naval Postgraduate School 1 University Circle Monterey, CA 93943 jcherzog@nps.edu ______________________________________________________________________ TC Officer Roster ______________________________________________________________________ Chair: Security and Privacy Chair Emeritus: Prof. Cynthia Irvine Deborah Shands U.S. Naval Postgraduate School The Aerospace Corporation Computer Science Department El Segundo, CA Code CS/IC oakland07-chair@ieee-security.org Monterey CA 93943-5118 (831) 656-2461 (voice) irvine@cs.nps.navy.mil Vice Chair: Chair, Subcommittee on Academic Affairs: Hilarie Orman Prof. Cynthia Irvine Purple Streak, Inc. U.S. Naval Postgraduate School 500 S. Maple Dr. Computer Science Department, Code CS/IC Salem, UT 84653 Monterey CA 93943-5118 hilarie @purplestreak.com (831) 656-2461 (voice) irvine@cs.nps.navy.mil Treasurer: Chair, Subcomm. on Security Conferences: Terry Benzel Jonathan Millen USC Information Scieces Intnl The MITRE Corporation, Mail Stop S119 4676 Admiralty Way, Suite 1001 202 Burlington Road Rte. 62 Los Angeles, CA 90292 Bedford, MA 01730-1420 (310) 822-1511 (voice) 781-271-51 (voice) tbenzel @isi.edu jmillen@mitre.org Security and Privacy Symposium Newsletter Editor 2008 General Chair: Hilarie Orman Yong Guan Purple Streak, Inc. Iowa State University 500 S. Maple Dr. oakland08-chair@ieee-security.org cipher-editor@ieee-security.org ________________________________________________________________________ BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html Cipher is published 6 times per year