============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 86                                       September 17, 2008

Hilarie Orman, Editor                     Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org         cipher-assoc-editor @ ieee-security.org

Yong Guan, Book Review Editor             Calendar Editor
cipher-bookrev @ ieee-security.org        cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * Commentary and Opinion
   o Richard Austin's review of Security Engineering: A Guide to Building
     Dependable Distributed Systems (2ed) by Ross Anderson
   o Book reviews, Conference Reports and Commentary and News items from
     past Cipher issues are available at the Cipher website
 * News
   o NIST releases standards for Keyed Hashing (HMAC) and Randomized Hashing
 * Conference and Workshop Announcements
   o Calendar listing
   o Upcoming calls-for-papers and events
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Staying in Touch
   o Information for subscribers and contributors
   o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
   o Becoming a member of the TC
   o TC Officers
   o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

Ross Anderson's 2nd edition of his broad spectrum book, "Security
Engineering", is the subject of Richard Austin's book review this month.
Judging from the massive cases of identity theft resulting from unsecured
networks, more people should have read the first edition. NIST is doing its
part by releasing new standards for security functions such as HMAC and
digital signature randomized hashing, but one gets the feeling that
carpenters are hand hewing new barn doors as many generations of horses are
running rampant through the gaping structure.

Though we do not have a news story about the security of the Domain Naming
System (DNS) this month, it is the subject of great scrutiny by the experts
(see, for example, "Huge Internet Security Hole Slowly Being Fixed",
http://www.foxnews.com/story/0,2933,398488,00.html?sPage=fnc/scitech/cybersecurity ).
This is an interesting example of the old maxim that "security design cannot
be an add-on". I do not believe that is true more than half the time, but for
DNS, there is no question about the difficulty. DNS is a simple concept that
has become complicated in practice. Despite 15 years of attempts to add
security, it remains an elusive goal, always just about done, just on the
horizon. Hierarchical object caching turns out to be a tough nut to crack,
security-wise.

Please take note of the submission deadline for the 2009 Security and Privacy
Symposium, one of the two prestigious conferences sponsored by our IEEE
Technical Committee.
Try identity shuffling, trade names with the person next to you,

      Hilarie Orman
      cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports
are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Richard Austin
September 8, 2008
____________________________________________________________________

Security Engineering: A Guide to Building Dependable Distributed Systems (2ed)
by Ross Anderson
Wiley 2008.
ISBN 978-0-470-06852-6
Amazon.com USD 56.00, bookpool.com USD 59.50

Anderson defines security engineering as "building systems to remain
dependable in the face of malice, error or mischance" (p. 3). He then spends
the following 888 pages immersing the reader in just how wide the range of
"systems" actually is and the multitude of ways malice, error and mischance
can interact with them to produce results that were at least "unintended".

The book's breadth of coverage is impressive, ranging from the
bread-and-butter subjects of security models, access control and
cryptography to more exotic topics such as bank note printing and command
and control of nuclear weapons. Anderson successfully navigates the Scylla
and Charybdis of mind-numbing detail and superficial treatment by clearly
presenting the gist of each topic and providing extensive references (a
total of 1,379 of them) for further details. An especially helpful feature
is that he concludes each chapter with a "Further reading" section that
points to recommended sources for more information.
Many authors content themselves with a bibliography that catalogues
everything anyone ever said on a subject and abandon the hapless reader to
ferret out the best place to begin exploring the conversation on a
particular subject, so these "marked trails" for navigating the topics are
much appreciated.

Structurally, the book is divided into three parts, with the first covering
the foundations (usability and psychology, protocols, access control, etc).
Chapter 2 on "Usability and Psychology" is a particular gem as it reminds us
that adversaries can "exploit psychology at least as much as technology"
(p. 17) when attacking our systems. Using passwords as an example, Anderson
delves deeply into why systems so often don't work as we intended when
people are part of the interface.

The second part is devoted to applications of secure systems (e.g., banking
and bookkeeping, security printing and seals, electronic and information
warfare). Of special interest is chapter 16 on "Physical Tamper Resistance",
which gives a clear presentation of how techniques such as "potting"
(sealing devices in epoxy) are defeated. His descriptions of "How to hack a
smartcard" are both troubling and instructive as he presents the active
interplay of attack and defense in the evolution of a technology.

The concluding part is devoted to politics, management and assurance.
Chapter 24 on "Terror, Justice and Freedom" is a must-read examination of
how the security systems we design and deploy can impinge on our daily lives
with consequences beyond their original security objectives.

Anderson's wide experience with the topics he discusses shines throughout
the presentation and soundly grounds it in the real world struggle between
defenders and attackers. If there is a flaw with the book, it is the lack of
a good copy-editing pass that would have cleared up some distracting
spelling errors and word confusions.
This is a book that belongs on your shelf and, more importantly, one you
should make the time to read. It counters our growing tendency to insularity
by revealing what a wide field of endeavor "security" actually is. As noted
by Bruce Schneier in the foreword, Anderson (and Roger Needham) coined the
phrase "programming Satan's computer" as an aphorism for the difficulties
faced by security professionals in securing systems against active and
innovative adversaries. Perhaps it's not going too far to call this book the
"owner's manual" for Satan's computer.

--------
Before beginning life as an itinerant university instructor and security
consultant, Richard Austin was the storage network security architect for a
Fortune 25 company. He welcomes your thoughts and comments at
rda7838 at Kennesaw dot edu

====================================================================
News Briefs

News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html
====================================================================

August 18, 2008, press release
Sara Caswell, NIST, (sara@nist.gov) wrote

The National Institute of Standards and Technology (NIST) is pleased to
announce approval of Federal Information Processing Standard (FIPS)
Publication 198-1, The Keyed-Hash Message Authentication Code (HMAC), a
revision of FIPS 198. The Federal Register Notice (FRN) of the approval is
available here. The FIPS specifies a mechanism for message authentication
using cryptographic hash functions in Federal information systems.
URL to the Federal Register Notice:
http://csrc.nist.gov/publications/fips/fips198-1/FIPS198-1_FRN.pdf

URL to the FIPS Publication 198-1:
http://csrc.nist.gov/publications/PubsFIPS.html#FIPS%20198-1

---------------------------------------------------------------------

August 18, 2008, press release
Sara Caswell, NIST, (sara@nist.gov) wrote

NIST revised the first drafts of Special Publication (SP) 800-106,
Randomized Hashing for Digital Signatures, and SP 800-107, Recommendation
for Applications Using Approved Hash Algorithms after receiving great
comments from many public and private individuals and organizations. The
second drafts of these two SPs have been posted at
http://csrc.nist.gov/publications/PubsDrafts.html. The deadlines for public
comments and the point-of-contact are listed with the documents.

NIST also would like to announce that FIPS 198-1 has already been approved
and it is posted at
http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf.

====================================================================
Conference and Workshop Announcements
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events

Date (Month/Day/Year), Event, Locations, web page for more info.
 9/15/08- 9/17/08: RAID, 11th International Symposium on Recent Advances in Intrusion Detection, Cambridge, Massachusetts, USA; http://www.ll.mit.edu/IST/RAID2008/
 9/15/08- 9/18/08: ISC, Information Security Conference, Taipei, Taiwan; http://isc08.twisc.org/
 9/17/08: CISS, Communication and Information Systems Security Symposium, Held in conjunction with the IEEE International Conference on Communications (ICC 2009), Dresden, Germany; http://www.ieee-icc.org/2009/; Submissions are due
 9/22/08- 9/25/08: NSPW, New Security Paradigm Workshop, Olympic Valley, CA, USA; http://www.nspw.org
 9/24/08: PKC, 12th IACR International Workshop on Practice and Theory in Public Key Cryptography, Irvine, California, USA; http://www.iacr.org/workshops/pkc2009; Submissions are due
 9/29/08: TrustCol, 3rd International Workshop on Trusted Collaboration, Held in conjunction with IEEE CollaborateCom, The Regal Sun Resort, Orlando, Florida, USA; http://www.sis.uncc.edu/~mshehab/trustcol08/; Submissions are due
 9/30/08: Wiley's Security and Communication Networks Journal, Special Issue on Security in Mobile Wireless Networks; http://www3.interscience.wiley.com/cgi-bin/jtoc/114299116/; Submissions are due
 9/30/08: PSAI, 2nd Workshop on Privacy and Security by means of Artificial Intelligence, Held in conjunction with ARES 2009, Fukuoka, Japan; http://crises-deim.urv.cat/psai/; Submissions are due
10/ 1/08: EURASIP Journal on Wireless Communications and Networking, Special Issue on Wireless Physical Layer Security; http://www.hindawi.com/journals/wcn/si/wpls.html; Submissions are due
10/ 6/08-10/ 8/08: ESORICS, 13th European Symposium on Research in Computer Security, Malaga, Spain; http://www.isac.uma.es/esorics08
10/ 9/08-10/10/08: NordSec, 13th Nordic Workshop on Secure IT Systems, Copenhagen, Denmark; http://lbt.imm.dtu.dk/nsd08/nordsec08/
10/15/08: IFIP-DF, 5th Annual IFIP WG 11.9 International Conference on Digital Forensics, Orlando, Florida, USA; http://www.ifip119.org; Submissions are due
10/15/08: NSP, 1st International Workshop on Network Security and Privacy, Held in conjunction with the IEEE IPCCC 2008, Austin, Texas, USA; http://www.ipccc.org/ipccc2008/main.php?page=6#workshop4; Submissions are due
10/17/08: FC, 13th International Conference on Financial Cryptography and Data Security, Accra Beach, Barbados; http://fc09.ifca.ai/; Submissions are due
10/18/08: ALICS, Workshop on Applications of Logic in Computer Security, Held in conjunction with the 15th International Conference on Logic for Programming, Artificial Intelligence and Reasoning (LPAR 2008), Doha, Qatar; http://chacs.nrl.navy.mil/projects/ALICS08/; Submissions are due
10/22/08-10/24/08: DoE-TH3, 3rd DOE Grass Roots Cyber Security Community Town Hall Meeting, Washington, DC, USA; https://wiki.cac.washington.edu/display/doe/Home
10/27/08-10/31/08: ACM CCS, 15th ACM Conference on Computer and Communications Security, Alexandria, VA, USA; http://www.sigsac.org/ccs/CCS2008/
10/30/08: SecSE, 3rd Workshop on Secure Software Engineering, Held in conjunction with ARES 2009, Fukuoka, Japan; http://www.sintef.no/secse; Submissions are due
11/ 2/08: Trust, 2nd International Conference on Trusted Computing, St. Hugh's College, University of Oxford, UK; http://www.trust2009.org; Submissions are due
11/ 3/08-11/ 4/08: SKM, Workshop on Secure Knowledge Management, Richardson, Texas, USA; http://cs.utdallas.edu/skm2008/call_for_papers.htm
11/10/08: SP, 30th IEEE Symposium on Security and Privacy, Oakland/Berkeley, California, USA; http://oakland09.cs.virginia.edu; Submissions are due
11/10/08-11/12/08: IWDW, 7th International Workshop on Digital Watermarking, Busan, Korea; http://multimedia.korea.ac.kr/iwdw2008
11/13/08-11/16/08: TrustCol, 3rd International Workshop on Trusted Collaboration, Held in conjunction with IEEE CollaborateCom, The Regal Sun Resort, Orlando, Florida, USA; http://www.sis.uncc.edu/~mshehab/trustcol08/
11/17/08: IDtrust, 8th Symposium on Identity and Trust on the Internet, Gaithersburg, Maryland, USA; http://middleware.internet2.edu/idtrust/; Submissions are due
11/20/08: ISPEC, 5th Information Security Practice and Experience Conference, Xi'an, China; http://www.ispec2009.net/; Submissions are due
11/22/08: ALICS, Workshop on Applications of Logic in Computer Security, Held in conjunction with the 15th International Conference on Logic for Programming, Artificial Intelligence and Reasoning (LPAR 2008), Doha, Qatar; http://chacs.nrl.navy.mil/projects/ALICS08/
11/25/08-11/27/08: IWSEC, 3rd International Workshop on Security, Kagawa, Japan; http://www.iwsec.org
11/30/08-12/ 4/08: Globecom-CCNS, Computer and Communications Network Security Symposium, Held in conjunction with the IEEE Global Communications Conference (GLOBECOM 2008), New Orleans, LA, USA; http://www.comsoc.org/confs/globecom/2008/symposium/compcom.html
12/ 2/08: MidSec, 1st International Workshop on Middleware Security, Held in conjunction with the 9th ACM International Middleware Conference (MIDDLEWARE 2008), Leuven, Belgium; http://www.cs.kuleuven.be/conference/MidSec2008/
12/ 7/08-12/ 9/08: NSP, 1st International Workshop on Network Security and Privacy, Held in conjunction with the IEEE IPCCC 2008, Austin, Texas, USA; http://www.ipccc.org/ipccc2008/main.php?page=6#workshop4
12/ 9/08-12/12/08: DSSC, 1st International Workshop on Dependable and Secure Services Computing, Held in conjunction with IEEE APSCC 2008, Yilan, Taiwan; http://6book.niu.edu.tw/DSSC08
12/14/08-12/17/08: Inscrypt, 4th International Conference on Information Security and Cryptology, Beijing, China; http://www.inscrypt.cn/inscrypt/
12/16/08-12/20/08: ICISS, 4th International Conference on Information Systems Security, Hyderabad, India; http://www.seclab.cs.sunysb.edu/iciss08/
12/31/08: IFIP-CIP, Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, Hanover, New Hampshire, USA; http://www.ifip1110.org; Submissions are due
 1/25/09- 1/28/09: IFIP-DF, 5th Annual IFIP WG 11.9 International Conference on Digital Forensics, Orlando, Florida, USA; http://www.ifip119.org
 2/ 4/09- 2/ 6/09: ESSoS, International Symposium on Engineering Secure Software and Systems, Leuven, Belgium; http://distrinet.cs.kuleuven.be/events/essos2009/
 2/ 8/09- 2/11/09: NDSS, 16th Annual Network and Distributed System Security Symposium, San Diego, California, USA; http://www.isoc.org/isoc/conferences/ndss/09/
 2/10/09- 2/13/09: ICIT, IEEE International Conference on Industrial Technology, Special Session on Wireless Bluetooth Technologies and Cyber Security; Churchill, Victoria, Australia; http://www.ieee-icit09.org/specialsessions.php
 2/23/09- 2/26/09: FC, 13th International Conference on Financial Cryptography and Data Security, Accra Beach, Barbados; http://fc09.ifca.ai/
 3/ 8/09- 3/12/09: SAC-TREK, 24th ACM Symposium on Applied Computing (SAC 2009) Trust, Reputation, Evidence and other Collaboration Know-how (TRECK) Track; Honolulu, Hawaii, USA; http://tech.groups.yahoo.com/group/trustcomp/
 3/ 8/09- 3/12/09: SAC-SEC, 24th ACM Symposium on Applied Computing (SAC 2009), Computer Security Track, Honolulu, Hawaii, USA; http://www.dmi.unict.it/~giamp/sac/09cfp.html
 3/16/09- 3/19/09: PSAI, 2nd Workshop on Privacy and Security by means of Artificial Intelligence, Held in conjunction with ARES 2009, Fukuoka, Japan; http://crises-deim.urv.cat/psai/
 3/16/09- 3/19/09: SecSE, 3rd Workshop on Secure Software Engineering, Held in conjunction with ARES 2009, Fukuoka, Japan; http://www.sintef.no/secse
 3/18/09- 3/20/09: PKC, 12th IACR International Workshop on Practice and Theory in Public Key Cryptography, Irvine, California, USA; http://www.iacr.org/workshops/pkc2009
 3/22/09- 3/25/09: IFIP-CIP, Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, Hanover, New Hampshire, USA; http://www.ifip1110.org
 3/26/09- 3/27/09: ICIW, 4th International Conference on Information Warfare and Security, Breakwater Lodge, Cape Town, South Africa; http://academic-conferences.org/iciw/iciw2009/iciw09-home.htm
 4/ 6/09- 4/ 8/09: Trust, 2nd International Conference on Trusted Computing, St. Hugh's College, University of Oxford, UK; http://www.trust2009.org
 4/13/09- 4/15/09: ISPEC, 5th Information Security Practice and Experience Conference; Xi'an, China; http://www.ispec2009.net/
 4/14/09- 4/16/09: IDtrust, 8th Symposium on Identity and Trust on the Internet, Gaithersburg, Maryland, USA; http://middleware.internet2.edu/idtrust/
 5/17/09- 5/20/09: SP, 30th IEEE Symposium on Security and Privacy, Oakland/Berkeley, California, USA; http://oakland09.cs.virginia.edu
 6/14/09- 6/18/09: CISS, Communication and Information Systems Security Symposium, Held in conjunction with the IEEE International Conference on Communications (ICC 2009); Dresden, Germany; http://www.ieee-icc.org/2009/

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers (new since Cipher E85)
___________________________________________________________________

CISS 2009, Communication and Information Systems Security Symposium, Held in
conjunction with the IEEE International Conference on Communications
(ICC 2009), Dresden, Germany, June 14-18, 2009.
http://www.ieee-icc.org/2009/
(Submissions due 17 September 2008)

With the advent of pervasive computer applications and due to the
proliferation of heterogeneous wired and wireless computer and communication
networks, security and privacy issues have become paramount. This Symposium
will address all aspects of the modeling, design, implementation, deployment,
and management of security algorithms, protocols, architectures, and
systems. Furthermore, contributions devoted to the evaluation, optimization,
or enhancement of security and privacy mechanisms for current technologies,
as well as devising efficient security and privacy solutions for emerging
technologies, are solicited. Topics of interest include, but are not limited
to, the following:
- Authentication protocols and message authentication
- Biometric security: technologies, risks, vulnerabilities, bio-cryptography,
  mobile template protection
- Computer and network forensics
- Cryptography: Conventional public-key crypto, symmetric-key crypto,
  advanced crypto, and quantum crypto
- DDOS attacks, DNS spoofing, and countermeasures
- Formal trust models
- Information hiding and watermarking
- Information systems security
- Intrusion detection, localization, and countermeasures
- Mobile and Wireless network security, including ad hoc networks, P2P
  networks, 3G, 4G, sensor networks, Bluetooth, 802.11 family and WiMAX
- Network security metrics and performance
- Network traffic analysis techniques
- Operating systems security and log analysis tools
- Optical network security
- Privacy and privacy enhancing technologies
- Security modeling and protocol design
- Virtual private networks
- VoIP Security
- Vulnerability, exploitation tools and virus analysis
- Web, eBusiness, eCommerce, eGovernment security

-------------------------------------------------------------------------

PKC 2009, 12th IACR International Workshop on Practice and Theory in Public
Key Cryptography, Irvine, California, USA, March 18-20, 2009.
http://www.iacr.org/workshops/pkc2009
(Submissions due 24 September 2008)

Original research papers on all technical aspects of public key cryptography
are solicited for submission to PKC 2009, the 12th International Workshop on
Practice and Theory in Public Key Cryptography. PKC '09 proceedings will be
published in the Springer-Verlag LNCS Series and will be available at the
conference.

-------------------------------------------------------------------------

TrustCol 2008, 3rd International Workshop on Trusted Collaboration, Held in
conjunction with IEEE CollaborateCom, The Regal Sun Resort, Orlando,
Florida, USA, November 13-16, 2008.
http://www.sis.uncc.edu/~mshehab/trustcol08/
(Submissions due 29 September 2008)

The ongoing, rapid developments in information systems technologies and
networking have enabled significant opportunities for streamlining decision
making processes and maximizing productivity through distributed
collaborations that facilitate unprecedented levels of sharing of
information and computational resources. Emerging collaborative environments
need to provide efficient support for seamless integration of heterogeneous
technologies such as mobile devices and infrastructures, web services, grid
computing systems, online social networks, various operating environments,
and diverse COTS products. Such heterogeneity introduces, however,
significant security and privacy challenges for distributed collaborative
applications. Balancing the competing goals of collaboration and security is
difficult because interaction in collaborative systems is targeted towards
making people, information, and resources available to all who need it,
whereas information security seeks to ensure the availability,
confidentiality, and integrity of these elements while providing it only to
those with proper trustworthiness.
The key goal of this workshop is to foster active interactions among diverse
researchers and practitioners, and generate added momentum towards research
in finding viable solutions to the security and privacy challenges faced by
the current and future collaborative systems and infrastructures. We solicit
unpublished research papers that address theoretical issues and practical
implementations/experiences related to security and privacy solutions for
collaborative systems. Topics of interest include, but are not limited to:
- Secure dynamic coalition environments
- Secure distributed multimedia collaboration
- Privacy control in collaborative environments
- Secure workflows for collaborative computing
- Policy-based management of collaborative workspace
- Secure middleware for large scale collaborative infrastructures
- Security and privacy issues in mobile collaborative applications
- Security frameworks and architectures for trusted collaboration
- Secure interoperation in multidomain collaborative environments
- Identity management for large scale collaborative infrastructures
- Semantic web technologies for secure collaborative infrastructure
- Trust models, trust negotiation/management for collaborative systems
- Access control models and mechanisms for collaboration environments
- Protection models and mechanisms for peer-to-peer collaborative
  environments
- Delegation, accountability, and information flow control in collaborative
  applications
- Intrusion detection, recovery and survivability of collaborative
  systems/infrastructures
- Security of web services and grid technologies for supporting multidomain
  collaborative applications

-------------------------------------------------------------------------

PSAI 2009, 2nd Workshop on Privacy and Security by means of Artificial
Intelligence, Held in conjunction with ARES 2009, Fukuoka, Japan,
March 16-19, 2009.
http://crises-deim.urv.cat/psai/
(Submissions due 30 September 2008)

In this workshop, we aim to convene researchers in the areas of Security,
Data Privacy and Artificial Intelligence. We seek to collect the most recent
advances in artificial intelligence techniques (i.e. neural networks, fuzzy
systems, multi-agent systems, genetic algorithms, image analysis,
clustering, etc), which are applied to the protection of privacy and
security. Individual privacy protection is a hot topic and it must be
addressed to guarantee the proper evolution of a modern society based on the
Information and Communication Techniques (ICTs). However, security policies
could invade individual privacy, especially after the appearance of the new
forms of terrorism. These two concepts (i.e. security and privacy) are
somehow opposite because, most of the time, security is achieved by means of
privacy invasion. Statistical agencies and the like are collecting large
amounts of personal information that has to be protected before its
publication. Different forms of evolutionary computation and clustering have
been proposed to tackle this problem. Moreover, the protection of critical
infrastructures such as airports has invigorated the study of more efficient
techniques for pattern recognition, image analysis, etc.

-------------------------------------------------------------------------

Wiley's Security and Communication Networks Journal, Special Issue on
Security in Mobile Wireless Networks, 4th quarter of 2009.
http://www3.interscience.wiley.com/cgi-bin/jtoc/114299116/
(Submission Due 30 September 2008)

Guest editors: Abderrahim Benslimane (University of Avignon, France), Chadi
Assi (Concordia University, Montreal, Canada), Stamatios V. Kartalopoulos
(University of Oklahoma, USA), and Fred Nen-Fu Huang (National Tsing Hua
University, Taiwan)

Security has become a primary concern in order to provide protected
communication in mobile networks.
Unlike wired networks, the unique characteristics of mobile networks pose a
number of nontrivial challenges to security design, such as open
peer-to-peer network architecture, shared wireless medium, stringent
resource constraints, highly dynamic network topology and absence of a
trusted infrastructure. Ubiquitous roaming impacts on a radio access system
by requiring that it supports handover between neighbouring cells and
different networks. Also, mobile networks are more exposed to interference
than wired networks. There are several components that contribute to this:
adjacent channels, co-channels, Doppler shifts, multipath, and fading.

This SI aims to identify and explore the different issues and challenges
related to security aspects in mobile networks. What are the impacts
(benefits or inconvenience) of mobility on security? What are the
appropriate mobility models to have a good level of security? Are classical
IDS approaches appropriate for mobile environments? How can security be
managed when mobility patterns and/or behaviour can be predicted? The
complete security solution should span both layers, and encompass all three
security components of prevention, detection, and reaction.
Topics of interest include, but are not limited to, the following as they
relate to mobile networks:
- Secure mobile PHY/MAC protocols
- Secure mobile routing protocols
- Security under resource constraints (e.g., energy, bandwidth, memory, and
  computation constraints)
- Performance and security tradeoffs in mobile networks
- Secure roaming across administrative domains
- Key management in mobile scenarios
- Cryptographic Protocols
- Authentication and access control in mobile networks
- Intrusion detection and tolerance in mobile network
- Trust establishment, negotiation, and management
- Secure mobile location services
- Secure clock distribution
- Privacy and anonymity
- Denial of service in mobile networks
- Prevention of traffic analysis

-------------------------------------------------------------------------

EURASIP Journal on Wireless Communications and Networking, Special Issue on
Wireless Physical Layer Security, April 1, 2009.
http://www.hindawi.com/journals/wcn/si/wpls.html
(Submission Due 1 October 2008)

Guest editors: Mérouane Debbah (Supélec, France), Hesham El-Gamal (Ohio
State University, USA), H. Vincent Poor (Princeton University, USA), and
Shlomo Shamai (Technion, Israel)

Security is a critical issue in multiuser wireless networks in which secure
transmissions are becoming increasingly difficult to obtain in highly mobile
and distributed environments. In his seminal works of the late 1940s,
Shannon formalized the concepts of capacity (as a transmission efficiency
measure) and equivocation (as a measure of secrecy). Together with Wyner's
fundamental formulation of the wiretap channel in the 1970s, this work laid
the groundwork for the area of wireless physical layer security. Interest in
this area has exploded in recent years, motivated by the rise of wireless
networking in general and by the increasing interest in large mobile
networks with light infrastructure, which are extremely difficult to secure
by traditional methods.
The objective of this special issue (whose preparation is carried out under
the auspices of the EC Network of Excellence in Wireless Communications
NEWCOM++) is to gather recent advances in the area of wireless physical
layer security from the theoretical, such as the analysis of the secrecy
capacity of various channel models, to more practical interests such as the
development of codes and other communication schemes that can provide
security in real networks. Suitable topics for this special issue dedicated
to physical layer security include but are not limited to:
- Opportunistic secrecy
- The wiretap channel with feedback
- Authentication over the wiretap channel
- Information theoretic secrecy of fading channels
- Secrecy through public discussion
- Wireless key distribution
- Multiuser channels with secrecy constraints
- MIMO wiretap channels
- Relay-eavesdropper channel
- Scheduling for secure communications
- Secure communication with jamming
- Game theoretic approaches for secrecy
- Codes for secure transmission
- Secure compression
- Cognitive approaches for secrecy
- Physical Secrecy and Common Randomness
- Secrecy with channel uncertainty

-------------------------------------------------------------------------

IFIP-DF 2009, 5th Annual IFIP WG 11.9 International Conference on Digital
Forensics, Orlando, Florida, USA, January 25-28, 2009.
http://www.ifip119.org
(Submissions due 15 October 2008)

The IFIP Working Group 11.9 on Digital Forensics (www.ifip119.org) is an
active international community of scientists, engineers and practitioners
dedicated to advancing the state of the art of research and practice in the
emerging field of digital forensics. The Fifth Annual IFIP WG 11.9
International Conference on Digital Forensics will provide a forum for
presenting original, unpublished research results and innovative ideas
related to the extraction, analysis and preservation of all forms of
electronic evidence.
Keynote presentations, revised papers and details of panel discussions will be published as an edited volume, the fifth in the series entitled Research Advances in Digital Forensics (Springer), in the summer of 2009. Technical papers are solicited in all areas related to the theory and practice of digital forensics. Areas of special interest include, but are not limited to:
- Theories, techniques and tools for extracting, analyzing and preserving digital evidence
- Network forensics
- Portable electronic device forensics
- Digital forensic processes and workflow models
- Digital forensic case studies
- Legal, ethical and policy issues related to digital forensics
-------------------------------------------------------------------------
NSP 2008, 1st International Workshop on Network Security and Privacy, Held in conjunction with IEEE IPCCC 2008, Austin, Texas, USA, December 7-9, 2008. http://www.ipccc.org/ipccc2008/main.php?page=6#workshop4 (Submissions due 15 October 2008)
This workshop provides a forum for academia, industry, and government agencies to discuss the challenges involved in network security and privacy. The workshop will identify and define new network security vulnerabilities, fundamental privacy issues and potential solutions.
Contributions of all types, including case studies and research, addressing the main focus or one of the following non-exclusive list of topics are equally welcome:
- Anonymous communications
- BGP security
- Botnets and countermeasures
- Covert channels
- Denial of service attacks
- DNS security
- Email spam
- Firewalls and traffic monitoring
- Honeypots/honeynets
- Internet worms and viruses
- On-line fraud
- Malware and spyware
- Network forensics
- Network intrusion detection and prevention
- Network security policy
- Phishing attacks
- P2P security
- RFID security
- Security testbeds, benchmarks, prototypes and experimental studies
- Security and privacy in wireless and sensor networks
- Social network privacy and security
- User authentication and authorization
- Web security
-------------------------------------------------------------------------
FC 2009, 13th International Conference on Financial Cryptography and Data Security, Accra Beach, Barbados, February 23-26, 2009. http://fc09.ifca.ai/ (Submissions due 17 October 2008)
Now in its 13th year, Financial Cryptography and Data Security (FC'09) is a well-established and major international forum for research, advanced development, education, exploration, and debate regarding security in the context of finance and commerce. Original papers, surveys and presentations on all aspects of financial and commerce security are invited. Submissions must have a strong and visible bearing on financial and commerce security issues, but can be interdisciplinary in nature and need not be exclusively concerned with cryptography or security.
Possible topics for submission to the various sessions include, but are not limited to:
- Anonymity and Privacy
- Auctions and Audits
- Authentication and Identification
- Biometrics
- Certification and Authorization
- Commercial Cryptographic Applications
- Digital Cash and Payment Systems
- Digital Incentive and Loyalty Systems
- Digital Rights Management
- Economics of Information Security
- Financial Regulation and Reporting
- Fraud Detection
- Game Theoretic Approaches to Security
- Identity Theft, Spam, Phishing and Social Engineering
- Infrastructure Design
- Legal and Regulatory Issues
- Microfinance and Micropayments
- Monitoring, Management and Operations
- Reputation Systems
- RFID-Based and Contactless Payment Systems
- Risk Assessment and Management
- Secure Banking and Financial Web Services
- Securing Emerging Computational Paradigms
- Security and Risk Perceptions and Judgments
- Smart Cards and Secure Tokens
- Transactions and Contracts
- Trust Management
- Underground-Market Economics
- Virtual Economies
- Voting Systems
-------------------------------------------------------------------------
ALICS 2008, Workshop on Applications of Logic in Computer Security, Held in conjunction with the 15th International Conference on Logic for Programming, Artificial Intelligence and Reasoning (LPAR 2008), Doha, Qatar, November 22, 2008. http://chacs.nrl.navy.mil/projects/ALICS08/ (Submissions due 18 October 2008)
ALICS is intended to be an informal workshop devoted to the applications of logic in computer security. It is intended for the presentation and discussion of work in progress and of emerging and foundational ideas. We are interested in all aspects of the application of logic to computer security. Applications of interest include security policy, access control, security protocols and information flow, but we are also interested in new and as yet untried applications of logic to different areas of computer security.
We are also interested in discussion papers that raise fundamental questions and/or suggest new lines of research in this area. Work that has already appeared or is under consideration by other venues is welcome.
-------------------------------------------------------------------------
SecSE 2009, 3rd Workshop on Secure Software Engineering, Held in conjunction with ARES 2009, Fukuoka, Japan, March 16-19, 2009. http://www.sintef.no/secse (Submissions due 30 October 2008)
In our modern society, software is an integral part of everyday life, and we expect and depend upon software systems to perform correctly. Software security is about ensuring that systems continue to function correctly even under malicious attack. As most systems are now web-enabled, the number of attackers with access to the system increases dramatically and thus the threat scenario changes. The traditional approach to securing a system includes putting up defence mechanisms like IDS and firewalls, but such measures are no longer sufficient by themselves. We need to be able to build better, more robust and more secure systems. Even more importantly, however, we should strive to achieve these qualities in all software systems, not just the ones that need special protection. This workshop will focus on techniques, experiences and lessons learned for engineering secure and dependable software.
Suggested topics include, but are not limited to:
- Secure architecture and design
- Security in agile software development
- Aspect-oriented software development for secure software
- Security requirements
- Risk management in software projects
- Secure implementation
- Secure deployment
- Testing for security
- Quantitative measurement of security properties
- Static and dynamic analysis for security
- Verification and assurance techniques for security properties
- Lessons learned
- Security and usability
- Teaching secure software development
- Experience reports on successfully attuning developers to secure software engineering
-------------------------------------------------------------------------
Trust 2009, 2nd International Conference on Trusted Computing, St. Hugh's College, University of Oxford, UK, April 6-8, 2009. http://www.trust2009.org (Submissions due 2 November 2008)
Building on the success of Trust 2008 (held in Villach, Austria, in March 2008), this conference focuses on trusted and trustworthy computing, from both the technical and the social perspectives. The conference will have two main strands, one devoted to technical aspects and one devoted to the socio-economic aspects of trusted computing. The conference solicits original papers on any aspect of the design and application of trusted computing. Topics of interest include, but are not limited to:
- architecture and implementation technologies for trusted platforms
- limitations of trusted computing
- mobile trusted computing
- implementations of trusted computing (covering both hardware and software)
- applications of trusted computing
- attestation and possible variants (e.g. property-based attestation)
- cryptographic aspects of trusted computing
- intrusion resilience in trusted computing
- virtualisation for trusted computing
- security policy and management of trusted computing
- access control for trusted platforms
- privacy aspects of trusted computing
- verification of trusted computing architectures
-------------------------------------------------------------------------
SP 2009, 30th IEEE Symposium on Security and Privacy, Oakland/Berkeley, California, USA, May 17-20, 2009. http://oakland09.cs.virginia.edu (Submissions due 10 November 2008)
Since 1980, the IEEE Symposium on Security and Privacy has been the premier forum for computer security research, presenting the latest developments and bringing together researchers and practitioners. We solicit previously unpublished papers offering novel research contributions in any aspect of computer security or privacy. S&P is interested in all aspects of computer security and privacy. Papers may present advances in the theory, design, implementation, analysis, or empirical evaluation of secure systems. Papers without a clear application to security or privacy will be considered out of scope and may be rejected without full review. Topics of interest include, but are not limited to:
- Access control
- Anonymity
- Application-level security
- Attacks and defenses
- Authentication
- Distributed systems security
- Embedded system security
- Forensics
- Hardware-based security
- Information flow
- Information security
- Intrusion detection
- Malicious code
- Language-based security
- Network security
- Physical security
- Privacy-preserving systems
- Recovery
- Secure protocols
- Security architectures
- Security and privacy policies
- System security
- Usability and security
- Web security
-------------------------------------------------------------------------
IDtrust 2009, 8th Symposium on Identity and Trust on the Internet, Gaithersburg, Maryland, USA, April 14-16, 2009.
http://middleware.internet2.edu/idtrust/ (Submissions due 17 November 2008)
IDtrust is devoted to research and deployment experience related to making good security decisions based on identity information, especially when public key cryptography is used and the human elements of usability are considered. The success of any business strategy depends on having the right people gain access to the right information at the right time. This implies that an IT infrastructure has, among other things, an authorization framework in place that can respond to dynamic security conditions and regulatory requirements quickly, flexibly and securely. What are the authorization strategies that will succeed in the next decade? What technologies exist to address complex requirements today? What research are academia and industry pursuing to solve the problems likely to show up in the next few years? We solicit technical papers and panel proposals from researchers, systems architects, vendor engineers, and users. Suggested topics include but are not limited to:
- Reports of real-world experience with the use and deployment of identity and trust applications for broad use on the Internet (where the population of users is diverse) and within enterprises that use the Internet (where the population of users may be more limited), how best to integrate such usage into legacy systems, and future research directions. Reports may include use cases, business case scenarios, requirements, best practices, implementation and interoperability reports, usage experience, etc.
- Identity management protocols (SAML, Liberty, CardSpace, OpenID, and PKI-related protocols)
- Identity metasystems, frameworks, and systems (Shibboleth, Higgins, etc.)
- User-centric identity, delegation, reputation
- Identity and Web 2.0, secure mash-ups, social networking, trust fabric and mechanisms of "invited networks"
- Identity management of devices from RFID tags to cell phones; Host Identity Protocol (HIP)
- Federated approaches to trust
- Trust management across security domains
- Standards related to identity and trust, including X.509, SPKI/SDSI, PGP, S/MIME, XKMS, XACML, XRML, and XML signatures
- Intersection of policy-based systems, identity, and trust; identity and trust policy enforcement, policy and attribute mapping and standardization
- Attribute management, attribute-based access control
- Trust path building and certificate validation in open and closed environments
- Improved usability of identity and trust systems for users and administrators, including usability design for authorization and policy management, naming, signing, verification, encryption, use of multiple private keys, and selective disclosure
- Identity and privacy
- Levels of trust and assurance
- Trust infrastructure issues of scalability, performance, adoption, discovery, and interoperability
- Use of PKI in emerging technologies (e.g., sensor networks)
- Application domain requirements: web services, grid technologies, document signatures (including signature validity over time), data privacy, etc.
-------------------------------------------------------------------------
ISPEC 2009, 5th Information Security Practice and Experience Conference, Xi'an, China, April 13-15, 2009. http://www.ispec2009.net/ (Submissions due 20 November 2008)
As applications of information security technologies become pervasive, issues pertaining to their deployment and operation are becoming increasingly important. ISPEC is an annual conference that brings together researchers and practitioners to provide a confluence of new information security technologies, their applications and their integration with IT systems in various vertical sectors.
Topics of interest include, but are not limited to:
- Applications of cryptography
- Critical infrastructure protection
- Digital rights management
- Information security in vertical applications
- Legal and regulatory issues
- Network security
- Privacy and anonymity
- Privacy issues in the use of smart cards and RFID systems
- Risk evaluation and security certification
- Resilience and availability
- Secure system architectures
- Security in e-commerce, e-business and other applications
- Security policy
- Security standards activities
- Trusted computing
- Trust model and management
- Usability aspects of information security systems
-------------------------------------------------------------------------
IFIP-CIP 2009, Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, Hanover, New Hampshire, USA, March 22-25, 2009. http://www.ifip1110.org (Submissions due 31 December 2008)
The IFIP Working Group 11.10 on Critical Infrastructure Protection is an active international community of researchers, infrastructure operators and policy-makers dedicated to applying scientific principles, engineering techniques and public policy to address current and future problems in information infrastructure protection. Papers are solicited in all areas of critical infrastructure protection.
Areas of interest include, but are not limited to:
- Infrastructure vulnerabilities, threats and risks
- Security challenges, solutions and implementation issues
- Infrastructure sector interdependencies and security implications
- Risk analysis and risk assessment methodologies
- Modeling and simulation of critical infrastructures
- Legal, economic and policy issues related to critical infrastructure protection
- Secure information sharing
- Infrastructure protection case studies
- Distributed control systems/SCADA security
- Telecommunications network security
====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================
http://cisr.nps.edu/jobscipher.html
--------------
This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: institution, city, state, position title, date the position announcement closes, and URL of the position description to: irvine@cs.nps.navy.mil
====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________
SUBSCRIPTIONS: Two options, each available in two ways:
1. To receive the full ASCII CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe". OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated; thereafter you can manage your subscription options, including unsubscribing, yourself).
2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard". OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated; thereafter you can manage your subscription options, including unsubscribing, yourself).
To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard
Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html
CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________
Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html
_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________
You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at http://www.computer.org/TCsignup/index.htm
______________________________________________________________________
TC Publications for Sale
______________________________________________________________________
IEEE Security and Privacy Symposium
The 2007 proceedings are available in hardcopy for $30.00; the 28-year CD is $20.00, plus shipping and handling. The 2006 Symposium proceedings and 11-year CD are sold out. The 2005, 2004, and 2003 Symposium proceedings are available for $10 plus shipping and handling. Shipping is $4.00/volume within the US, overseas surface mail is $7/volume, and overseas airmail is $11/volume, based on an order of 3 volumes or less. The shipping charge for a CD is $1 per CD (no charge if included with a hard copy order). Send a check made out to the IEEE Symposium on Security and Privacy to the 2007 treasurer (below) with the order description, including shipping method, and send email to the 2007 Registration Chair (Yong Guan) (oakland07-registration @ ieee-security.org) with the shipping address.
Terry Benzel
Treasurer, IEEE Security and Privacy
USC Information Sciences Institute
4676 Admiralty Way
Marina Del Rey, CA 90292
(310) 822-1511
IEEE CS Press
You may order some back issues from IEEE CS Press at http://www.computer.org/cspress/catalog/proc9.htm
Computer Security Foundations Symposium
Copies of the proceedings of the Computer Security Foundations Workshop (now Symposium) are available for $10 each. Copies of proceedings are available starting with year 10 (1997). Photocopy versions of year 1 are also $10. Contact Jonathan Herzog if interested in purchase.
Jonathan Herzog
jherzog@alum.mit.edu
____________________________________________________________________________
TC Officer Roster
____________________________________________________________________________
Chair:
Yong Guan
Iowa State University
Computer Engineering and Information Assurance Center
Ames, IA 50011
(515) 294-8378 (voice)
guan@iastate.edu

Security and Privacy Chair Emeritus:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department, Code CS/IC
Monterey CA 93943-5118
(831) 656-2461 (voice)
irvine@nps.edu

Vice Chair:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Salem, UT 84653
hilarie @purplestreak.com

Chair, Subcommittee on Academic Affairs:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department, Code CS/IC
Monterey CA 93943-5118
(831) 656-2461 (voice)
irvine@nps.edu

Treasurer:
Terry Benzel
USC Information Sciences Institute
4676 Admiralty Way, Suite 1001
Los Angeles, CA 90292
(310) 822-1511 (voice)
tbenzel @isi.edu

Chair, Subcomm. on Security Conferences:
Jonathan Millen
The MITRE Corporation, Mail Stop S119
202 Burlington Road Rte. 62
Bedford, MA 01730-1420
781-271-51 (voice)
jmillen@mitre.org

Security and Privacy Symposium 2009 General Chair:
David Du
Department of Computer Science and Engineering
University of Minnesota
Minneapolis, MN 55455
oakland09-chair@ieee-security.org

Newsletter Editor:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Salem, UT 84653
cipher-editor@ieee-security.org
________________________________________________________________________
BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year