============================================================================
              Newsletter of the IEEE Computer Society's
                    TC on Security and Privacy
                        Electronic Issue 87
                        November 17, 2008

Hilarie Orman, Editor                       Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org           cipher-assoc-editor @ ieee-security.org

Yong Guan, Book Review Editor               Calendar Editor
cipher-bookrev @ ieee-security.org          cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * News
   o Essay contest announced by Lawrence Gordon, University of Maryland
   o NIST Recommendation for Key Derivation Using Pseudorandom Functions (SP 800-108) published
   o NIST revision of the Digital Signature Standard (draft FIPS 186-3), request for comments
 * Commentary and Opinion
   o Richard Austin's review of Fuzzing for Security Testing and Quality Assurance
     by Ari Takanen, Jared D. Demott and Charles Miller
 * Conference and Workshop Announcements
   o Calendar
   o Upcoming calls-for-papers and events
 * List of Computer Security Academic Positions, by Cynthia Irvine
   o Faculty position, Naval Postgraduate School, Monterey, California
 * Staying in Touch
   o Information for subscribers and contributors
   o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
   o Becoming a member of the TC
   o TC Officers
   o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

For those of you looking for something positive in the news, this issue of Cipher describes a new essay contest with a monetary prize, courtesy of Lawrence Gordon.
The economy is going to be the ultimate judge of computer security. Is it cost effective, is it a worthwhile expense in hard times? The coming months will winnow the technology, but how will the downturn affect research spending? As research contracts in our field end, will new money be available? This is a critical question for the future of the field.

Speaking for the IEEE Technical Committee on Security and Privacy, I'd like to point out that economic downturns usually hit travel budgets hard, and conference attendance will probably decline. Don't let it happen through apathy. This is the time to make sure that your organization knows that your top choice for a 2009 professional meeting will be either the Security and Privacy Symposium in May or the Computer Security Foundations Symposium in July. If your company is doing well enough to support student travel or a workshop at one of the symposia, get it into the budget now and let the organizers know.

Looking forward to recovery in 2010, make note that the Security and Privacy Symposium will celebrate its 30th anniversary with special events. You'll want to be there.

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

11/08/08, announcement,
http://www.rhsmith.umd.edu/news/stories/2008/gordonprize.aspx

From Lawrence A. Gordon, Ph.D. (http://www.rhsmith.umd.edu/faculty/lgordon/):

Several months ago I made a decision to endow a Prize for the best essay on the topic of "Managing Cybersecurity Resources." The story, including the process by which one can apply for the Prize, can now be found at:
http://www.rhsmith.umd.edu/news/stories/2008/gordonprize.aspx
My commitment to endow the Prize is part of the University of Maryland's (and the Smith Business School's) Great Expectations Campaign. My initial commitment is for $25K; the goal is to get the total Endowment for the Prize up to $100K.

--------------------------------------------------------------------

November 8, 2008, NIST SP 800-108 published
http://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf

Dear Colleagues:

NIST Special Publication 800-108, Recommendation for Key Derivation Using Pseudorandom Functions, is published at this URL. Thank you very much for your valuable comments during the public comment period.

Regards,
Lily Chen

--------------------------------------------------------------------

NIST request for comments on draft FIPS 186-3

As stated in the Federal Register of November 12, 2008, NIST requests final comments on FIPS 186-3, the proposed revision of FIPS 186-2, the Digital Signature Standard. The draft defines methods for digital signature generation that can be used for the protection of messages, and for the verification and validation of those digital signatures using DSA, RSA and ECDSA. Please submit comments to ebarker@nist.gov with "Comments on Draft 186-3" in the subject line. The comment period closes on December 12, 2008.

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at
http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________

Book Review By Richard Austin
11/13/08

Fuzzing for Security Testing and Quality Assurance
by Ari Takanen, Jared D. Demott and Charles Miller
Artech House 2008.
ISBN 978-1-59693-214-2
Amazon.com USD63.20
____________________________________________________________________

Fuzzing is attracting a lot of attention these days for the practical reason that its purpose "is to find new, previously undetected flaws" (p. 72). Since fuzzing can be used quite effectively with closed-source proprietary software, it is not too surprising that many recent vulnerabilities in widely-deployed software have been discovered through fuzzing. This book is unique in that it both provides an introduction to fuzzing and also provides solid guidance on how fuzzers should be used in a testing and QA program.

The authors open with an introductory chapter that sets the stage for the remainder of the book by providing a good summary of software security, software quality (and the various types of testing) as well as a whirlwind introduction to fuzzers and fuzzing.

The second chapter is devoted to software vulnerability analysis and covers the common types of security-relevant defects in software (buffer overflows, race conditions and so on) as well as the various types of people (and their motivations) who look for and analyze software vulnerabilities.

Chapter three is devoted to software quality assurance and testing and provides a solid grounding in the general types and purposes of testing.

The fourth chapter, "Fuzzing Metrics", is a gem as it tackles a very important point: if you're convinced that fuzzing would be a great benefit to your organization, how can you explain this to management and demonstrate this benefit on an ongoing basis using metrics?

The fifth chapter, "Building and Classifying Fuzzers", delves into the details of the different types of fuzzers and how they work. It provides an excellent roadmap to the fuzzing world and concise descriptions of its major denizens.

Chapter 6 on "Target Monitoring" covers the challenging question: when a fuzzer finds something, how will you know?
The authors take a solid, practical approach of describing major vulnerability classes and the likely observable results when a fuzzer uncovers an example.

The seventh chapter on "Advanced Fuzzing" examines current research that will shape future generations of fuzzers. Tantalizing glimpses of research prototypes reveal that fuzzing is still an active area with significant advances still "in the pipeline".

Chapter 8, "Fuzzer Comparison", provides good guidance on how you can compare different types of fuzzers when deciding which is most appropriate for your purposes. Open-source as well as commercial fuzzers are examined under a solid and balanced evaluation framework.

The final chapter, "Fuzzing Case Studies", has a series of walkthroughs in how fuzzing is used in areas ranging from firewalls to network devices to SCADA systems.

This book is a welcome addition in the area of fuzzing because it goes beyond the typical items such as "What is a fuzzer?" and "What kinds of fuzzers are there?" to offer practical advice on how fuzzers should be used as regular parts of a security testing and software quality assurance program in order to achieve the best results (whether those be eliminating the vulnerabilities before the product ships or identifying the vulnerabilities before the product is deployed in production). The chapter on metrics is especially welcome for demonstrating that this new technology is becoming more and more critical as budgets shrink and come under increasing scrutiny.

This book is a definite "recommended read" for security professionals who have heard something about fuzzing and want to dig deeper to see how it could be used effectively in their own organization.

------
Before beginning life as an itinerant university instructor and cybersecurity consultant, Richard Austin was the storage network security architect for a Fortune 25 company.
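As an added illustration that is not part of Austin's review or of the book, the following Python sketch puts together the two pieces the review keeps returning to: a mutation fuzzer that generates test cases from a seed input, and a target monitor that tells you when one of them has found something and buckets the finding so that repeated hits on the same defect are not triaged twice. The target here is a constructed toy tag-length-value parser with deliberate defects, run in-process, so that Python exceptions stand in for the crash signals (fatal signals, debugger stops, sanitizer reports, log lines) a real monitor would watch on a closed-source binary; the parser, the seed and all names are the example's own.

```python
"""Minimal mutation fuzzer with a target monitor (added example; not from the book)."""
import random
import traceback
from dataclasses import dataclass


# Constructed target with deliberate defects (the thing being fuzzed, not a real
# protocol): a tag-length-value record parser that trusts the length byte and
# divides by an attacker-controlled field.
def parse_records(data: bytes) -> list:
    records = []
    i = 0
    while i < len(data):
        tag = data[i]
        length = data[i + 1]                 # defect: no check that byte i + 1 exists
        value = data[i + 2:i + 2 + length]
        if tag == 0x02:
            records.append(("ratio", 100 // value[0]))   # defect: empty value or zero
        else:
            records.append((tag, value))
        i += 2 + length
    return records


INTERESTING = (0x00, 0x01, 0x7F, 0x80, 0xFF)   # classic boundary bytes


def mutate(rng: random.Random, data: bytes) -> bytes:
    """Apply one random mutation to non-empty `data`; the result is never empty."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0:                                  # flip one bit
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1:                                # overwrite one byte with a boundary value
        buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
    elif op == 2 and len(buf) > 1:               # truncate, keeping at least one byte
        del buf[rng.randrange(1, len(buf)):]
    else:                                        # duplicate a random slice in place
        start = rng.randrange(len(buf) + 1)
        end = rng.randrange(start, len(buf) + 1)
        buf[end:end] = buf[start:end]
    return bytes(buf)


@dataclass
class Finding:
    kind: str            # exception type; stands in for the crash signal
    site: str            # function:line where it fired; the triage bucket
    count: int = 0
    reproducer: bytes = b""


def monitor(target, data: bytes):
    """Run one case; return (kind, site) if the target failed, else None.

    Against a real closed-source target this is where the exit signal, debugger
    state, sanitizer output or log lines would be inspected instead."""
    try:
        target(data)
    except Exception as exc:
        frame = traceback.extract_tb(exc.__traceback__)[-1]   # innermost frame
        return type(exc).__name__, f"{frame.name}:{frame.lineno}"
    return None


def fuzz(target, seed: bytes, iterations: int, rng_seed: int = 1) -> dict:
    """Mutate `seed`, run every case under the monitor, bucket unique crashes."""
    assert seed, "seed must be non-empty"
    rng = random.Random(rng_seed)                # fixed seed: the campaign is replayable
    findings = {}
    for _ in range(iterations):
        case = seed
        for _ in range(rng.randint(1, 3)):       # stack a few mutations per case
            case = mutate(rng, case)
        key = monitor(target, case)
        if key is None:
            continue
        bucket = findings.setdefault(key, Finding(kind=key[0], site=key[1]))
        bucket.count += 1
        if not bucket.reproducer or len(case) < len(bucket.reproducer):
            bucket.reproducer = case             # keep the shortest reproducer per bucket
    return findings


if __name__ == "__main__":
    SEED = b"\x01\x03abc\x02\x01\x05"            # constructed valid input: two records
    for finding in fuzz(parse_records, SEED, 2000).values():
        print(f"{finding.kind:<18} {finding.site:<20} hits={finding.count:<4} "
              f"repro={finding.reproducer!r}")
```

The bucket key (failure kind plus the site that raised it) is what separates "the fuzzer found something" from "the fuzzer found something new": the truncation mutator alone hits the parser's unchecked length read and its empty-value read as two distinct buckets, while the boundary-byte mutator hits the zero divisor. Two caveats a practitioner should keep in mind: in-process exception catching is the weakest possible monitor (it sees nothing of memory corruption that does not raise, and nothing of hangs, which need a timeout), and bucketing by crash site is a heuristic, since one bug can surface at several sites and several bugs can share one.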
Richard Austin welcomes your thoughts and comments at rda7838 at Kennesaw dot edu

====================================================================
Conference and Workshop Announcements
====================================================================

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events
maintained by Hilarie Orman

Date (Month/Day/Year), Event, Location, web page for more info.

11/18/08-11/20/08: Symposium on Trusted Computing (TrustCom), Zhang Jia Jie, China;
    info: csgjwang AT gmail.com, http://trust.csu.edu.cn/conference/trustcom2008
11/20/08: Security Practice and Experience Conference (ISPEC), Xian, China;
    Submissions are due, http://www.ispec2009.net/
11/22/08: Symposium on Identity and Trust on the Internet (IDtrust), Gaithersburg, MD;
    Submissions are due, http://middleware.internet2.edu/idtrust/
11/22/08: Applications of Logic in Computer Security (ALICS), Doha, Qatar,
    http://chacs.nrl.navy.mil/projects/ALICS08/
11/25/08-11/27/08: Workshop on Security (IWSEC), Kagawa, Japan, http://www.iwsec.org
11/30/08-12/ 4/08: IEEE Computer and Communications Network Security Symposium (Globecom),
    New Orleans, LA; info: abderrahim.benslimane@univ-avignon.fr, http://www.IEEE-Globecom.org/2008
11/30/08: Service, Security and its Data management technologies in Ubi-comp (SSDU),
    Geneva, Switzerland; Submissions are due; info: robertchh@gmail.com, http://www.sersc.org/SSDU2009
12/ 9/08-12/12/08: Workshop on Dependable and Secure
    Services Computing (DSSC), Yilan, Taiwan, http://6book.niu.edu.tw/DSSC08
12/ 8/08-12/12/08: Annual Computer Security Applications Conference (ACSAC), Anaheim, CA,
    http://www.acsac.org
12/14/08-12/17/08: Information Security and Cryptology (Inscrypt), Beijing, China,
    http://www.inscrypt.cn/
12/15/08: Mobile and Wireless Networks Security (MWNS), Aachen, Germany; Submissions are due;
    info: MWNS2009@gmail.com, http://www.networking-2009.org/calls/MWNS.html
12/16/08-12/20/08: Information Systems Security (ICISS), Hyderabad, India,
    http://www.seclab.cs.sunysb.edu/iciss08/
 1/09/09: Automated Reasoning for Security Protocol Analysis and Issues in the Theory of
    Security (ARSPA-WITS), York, UK; Submissions are due, http://www.avantssar.eu/arspa-wits09/
 1/12/09: Applied Cryptography and Network Security (ACNS), Paris, France; Submissions are due,
    http://acns09.di.ens.fr/
 1/15/09: IEEE Security and Privacy Magazine, Issue on Securing the Domain Name System
    (SI-SPMag-DNS); Submissions are due, http://www.computer.org/portal/site/security
 2/ 1/09: Information Hiding (IH), Darmstadt, Germany; Submissions are due,
    http://www.ih09.tu-darmstadt.de/
 2/ 2/09: Information Security and Privacy (ISP), Orlando, FL; Submissions are due; (NP),
    http://www.promoteresearch.org/2009/isp/index.html
 2/ 4/09: USENIX-SECURITY, 18th USENIX Security Symposium, Montreal, Canada; Submissions are due,
    http://www.usenix.org/events/sec09/cfp/
 2/ 6/09: Computer Security Foundations Symposium (CSF), Port Jefferson, NY; Submissions are due,
    http://www.cs.sunysb.edu/csf09/
 2/ 8/09- 2/11/09: Network and Distributed System Security Symposium (NDSS), San Diego, CA,
    http://www.isoc.org/isoc/conferences/ndss/09/cfp.shtml
 2/15/09: IEEE Transactions on Information Forensics and Security: Special Issue
    (SI-IEEE-TransIFS-Voting),
    http://www.signalprocessingsociety.org/publications/periodicals/forensics/forensics-authors-info/
 2/23/09- 2/26/09: Financial Cryptography and
    Data Security (FC), Barbados, http://fc09.ifca.ai/cfp.html
 3/ 1/09: IEEE Transactions on Instrumentation and Measurement, Special Issue on Biometric
    Instrumentation and Measurement (SI-IEEE-TIM-Biometrics); Submissions are due;
    info: fabio.scotti@unimi.it, http://www.dti.unimi.it/~piuri/pages/TIM-SpecialIssueBiometricIMCFP.pdf
 3/02/09: Policies for Distributed Systems and Networks (POLICY), Imperial College, London, UK;
    Submissions are due, http://ieee-policy.org
 3/16/09- 3/19/09: Availability, Reliability and Security (ARES), Fukuoka, Japan,
    http://www.ares-conference.eu
 3/16/09- 3/19/09: Secure Software Engineering (SecSE), Fukuoka, Japan, http://www.sintef.no/secse
 3/18/09- 3/20/09: Practice and Theory in Public Key Cryptography (PKC), Irvine, CA,
    http://www.iacr.org/workshops/pkc2009/
 3/26/09- 3/27/09: Information Warfare and Security (ICIW), Cape Town, South Africa; BP,
    http://www.jinfowar.com
 3/28/09- 3/29/09: Automated Reasoning for Security Protocol Analysis and Issues in the Theory
    of Security (ARSPA-WITS), York, UK, http://www.avantssar.eu/arspa-wits09/
 4/13/09- 4/15/09: Security Practice and Experience Conference (ISPEC), Xian, China,
    http://www.ispec2009.net/
 4/14/09- 4/16/09: Symposium on Identity and Trust on the Internet (IDtrust), Gaithersburg, MD,
    http://middleware.internet2.edu/idtrust/
 5/ 4/09- 5/ 8/09: Service, Security and its Data management technologies in Ubi-comp (SSDU),
    Geneva, Switzerland; info: robertchh@gmail.com, http://www.sersc.org/SSDU2009
 5/15/09: Mobile and Wireless Networks Security (MWNS), Aachen, Germany;
    info: MWNS2009@gmail.com, http://www.networking-2009.org/calls/MWNS.html
 5/17/09- 5/20/09: Symposium on Security and Privacy (IEEE S&P), Berkeley, California;
    info: oakland09-pcchairs@cs.virginia.edu, http://oakland09.cs.virginia.edu/
 6/ 2/09- 6/ 5/09: Applied Cryptography and Network Security (ACNS), Paris, France,
    http://acns09.di.ens.fr/
 6/ 7/09- 6/10/09: Information Hiding (IH), Darmstadt, Germany,
    http://www.ih09.tu-darmstadt.de/
 7/ 8/09- 7/10/09: Computer Security Foundations Symposium (CSF), Port Jefferson, NY,
    http://www.cs.sunysb.edu/csf09/
 7/13/09- 7/16/09: Information Security and Privacy (ISP), Orlando, FL; (NP),
    http://www.promoteresearch.org/2009/isp/index.html
 7/20/09- 7/22/09: Policies for Distributed Systems and Networks (POLICY), Imperial College,
    London, UK, http://ieee-policy.org
 8/12/09- 8/14/09: USENIX-SECURITY, 18th USENIX Security Symposium, Montreal, Canada,
    http://www.usenix.org/events/sec09/cfp/
 5/16/10- 5/19/10: Security and Privacy, Berkeley/Oakland, CA
 5/22/11- 5/25/11: Security and Privacy, Berkeley/Oakland, CA

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers (new since 86)
____________________________________________________________________

IDtrust 2009
8th Symposium on Identity and Trust on the Internet, Gaithersburg, Maryland, USA, April 14-16, 2009.
http://middleware.internet2.edu/idtrust/
(Submissions due 17 November 2008)

IDtrust is devoted to research and deployment experience related to making good security decisions based on identity information, especially when public key cryptography is used and the human elements of usability are considered. The success of any business strategy depends on having the right people gain access to the right information at the right time. This implies that an IT infrastructure has, among other things, an authorization framework in place that can respond to dynamic security conditions and regulatory requirements quickly, flexibly and securely. What are the authorization strategies that will succeed in the next decade? What technologies exist to address complex requirements today? What research are academia and industry pursuing to solve the problems likely to show up in the next few years? We solicit technical papers and panel proposals from researchers, systems architects, vendor engineers, and users.
Suggested topics include but are not limited to:
- Reports of real-world experience with the use and deployment of identity and trust applications for broad use on the Internet (where the population of users is diverse) and within enterprises who use the Internet (where the population of users may be more limited), how best to integrate such usage into legacy systems, and future research directions. Reports may include use cases, business case scenarios, requirements, best practices, implementation and interoperability reports, usage experience, etc.
- Identity management protocols (SAML, Liberty, CardSpace, OpenID, and PKI-related protocols)
- Identity metasystems, frameworks, and systems (Shibboleth, Higgins, etc.)
- User-centric identity, delegation, reputation
- Identity and Web 2.0, secure mash-ups, social networking, trust fabric and mechanisms of "invited networks"
- Identity management of devices from RFID tags to cell phones; Host Identity Protocol (HIP)
- Federated approaches to trust
- Trust management across security domains
- Standards related to identity and trust, including X.509, SPKI/SDSI, PGP, S/MIME, XKMS, XACML, XRML, and XML signatures
- Intersection of policy-based systems, identity, and trust; identity and trust policy enforcement, policy and attribute mapping and standardization
- Attribute management, attribute-based access control
- Trust path building and certificate validation in open and closed environments
- Improved usability of identity and trust systems for users and administrators, including usability design for authorization and policy management, naming, signing, verification, encryption, use of multiple private keys, and selective disclosure
- Identity and privacy
- Levels of trust and assurance
- Trust infrastructure issues of scalability, performance, adoption, discovery, and interoperability
- Use of PKI in emerging technologies (e.g., sensor networks)
- Application domain requirements: web services, grid technologies,
  document signatures (including signature validity over time), data privacy, etc.

-------------------------------------------------------------------------

ISPEC 2009
5th Information Security Practice and Experience Conference, Xi'an, China, April 13-15, 2009.
http://www.ispec2009.net/
(Submissions due 20 November 2008)

As applications of information security technologies become pervasive, issues pertaining to their deployment and operation are becoming increasingly important. ISPEC is an annual conference that brings together researchers and practitioners to provide a confluence of new information security technologies, their applications and their integration with IT systems in various vertical sectors.

Topics of interest include, but are not limited to:
- Applications of cryptography
- Critical infrastructure protection
- Digital rights management
- Information security in vertical applications
- Legal and regulatory issues
- Network security
- Privacy and anonymity
- Privacy issues in the use of smart cards and RFID systems
- Risk evaluation and security certification
- Resilience and availability
- Secure system architectures
- Security in e-commerce and e-business and other applications
- Security policy
- Security standards activities
- Trusted Computing
- Trust model and management
- Usability aspects of information security systems

-------------------------------------------------------------------------

SSN 2009
5th International Workshop on Security in Systems and Networks, held in conjunction with the International Parallel and Distributed Processing Symposium (IPDPS 2009), Rome, Italy, May 29, 2009.
http://www4.comp.polyu.edu.hk/~csbxiao/ssn09/
(Submissions due 28 November 2008)

This workshop aims to bring together technologies and researchers who share an interest in the area of network and distributed system security. The main purpose is to promote discussion of research and relevant activities in security-related subjects.
It also aims at increasing the synergy between academic and industry professionals working in this area. The workshop seeks theoretical, experimental, and work-in-progress papers in the area of cybersecurity at the system and network levels.

Topics covered by the workshop will include, but are not limited to, the following:
- Ad hoc and sensor network security
- Cryptographic algorithms and distributed digital signatures
- Distributed denial of service attacks
- Distributed intrusion detection and protection systems
- Firewall and distributed access control
- Grid computing security
- Key management
- Network security issues and protocols
- Mobile code security and Internet worms
- Security in e-commerce
- Security in peer-to-peer and overlay networks
- Security in mobile and pervasive computing
- Security architectures in distributed and parallel systems
- Security theory and tools in distributed and parallel systems
- Video surveillance and monitoring systems
- Information hiding and multimedia watermarking in distributed systems
- Web content secrecy and integrity

-------------------------------------------------------------------------

SSDU 2009
3rd International Symposium on Service, Security and its Data management technologies in Ubi-comp, Geneva, Switzerland, May 4-8, 2009.
http://www.sersc.org/SSDU2009/
(Submissions due 30 November 2008)

Ubiquitous Computing (Ubi-comp) is rapidly emerging as an exciting new paradigm: a user-centric environment that provides computing and communication services at any time and anywhere. Realizing its advantages requires integrating security, services and data management in ways suited to Ubi-com. However, many problems and major challenges remain to be solved, such as the security risks in ubiquitous resource sharing, which arise when data resources are connected to and accessed by anyone in Ubi-com.
More secure and intelligent mechanisms for Ubi-com therefore need to be explored. SSDU-09 is intended to foster the dissemination of state-of-the-art research in the area of integrating security and intelligence into Ubi-com and data management technology.

The main topics include but will not be limited to:
- Context-Awareness and its Data mining for Ubi-com service
- Human-Computer Interface and Interaction for Ubi-com
- Smart Homes and its business model for Ubi-com service
- Intelligent Multimedia Service and its Data management for Ubi-com
- USN / RFID for Ubi-com service
- Network security issues, protocols, data security in Ubi-com
- Database protection for Ubi-com
- Privacy Protection and Forensics in Ubi-com
- Multimedia Security in Ubi-com
- Authentication and Access control for data protection in Ubi-com
- Service, Security and its Data management for U-commerce
- New novel mechanisms and Applications for Ubi-com

-------------------------------------------------------------------------

Security and Communication Networks Journal, Special Issue on Security and Trust Management for Dynamic Coalitions
http://www.iit.cnr.it/staff/fabio.martinelli/STM-DC.pdf
(Submissions due 30 November 2008)

Guest editors: Theo Dimitrakos (British Telecommunications plc, UK), Fabio Martinelli (Institute of Informatics and Telematics, National Research Council, Italy), and Bruce Schneier (British Telecommunications plc, USA)

There is increasing interest in, and deployment of, technologies that allow cooperation among entities that may act collectively. These entities may form dynamic coalitions in which entities may leave and join, may show mobility aspects (either logical or physical), and may act in a collective manner.
Examples of these coalitions can be found in the digital world, including:
a) Crowds of users walking on the streets with advanced context-aware converged telecommunication devices;
b) A group of robots, manned and unmanned vehicles equipped with processors, sensors, smartphones, etc. interacting with each other, with their environment, and with a command or a control node, such as the command and control site of a defence coalition or a civil traffic control;
c) A set of organizations (possibly virtual) sharing some resource for service provision, or so-called Virtual Organisations;
d) Collaborative processes that use resources and services offered by partners in a Virtual Organisation; and
e) Web 2.0 mash-ups and composite Web Services that are composed of services and applications offered by different service providers over a public network.

These dynamic coalitions involve several technologies such as peer-to-peer systems (P2P), mobile ad hoc networks (MANETs), and service-oriented architectures such as those realised in GRID computing and Web Services frameworks. Several research areas are identified: a) security in dynamic coalitions; b) trust in dynamic coalitions; c) security and trust interplay; and d) secure processes and service composition. This special issue is proposed to cover research results and innovation case studies on security and trust management in dynamic coalitions.
Topics of interest include but are not limited to:
- Semantics and computational models for security and trust in dynamic coalitions
- Context-based security and trust management architectures, mechanisms and policies
- Privacy and anonymity issues in trust negotiation
- Enforcing cooperation in dynamic coalitions
- Reputation and recommendation models and architectures for dynamic coalitions
- Usage control models, languages and architectures in dynamic coalitions
- Cryptographic models and mechanisms for dynamic coalitions
- Security protocols for group management
- Security for Service Oriented Architectures and Infrastructures
- Collaboration and Virtual Organization life-cycle management in dynamic coalitions
- Federated Identity Management in dynamic coalitions
- Distributed Access Control and administrative delegation in dynamic coalitions
- Policy verification and validation to predict the impact of changes to an infrastructure, in support of the life-cycle of a dynamic coalition
- QoS monitoring, evaluation and reporting in dynamic coalitions
- Auditing in dynamic coalitions
- Trust and security in ICT Governance and service management for dynamic coalitions
- Security frameworks for dynamic service composition
- Security frameworks for Web 2.0 service and application mash-ups
- Security and trust adaptation in dynamic coalitions
- Information management in dynamic coalitions, including research in techniques for self-protecting information sets
- Trust and security aspects of Operational Support Systems (OSS) for the converged telecommunications infrastructure that underpins dynamic coalitions

-------------------------------------------------------------------------

IFIP-CIP 2009
Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, Hanover, New Hampshire, USA, March 22-25, 2009.
http://www.ifip1110.org
(Submissions due 31 December 2008)

The IFIP Working Group 11.10 on Critical Infrastructure Protection is an active international community of researchers, infrastructure operators and policy-makers dedicated to applying scientific principles, engineering techniques and public policy to address current and future problems in information infrastructure protection. Papers are solicited in all areas of critical infrastructure protection.

Areas of interest include, but are not limited to:
- Infrastructure vulnerabilities, threats and risks
- Security challenges, solutions and implementation issues
- Infrastructure sector interdependencies and security implications
- Risk analysis and risk assessment methodologies
- Modeling and simulation of critical infrastructures
- Legal, economic and policy issues related to critical infrastructure protection
- Secure information sharing
- Infrastructure protection case studies
- Distributed control systems/SCADA security
- Telecommunications network security

-------------------------------------------------------------------------

ACNS 2009
7th International Conference on Applied Cryptography and Network Security, Paris, France, June 2-5, 2009.
http://acns09.di.ens.fr/
(Submissions due 12 January 2009)

ACNS is an annual conference concentrating on current developments that advance the areas of applied cryptography and its application to systems and network security. The goal is to represent both academic research works as well as developments in industrial and technical frontiers. Original research papers pertaining to all aspects of cryptography and network security are solicited for submission to ACNS'09.
Relevant topics include but are not limited to:
- Applied cryptography and provably-secure cryptographic protocols
- Design and analysis of efficient cryptographic primitives: public-key and symmetric-key cryptosystems, block ciphers, and hash functions
- Network security protocols
- Techniques for anonymity; trade-offs between anonymity and utility
- Integrating security into the next-generation Internet: DNS security, routing, naming, denial-of-service attacks, TCP/IP, secure multicast
- Economic fraud on the Internet: phishing, pharming, spam, and click fraud
- Email and web security
- Public key infrastructure, key management, certification, and revocation
- Security and privacy for emerging technologies: sensor networks, mobile (ad hoc) networks, peer-to-peer networks, Bluetooth, 802.11, RFID
- Trust metrics and robust trust inference in distributed systems
- Security and usability
- Intellectual property protection: metering, watermarking, and digital rights management
- Modeling and protocol design for rational and malicious adversaries
- Automated analysis of protocols

-------------------------------------------------------------------------

SECURWARE 2009
3rd International Conference on Emerging Security Information, Systems and Technologies, Athens, Greece, June 14-19, 2009.
http://www.iaria.org/conferences2009/SECURWARE09.html
(Submissions due 20 January 2009)

SECURWARE 2009 is an event covering theory and practice in security, cryptography, secure protocols, trust, privacy, confidentiality, vulnerability, intrusion detection and other areas related to law enforcement, security data mining, malware models, etc.
SECURWARE 2009 Special Areas (details in the CfP on site) are:
- ARCH: Security frameworks, architectures and protocols
- SECMAN: Security management
- SECTECH: Security technologies
- SYSSEC: System security
- INFOSEC: Information security
- MALWA: Malware and Anti-malware
- ANTIFO: Anti-forensics
- PRODAM: Profiling data mining
- SECHOME: Smart home security
- SECDYN: Security and privacy in dynamic environments
- ECOSEC: Ecosystem security and trust
- CRYPTO: Cryptography
- CYBER-Threat

-------------------------------------------------------------------------

IH 2009
11th Information Hiding Workshop, Darmstadt, Germany, June 7-10, 2009.
http://www.ih09.tu-darmstadt.de/
(Submissions due 1 February 2009)

For many years, Information Hiding has captured the imagination of researchers: digital watermarking and steganography protect information, conceal secrets or are used as core primitives in Digital Rights Management schemes; steganalysis and digital forensics pose important challenges to investigators; and information hiding plays an important role in anonymous communication systems. These are but a small number of related topics and issues.

Current research themes include:
- Anonymous communication and privacy
- Low probability of intercept communications
- Digital forensics
- Covert/subliminal channels
- Steganography and steganalysis
- Watermarking algorithms and applications
- Security aspects of watermarking
- Novel data hiding domains
- Multimedia and document security
- Novel applications of information hiding

-------------------------------------------------------------------------

MobiSec 2009
1st International Conference on Security and Privacy in Mobile Information and Communication Systems, Turin, Italy, June 3-5, 2009.
http://www.mobisec.org/ (Submissions due 2 February 2009) The convergence of information and communication technology is most palpable in the form of intelligent mobile devices, accompanied by the advent of converged, and next-generation, communication networks. As mobile communication and information processing becomes a commodity, economy and society require protection of this precious resource. MobiSec brings together leading-edge researchers from academia and industry in the field of mobile systems security and privacy, as well as practitioners, standards developers and policymakers. Topics of interest include, but are not limited to the following focus areas: - Security architectures for next-generation, new-generation, and converged communication networks - Trusted mobile devices, hardware security - Network resilience - Threat analyses for mobile systems - Multi-hop authentication and trust - Non-repudiation of communication - Context-aware and data-centric security - Protection and safety of distributed mobile data - Mobile application security - Security for voice and multimedia communication - Machine-to-machine communication security - Trust in autonomic and opportunistic communication - Location based applications security and privacy - Security for the networked home environment - Security and privacy for mobile communities - Mobile emergency communication, public safety - Lawful interception and mandatory data retention - Security of mobile agents and code - Idenity management - Embedded security ------------------------------------------------------------------------- USENIX-SECURITY 2009 18th USENIX Security Symposium, Montreal, Canada, August 12-14, 2009. http://www.usenix.org/events/sec09/cfp/ (Submissions due 4 February 2009) The USENIX Security Symposium brings together researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in the security of computer systems and networks. 
Refereed paper submissions are solicited in all areas relating to systems and network security, including: - Adaptive security and system management - Analysis of network and security protocols - Applications of cryptographic techniques - Attacks against networks and machines - Authentication and authorization of users, systems, and applications - Automated tools for source code analysis - Botnets - Cryptographic implementation analysis and construction - Denial-of-service attacks and countermeasures - File and filesystem security - Firewall technologies - Forensics and diagnostics for security - Hardware security - Intrusion and anomaly detection and prevention - Malicious code analysis, anti-virus, anti-spyware - Network infrastructure security - Operating system security - Privacy-preserving (and compromising) systems - Public key infrastructure - Rights management and copyright protection - Security architectures - Security in heterogeneous and large-scale environments - Security policy - Self-protecting and healing systems - Techniques for developing secure systems - Technologies for trustworthy computing - Usability and security - Virtualization security - Voting systems analysis and security - Web security - Wireless and pervasive/ubiquitous computing security ------------------------------------------------------------------------- ACSISP 2009 14th Australasian Conference on Information Security and Privacy, Brisbane, Australia, July 1-3, 2009. http://conf.isi.qut.edu.au/acisp2009/ (Submissions due 9 February 2009) Original papers pertaining to all aspects of information security and privacy are solicited for submission to the 14th Australasian Conference on Information Security and Privacy (ACISP 2009). 
Papers may present theory, techniques, applications and practical experiences on a variety of topics including: - Cryptology - Mobile communications security - Database security - Authentication and authorization - Secure operating systems - Intrusion detection - Access control - Security management - Security protocols - Network security - Secure commercial applications - Privacy Technologies - Smart cards - Key management and auditing - Mobile agent security - Risk assessment - Secure electronic commerce - Privacy and policy issues - Copyright protection - Security architectures and models - Evaluation and certification - Software protection and viruses - Computer forensics - Distributed system security - Identity management - Biometrics ------------------------------------------------------------------------- IEEE Transactions on Information Forensics and Security, Special Issue on Electronic Voting, December 2009. http://vote.cs.gwu.edu/cfp.html (Submission Due 15 February 2009) Guest editor: Ronald L. Rivest (MIT, USA, Lead Guest Editor), David Chaum (Voting Systems Institute, USA), Bart Preneel (Katholieke Universiteit Leuven, Belgium), Aviel D. Rubin (Johns Hopkins University, USA), Donald G. Saari (University of California at Irvine, USA), and Poorvi L. Vora (The George Washington University, USA) Following the discovery of a wide variety of flaws in electronic voting technology used in the US and other parts of the world, there has recently been a spurt of research activity related to electronic voting. The activity has been broad, ranging from the design of voting systems that specify what information is collected from voters and how it is used to determine one or many winners, through the development of cryptographic vote counting systems and the experimental security analysis of deployed voting systems, the experimental study of the usability of voting systems, to the development of methods for identifying election fraud. 
Most of the work has of necessity been interdisciplinary, involving contributions from experts in the areas of cryptography, computer security, information theory, political science, statistics, usability, game theory, mathematical modeling, etc. This special issue aims to provide an overview of the research area of electronic voting, with a focus on original results. The scope includes both remote and polling-place voting, and the areas of interest include, but are not limited to, the following: - Voting theory, including voting models - Cryptographic voting systems - Formal security analysis of voting systems - Experimental security analysis of voting systems - Evaluations and ratings of voting systems - Usability and accessibility of voting systems - History of voting technology - Components building-blocks of voting systems, such as anonymous voting channels and secure bulletin boards - Fraud/anomaly detection in elections - Political districting and the allocation of voting technology ------------------------------------------------------------------------- SECRYPT 2009 International Conference on Security and Cryptography, Milan, Italy, July 7-10, 2009. http://www.secrypt.org/ (Submissions due 17 February 2009) The purpose of SECRYPT 2009 is to bring together researchers, engineers and practitioners interested on information systems and applications in the context of wireless networks and mobile technologies. 
Topics of interest include, but are not limited to, provided they fit in one of the following main topic areas: Area 1: Access Control and Intrusion Detection - Intrusion Detection and Vulnerability Assessment - Authentication and Non-repudiation - Identification and Authentication - Insider Threats and Countermeasures - Intrusion Detection & Prevention - Identity and Trust Management - Biometric Security - Trust models and metrics - Regulation and Trust Mechanisms - Data Integrity - Models for Authentication, Trust and Authorization - Access Control in Computing Environments - Multiuser Information Area 2: Network Security and Protocols - IPsec, VPNs and Encryption Modes - Service and Systems Design and QoS Network Security - Fairness Scheduling and QoS Guarantee - Reliability and Dependability - Web Performance and Reliability - Denial of Service and Other Attacks - Data and Systems Security - Data Access & Synchronization - GPRS and CDMA Security - Mobile System Security - Ubiquitous Computing Security - Security in Localization Systems - Sensor and Mobile Ad Hoc Network Security - Wireless Network Security (WiFi, WiMAX, WiMedia and Others) - Security of GSM/GPRS/UMTS Systems - Peer-to-Peer Security - e-Commerce Protocols and Micropayment Schemes Area 3: Cryptographic Techniques and Key Management - Smart Card Security - Public Key Crypto Applications - Coding Theory and Practice - Spread Spectrum Systems - Speech/Image Coding - Shannon Theory - Stochastic Processes - Quantum Information Processing - Mobile Code & Agent Security - Digital Rights Management Area 4: Information Assurance - Planning Security - Risk Assessment - Security Area Control - Organizational Security Policies and Responsibility - Security Through Collaboration - Human Factors and Human Behaviour Recognition Techniques - Ethical and Legal Implications - Intrusive, Explicit Security vs. 
Invisible, Implicit Computing - Information Hiding - Information Systems Auditing - Management of Computing Security Area 5: Security in Information Systems - Security for Grid Computing - Secure Software Development Methodologies - Security for Web Services - Security for Databases and Data Warehouses - e-Health - Security Engineering - Security Information Systems Architectures - Security Requirements - Security Metrics - Personal Data Protection - XML Security - Workflow and Business Process Security ------------------------------------------------------------------------- DBSEC 2009 23rd Annual IFIP WG 11.3 Working Conference on Data and Applications Security, Montreal, Canada, July 12-15, 2009. http://www.ciise.concordia.ca/dbsec09/ (Submissions due 20 February 2009) The 23rd Annual IFIP WG 11.3 Working Conference on Data and Applications Security provides a forum for presenting original unpublished research results, practical experiences, and innovative ideas in data and applications security. Papers and panel proposals are also solicited. Papers may present theory, techniques, applications, or practical experience on topics of relevance to IFIP WG 11.3: - Access Control - Applied cryptography in data security - Identity theft and countermeasures - Integrity maintenance - Intrusion detection - Knowledge discovery and privacy - Organizational security - Privacy and privacy-preserving data management - Secure transaction processing - Secure information integration - Secure Semantic Web - Secure sensor monitoring - Secure Web Services - Threats, vulnerabilities, and risk management - Trust management ------------------------------------------------------------------------- ACM Transactions on Autonomous and Adaptive Systems, Special Issue on Adaptive Security Systems, 2010. 
http://nss.cqu.edu.au/FCWViewer/getFile.do?id=23880 (Submission Due 15 March 2009) Guest editor: Yang Xiang (Central Queensland University, Australia) and Wanlei Zhou (Deakin University, Australia) This special issue on Adaptive Security Systems in ACM TAAS focuses on autonomous and adaptive security system theories, technologies, and reallife applications. Original papers are solicited for this special issue. Suggested topics include, but are not limited to: Adaptive Security System Theories - Adaptive security architectures, algorithms, and protocols - Autonomic learning mechanisms in security systems - Intelligent attack systems and mechanisms - Interactions between autonomic nodes of security systems - Modeling of adaptive attack and defense mechanisms - Theories in adaptive security systems Adaptive Security System Technologies - Adaptive security systems design - Adaptive security systems implementation - Adaptive intrusion detection/prevention systems - Self-organizing identity management and authentication - Adaptive defense against large-scale attacks - Simulation and tools for adaptive security systems - Adaptive Security System Applications - Benchmark, analysis and evaluation of adaptive security systems - Distributed autonomous access control and trust management - Autonomous denial-of-service attacks and countermeasures - Autonomous wireless security systems - Autonomous secure mobile agents and middleware - Adaptive defense against viruses, worms, and other malicious codes ------------------------------------------------------------------------- ==================================================================== Listing of academic positions available by Cynthia Irvine ==================================================================== Posted October 2008 Naval Postgraduate School Monterey, California Faculty Positions Open until filled http://www.nps.edu/Academics/GSOIS/CS/jobOpportunities.htm -------------- http://cisr.nps.edu/jobscipher.html 
This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil
====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________
SUBSCRIPTIONS: Two options, each with two options:
1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".
   OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)
2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)
To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard
Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html
CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________
Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html
_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________
You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at http://www.computer.org/TCsignup/index.htm
______________________________________________________________________
TC Publications for Sale
______________________________________________________________________
IEEE Security and Privacy Symposium
The 2007 proceedings are available in hardcopy for $30.00, the 28 year CD is $20.00, plus shipping and handling. The 2006 Symposium proceedings and 11-year CD are sold out. The 2005, 2004, and 2003 Symposium proceedings are available for $10 plus shipping and handling. Shipping is $4.00/volume within the US, overseas surface mail is $7/volume, and overseas airmail is $11/volume, based on an order of 3 volumes or less. The shipping charge for a CD is $1 per CD (no charge if included with a hard copy order). Send a check made out to the IEEE Symposium on Security and Privacy to the 2007 treasurer (below) with the order description, including shipping method, and send email to the 2007 Registration Chair (Yong Guan) (oakland07-registration @ ieee-security.org) with the shipping address, please.
Terry Benzel
Treasurer, IEEE Security and Privacy
USC Information Sciences Institute
4676 Admiralty Way
Marina Del Rey, CA 90292
(310) 822-1511

IEEE CS Press
You may order some back issues from IEEE CS Press at http://www.computer.org/cspress/catalog/proc9.htm

Computer Security Foundations Symposium
Copies of the proceedings of the Computer Security Foundations Workshop (now Symposium) are available for $10 each. Copies of proceedings are available starting with year 10 (1997). Photocopy versions of year 1 are also $10. Contact Jonathan Herzog if interested in purchase.
Jonathan Herzog
jherzog@alum.mit.edu
____________________________________________________________________________
TC Officer Roster
____________________________________________________________________________
Chair:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(831) 656-2461 (voice)
irvine@nps.edu

Security and Privacy Chair Emeritus:
Yong Guan
Iowa State University
Computer Engineering and
University and Information
Assurance Center
Ames, IA 50011
(515) 294-8378 (voice)
guan@iastate.edu

Vice Chair:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Salem, UT 84653
hilarie @purplestreak.com

Chair, Subcommittee on Academic Affairs:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department, Code CS/IC
Monterey CA 93943-5118
(831) 656-2461 (voice)
irvine@nps.edu

Treasurer:
Terry Benzel
USC Information Sciences Intnl
4676 Admiralty Way, Suite 1001
Los Angeles, CA 90292
(310) 822-1511 (voice)
tbenzel @isi.edu

Chair, Subcomm. on Security Conferences:
Jonathan Millen
The MITRE Corporation, Mail Stop S119
202 Burlington Road Rte. 62
Bedford, MA 01730-1420
781-271-51 (voice)
jmillen@mitre.org

Security and Privacy Symposium 2009 General Chair:
David Du
Department of Computer Science and Engineering
University of Minnesota
Minneapolis, MN 55455
oakland09-chair@ieee-security.org

Newsletter Editor:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Salem, UT 84653
cipher-editor@ieee-security.org
________________________________________________________________________
BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year