============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 88                                       January 19, 2009

Hilarie Orman, Editor                      Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org          cipher-assoc-editor @ ieee-security.org

Richard Austin                             Yong Guan
Book Review Editor                         Calendar Editor
cipher-bookrev @ ieee-security.org         cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * Commentary and Opinion
   o NIST Seeks Comments on Wireless Authentication
   o IEEE Dependable and Secure Computing Magazine Seeks Editor-in-Chief
   o MD5 collisions exploited to demonstrate "Rogue Certificate Authorities"
   o Richard Austin's review of "Applied Security Visualization" by Raffael Marty
   o Book reviews, Conference Reports and Commentary and News items from
     past Cipher issues are available at the Cipher website
 * Editor-in-Chief sought for IEEE Transactions on Dependable and Secure Computing
 * Conference and Workshop Announcements
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Staying in Touch
   o Information for subscribers and contributors
   o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
   o Becoming a member of the TC
   o TC Officers
   o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

The widely reported "Rogue CA" demonstration carried out by researchers in
the Netherlands illustrates several things about the current state of
security on the Internet. There is an interesting clash between the rather
fast pace of cryptologic research and the slower pace of changing Internet
practices. The exploit demonstration was foreseeable and inevitable from
the time that an MD5 hash function "collision" was demonstrated several
years ago. Despite the ready availability of replacement functions, MD5
remains in common use as a part of digital signatures and chains of trust
in network browsers. The Internet, so agile and open to innovative
applications, is a quagmire when it comes to erasing security weaknesses.

At the end of February, the National Institute of Standards and Technology
(NIST) will hold a "SHA3" conference in Leuven, Belgium, to begin the
selection process among dozens of candidates for a new hash function
standard. One has to wonder at what date the winning function will be
widely deployed.

In this issue Richard Austin reviews a book on the interesting topic of
security visualization. Though I often suspect that most computers and
networks harbor nightmarish security scenes, I think that most objective
security professionals will welcome this direction in dealing with
security monitoring and assessment.

Finally, never confuse "phishing" with "ghotiing",

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

____________________________________________________________________
NIST Requests Comments on Wireless Network Authentication
____________________________________________________________________

NIST announces the release of draft Special Publication 800-120,
Recommendation for EAP Methods Used in Wireless Network Access
Authentication,
http://csrc.nist.gov/publications/PubsDrafts.html#800-120

This Recommendation specifies security requirements for authentication
methods with key establishment supported by the Extensible Authentication
Protocol (EAP) defined in IETF RFC 3748 for wireless access
authentications to federal networks.

Please submit comments to 800-120comments@nist.gov with "Comments on SP
800-120" in the subject line. The comment period closes on January 30,
2009.

____________________________________________________________________
IEEE Dependable and Secure Computing Magazine Seeks Editor-in-Chief
____________________________________________________________________

Applications are Invited for the Position of Editor-in-Chief for
IEEE Transactions on Dependable and Secure Computing
http://www.computer.org/tdsc

The IEEE Computer Society seeks applicants for the position of
Editor-in-Chief (EIC) of IEEE Transactions on Dependable and Secure
Computing. The initial two-year term of the new EIC is to begin
1 January 2010.

QUALIFICATIONS AND REQUIREMENTS

In general, candidates for all IEEE Computer Society Editor-in-Chief
positions should possess a good understanding of industry, academic, and
government aspects of the specific publication's field.

IEEE Transactions on Dependable and Secure Computing emphasizes research
into foundations, methodologies, and mechanisms that support the
achievement, through design, modeling, and evaluation, of systems and
networks that are dependable and secure to the desired degree without
compromising performance. The focus also includes measurement, modeling,
and simulation techniques, and foundations for jointly evaluating,
verifying, and designing for performance, security, and dependability
constraints.

In addition, candidates must demonstrate the managerial skills necessary
to process manuscripts through the editorial cycle in a timely fashion.
An EIC must be able to attract respected experts to his or her editorial
board. Major responsibilities of the EIC include

 * actively soliciting high-quality manuscripts from potential authors
   and, with support from publication staff, helping these authors to get
   their manuscripts published;
 * identifying and appointing editorial board members, with the
   concurrence of the Publications Board;
 * selecting competent manuscript reviewers, with the help of editorial
   board members, and managing timely reviews of manuscripts;
 * directing editorial board members to seek special-issue proposals and
   manuscripts in specific areas;
 * providing a clear, broad focus through promotion of personal vision
   and guidance where appropriate; and
 * resolving conflicts or problems as necessary.

Applicants should possess recognized expertise in the computer science
and engineering community, have editorial experience, and be able to lead
an active editorial board and work effectively with technical and
publishing professionals. Applicants must have clear employer support.

SEARCH PROCEDURE

Prospective candidates are asked to provide a complete resume or
curriculum vitae, a brief plan (or vision statement) for the
publication's future, and a letter of support from their institution or
employer in electronic form by 2 March 2009. Material should be sent as
PDF files to Jennifer Carruth, jcarruth@computer.org, the staff
coordinator for the IEEE TDSC search, who will coordinate getting all
information to the search committee and its Chair.

____________________________________________________________________
MD5 collisions exploited to demonstrate "Rogue Certificate Authority"
____________________________________________________________________

Researchers in the Netherlands carried out a tour de force of trust
exploitation by capitalizing on a well-known weakness in the MD5 hash
function. Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen
Lenstra, David Molnar, Dag Arne Osvik, and Benne de Weger state:

"We have identified a vulnerability in the Internet Public Key
Infrastructure (PKI) used to issue digital certificates for secure
websites. As a proof of concept we executed a practical attack scenario
and successfully created a rogue Certification Authority (CA) certificate
trusted by all common web browsers. This certificate allows us to
impersonate any website on the Internet, including banking and e-commerce
sites secured using the HTTPS protocol."

See http://www.win.tue.nl/hashclash/rogue-ca/

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference
reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Richard Austin
January 15, 2009
____________________________________________________________________

Applied Security Visualization
by Raffael Marty
Addison-Wesley 2008.
ISBN 978-0-321-51010-5
Amazon.com USD 42.75
Bookpool.com USD 38.95
____________________________________________________________________

As security professionals we are drowning in data: the applications,
servers, routers, and other entities that litter our networks can generate
massive amounts of data that could provide vital information on critical
security questions such as: Are we in compliance with security policy?
Are we under attack? Have we been compromised? Is our "state of security"
getting better or worse? The problem lies in making that leap from raw
data into timely and usable information. Marty takes a mighty whack at
preparing us for that leap.

This is a book about visualizing information (reporting is almost never
mentioned) and its nine chapters provide a firm basis for making usable
sense of the data we already have. The reader will find that the book has
three parts: introductory material on visualization (5 chapters),
applications of visualization to specific security-related use cases
(3 chapters), and a review of visualization tools (one chapter).

The introductory material alone is worth the price of the book. It delves
into exactly what we should mean when we talk about "visualization" and,
most importantly, the things that distinguish a good information
visualization from a bad one.

The first chapter sets the tone by describing what information
visualization is and why it can be such an effective way of communicating
complex information to human decision makers. As Marty notes, most
security professionals have very limited exposure to principles of good
visual design, and he provides a whirlwind introduction to visualization
theory, perception and effective principles of graphical design.

Chapter 2 addresses data sources with all their warts and blemishes. In
addition to cataloging common places where useful data hides in our
infrastructure, he confronts the problems of inconsistent formats, the
need to consolidate data from multiple sources, etc., and shows how these
problems can be solved to provide a solid collection of data in usable
formats to feed the visualization process.

Chapter 3, titled "Visually Representing Data", begins the discussion of
how we should represent data in a visual form. This useful chapter delves
into the types of graphs and, more importantly, the properties that
contribute to making them effective in telling the story of the underlying
data. The chapter ends with a useful summary table that provides solid
guidance in choosing the right graph to match the data and the purpose of
the visualization.

Chapter 4, "Data to Graphs", covers the process of actually making the
transformation from data to graphical representation. Marty describes an
excellent 4-step "Information Visualization Process" to structure this
transformation and illustrates it in application.

In the final introductory chapter, "Visual Security Analysis", Marty
begins the application of good graphical design in the specialized area of
information security. This chapter forms a bridge between the introductory
material and the detailed consideration of three use cases in the
following chapters.

In chapter 6, Marty considers the use case of "Perimeter Threat" and how
visualization can be effectively used in assessing and recognizing threats
at the network perimeter.

Chapter 7 considers the use case of "Compliance" and delves into how data
visualization can provide effective answers to questions about the state
of compliance for an organization.

Chapter 8 considers the thorny use case of "Insider Threat" and how
visualization can help make insider abuse (whether in information theft,
fraud or sabotage) more visible and identifiable.

Chapter 9 concludes the book with a discussion of "Data Visualization
Tools". These tools are pre-installed on the accompanying bootable CD,
where they can be explored without the necessity of downloading and
installing them. Marty calls his customized Linux environment DAVIX (Data
Analysis and Visualization Unix).

In summary, this is a very useful contribution to the process of
transforming the mountains of data we have available into useful
information to both guide and assess our security efforts. Some of the
book will be heavy sledding for the more management-oriented security
professionals (particularly the sections that describe how to use regular
expressions, etc., to parse and rearrange fields in the data), but the
material on visualization theory, characteristics of a good visualization,
etc., is a recommended read for all.

--------
Before beginning life as an itinerant university instructor and
cybersecurity consultant, Richard Austin was the storage network security
architect for a Fortune 25 company. He welcomes your thoughts and comments
at rausti19 at Kennesaw dot edu

====================================================================
Conference and Workshop Announcements
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events
maintained by Hilarie Orman

Date (Month/Day/Year), Event, Locations, web page for more info.
 1/16/09: WNGS, 4th International Workshop on Security, Korea University, Seoul, Korea; http://www.sersc.org/WNGS2009/ Submissions are due
 1/17/09: SADFE, 4th International Workshop on Systematic Approaches to Digital Forensic Engineering, Held in conjunction with the 2009 IEEE Symposium on Security and Privacy (SP 2009), Oakland/Berkeley, CA, USA; http://conf.ncku.edu.tw/sadfe/sadfe09 Submissions are due
 1/19/09: ATC, 6th International Conference on Autonomic and Trusted Computing, Brisbane, Australia; http://www.itee.uq.edu.au/~atc09 Submissions are due
 1/20/09: SECURWARE, 3rd International Conference on Emerging Security Information, Systems and Technologies, Athens, Greece; http://www.iaria.org/conferences2009/SECURWARE09.html Submissions are due
 1/23/09: SACMAT, 14th ACM Symposium on Access Control Models and Technologies, Hotel La Palma, Stresa, Italy; http://www.sacmat.org Submissions are due
 1/25/09- 1/28/09: IFIP-DF, 5th Annual IFIP WG 11.9 International Conference on Digital Forensics, Orlando, Florida, USA; http://www.ifip119.org
 2/ 1/09: IH, 11th Information Hiding Workshop, Darmstadt, Germany; http://www.ih09.tu-darmstadt.de/ Submissions are due
 2/ 2/09: MobiSec, 1st International Conference on Security and Privacy in Mobile Information and Communication Systems, Turin, Italy; http://www.mobisec.org/ Submissions are due
 2/ 4/09: USENIX-SECURITY, 18th USENIX Security Symposium, Montreal, Canada; http://www.usenix.org/events/sec09/cfp/ Submissions are due
 2/ 4/09- 2/ 6/09: ESSoS, International Symposium on Engineering Secure Software and Systems, Leuven, Belgium; http://distrinet.cs.kuleuven.be/events/essos2009/
 2/ 6/09: CSF, 22nd IEEE Computer Security Foundations Symposium, Port Jefferson, New York, USA; http://www.cs.sunysb.edu/csf09/ Submissions are due
 2/ 6/09: DIMVA, 6th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Milan, Italy; http://www.dimva.org/dimva2009 Submissions are due
 2/ 8/09- 2/11/09: NDSS, 16th Annual Network and Distributed System Security Symposium, San Diego, California, USA; http://www.isoc.org/isoc/conferences/ndss/09/
 2/ 9/09: ACSISP, 14th Australasian Conference on Information Security and Privacy, Brisbane, Australia; http://conf.isi.qut.edu.au/acisp2009/ Submissions are due
 2/10/09- 2/13/09: ICIT, IEEE International Conference on Industrial Technology Special Session on Wireless Bluetooth Technologies and Cyber Security, Churchill, Victoria, Australia; http://www.ieee-icit09.org/specialsessions.php
 2/15/09: CTC, Cybercrime and Trustworthy Computing Workshop, Held in conjunction with the 6th International Conference on Autonomic and Trusted Computing (ATC 2009), Brisbane, Australia; http://www.cybercrime.com.au/ctc09 Submissions are due
 2/15/09: IEEE Transactions on Information Forensics and Security, Special Issue on Electronic Voting; http://vote.cs.gwu.edu/cfp.html Submissions are due
 2/17/09: SECRYPT, International Conference on Security and Cryptography, Milan, Italy; http://www.secrypt.org/ Submissions are due
 2/20/09: DBSEC, 23rd Annual IFIP WG 11.3 Working Conference on Data and Applications Security, Montreal, Canada; http://www.ciise.concordia.ca/dbsec09/ Submissions are due
 2/20/09: TrustBus, 6th International Conference on Trust, Privacy, and Security in Digital Business, Held in conjunction with the 20th International Conference on Database and Expert Systems Applications (DEXA 2009), Linz, Austria; http://www.icsd.aegean.gr/trustbus2009/ Submissions are due
 2/23/09- 2/26/09: FC, 13th International Conference on Financial Cryptography and Data Security, Accra Beach, Barbados; http://fc09.ifca.ai/
 2/25/09- 2/28/09: SHA-3, 1st SHA-3 Candidate Conference, Leuven, Belgium; http://csrc.nist.gov/groups/ST/hash/sha-3/index.html
 3/ 2/09: POLICY, IEEE International Symposium on Policies for Distributed Systems and Networks, Imperial College London, UK; http://ieee-policy.org Submissions are due
 3/ 8/09- 3/12/09: SAC-TREK, 24th ACM Symposium on Applied Computing (SAC 2009), Trust, Reputation, Evidence and other Collaboration Know-how (TRECK) Track, Honolulu, Hawaii, USA; http://tech.groups.yahoo.com/group/trustcomp/
 3/ 8/09- 3/12/09: SAC-SEC, 24th ACM Symposium on Applied Computing (SAC 2009), Computer Security Track, Honolulu, Hawaii, USA; http://www.dmi.unict.it/~giamp/sac/09cfp.html
 3/15/09: ACM Transactions on Autonomous and Adaptive Systems, Special Issue on Adaptive Security Systems; http://nss.cqu.edu.au/FCWViewer/getFile.do?id=23880 Submissions are due
 3/16/09- 3/19/09: PSAI, 2nd Workshop on Privacy and Security by means of Artificial Intelligence, Held in conjunction with ARES 2009, Fukuoka, Japan; http://crises-deim.urv.cat/psai/
 3/16/09- 3/19/09: SecSE, 3rd Workshop on Secure Software Engineering, Held in conjunction with ARES 2009, Fukuoka, Japan; http://www.sintef.no/secse
 3/18/09: Elsevier Journal on Computer Networks, Special Issue on Performance Sensitive Security for Very Large Scale Collaboration; http://home.fnal.gov/~maltunay/ComNet.html Submissions are due
 3/18/09- 3/20/09: PKC, 12th IACR International Workshop on Practice and Theory in Public Key Cryptography, Irvine, California, USA; http://www.iacr.org/workshops/pkc2009
 3/22/09- 3/25/09: IFIP-CIP, Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, Hanover, New Hampshire, USA; http://www.ifip1110.org
 3/26/09- 3/27/09: ICIW, 4th International Conference on Information Warfare and Security, Breakwater Lodge, Cape Town, South Africa; http://academic-conferences.org/iciw/iciw2009/iciw09-home.htm
 3/31/09: SECURECOMM, 5th International ICST Conference on Security and Privacy for Communication Networks, Athens, Greece; http://www.securecomm.org Submissions are due
 4/ 3/09: IWSEC, 4th International Workshop on Security, Toyama, Japan; http://www.iwsec.org Submissions are due
 4/ 6/09- 4/ 8/09: Trust, 2nd International Conference on Trusted Computing, St. Hugh's College, University of Oxford, UK; http://www.trust2009.org
 4/13/09: SIN, 2nd ACM International Conference on Security of Information and Networks, Eastern Mediterranean University, Gazimagusa, TRNC, North Cyprus; http://www.sinconf.org/cfp/cfp.htm Submissions are due
 4/13/09- 4/15/09: ISPEC, 5th Information Security Practice and Experience Conference, Xi'an, China; http://www.ispec2009.net/
 4/14/09- 4/16/09: IDtrust, 8th Symposium on Identity and Trust on the Internet, Gaithersburg, Maryland, USA; http://middleware.internet2.edu/idtrust/
 4/30/09: LISA, 23rd USENIX Large Installation System Administration Conference, Baltimore, MD, USA; http://usenix.org/events/lisa09/ Submissions are due
 5/ 1/09: IEEE Transactions on Software Engineering, Special Issue on Exception Handling: From Requirements to Software Maintenance; http://www.computer.org/portal/cms_docs_transactions/transactions/tse/CFP/cfp_tse_eh_web.pdf Submissions are due
 5/ 4/09- 5/ 8/09: SSDU, 3rd International Symposium on Service, Security and its Data management technologies in Ubi-comp, Geneva, Switzerland; http://www.sersc.org/SSDU2009/
 5/17/09- 5/20/09: SP, 30th IEEE Symposium on Security and Privacy, Oakland/Berkeley, California, USA; http://oakland09.cs.virginia.edu
 5/21/09: SADFE, 4th International Workshop on Systematic Approaches to Digital Forensic Engineering, Held in conjunction with the 2009 IEEE Symposium on Security and Privacy (SP 2009), Oakland/Berkeley, CA, USA; http://conf.ncku.edu.tw/sadfe/sadfe09
 5/24/09- 5/28/09: ICIMP, 4th International Conference on Internet Monitoring and Protection, Venice, Italy; http://www.iaria.org/conferences2009/ICIMP09.html
 5/29/09: SSN, 5th International Workshop on Security in Systems and Networks, Held in conjunction with the International Parallel and Distributed Processing Symposium (IPDPS 2009), Rome, Italy; http://www4.comp.polyu.edu.hk/~csbxiao/ssn09/
 6/ 2/09- 6/ 5/09: ACNS, 7th International Conference on Applied Cryptography and Network Security, Paris, France; http://acns09.di.ens.fr/
 6/ 3/09- 6/ 5/09: MobiSec, 1st International Conference on Security and Privacy in Mobile Information and Communication Systems, Turin, Italy; http://www.mobisec.org/
 6/ 3/09- 6/ 5/09: SACMAT, 14th ACM Symposium on Access Control Models and Technologies, Hotel La Palma, Stresa, Italy; http://www.sacmat.org
 6/ 7/09- 6/10/09: IH, 11th Information Hiding Workshop, Darmstadt, Germany; http://www.ih09.tu-darmstadt.de/
 6/14/09- 6/18/09: CISS, Communication and Information Systems Security Symposium, Held in conjunction with the IEEE International Conference on Communications (ICC 2009), Dresden, Germany; http://www.ieee-icc.org/2009/
 6/14/09- 6/19/09: SECURWARE, 3rd International Conference on Emerging Security Information, Systems and Technologies, Athens, Greece; http://www.iaria.org/conferences2009/SECURWARE09.html
 6/25/09- 6/27/09: WNGS, 4th International Workshop on Security, Korea University, Seoul, Korea; http://www.sersc.org/WNGS2009/
 7/ 1/09- 7/ 3/09: ACSISP, 14th Australasian Conference on Information Security and Privacy, Brisbane, Australia; http://conf.isi.qut.edu.au/acisp2009/
 7/ 7/09- 7/10/09: SECRYPT, International Conference on Security and Cryptography, Milan, Italy; http://www.secrypt.org/
 7/ 7/09- 7/10/09: ATC, 6th International Conference on Autonomic and Trusted Computing, Brisbane, Australia; http://www.itee.uq.edu.au/~atc09
 7/ 7/09- 7/10/09: CTC, Cybercrime and Trustworthy Computing Workshop, Held in conjunction with the 6th International Conference on Autonomic and Trusted Computing (ATC 2009), Brisbane, Australia; http://www.cybercrime.com.au/ctc09
 7/ 8/09- 7/10/09: CSF, 22nd IEEE Computer Security Foundations Symposium, Port Jefferson, New York, USA; http://www.cs.sunysb.edu/csf09/
 7/12/09- 7/15/09: DBSEC, 23rd Annual IFIP WG 11.3 Working Conference on Data and Applications Security, Montreal, Canada; http://www.ciise.concordia.ca/dbsec09/
 7/20/09- 7/22/09: POLICY, IEEE International Symposium on Policies for Distributed Systems and Networks, Imperial College London, UK; http://ieee-policy.org
 8/12/09- 8/14/09: USENIX-SECURITY, 18th USENIX Security Symposium, Montreal, Canada; http://www.usenix.org/events/sec09/cfp/
 8/31/09- 9/ 4/09: TrustBus, 6th International Conference on Trust, Privacy, and Security in Digital Business, Held in conjunction with the 20th International Conference on Database and Expert Systems Applications (DEXA 2009), Linz, Austria; http://www.icsd.aegean.gr/trustbus2009/
 9/14/09- 9/18/09: SECURECOMM, 5th International ICST Conference on Security and Privacy for Communication Networks, Athens, Greece; http://www.securecomm.org
10/ 6/09-10/10/09: SIN, 2nd ACM International Conference on Security of Information and Networks, Eastern Mediterranean University, Gazimagusa, TRNC, North Cyprus; http://www.sinconf.org/cfp/cfp.htm
10/28/09-10/30/09: IWSEC, 4th International Workshop on Security, Toyama, Japan; http://www.iwsec.org
11/ 1/09-11/ 6/09: LISA, 23rd USENIX Large Installation System Administration Conference, Baltimore, MD, USA; http://usenix.org/events/lisa09/

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers (new since Cipher E87)
____________________________________________________________________

WNGS 2009
4th International Workshop on Security, Korea University, Seoul, Korea,
June 25-27, 2009
http://www.sersc.org/WNGS2009/
(Submissions due 16 January 2009)

The workshop will provide an opportunity for academic and industry
professionals to discuss the latest issues and progress in the area of
NGS. The workshop will publish high quality papers which are closely
related to the various theories and practical applications in NGS. In
addition, we expect that the workshop and its publications will be a
trigger for further related research and technology improvements in this
important subject.
Topics (included, but are not limited to): - Cryptographic Protocol & Application In NGS - Peer-to-Peer Security & Application - Privacy & Anonymity in NGS - Access Control in NGS - Biometrics in NGS - Key/Identity Management in NGS - Smart & Java Cards in NGS - Mobile Communication in NGS - Future Aviation in NGS - Computer Forensics in NGS - Efficient Implementations in NGS ------------------------------------------------------------------------- SADFE 2009 4th International Workshop on Systematic Approaches to Digital Forensic Engineering, Held in conjunction with the 2009 IEEE Symposium on Security and Privacy (SP 2009), Oakland, CA, USA, May 21, 2009. http://conf.ncku.edu.tw/sadfe/sadfe09/ (Submissions due 17 January 2009) The SADFE (Systematic Approaches to Digital Forensic Engineering) International Workshop promotes systematic approaches to computer investigations, by furthering the advancement of digital forensic engineering as a disciplined practice. Most previous SADFE papers have emphasized cyber crime investigations, and this is still a key focus of the meeting. However, we also welcome papers on forensics that do not necessarily involve a crime: general attack analysis, insider threat, insurance and compliance investigations, and similar forms of retrospective analysis are all viable topics. Digital forensic engineering is characterized by the application of scientific and mathematical principles to the investigation and establishment of facts or evidence, either for use within a court of law or to aid in understanding past events on a computer system. Past speakers and attendees of SADFE have included computer scientists, social scientists, forensic practitioners, law enforcement, lawyers, and judges. The synthesis of hard technology and science with social science and practice forms the foundation of this conference. 
To advance the state of the art, SADFE-2009 solicits broad-based, innovative digital forensic engineering technology, techno-legal and practice-related submissions in the following four areas: Digital Data and Evidence Management: advanced digital evidence discovery, collection, and storage - Identification, authentication and collection of digital evidence - Post-collection handling of evidence and the preservation of data integrity - Evidence preservation and storage - Forensic-enabled architectures and processes, including network processes - Managing geographically, politically and/or jurisdictionally dispersed data - Data and web mining systems for identification and authentication of relevant data Principle-based Digital Forensic Processes: systematic engineering processes supporting digital evidence management which are sound on scientific, technical and legal grounds - Legal and technical aspects of admissibility and evidence tests - Examination environments for digital data - Courtroom expert witness and case presentation - Case studies illustrating privacy, legal and legislative issues - Forensic tool validation: legal implications and issues - Legal and privacy implications for digital and computational forensic analysis Digital Evidence Analytics: advanced digital evidence analysis, correlation, and presentation - Advanced search, analysis, and presentation of digital evidence - Progressive cyber crime scenario analysis and reconstruction technology - Legal case construction & digital evidence support - Cyber-crime strategy analysis & modeling - Combining digital and non-digital evidence - Supporting qualitative or statistical evidence - Computational systems and computational forensic analysis Forensic-support technologies: forensic-enabled and proactive monitoring/response - Forensics of embedded or non-traditional devices (e.g. 
digicams, cell phones, SCADA) - Innovative forensic engineering tools and applications - Forensic-enabled support for incident response - Forensic tool validation: methodologies and principles - Legal and technical collaboration - Digital Forensics Surveillance Technology and Procedures - "Honeypot" and other target systems for data collection and monitoring ------------------------------------------------------------------------- ATC 2009 6th International Conference on Autonomic and Trusted Computing, Brisbane, Australia, July 7-10, 2009 http://www.itee.uq.edu.au/~atc09 (Submissions due 19 January 2009) ATC-09 will offer a forum for researchers to exchange ideas and experiences in the most innovative research and development in these challenging areas and includes all technical aspects related to autonomic/organic computing (AC/OC) and trusted computing (TC). Topics include but are not limited to the following: - AC/OC Theory and Model: Models, negotiation, cooperation, competition, self-organization, emergence, verification etc. - AC/OC Architectures and Systems: Autonomic elements & their relationship, frameworks, middleware, observer/controller architectures, etc. - AC/OC Components and Modules: Memory, storage, database, device, server, proxy, software, OS, I/O, etc. - AC/OC Communication and Services: Networks, self-organized net, web service, grid, P2P, semantics, agent, transaction, etc. - AC/OC Tools and Interfaces: Tools/interfaces for AC/OC system development, test, monitoring, assessment, supervision, etc. - Trust Models and Specifications: Models and semantics of trust, distrust, mistrust, over-trust, cheat, risk, reputation, reliability, etc. - Trust-related Security and Privacy: Trust-related secure architecture, framework, policy, intrusion detection/awareness, protocols, etc. - Trusted Reliable and Dependable Systems: Fault-tolerant systems, hardware redundancy, robustness, survivable systems, failure recovery, etc. 
- Trustworthy Services and Applications: Trustworthy Internet/web/grid/P2P e-services, secured mobile services, novel applications, etc. - Trust Standards and Non-Technical Issues: Trust standards and issues related to personality, ethics, sociology, culture, psychology, economy, etc. ------------------------------------------------------------------------- SECURWARE 2009 3rd International Conference on Emerging Security Information, Systems and Technologies, Athens, Greece, June 14-19, 2009 http://www.iaria.org/conferences2009/SECURWARE09.html (Submissions due 20 January 2009) The SECURWARE 2009 is an event covering related topics on theory and practice on security, cryptography, secure protocols, trust, privacy, confidentiality, vulnerability, intrusion detection and other areas related to low enforcement, security data mining, malware models, etc. SECURWARE 2009 Special Areas (details in the CfP on site) are: - ARCH: Security frameworks, architectures and protocols - SECMAN: Security management - SECTECH: Security technologies - SYSSEC: System security - INFOSEC: Information security - MALWA: Malware and Anti-malware - ANTIFO: Anti-forensics - PRODAM: Profiling data mining - SECHOME: Smart home security - SECDYN: Security and privacy in dynamic environments - ECOSEC: Ecosystem security and trust - CRYPTO: Cryptography - CYBER-Threat ------------------------------------------------------------------------- SACMAT 2009 14th ACM Symposium on Access Control Models and Technologies, Hotel La Palma, Stresa, Italy, June 3-5, 2009 http://www.sacmat.org (Submissions due 23 January 2009) Papers offering novel research contributions in all aspects of access control are solicited for submission to the ACM Symposium on Access Control Models and Technologies (SACMAT). 
SACMAT 2009 is the fourteenth of a successful series of symposiums that continue the tradition, first established by the ACM Workshop on Role-Based Access Control, of being the premier forum for presentation of research results and experience reports on leading edge issues of access control, including models, systems, applications, and theory. The missions of the symposium are to share novel access control solutions that fulfill the needs of heterogeneous applications and environments and to identify new directions for future research and development. SACMAT gives researchers and practitioners a unique opportunity to share their perspectives with others interested in the various aspects of access control. Accepted papers will be presented at the symposium and published by the ACM in the symposium proceedings. Outstanding papers will be invited for possible publication in a prestigious journal in the information assurance area. Topics of interest include but are not limited to:
- Access control models and extensions
- Access control requirements
- Access control design methodology
- Access control mechanisms, systems, and tools
- Access control in distributed and mobile systems
- Access control for innovative applications
- Administration of access control policies
- Delegation
- Identity management
- Policy/Role Engineering
- Safety analysis and enforcement
- Standards for access control
- Trust management
- Trust models
- Theoretical foundations for access control
- Usage control

-------------------------------------------------------------------------

IH 2009
11th Information Hiding Workshop,
Darmstadt, Germany, June 7-10, 2009
http://www.ih09.tu-darmstadt.de/
(Submissions due 1 February 2009)

For many years, Information Hiding has captured the imagination of researchers: Digital watermarking and steganography protect information, conceal secrets or are used as core primitives in Digital Rights Management schemes; steganalysis and digital forensics pose important challenges to investigators; and information hiding plays an important role in anonymous communication systems. These are but a small number of related topics and issues. Current research themes include:
- Anonymous communication and privacy
- Low probability of intercept communications
- Digital forensics
- Covert/subliminal channels
- Steganography and steganalysis
- Watermarking algorithms and applications
- Security aspects of watermarking
- Novel data hiding domains
- Multimedia and document security
- Novel applications of information hiding

-------------------------------------------------------------------------

MobiSec 2009
1st International Conference on Security and Privacy in Mobile Information and Communication Systems,
Turin, Italy, June 3-5, 2009
http://www.mobisec.org/
(Submissions due 2 February 2009)

The convergence of information and communication technology is most palpable in the form of intelligent mobile devices, accompanied by the advent of converged, and next-generation, communication networks. As mobile communication and information processing becomes a commodity, economy and society require protection of this precious resource. MobiSec brings together leading-edge researchers from academia and industry in the field of mobile systems security and privacy, as well as practitioners, standards developers and policymakers.
Topics of interest include, but are not limited to, the following focus areas:
- Security architectures for next-generation, new-generation, and converged communication networks
- Trusted mobile devices, hardware security
- Network resilience
- Threat analyses for mobile systems
- Multi-hop authentication and trust
- Non-repudiation of communication
- Context-aware and data-centric security
- Protection and safety of distributed mobile data
- Mobile application security
- Security for voice and multimedia communication
- Machine-to-machine communication security
- Trust in autonomic and opportunistic communication
- Location based applications security and privacy
- Security for the networked home environment
- Security and privacy for mobile communities
- Mobile emergency communication, public safety
- Lawful interception and mandatory data retention
- Security of mobile agents and code
- Identity management
- Embedded security

-------------------------------------------------------------------------

USENIX-SECURITY 2009
18th USENIX Security Symposium,
Montreal, Canada, August 12-14, 2009
http://www.usenix.org/events/sec09/cfp/
(Submissions due 4 February 2009)

The USENIX Security Symposium brings together researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in the security of computer systems and networks.
Refereed paper submissions are solicited in all areas relating to systems and network security, including:
- Adaptive security and system management
- Analysis of network and security protocols
- Applications of cryptographic techniques
- Attacks against networks and machines
- Authentication and authorization of users, systems, and applications
- Automated tools for source code analysis
- Botnets
- Cryptographic implementation analysis and construction
- Denial-of-service attacks and countermeasures
- File and filesystem security
- Firewall technologies
- Forensics and diagnostics for security
- Hardware security
- Intrusion and anomaly detection and prevention
- Malicious code analysis, anti-virus, anti-spyware
- Network infrastructure security
- Operating system security
- Privacy-preserving (and compromising) systems
- Public key infrastructure
- Rights management and copyright protection
- Security architectures
- Security in heterogeneous and large-scale environments
- Security policy
- Self-protecting and healing systems
- Techniques for developing secure systems
- Technologies for trustworthy computing
- Usability and security
- Virtualization security
- Voting systems analysis and security
- Web security
- Wireless and pervasive/ubiquitous computing security

-------------------------------------------------------------------------

CSF 2009
22nd IEEE Computer Security Foundations Symposium,
Port Jefferson, New York, USA, July 8-10, 2009
http://www.cs.sunysb.edu/csf09/
(Submissions due 6 February 2009)

The IEEE Computer Security Foundations (CSF) series brings together researchers in computer science to examine foundational issues in computer security. Over the past two decades, many seminal papers and techniques have been presented first at CSF. CiteSeer lists CSF as 38th out of more than 1200 computer science venues (top 3.11%) in impact based on citation frequency.
CiteSeerX lists CSF 2007 as 7th out of 581 computer science venues (top 1.2%) in impact based on citation frequency. New theoretical results in computer security are welcome. Also welcome are more exploratory presentations, which may examine open questions and raise fundamental concerns about existing theories. Panel proposals are sought as well as papers. Possible topics include, but are not limited to:
- Access control
- Anonymity and Privacy
- Authentication
- Data and system integrity
- Database security
- Decidability and complexity
- Distributed systems security
- Electronic voting
- Executable content
- Formal methods for security
- Information flow
- Intrusion detection
- Language-based security
- Network security
- Resource usage control
- Security for mobile computing
- Security models
- Security protocols
- Trust and trust management

-------------------------------------------------------------------------

DIMVA 2009
6th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment,
Milan, Italy, June/July, 2009
http://www.dimva.org/dimva2009
(Submissions due 6 February 2009)

The annual DIMVA conference serves as a premier forum for advancing the state of the art in intrusion detection, malware detection, and vulnerability assessment.
DIMVA's scope includes, but is not restricted to, the following areas:
- Intrusion Detection: Approaches, Insider detection, Applications to business level fraud, Implementations, Prevention and response, Result correlation and cooperation, Evaluation, Potentials and limitations, Operational experiences, Legal and social aspects
- Malware Detection: Techniques, Acquisition of specimen, Detection and analysis, Automated behavior model generation, Early warning, Prevention and containment, Trends and upcoming risks, Forensics and recovery, Economic aspects
- Vulnerability Assessment: Vulnerabilities, Vulnerability detection and analysis, Vulnerability prevention, Classification and evaluation, Situational awareness

-------------------------------------------------------------------------

ACISP 2009
14th Australasian Conference on Information Security and Privacy,
Brisbane, Australia, July 1-3, 2009
http://conf.isi.qut.edu.au/acisp2009/
(Submissions due 9 February 2009)

Original papers pertaining to all aspects of information security and privacy are solicited for submission to the 14th Australasian Conference on Information Security and Privacy (ACISP 2009).
Papers may present theory, techniques, applications and practical experiences on a variety of topics including:
- Cryptology
- Mobile communications security
- Database security
- Authentication and authorization
- Secure operating systems
- Intrusion detection
- Access control
- Security management
- Security protocols
- Network security
- Secure commercial applications
- Privacy Technologies
- Smart cards
- Key management and auditing
- Mobile agent security
- Risk assessment
- Secure electronic commerce
- Privacy and policy issues
- Copyright protection
- Security architectures and models
- Evaluation and certification
- Software protection and viruses
- Computer forensics
- Distributed system security
- Identity management
- Biometrics

-------------------------------------------------------------------------

CTC 2009
Cybercrime and Trustworthy Computing Workshop,
Held in conjunction with the 6th International Conference on Autonomic and Trusted Computing (ATC 2009),
Brisbane, Australia, July 7-10, 2009
http://www.cybercrime.com.au/ctc09
(Submissions due 15 February 2009)

Cybercrime continues to be a growth industry, assisted by a combination of technical factors, such as insecure hardware and software platforms, and psychological factors, such as user error or naivety. The objective of this workshop is to bring together two distinct groups to encourage further collaboration: those who are researching cybercrime activity, such as phishing and malware, and those who are working on technical countermeasures. Example topic areas on the cybercrime theme might include:
- Phishing, SPAM
- Malware, Botnets
- Scams, including advance fee fraud, romance scams, etc.
- Forensic means to classify e-mail messages or web pages soliciting cybercrime or providing a vector for attack
- Forensic means to cluster and identify different groups or modus operandi arising from distinct "kits"
- For the countermeasures side, topic areas might include Anti-phishing, Anti-virus, Anti-rootkit, Anti-botnet
- User education and/or psychological operations

-------------------------------------------------------------------------

IEEE Transactions on Information Forensics and Security,
Special Issue on Electronic Voting, December 2009
http://vote.cs.gwu.edu/cfp.html
(Submissions Due 15 February 2009)

Guest editors: Ronald L. Rivest (MIT, USA, Lead Guest Editor), David Chaum (Voting Systems Institute, USA), Bart Preneel (Katholieke Universiteit Leuven, Belgium), Aviel D. Rubin (Johns Hopkins University, USA), Donald G. Saari (University of California at Irvine, USA), and Poorvi L. Vora (The George Washington University, USA)

Following the discovery of a wide variety of flaws in electronic voting technology used in the US and other parts of the world, there has recently been a spurt of research activity related to electronic voting. The activity has been broad, ranging from the design of voting systems that specify what information is collected from voters and how it is used to determine one or many winners, through the development of cryptographic vote counting systems and the experimental security analysis of deployed voting systems, the experimental study of the usability of voting systems, to the development of methods for identifying election fraud. Most of the work has of necessity been interdisciplinary, involving contributions from experts in the areas of cryptography, computer security, information theory, political science, statistics, usability, game theory, mathematical modeling, etc. This special issue aims to provide an overview of the research area of electronic voting, with a focus on original results.
The scope includes both remote and polling-place voting, and the areas of interest include, but are not limited to, the following:
- Voting theory, including voting models
- Cryptographic voting systems
- Formal security analysis of voting systems
- Experimental security analysis of voting systems
- Evaluations and ratings of voting systems
- Usability and accessibility of voting systems
- History of voting technology
- Component building-blocks of voting systems, such as anonymous voting channels and secure bulletin boards
- Fraud/anomaly detection in elections
- Political districting and the allocation of voting technology

-------------------------------------------------------------------------

SECRYPT 2009
International Conference on Security and Cryptography,
Milan, Italy, July 7-10, 2009
http://www.secrypt.org/
(Submissions due 17 February 2009)

The purpose of SECRYPT 2009 is to bring together researchers, engineers and practitioners interested in information systems and applications in the context of wireless networks and mobile technologies.
Topics of interest include, but are not limited to, the following, provided they fit in one of the main topic areas:

Area 1: Access Control and Intrusion Detection
- Intrusion Detection and Vulnerability Assessment
- Authentication and Non-repudiation
- Identification and Authentication
- Insider Threats and Countermeasures
- Intrusion Detection & Prevention
- Identity and Trust Management
- Biometric Security
- Trust models and metrics
- Regulation and Trust Mechanisms
- Data Integrity
- Models for Authentication, Trust and Authorization
- Access Control in Computing Environments
- Multiuser Information

Area 2: Network Security and Protocols
- IPsec, VPNs and Encryption Modes
- Service and Systems Design and QoS Network Security
- Fairness Scheduling and QoS Guarantee
- Reliability and Dependability
- Web Performance and Reliability
- Denial of Service and Other Attacks
- Data and Systems Security
- Data Access & Synchronization
- GPRS and CDMA Security
- Mobile System Security
- Ubiquitous Computing Security
- Security in Localization Systems
- Sensor and Mobile Ad Hoc Network Security
- Wireless Network Security (WiFi, WiMAX, WiMedia and Others)
- Security of GSM/GPRS/UMTS Systems
- Peer-to-Peer Security
- e-Commerce Protocols and Micropayment Schemes

Area 3: Cryptographic Techniques and Key Management
- Smart Card Security
- Public Key Crypto Applications
- Coding Theory and Practice
- Spread Spectrum Systems
- Speech/Image Coding
- Shannon Theory
- Stochastic Processes
- Quantum Information Processing
- Mobile Code & Agent Security
- Digital Rights Management

Area 4: Information Assurance
- Planning Security
- Risk Assessment
- Security Area Control
- Organizational Security Policies and Responsibility
- Security Through Collaboration
- Human Factors and Human Behaviour Recognition Techniques
- Ethical and Legal Implications
- Intrusive, Explicit Security vs. Invisible, Implicit Computing
- Information Hiding
- Information Systems Auditing
- Management of Computing Security

Area 5: Security in Information Systems
- Security for Grid Computing
- Secure Software Development Methodologies
- Security for Web Services
- Security for Databases and Data Warehouses
- e-Health
- Security Engineering
- Security Information Systems Architectures
- Security Requirements
- Security Metrics
- Personal Data Protection
- XML Security
- Workflow and Business Process Security

-------------------------------------------------------------------------

DBSEC 2009
23rd Annual IFIP WG 11.3 Working Conference on Data and Applications Security,
Montreal, Canada, July 12-15, 2009
http://www.ciise.concordia.ca/dbsec09/
(Submissions due 20 February 2009)

The 23rd Annual IFIP WG 11.3 Working Conference on Data and Applications Security provides a forum for presenting original unpublished research results, practical experiences, and innovative ideas in data and applications security. Papers and panel proposals are also solicited.
Papers may present theory, techniques, applications, or practical experience on topics of relevance to IFIP WG 11.3:
- Access Control
- Applied cryptography in data security
- Identity theft and countermeasures
- Integrity maintenance
- Intrusion detection
- Knowledge discovery and privacy
- Organizational security
- Privacy and privacy-preserving data management
- Secure transaction processing
- Secure information integration
- Secure Semantic Web
- Secure sensor monitoring
- Secure Web Services
- Threats, vulnerabilities, and risk management
- Trust management

-------------------------------------------------------------------------

TrustBus 2009
6th International Conference on Trust, Privacy, and Security in Digital Business,
Held in conjunction with the 20th International Conference on Database and Expert Systems Applications (DEXA 2009),
Linz, Austria, August 31 - September 4, 2009
http://www.icsd.aegean.gr/trustbus2009/
(Submissions due 20 February 2009)

TrustBus'09 will bring together researchers from different disciplines, developers, and users all interested in the critical success factors of digital business systems.
We are interested in papers, work-in-progress reports, and industrial experiences describing advances in all areas of digital business applications related to trust and privacy, including, but not limited to:
- Anonymity and pseudonymity in business transactions
- Business architectures and underlying infrastructures
- Common practice, legal and regulatory issues
- Cryptographic protocols
- Delivery technologies and scheduling protocols
- Design of businesses models with security requirements
- Economics of Information Systems Security
- Electronic cash, wallets and pay-per-view systems
- Enterprise management and consumer protection
- Identity and Trust Management
- Intellectual property and digital rights management
- Intrusion detection and information filtering
- Languages for description of services and contracts
- Management of privacy & confidentiality
- Models for access control and authentication
- Multimedia web services
- New cryptographic building-blocks for e-business applications
- Online transaction processing
- PKI & PMI
- Public administration, governmental services
- P2P transactions and scenarios
- Real-time Internet E-Services
- Reliability and security of content and data
- Reliable auction, e-procurement and negotiation technology
- Reputation in services provision
- Secure process integration and management
- Security and Privacy models for Pervasive Information Systems
- Security Policies
- Shopping, trading, and contract management tools
- Smartcard technology
- Transactional Models
- Trust and privacy issues in mobile commerce environments
- Usability of security technologies and services

Additional topics of interest include (but are not limited to): Critical Infrastructure Protection, Cyber Terrorism, Information Warfare, Database Forensics, Electronic Commerce Security, and Security in Digital Health Care.
-------------------------------------------------------------------------

POLICY 2009
IEEE International Symposium on Policies for Distributed Systems and Networks,
Imperial College London, UK, July 20-22, 2009
http://ieee-policy.org
(Submissions due 2 March 2009)

The symposium brings together researchers and practitioners working on policy-based systems across a range of application areas including policy-based networking, privacy and security management, storage area networking, and enterprise systems. POLICY 2009 has grown out of a highly successful series of workshops, and this is recognized by the elevation of the event to an IEEE symposium. This year, in addition to the latest research results from the communities working in any area of policy-based management and computing, we encourage contributions on policy-based techniques in support of privacy and security management, including the policy life-cycle, detection and resolution of inconsistency, refining policies from users' requirements, and usability issues. Topics of interest include, but are not limited to, the following:
- Privacy and Security
- Policy Models and Languages
- Policy Applications

-------------------------------------------------------------------------

ACM Transactions on Autonomous and Adaptive Systems,
Special Issue on Adaptive Security Systems, 2010
http://nss.cqu.edu.au/FCWViewer/getFile.do?id=23880
(Submissions Due 15 March 2009)

Guest editors: Yang Xiang (Central Queensland University, Australia) and Wanlei Zhou (Deakin University, Australia)

This special issue on Adaptive Security Systems in ACM TAAS focuses on autonomous and adaptive security system theories, technologies, and real-life applications. Original papers are solicited for this special issue.
Suggested topics include, but are not limited to:

Adaptive Security System Theories
- Adaptive security architectures, algorithms, and protocols
- Autonomic learning mechanisms in security systems
- Intelligent attack systems and mechanisms
- Interactions between autonomic nodes of security systems
- Modeling of adaptive attack and defense mechanisms
- Theories in adaptive security systems

Adaptive Security System Technologies
- Adaptive security systems design
- Adaptive security systems implementation
- Adaptive intrusion detection/prevention systems
- Self-organizing identity management and authentication
- Adaptive defense against large-scale attacks
- Simulation and tools for adaptive security systems

Adaptive Security System Applications
- Benchmark, analysis and evaluation of adaptive security systems
- Distributed autonomous access control and trust management
- Autonomous denial-of-service attacks and countermeasures
- Autonomous wireless security systems
- Autonomous secure mobile agents and middleware
- Adaptive defense against viruses, worms, and other malicious codes

-------------------------------------------------------------------------

Elsevier Journal on Computer Networks,
Special Issue on Performance Sensitive Security for Very Large Scale Collaboration, December 2009
http://home.fnal.gov/~maltunay/ComNet.html
(Submissions Due 18 March 2009)

Guest editors: Deborah A. Frincke (PNNL, University of Washington, USA), Frank Siebenlist (Argonne National Laboratory, University of Chicago, USA), and Mine Altunay (Fermi National Laboratory, USA)

It is anticipated that this trend towards very large-scale collaboration will continue and that these virtual organizations will become increasingly complex and diverse. Exascale computing is predicted by some to be a necessity to support scientific as well as business activities by 2018.
It will be important for security solutions to scale equally well, so that the collaboration is enriched by usable, management-friendly, performance-sensitive security solutions, rather than hindered by them. In this special issue, we emphasize research approaches that show promise in providing performance sensitive security for very large scale collaboration. Performance sensitivity here refers both to traditional computer performance measures as well as the usability of the security solution being proposed; collaboration should be supported, rather than hindered, by the security solutions. Topics of interest include, but are not limited to:
- Security for very large datasets (petascale through exascale), where very large scale data sets can be shared without loss of important security properties, such as integrity, confidentiality.
- Secure remote access to unique instrumentation; e.g., where scientists and the computer-based instrumentation they use are geographically and organizationally dispersed.
- Security validation techniques that can provide some measure of assurance that a shared infrastructure meets the collaboration's and the individual organization's security requirements.
- New architectures and methods supporting shared intrusion detection/prevention, situational awareness, threat containment and/or response needed to defend geographically and organizationally dispersed shared computational resources, including shared code.
- User privilege and user trust negotiation within very large federated environments, both for brief access (minutes) and for long term access (years)

-------------------------------------------------------------------------

SECURECOMM 2009
5th International ICST Conference on Security and Privacy for Communication Networks,
Athens, Greece, September 14-18, 2009
http://www.securecomm.org
(Submissions due 31 March 2009)

Securecomm seeks high-quality research contributions in the form of well developed papers.
Topics of interest encompass research advances in ALL areas of secure communications and networking. However, topics in other areas (e.g., formal methods, database security, secure software, foundations of cryptography) will be considered only if a clear connection to private or secure communications/networking is demonstrated. The aim of Securecomm is to bring together security and privacy experts in academia, industry and government as well as practitioners, standards developers and policy makers, in order to engage in a discussion about common goals and explore important research directions in the field. TOPICS of interest include, but are not limited to, the following:
- Security & Privacy in Wired, Wireless, Mobile, Hybrid, Sensor, Ad Hoc networks
- Network Intrusion Detection and Prevention, Firewalls, Packet Filters
- Malware and botnets
- Communication Privacy and Anonymity
- Distributed denial of service
- Public Key Infrastructures, key management, credentials
- Web security
- Secure Routing, Naming/Addressing, Network Management
- Security & Privacy in Pervasive and Ubiquitous Computing, e.g., RFIDs
- Security & Privacy for emerging technologies: VoIP, peer-to-peer and overlay network systems, Web 2.0

-------------------------------------------------------------------------

IWSEC 2009
4th International Workshop on Security,
Toyama, Japan, October 28-30, 2009
http://www.iwsec.org
(Submissions due 3 April 2009)

The aim of IWSEC2009 is to contribute to research and development of various security topics: theory and applications of traditional and up-to-date security issues.
Topics include but are not limited to:
- Network and Distributed Systems Security
- Security Issues in Ubiquitous/Pervasive Computing
- Authorization and Access Control
- Software and System Security
- Usable Security
- Privacy Enhancing Technology
- Digital Identity Management
- Digital Forensics
- Biometrics
- Cryptography
- Information Hiding
- Quantum Security
- Secure and Efficient Implementation
- Other Scientific Approaches for Security

-------------------------------------------------------------------------

SIN 2009
2nd ACM International Conference on Security of Information and Networks,
Eastern Mediterranean University, Gazimagusa, TRNC, North Cyprus, October 6-10, 2009
http://www.sinconf.org/cfp/cfp.htm
(Submissions due 13 April 2009)

The 2nd International Conference on Security of Information and Networks (SIN 2009) provides an international forum for presentation of research and applications of security in information and networks. SIN 2009 features contributed as well as invited papers, special sessions, workshops, and tutorials on theory and practice. Its drive is to convene a high quality, well-attended, and up-to-date conference on scientific and technical issues of security in information, networks, and systems. The main theme of SIN 2009 is Intelligent Systems for Information Assurance, Security, and Public Policy in the Age of e-Euphoria.

-------------------------------------------------------------------------

LISA 2009
23rd USENIX Large Installation System Administration Conference,
Baltimore, MD, USA, November 1-6, 2009
http://usenix.org/events/lisa09/
(Submissions due 30 April 2009)

Effective administration of a large site requires a good understanding of modern tools and techniques, together with their underlying principles, but the human factors involved in managing and applying these technologies in a production environment are equally important.
Bringing together theory and practice is an important goal of the LISA conference, and practicing system administrators as well as academic researchers all have valuable contributions to make. Topics of interest include, but are not limited to, the following:
- Authentication and authorization: "Single sign-on" technologies, identity management
- Autonomic computing: Self-repairing systems, zero administration systems, fail-safe design
- Configuration management: Specification languages, configuration deployment
- Data center design: Modern methods, upgrading old centers
- Data management: DBMS management systems, deployment architectures and methods, real world performance
- Email: Mail infrastructures, spam prevention
- Grid computing: Management of grid fabrics and infrastructure
- Hardware: Multicore processor ramifications
- Mobile computing: Supporting and managing laptops and remote communications
- Multiple platforms: Integrating and supporting multiple platforms (e.g., Linux, Windows, Macintosh)
- Networking: New technologies, network management
- Security: Malware and virus prevention, security technologies and procedures, response to cyber attacks targeting individuals
- Standards: Enabling interoperability of local and remote services and applications
- Storage: New storage technologies, remote filesystems, backups, scaling
- Web 2.0 technologies: Using, supporting, and managing wikis, blogs, and other Web 2.0 applications
- Virtualization: Managing and configuring virtualized resources

-------------------------------------------------------------------------

IEEE Transactions on Software Engineering (TSE),
Special Issue on Exception Handling: From Requirements to Software Maintenance, November 2009
http://www.computer.org/portal/cms_docs_transactions/transactions/tse/CFP/cfp_tse_eh_web.pdf
(Submissions Due 1 May 2009)

Guest editors: Alessandro Garcia (Lancaster University, UK), Valerie Issarny (INRIA, France), and Alexander Romanovsky (Newcastle University, UK)

With the complexity of contemporary software systems growing steadily, we still have much to learn about how software engineering practice can contribute to improving the specification, design, testing, and evolution of exception handling. Our body of knowledge on effective exception handling in software projects is still limited and fragmented. It is not surprising that recent field studies have found that error handling design in industrial applications typically exhibits poor quality, independently of the underlying programming language and application domain. A holistic application of software engineering principles and techniques can certainly improve the treatment of exception handling across the software lifecycle. In this context, one of the underlying motivations of this special issue is to revisit the research directions involving exception handling in software engineering one decade after the first successful issue on this topic appeared in IEEE TSE. This special issue will serve as a key reference for researchers, practitioners and educators to understand the most recent innovations, trends, experiences and concerns involving exception handling aspects in software engineering. We invite submissions approaching exception handling in all areas of software development and maintenance, such as model-driven development, requirements engineering, refactoring, software evolution, reverse engineering, contemporary modularity techniques (e.g., aspect-oriented programming and feature-oriented programming), and formal methods. The special issue is intended to cover a wide range of topics, from theoretical foundations to empirical studies, with all of them presenting innovative ideas on the interplay of exception handling and software engineering.
Topics of interest include (but are not limited to) the following:
- Exceptions in software processes
- Empirical studies of exception handling
- Exception documentation
- Exception handling and requirements engineering
- Exception handling and architectural design
- Design patterns and anti-patterns, architectural styles, and good programming practice cookbooks
- Static analysis and testing of exception handling
- Refactoring and evolution of exception handling code
- Exceptions and variability management
- Comparative studies of innovative exception handling techniques and conventional ones
- Exception handling and contemporary modularization techniques (e.g., aspect-oriented programming and feature-oriented programming)
- Exception handling and variability mechanisms
- Metrics and quality models for abnormal behaviour
- Exception handling and middleware design
- Model-driven engineering for exception handling
- Exception handling in multi-agent systems
- Development of predictive models of defect rates
- Checked versus unchecked exceptions
-------------------------------------------------------------------------

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================
http://cisr.nps.edu/jobscipher.html

Posted January 2009
Temple University
Department of Computer and Information Science
Philadelphia, PA
Senior Faculty Position - Associate or Full Professor
Open until filled
http://www.temple.edu/cis/news/index.html#SeniorFacultyPosition

Posted January 2009
Iowa State University
Department of Electrical and Computer Engineering
Ames, IA
Faculty Positions at All Levels - Assistant or Associate or Full Professor
Open until filled
http://www.ece.iastate.edu/jobs/faculty-positions.html

Posted December 2008
DePaul University
College of Computing and Digital Media
Chicago, IL
Assistant/Associate Professor in Information Assurance
Application review will begin in January 2009
http://www.cdm.depaul.edu/aboutcdm/Pages/JobsatCTI.aspx

--------------
This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".
   OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL
http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at
http://www.computer.org/TCsignup/index.htm

______________________________________________________________________
TC Publications for Sale
______________________________________________________________________

IEEE Security and Privacy Symposium

The 2007 proceedings are available in hardcopy for $30.00, the 28 year CD is $20.00, plus shipping and handling. The 2006 Symposium proceedings and 11-year CD are sold out. The 2005, 2004, and 2003 Symposium proceedings are available for $10 plus shipping and handling. Shipping is $4.00/volume within the US, overseas surface mail is $7/volume, and overseas airmail is $11/volume, based on an order of 3 volumes or less. The shipping charge for a CD is $1 per CD (no charge if included with a hard copy order).

Send a check made out to the IEEE Symposium on Security and Privacy to the 2007 treasurer (below) with the order description, including shipping method, and send email to the 2007 Registration Chair (Yong Guan) (oakland07-registration @ ieee-security.org) with the shipping address, please.
Terry Benzel
Treasurer, IEEE Security and Privacy
USC Information Sciences Institute
4676 Admiralty Way
Marina Del Rey, CA 90292
(310) 822-1511

IEEE CS Press

You may order some back issues from IEEE CS Press at
http://www.computer.org/cspress/catalog/proc9.htm

Computer Security Foundations Symposium

Copies of the proceedings of the Computer Security Foundations Workshop (now Symposium) are available for $10 each. Copies of proceedings are available starting with year 10 (1997). Photocopy versions of year 1 are also $10. Contact Jonathan Herzog if interested in purchase.

Jonathan Herzog
jherzog@alum.mit.edu

____________________________________________________________________________
TC Officer Roster
____________________________________________________________________________

Chair:
Yong Guan
Iowa State University
Computer Engineering and University and Information Assurance Center
Ames, IA 50011
(515) 294-8378 (voice)
guan@iastate.edu

Security and Privacy Chair Emeritus:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department, Code CS/IC
Monterey CA 93943-5118
(831) 656-2461 (voice)
irvine@nps.edu

Vice Chair:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Salem, UT 84653
hilarie @purplestreak.com

Chair, Subcommittee on Academic Affairs:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department, Code CS/IC
Monterey CA 93943-5118
(831) 656-2461 (voice)
irvine@nps.edu

Treasurer:
Terry Benzel
USC Information Sciences Intnl
4676 Admiralty Way, Suite 1001
Los Angeles, CA 90292
(310) 822-1511 (voice)
tbenzel @isi.edu

Chair, Subcomm. on Security Conferences:
Jonathan Millen
The MITRE Corporation, Mail Stop S119
202 Burlington Road Rte. 62
Bedford, MA 01730-1420
781-271-51 (voice)
jmillen@mitre.org

Security and Privacy Symposium 2009 General Chair:
David Du
Department of Computer Science and Engineering
University of Minnesota
Minneapolis, MN 55455
oakland09-chair@ieee-security.org

Newsletter Editor:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Salem, UT 84653
cipher-editor@ieee-security.org

________________________________________________________________________
BACK ISSUES: Cipher is archived at:
http://www.ieee-security.org/cipher.html