============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 94                                     January 19, 2010

Hilarie Orman, Editor                  Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org      cipher-assoc-editor @ ieee-security.org

Yong Guan  Book Review Editor  Calendar Editor
cipher-bookrev @ ieee-security.org     cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * Commentary and Opinion
    o Richard Austin's review of '24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them' by Michael Howard, David Leblanc and John Viega
    o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
 * News Items
    o NIST press release, Special publication on Key Management
    o Chaos Communication Conference: How you can build an eavesdropper for a quantum cryptosystem
    o RSA Challenge Modulus, 768 Bits, Factored. From Ars Technica, by John Timmer
    o German government warns against using Microsoft Internet Explorer.
      From BBC News, by Daniel Emery
 * Conference and Workshop Announcements
    o Upcoming calls-for-papers and events
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Staying in Touch
    o Information for subscribers and contributors
    o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
    o Becoming a member of the TC
    o TC Officers
    o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

The plans for the 30th anniversary celebration of the Security and Privacy Symposium this May are well underway, and there will be a gala awards dinner with master of ceremonies Peter Neumann. Registration will open soon, and you can register for the full conference (at the Claremont Resort, as always) or just the awards dinner on May 17, at the Pauley Ballroom on the University of California campus.

I was dismayed to read about the recent practical demonstration of a vulnerability in quantum key distribution. Although the method has limited applicability and is not in widespread use, it had a lustre of unbreakable security founded in physical principles. What a shame to learn that it can also break down in the actual physical world. Engineering scores another triumph over theory.

See Richard Austin's review of the "24 Sins", a book devoted to trying to engineer security errors out of software, for more examples of how engineers try to cope with reality, or read any online security news publication to hear about the 0-day exploit used against Microsoft's Internet Explorer in recent days.

The victory of machine over large numbers in the recent factorization of a 768-bit RSA public key modulus is another reminder that our reliance on theory requires constant vigilance of the progress of practical mathematicians.
Although 1024-bit moduli are not yet in danger, cryptography remains a delicate balancing act between practice and theory.

Hoping your keys are safe for now,

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
News Briefs
====================================================================

12/28/09, NIST press release, Special publication on Key Management

NIST is proud to announce the publication of NIST Special Publication (SP) 800-57, RECOMMENDATION FOR KEY MANAGEMENT, Part 3: Application-Specific Key Management Guidance. This SP is intended to help system administrators and system installers adequately secure applications based on product availability and organizational needs, and to support organizational decisions about future procurements. The guide also provides information for end users regarding application options left under their control in normal use of the application.

Recommendations are given for a select set of applications, namely: Public Key Infrastructures (PKI), Internet Protocol Security (IPsec), Transport Layer Security (TLS), Secure/Multipurpose Internet Mail Extensions (S/MIME), Kerberos, Over-the-Air Rekeying of Digital Radios (OTAR), Domain Name System Security Extensions (DNSSEC) and Encrypted File Systems (EFS).

The document is available at http://csrc.nist.gov/publications/PubsSPs.html.

Elaine Barker
National Institute of Standards and Technology
301-975-2911

________________________________________________________________________
26th Chaos Communication Congress
How you can build an eavesdropper for a quantum cryptosystem
________________________________________________________________________

This presentation will show the first experimental implementation of an eavesdropper for a quantum cryptosystem.
Although quantum cryptography has been proven unconditionally secure, by exploiting physical imperfections (detector vulnerability) we have successfully built an intercept-resend attack and demonstrated eavesdropping under realistic conditions on an installed quantum key distribution line. The actual eavesdropping hardware we have built will be shown during the conference.

Quantum cryptography, being based on the laws of physics, was claimed to be much more secure than all classical cryptography schemes. (Un)fortunately, physical hardware is not beyond evil control: We present a successful attack on an existing quantum key distribution system exploiting a photon detector vulnerability which is probably present in all existing devices. Without Alice and Bob losing their faith in their secure communication, we recorded 100% of the supposedly secret key.

Single photon detectors based on passively quenched avalanche photodiodes are used in a number of quantum key distribution experiments. A vulnerability has been found in which these detectors can be temporarily blinded and then forced to produce a click [1]. An attack exploiting this vulnerability against a free-space polarization based quantum cryptosystem [2,3] is feasible. By controlling the polarization of a bright beam the eavesdropper Eve can force any detector of her choice to fire in the legitimate receiver Bob, such that she gets full control of it without introducing additional errors. This allows Eve to run an intercept-resend attack without getting caught, and obtain a full copy of the transmitted secret key.

We have fully demonstrated this attack under realistic conditions on an installed fiber optic quantum key distribution system. The system uses polarization encoding over 290 m of optical fiber spanning four buildings. A complete eavesdropper has been built, inserted at a mid-way point in the fiber line, and 100% of the secret key information has been recorded.
Under attack, no significant changes in the system operating parameters have been observed by the legitimate users, who have happily continued to generate their 'secret' key.

[1] V. Makarov, New J. Phys. 11, 065003 (2009).
[2] I. Marcikic, A. Lamas-Linares, C. Kurtsiefer, Appl. Phys. Lett. 89, 101122 (2006).
[3] M. P. Peloso et al., New J. Phys. 11, 045007 (2009).

_________________________________________________________________________
RSA Challenge Modulus, 768 Bits, Factored
From Ars Technica, http://arstechnica.com/security/news/2010/01/768-bit-rsa-cracked-1024-bit-safe-for-now.ars
by John Timmer, January 10, 2010

Using some new advances in practical factoring methods, an international team has factored a 768-bit challenge number, a number of the kind that is typical in public key cryptography. The team published a technical report (http://eprint.iacr.org/2010/006.pdf) explaining their work.

____________________________________________________________________
German government warns against using MS Internet Explorer
By Daniel Emery
Technology Reporter, BBC News
http://news.bbc.co.uk/2/hi/technology/8463516.stm

The BBC News article reports that a serious flaw in Microsoft's Internet Explorer has been utilized in attacks against Google's Gmail, and especially against Chinese dissidents.
Because there is as yet no patch for the problem, the German government issued a statement advising its citizens to find alternative browsers.

____________________________________________________________________
News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Richard Austin
1/16/2010
____________________________________________________________________

24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them
by Michael Howard, David Leblanc and John Viega

McGraw-Hill 2010.
ISBN 978-0-07-162675-0
amazon.com USD 31.49

If a profession as young as information security can be said to have classic literature then the predecessor to this book, "19 Deadly Sins of Software Security," certainly earned that accolade. Published in 2005, it clearly described 19 of the most egregious errors in programming, illustrated them with numerous examples, described the testing techniques that could be used to identify them and provided paths to redemption that would avoid them in the first place.

This set a very high standard for any second edition and I think the authors have succeeded in both updating the content (things have changed in some ways since 2005) and improving the organization of the book.

The sins are now organized into four major categories reflecting the area where the sins occur:

 1. Web Application Sins: SQL injection, XSS, etc.
 2. Implementation Sins: buffer overflows, etc.
 3. Cryptographic Sins: weak passwords, the incorrect use of encryption, etc.
 4. Networking Sins: failing to protect network traffic, using SSL improperly, etc.

Like its predecessor, each sin has its own chapter that follows a common format. The chapter opens with an overview of the sin that includes the consequences that can follow from its presence in a deployed application (such as failing to meet regulatory compliance mandates). Next, CWE (Common Weakness Enumeration) references are provided and languages which can commit the sin are listed (a welcome feature to counteract the "you can't write vulnerable software in language X" mantra). The sin is then explained in detail with concise illustrations in the various languages.

With a good grasp of the sin and its manifestations, the discussion then moves to tactics for dealing with it. First, solid guidance is given on how to "spot" the sin by describing the general conditions that must exist in order for the sin to occur. Next, advice is given on identifying the sin during code review (specific things to look for) and testing techniques that can be used to identify the sin's presence. Example CVE references are provided to remind the reader that these sins do manage to creep into widely used software systems. The next section describes the paths to redemption that can prevent the sin from worming its way into your code. The redemptive steps are illustrated in multiple languages. The chapter then concludes with an extensive list of references and a concise summary of the chapter.

Read from cover to cover, this book will give you a good grasp of the common problems in software that generate the vulnerabilities we spend much of our professional lives mitigating. However, as noted in the introduction, the sections (and chapters) are designed to be standalone. So, if you are developing a new web application, you can spend your quality time with just that section. If your application makes use of a SQL database (whose doesn't these days?), you can read just the chapter on SQL injection sins.
This book is a worthy successor to the "19 Deadly Sins", and the authors managed to "top" themselves by writing a better organized and more inclusive book the second time around. Going from 19 to 24 deadly sins might cause some to say we're headed in the wrong direction but a careful reader will note that some of the original 19 sins have disappeared and been replaced. That is cause for hope.

This is an excellent book to put on your shelf but I hope you won't leave it there. Do share it with software development managers and the software developers (in chapter doses if necessary). If we do this often enough and well enough, maybe the next edition will be the 18 deadly sins and won't include any of the present 24.

-----------------
Before beginning life as an itinerant university instructor and security curmudgeon, Richard Austin was the storage network security architect for a Fortune 25 company. He welcomes your thoughts and comments at rausti19 at Kennesaw dot edu

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events
maintained by Hilarie Orman

Date (Month/Day/Year), Event, Locations, web page for more info.
1/15/10: SACMAT, 15th ACM Symposium on Access Control Models and Technologies, Pittsburgh, PA, USA; http://www.sacmat.org; Submissions are due
1/16/10: SADFE, 5th International Workshop on Systematic Approaches to Digital Forensic Engineering, Held in conjunction with the IEEE Symposium on Security and Privacy (SP 2010), Oakland/Berkeley, CA, USA; http://conf.ncku.edu.tw/sadfe/sadfe10/; Submissions are due
1/20/10: Trust, 3rd International Conference on Trust and Trustworthy Computing, Berlin, Germany; http://www.trust2010.org/; Submissions are due
1/22/10: ICDCS-SPCC, 1st International Workshop on Security and Privacy in Cloud Computing (ICDCS-SPCC), Held in conjunction with the IEEE International Conference on Distributed Computing Systems (ICDCS 2010), Genoa, Italy; http://www.ece.iit.edu/~ubisec/workshop.htm; Submissions are due
1/25/10- 1/28/10: FC, Financial Cryptography and Data Security, Tenerife, Canary Islands, Spain; http://fc10.ifca.ai/
1/28/10- 1/29/10: WECSR, Workshop on Ethics in Computer Security Research, Held in conjunction with the 14th International Conference on Financial Cryptography and Data Security (FC 2010), Tenerife, Canary Islands, Spain; http://www.cs.stevens.edu/~spock/wecsr2010/
1/31/10: IFIP-TC9-HCC9, IFIP TC-9 HCC-9 Stream on Privacy and Surveillance, Held in conjunction with the IFIP World Computer Congress 2010, Brisbane, Australia; http://www.wcc2010.org/migrated/HCC92010/HCC92010_cfp.html; Submissions are due
2/ 1/10: International Journal of Secure Software Engineering (IJSSE), Special Issue on Software Safety & Dependability - the Art of Engineering Trustworthy Software; http://www.igi-global.com/journals/details.asp?id=34297; Submissions are due
2/ 3/10: SECRYPT, 5th International Conference on Security and Cryptography, Athens, Greece; http://www.secrypt.icete.org; Submissions are due
2/ 3/10- 2/ 4/10: ESSoS, 2nd International Symposium on Engineering Secure Software and Systems, Pisa, Italy;
          http://distrinet.cs.kuleuven.be/events/essos2010
2/ 4/10: D-SPAN, 1st International Workshop on Data Security and PrivAcy in Wireless Networks, Held in conjunction with WoWMoM 2010, Montreal, QC, Canada; http://home.gwu.edu/~nzhang10/DSPAN2010/; Submissions are due
2/ 4/10- 2/ 5/10: COSADE, 1st Workshop on Constructive Side-channel analysis and Secure Design, Darmstadt, Germany; http://cosade2010.cased.de/
2/ 5/10: ACNS, 8th International Conference on Applied Cryptography and Network Security, Beijing, China; http://www.tcgchina.org/acns2010/; Submissions are due
2/ 5/10: DBSec, 24th Annual IFIP WG 11.3 Working Conference on Data and Applications Security, Rome, Italy; http://dbsec2010.dti.unimi.it; Submissions are due
2/ 5/10: DIMVA, 7th Conference on Detection of Intrusions and Malware and Vulnerability Assessment, Bonn, Germany; http://www.dimva.org/dimva2010; Submissions are due
2/ 5/10: USENIX-Security, 19th USENIX Security Symposium, Washington, DC, USA; http://www.usenix.org/events/sec10/cfp/; Submissions are due
2/ 7/10: EuroSec, European Workshop on System Security, Held in conjunction with the Annual ACM SIGOPS EuroSys conference, Paris, France; http://www.iseclab.org/eurosec-2010/; Submissions are due
2/ 7/10: OWASP-AppSec-Research, OWASP AppSec Research 2010, Stockholm, Sweden; http://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm,_Sweden; Submissions are due
2/ 8/10: POLICY, IEEE International Symposium on Policies for Distributed Systems and Networks, Fairfax, Virginia, USA; http://www.ieee-policy.org; Submissions are due
2/15/10: SHPCS, 5th Workshop on Security and High Performance Computing Systems, Held in conjunction with the 6th International Wireless Communications and Mobile Computing Conference (IWCMC 2010), Caen, Normandy, France; http://leibniz.diiga.univpm.it/~spalazzi/caen/; Submissions are due
2/15/10- 2/18/10: SecSE, 4th International Workshop on Secure Software Engineering, Held in conjunction with the 5th International
          Conference on Availability, Reliability and Security (ARES 2010), Krakow, Poland; http://www.sintef.org/secse
2/15/10- 2/18/10: SPattern, 4th International Workshop on Secure systems methodologies using patterns, Held in conjunction with the 5th International Conference on Availability, Reliability and Security (ARES 2010), Krakow, Poland; http://www-ifs.uni-regensburg.de/spattern10/
2/17/10- 2/19/10: SNDS, 18th Euromicro International Conference on Parallel, Distributed and network-based Processing, Special Session on Security in Networked and Distributed Systems, Pisa, Italy; http://www.comsec.spb.ru/SNDS10/
2/22/10: WEIS, 9th Workshop on the Economics of Information Security, Harvard University, Cambridge, MA, USA; http://weis2010.econinfosec.org/cfp.html; Submissions are due
2/22/10: Journal of Computer Security, Special Issue on RFID System Security; http://icsd.i2r.a-star.edu.sg/staff/jianying/JCS_CFP_final.pdf; Submissions are due
2/22/10- 2/23/10: RFIDsec, The 2010 Workshop on RFID Security, Singapore; http://rfidsec2010.i2r.a-star.edu.sg/
2/22/10: TaPP, 2nd Workshop on the Theory and Practice of Provenance, Held in conjunction with the 8th USENIX Conference on File and Storage Technologies (FAST 2010), San Jose, CA, USA; http://www.usenix.org/events/tapp10/cfp/
2/25/10: LEET, 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More, Held in conjunction with the 7th USENIX Symposium on Networked Systems Design and Implementation (NSDI 2010), San Jose, CA, USA; http://www.usenix.org/events/leet10/cfp/; Submissions are due
2/26/10: TSP, 3rd IEEE International Symposium on Trust, Security and Privacy for Emerging Applications, Bradford, UK; http://trust.csu.edu.cn/conference/tsp2010/Call_for_Papers.htm; Submissions are due
2/28/10- 3/ 3/10: NDSS, 17th Annual Network and Distributed System Security Symposium, San Diego, CA, USA; http://www.isoc.org/isoc/conferences/ndss/10/cfp.shtml
3/ 5/10: SOUPS, Symposium On Usable
          Privacy and Security, Redmond, WA, USA; http://cups.cs.cmu.edu/SOUPS/; Submissions are due
3/ 7/10: MMM-ACNS, 5th International Conference on Mathematical Methods, Models, and Architectures for Computer Networks Security, St. Petersburg, Russia; http://comsec.spb.ru/mmm-acns10/; Submissions are due
3/13/10: IH, 12th Information Hiding Conference, Calgary, Alberta, Canada; http://ih2010.cpsc.ucalgary.ca; Submissions are due
3/14/10- 3/17/10: IFIP-CIP, 4th Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, Fort McNair, Washington, DC, USA; http://www.ifip1110.org
3/19/10: HOST, IEEE International Symposium on Hardware-Oriented Security and Trust, Anaheim, California, USA; http://www.engr.uconn.edu/HOST/; Submissions are due
3/22/10- 3/24/10: WiSec, 3rd ACM Conference on Wireless Network Security, Stevens Institute of Technology, Hoboken, NJ, USA; http://www.sigsac.org/wisec/WiSec2010
3/22/10- 3/26/10: SAC-CF, 25th ACM Symposium on Applied Computing, Computer Forensics Track, Sierre, Switzerland; http://comp.uark.edu/~bpanda/sac2010cfp.pdf
3/22/10- 3/26/10: SAC-TRECK, 25th ACM Symposium on Applied Computing, Trust, Reputation, Evidence and other Collaboration Know-how Track, Sierre, Switzerland; http://www.trustcomp.org/treck/
3/22/10- 3/26/10: SAC-ISRA, 25th ACM Symposium on Applied Computing, Information Security Research and Applications Track, Sierre, Switzerland; http://www.albany.edu/~er945/CfP_SAC2010_ISRA.html
3/22/10- 3/26/10: SAC-SEC, 25th ACM Symposium on Applied Computing, Computer Security Track, Sierre, Switzerland; http://www.dmi.unict.it/~giamp/sac/10cfp.html
3/29/10- 4/ 2/10: SESOC, International Workshop on SECurity and SOCial Networking, Mannheim, Germany; http://www.sesoc.org
4/ 1/10: ESORICS, 15th European Symposium on Research in Computer Security, Athens, Greece; http://www.esorics2010.org; Submissions are due
4/ 1/10: IDMAN, 2nd IFIP WG 11.6 Working Conference on Policies & Research in Identity Management,
          Oslo, Norway; http://ifipidman2010.nr.no/ifipidman2010/index.php5/Main_Page; Submissions are due
4/ 2/10- 4/ 4/10: AH, 1st ACM Augmented Human International Conference, Megève ski resort, France; http://www.augmented-human.com/
4/ 3/10: PST, 8th International Conference on Privacy, Security and Trust, Ottawa, Canada; http://pstnet.unb.ca/pst2010; Submissions are due
4/ 5/10: SECURECOMM, 6th International Conference on Security and Privacy in Communication Networks, Singapore; http://www.securecomm.org/; Submissions are due
4/ 9/10: HealthSec, 1st USENIX Workshop on Health Security and Privacy, Washington DC, USA; http://www.usenix.org/healthsec10/cfpa/; Submissions are due
4/13/10: EuroSec 2010 European Workshop on System Security, Held in conjunction with the Annual ACM SIGOPS EuroSys conference, Paris, France; http://www.iseclab.org/eurosec-2010/
4/13/10- 4/14/10: WISTP, 4th Workshop on Information Security Theory and Practice, Passau, Germany; http://www.wistp.org/
4/13/10- 4/15/10: IDtrust, 9th Symposium on Identity and Trust on the Internet, Gaithersburg, Maryland, USA; http://middleware.internet2.edu/idtrust/2010/
4/13/10- 4/16/10: ASIACCS, 5th ACM Symposium on Information, Computer and Communications Security, Beijing, China; http://www.dacas.cn/asiaccs2010
4/20/10: RFIDSec, 6th Workshop on RFID Security, Istanbul, Turkey; http://www.projectice.eu/rfidsec10/index.html; Submissions are due
4/20/10: SIN, 3rd International Conference on Security of Information and Networks, Taganrog, Rostov-on-Don, Russia; http://www.sinconf.org/sin2010/; Submissions are due
4/27/10: LEET, 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More, Held in conjunction with the 7th USENIX Symposium on Networked Systems Design and Implementation (NSDI 2010), San Jose, CA, USA; http://www.usenix.org/events/leet10/cfp/
5/16/10- 5/19/10: SP, 31st IEEE Symposium on Security and Privacy, 30th Anniversary Conference and Awards Dinner, The
          Claremont Resort, Oakland/Berkeley, CA, USA; http://oakland10.cs.virginia.edu/cfp.html
5/20/10: SADFE, 5th International Workshop on Systematic Approaches to Digital Forensic Engineering, Held in conjunction with the IEEE Symposium on Security and Privacy (SP 2010), Oakland/Berkeley, CA, USA; http://conf.ncku.edu.tw/sadfe/sadfe10/
5/26/10- 5/28/10: MOBISEC, 2nd International ICST Conference on Security and Privacy in Mobile Information and Communication Systems, Catania, Sicily; http://mobisec.org/
6/ 7/10- 6/ 8/10: WEIS, 9th Workshop on the Economics of Information Security (WEIS), Harvard University, Cambridge, MA, USA; http://weis2010.econinfosec.org/cfp.html
6/ 8/10- 6/10/10: RFIDSec, 6th Workshop on RFID Security, Istanbul, Turkey; http://www.projectice.eu/rfidsec10/index.html
6/ 9/10- 6/11/10: SACMAT, 15th ACM Symposium on Access Control Models and Technologies, Pittsburgh, PA, USA; http://www.sacmat.org
6/13/10: SA&PS4CS, 1st International Workshop on Scientific Analysis and Policy Support for Cyber Security, Held in conjunction with the 5th International Conference on Mathematical Methods, Models, and Architectures for Computer Networks Security (MMM-ACNS 2010), St.
          Petersburg, Russia; http://www.comsec.spb.ru/saps4cs10/; Submissions are due
6/13/10- 6/14/10: HOST, IEEE International Symposium on Hardware-Oriented Security and Trust, Anaheim, California, USA; http://www.engr.uconn.edu/HOST/
6/14/10: D-SPAN, 1st International Workshop on Data Security and PrivAcy in wireless Networks, Held in conjunction with WoWMoM 2010, Montreal, QC, Canada; http://home.gwu.edu/~nzhang10/DSPAN2010/
6/16/10- 6/18/10: IFIP-TM, 4th IFIP International Conference on Trust Management, Morioka, Japan; http://www.ifip-tm2010.org/
6/21/10- 6/23/10: Trust, 3rd International Conference on Trust and Trustworthy Computing, Berlin, Germany; http://www.trust2010.org/
6/21/10- 6/23/10: DBSec, 24th Annual IFIP WG 11.3 Working Conference on Data and Applications Security, Rome, Italy; http://dbsec2010.dti.unimi.it
6/21/10- 6/24/10: OWASP-AppSec-Research, OWASP AppSec Research 2010, Stockholm, Sweden; http://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm,_Sweden
6/22/10- 6/25/10: ACNS, 8th International Conference on Applied Cryptography and Network Security, Beijing, China; http://www.tcgchina.org/acns2010/
6/25/10: HST, 10th IEEE International Conference on Technologies for Homeland Security, Waltham, MA, USA; http://ieee-hst.org/; Submissions are due
6/25/10: ICDCS-SPCC, 1st International Workshop on Security and Privacy in Cloud Computing (ICDCS-SPCC), Held in conjunction with the IEEE International Conference on Distributed Computing Systems (ICDCS 2010), Genoa, Italy; http://www.ece.iit.edu/~ubisec/workshop.htm
6/28/10- 6/30/10: IH, 12th Information Hiding Conference, Calgary, Alberta, Canada; http://ih2010.cpsc.ucalgary.ca
6/28/10- 7/ 2/10: SHPCS, 5th Workshop on Security and High Performance Computing Systems, Held in conjunction with the 6th International Wireless Communications and Mobile Computing Conference (IWCMC 2010), Caen, Normandy, France; http://leibniz.diiga.univpm.it/~spalazzi/caen/
6/29/10- 7/ 1/10: TSP, 3rd IEEE International Symposium on Trust, Security and Privacy for Emerging Applications, Bradford, UK; http://trust.csu.edu.cn/conference/tsp2010/Call_for_Papers.htm
7/ 8/10- 7/ 9/10: DIMVA, 7th Conference on Detection of Intrusions and Malware and Vulnerability Assessment, Bonn, Germany; http://www.dimva.org/dimva2010
7/14/10- 7/16/10: SOUPS, Symposium On Usable Privacy and Security, Redmond, WA, USA; http://cups.cs.cmu.edu/SOUPS/
7/21/10- 7/23/10: POLICY, IEEE International Symposium on Policies for Distributed Systems and Networks, Fairfax, Virginia, USA; http://www.ieee-policy.org
7/26/10- 7/28/10: SECRYPT, 5th International Conference on Security and Cryptography, Athens, Greece; http://www.secrypt.icete.org
8/10/10: HealthSec, 1st USENIX Workshop on Health Security and Privacy, Washington DC, USA; http://www.usenix.org/healthsec10/cfpa/
8/11/10- 8/13/10: USENIX-Security, 19th USENIX Security Symposium, Washington, DC, USA; http://www.usenix.org/events/sec10/cfp/
8/17/10- 8/19/10: PST, 8th International Conference on Privacy, Security and Trust, Ottawa, Canada; http://pstnet.unb.ca/pst2010
9/ 6/10- 9/ 9/10: MMM-ACNS, 5th International Conference on Mathematical Methods, Models, and Architectures for Computer Networks Security, St.
          Petersburg, Russia; http://comsec.spb.ru/mmm-acns10/
9/ 7/10- 9/10/10: SECURECOMM, 6th International Conference on Security and Privacy in Communication Networks, Singapore; http://www.securecomm.org/
9/ 7/10- 9/11/10: SIN, 3rd International Conference on Security of Information and Networks, Taganrog, Rostov-on-Don, Russia; http://www.sinconf.org/sin2010/
9/ 9/10: SA&PS4CS, 1st International Workshop on Scientific Analysis and Policy Support for Cyber Security, Held in conjunction with the 5th International Conference on Mathematical Methods, Models, and Architectures for Computer Networks Security (MMM-ACNS 2010), St. Petersburg, Russia; http://www.comsec.spb.ru/saps4cs10/
9/20/10- 9/22/10: ESORICS, 15th European Symposium on Research in Computer Security, Athens, Greece; http://www.esorics2010.org
9/20/10- 9/23/10: IFIP-TC9-HCC9, IFIP TC-9 HCC-9 Stream on Privacy and Surveillance, Held in conjunction with the IFIP World Computer Congress 2010, Brisbane, Australia; http://www.wcc2010.org/migrated/HCC92010/HCC92010_cfp.html
11/ 8/10-11/10/10: HST, 10th IEEE International Conference on Technologies for Homeland Security, Waltham, MA, USA; http://ieee-hst.org/
11/18/10-11/19/10: IDMAN, 2nd IFIP WG 11.6 Working Conference on Policies and Research in Identity Management, Oslo, Norway; http://ifipidman2010.nr.no/ifipidman2010/index.php5/Main_Page

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers (new since Cipher E93)
____________________________________________________________________

SACMAT 2010 15th ACM Symposium on Access Control Models and Technologies, Pittsburgh, PA, USA, June 9-11, 2010.
http://www.sacmat.org/ (Submissions due 15 January 2010)

Papers offering novel research contributions in all aspects of access control are solicited for submission to the ACM Symposium on Access Control Models and Technologies (SACMAT).
The missions of the symposium are to share novel access control solutions that fulfill the needs of heterogeneous applications and environments and to identify new directions for future research and development. SACMAT gives researchers and practitioners a unique opportunity to share their perspectives with others interested in the various aspects of access control. Topics of interest include:
- Access control models and extensions
- Access control requirements
- Access control design methodology
- Access control mechanisms, systems, and tools
- Access control in distributed and mobile systems
- Access control for innovative applications
- Administration of access control policies
- Delegation
- Identity management
- Policy/Role Engineering
- Safety analysis and enforcement
- Standards for access control
- Trust management
- Trust models
- Theoretical foundations for access control models
- Usage control

-------------------------------------------------------------------------

SADFE 2010 5th International Workshop on Systematic Approaches to Digital Forensic Engineering, Held in conjunction with the IEEE Symposium on Security and Privacy (SP 2010), Oakland/Berkeley, CA, USA, May 20, 2010.
http://conf.ncku.edu.tw/sadfe/sadfe10/ (Submissions due 16 January 2010)

The SADFE (Systematic Approaches to Digital Forensic Engineering) Workshop promotes systematic approaches to computer investigations, by furthering the advancement of digital forensic engineering as a disciplined science and practice. Most previous SADFE papers have emphasized cyber crime investigations and digital forensics tools. While these are still key topics of the meeting, we also welcome digital forensics papers that do not necessarily involve either crime or digital forensics tools. General attack analysis, the insider threat, insurance and compliance investigations, similar forms of retrospective analysis, and digital discovery are all viable topics.
Digital forensic engineering is the application of scientific principles to the collection and analysis of digital artifacts, either for use within the legal system or to aid in understanding past events with the goal of improving computer system security.
-------------------------------------------------------------------------
Trust 2010 3rd International Conference on Trust and Trustworthy Computing, Berlin, Germany June 21-23, 2010.
http://www.trust2010.org/ (Submissions due 20 January 2010)

Building on the success of Trust 2009 (held at Oxford, UK) and Trust 2008 (Villach, Austria), this conference focuses on trusted and trustworthy computing, both from the technical and social perspectives. The conference itself will have two main strands, one devoted to technical aspects and one devoted to the socio-economic aspects of trusted computing. This call for papers is for contributions to the technical strand - a separate call is issued for contributions to the socio-economic strand of the conference. The conference solicits original papers on any aspect of the design and application of trusted and trustworthy computing, which concerns a broad range of concepts including trustworthy infrastructures, services, hardware, software and protocols.
Topics of interest include, but are not limited to:
- Architecture and implementation technologies for trusted platforms and trustworthy infrastructures
- Mobile trusted computing
- Implementations of trusted computing (covering both hardware and software)
- Applications of trusted computing
- Trustworthy infrastructures and services for cloud computing
- Attestation and possible variants (e.g., property-based attestation, runtime attestation)
- Cryptographic aspects of trusted computing
- Security hardware, i.e., hardware with cryptographic and security functions, including physically unclonable functions (PUFs)
- Hardware Trojans (detection, prevention)
- Intrusion resilience in trusted computing
- Virtualisation for trusted platforms
- Security policy and management of trusted computing
- Access control for trusted platforms
- Privacy aspects of trusted computing
- Verification of trusted computing architectures
- End-user interactions with trusted platforms
- Limitations of trusted computing
-------------------------------------------------------------------------
ICDCS-SPCC 2010 1st International Workshop on Security and Privacy in Cloud Computing, Held in conjunction with the IEEE International Conference on Distributed Computing Systems (ICDCS 2010), Genoa, Italy, June 25, 2010.
http://www.ece.iit.edu/~ubisec/workshop.htm (Submissions due 22 January 2010)

Cloud computing has recently emerged as a new information technology infrastructure. In cloud computing, information is permanently stored in large data centers on the Internet and temporarily accessed and cached on clients that include desktops and portable PCs, sensors, etc. With the "cloud" as a metaphor for the Internet, cloud computing promises to deliver massively scalable IT-enabled data, software, and hardware capabilities as a service to external clients using Internet technologies.
Cloud computing has been envisioned as the key technology to achieve economies of scale in the deployment and operation of IT solutions. Cloud computing has unique attributes that raise many security and privacy challenges in areas such as data security, recovery, and privacy, as well as legal issues in areas such as regulatory compliance and auditing. In contrast to traditional enterprise IT solutions, where the IT services are under proper physical, logical and personnel controls, cloud computing moves the application software and databases to the servers in large data centers on the Internet, where the management of the data and services is not fully trustworthy. When clients store their data on the server without themselves possessing a copy of it, how can the integrity of the data be ensured if the server is not fully trustworthy? Will encryption solve the data confidentiality problem of sensitive data? How will encryption affect dynamic data operations such as query, insertion, modification, and deletion? Data in the cloud is typically in a shared environment alongside data from other clients. How should data segregation be done while data are stored, executed, and transmitted? How are the virtualized resources managed and secured in the cloud? Due to the fundamental paradigm shift in cloud computing, many security concerns have to be better understood, unanticipated vulnerabilities identified, and viable solutions to critical threats devised, before the wide deployment of cloud computing techniques can take place.
Topics of interest include (but are not limited to) the following subject categories:
- Secure management of virtualized cloud resources
- Secure network architecture for cloud computing
- Joint security and privacy aware cloud protocol design
- Access control and key management
- Trust and policy management in clouds
- Identification and privacy in cloud
- Remote data integrity protection
- Secure computation outsourcing
- Dynamic data operation security
- Software and data segregation security
- Failure detection and prediction
- Secure data management within and across data centers
- Availability, recovery and auditing
- Secure wireless cloud
-------------------------------------------------------------------------
IFIP-TC9-HCC9 2010 IFIP TC-9 HCC-9 Stream on Privacy and Surveillance, Held in conjunction with the IFIP World Computer Congress 2010, Brisbane, Australia, September 20-23, 2010.
http://www.wcc2010.org/migrated/HCC92010/HCC92010_cfp.html (Submissions due 31 January 2010)

New technical and legal developments pose greater and greater privacy dilemmas. Governments have in recent years increasingly established and legalised surveillance schemes in the form of data retention, communication interception or CCTVs for the reason of fighting terrorism or serious crimes. Surveillance monitoring of individuals is also a threat in the private sector: Private organisations are for instance increasingly using profiling and data mining techniques for targeted marketing, analysing customer buying predictions or social sorting. Work place monitoring practices allow surveillance of employees. Emerging pervasive computing technologies, where individuals are usually unaware of a constant data collection and processing in their surroundings, will even heighten the problem that individuals are effectively losing control over their personal spheres.
At a global scale, Google Earth and other corporate virtual globes may have dramatic consequences for the tracking and sorting of individuals. With CCTV, the controlling power of surveillance is in few hands. With live, high resolution imagery feeds from space in the near future, massive surveillance may soon be available to everybody, a development whose consequences we do not yet grasp. New means of surveillance are also enabled by social networks, in which individuals are publishing many intimate personal details about themselves and others. Such social networks are today already frequently analysed by employers, marketing industry, law enforcement or social engineering. The aim of this conference stream is to discuss and analyse such privacy risks of surveillance for humans and society as well as countermeasures for protecting the individuals' rights to informational self-determination from multi-disciplinary perspectives. We are therefore especially inviting the submissions of papers addressing privacy aspects in relation to topics such as (but not limited to):
- Surveillance technologies
- Corporate virtual globes (Google Earth and Microsoft Virtual Earth)
- Profiling & data mining
- Ambient Intelligence, RFID
- GPS, Location-Based Services
- Social Network Analysis
- ID cards
- Biometrics
- Data sharing
- Visual surveillance
- Workplace monitoring
- Communication interception
- Data retention
- Anonymity & Pseudonymity
- Privacy-enhancing technologies
- Privacy-enhancing Identity Management
-------------------------------------------------------------------------
International Journal of Secure Software Engineering (IJSSE), Special Issue on Software Safety & Dependability - the Art of Engineering Trustworthy Software, January 2011.
http://www.igi-global.com/journals/details.asp?id=34297 (Submissions Due 1 February 2010)

Guest editors: Lei Wu (University of Houston-Clear Lake, Houston, Texas, U.S.A) and Yi Feng (Algoma University, Sault Ste.
Marie, Ontario, Canada)

Software Safety is an element of the total safety program. It optimizes system safety & dependability in the design, development, use, and maintenance of software systems and their integration with safety critical application systems in an operational environment. Increasing size and complexity of software systems makes it harder to ensure their dependability. At the same time, the issues of safety become more critical as we rely more and more on software systems in our daily life. These trends make it necessary to support software engineers with a set of techniques and tools for developing dependable, trustworthy software. Software safety cannot be allowed to function independently of the total effort. Both simple and highly integrated multiple systems are experiencing an extraordinary growth in the use of software to monitor and/or control safety-critical subsystems or functions. A software specification error, design flaw, or the lack of generic safety-critical requirements can contribute to or cause a system failure or erroneous human decision. To achieve an acceptable level of dependability goals for software used in critical applications, software safety engineering must be given primary emphasis early in the requirements definition and system conceptual design process. Safety-critical software must then receive continuous management emphasis and engineering analysis throughout the development and operational lifecycles of the system. In this special issue, we are seeking insights in how we can confront the challenges of software safety & dependability issues in developing dependable, trustworthy software systems.
Some suggested areas include, but are not limited to:
- Safety consistent with mission requirements
- Secure software engineering with software security & trustworthy software development
- State-of-the-art literature review of technology dealing with software system security
- Identification and analysis of safety-critical functionality of complex systems
- Intrusion detection, security management, applied cryptography
- Derive hazards and design safeguards for mitigations
- Safety-Critical functions design and preliminary hazards analysis
- Identification, evaluation, and elimination techniques for hazards associated with the system and its software, throughout the lifecycle
- Complexity of safety critical interfaces, software components
- Sound secure software engineering principles that apply to the design of the software-user interface to minimize the probability of human error
- Failure & hazard models, including hardware, software, human and system are addressed in the design of the software
- Software testing techniques targeting software safety issues at different levels of testing
-------------------------------------------------------------------------
SECRYPT 2010 5th International Conference on Security and Cryptography, Athens, Greece, July 26-28, 2010.
http://www.secrypt.icete.org (Submissions due 3 February 2010)

SECRYPT is an annual international conference covering research in information and communication security. The 5th International Conference on Security and Cryptography will be held in Athens, Greece. The conference seeks submissions from academia, industry, and government presenting novel research on all theoretical and practical aspects of data protection, privacy, applications security, and cryptography. Papers describing the application of security technology, the implementation of systems, and lessons learned are also encouraged.
Areas of interest include, but are not limited to:
- Data and Application Security and Privacy
- Access Control and Intrusion Detection
- Network Security and Protocols
- Cryptographic Techniques and Key Management
- Information Assurance
- Security in Information Systems and Software Engineering
-------------------------------------------------------------------------
D-SPAN 2010 1st International Workshop on Data Security and PrivAcy in wireless Networks, Held in conjunction with WoWMoM 2010, Montreal, QC, Canada, Jun 14, 2010.
http://home.gwu.edu/~nzhang10/DSPAN2010/ (Submissions due 4 February 2010)

This workshop is focused on defining new problems and developing novel techniques for data security and privacy issues in wireless and mobile networks. With the emergence of data-intensive wireless networks such as wireless sensor networks and data-centric mobile applications such as location-based services, the traditional boundaries between these three disciplines are blurring. This workshop solicits papers from two main categories: (1) papers that consider the security and privacy of data collection, transmission, storage, publishing, and sharing in wireless networks broadly defined, e.g., MANET, cellular, vehicular, ad hoc, cognitive, as well as sensor networks, and (2) papers that use data analytics techniques to address security and privacy problems in wireless networks. The workshop provides a venue for researchers to present new ideas with impact on three communities - wireless networks, databases, and security.
The list of topics includes, but is not limited to:
- Fundamental theory of a security network science
- Key exchange, distribution and management in wireless networks
- Location privacy in wireless networks
- Secure data collection and aggregation for wireless sensor networks
- Secure data collection in body-area networks
- Secure data processing in mobile ad-hoc networks (MANET)
- Secure query processing over wireless sensor networks
- Security and privacy of RFID systems
- Security and privacy for data streaming
- Security for cognitive radio networks
- Tradeoffs between Security and Communication Performance
-------------------------------------------------------------------------
ACNS 2010 8th International Conference on Applied Cryptography and Network Security, Beijing, China, June 22-25, 2010.
http://www.tcgchina.org/acns2010/ (Submissions due 5 February 2010)

Original papers on all aspects of applied cryptography and network security are solicited for submission to ACNS '10. Topics of relevance include but are not limited to:
- Applied cryptography and provably-secure cryptographic protocols
- Design and analysis of efficient cryptographic primitives: public-key and symmetric-key cryptosystems, block ciphers, and hash functions
- Network security protocols
- Techniques for anonymity; trade-offs between anonymity and utility
- Integrating security into the next-generation Internet: DNS security, routing, naming, denial-of-service attacks, TCP/IP, secure multicast
- Economic fraud on the Internet: phishing, pharming, spam, and click fraud
- Email and web security
- Public key infrastructure, key management, certification, and revocation
- Security and privacy for emerging technologies: sensor networks, mobile (ad hoc) networks, peer-to-peer networks, bluetooth, 802.11, RFID
- Trust metrics and robust trust inference in distributed systems
- Security and usability
- Intellectual property protection and digital rights management
- Modeling and protocol design for
rational and malicious adversaries
- Automated analysis of protocols
-------------------------------------------------------------------------
DBSec 2010, 24th Annual IFIP WG 11.3 Working Conference on Data and Applications Security, Rome, Italy, June 21-23, 2010.
http://dbsec2010.dti.unimi.it (Submissions due 5 February 2010)

DBSec is an annual international conference covering research in data and applications security and privacy. The 24th Annual IFIP WG 11.3 Working Conference on Data and Applications Security (DBSec 2010) will be held in Rome, Italy. The conference seeks submissions from academia, industry, and government presenting novel research on all theoretical and practical aspects of data protection, privacy, and applications security. Topics of interest include, but are not limited to:
- access control
- anonymity
- applied cryptography in data security
- authentication
- data and system integrity
- data protection
- database security
- digital rights management
- identity management
- intrusion detection
- knowledge discovery and privacy
- methodologies for data and application security
- network security
- organizational security
- privacy
- secure cloud computing
- secure distributed systems
- secure information integration
- secure Web services
- security and privacy in IT outsourcing
- security and privacy in location-based services
- security and privacy in P2P scenarios and social networks
- security and privacy in pervasive/ubiquitous computing
- security and privacy policies
- security management
- security metrics
- threats, vulnerabilities, and risk management
- trust and reputation systems
- trust management
- wireless and mobile security
-------------------------------------------------------------------------
DIMVA 2010 7th Conference on Detection of Intrusions and Malware and Vulnerability Assessment, Bonn, Germany, July 8-9, 2010.
http://www.dimva.org/dimva2010 (Submissions due 5 February 2010)

The annual DIMVA conference serves as a premier forum for advancing the state of the art in intrusion detection, malware detection, and vulnerability assessment. DIMVA's scope includes, but is not restricted to the following areas:

Intrusion Detection
- Novel approaches & new environments
- Insider detection
- Prevention and response
- Data leakage
- Result correlation & cooperation
- Evasion attacks
- Potentials & limitations
- Operational experiences
- Privacy, legal & social aspects

Malware
- Automated analysis, reversing & execution tracing
- Containment & sandboxed operation
- Acquisition of specimen
- Infiltration
- Behavioral models
- Prevention & containment
- Trends & upcoming risks
- Forensics & recovery
- Economic aspects

Vulnerability Assessment
- Vulnerability detection & analysis
- Vulnerability prevention
- Web application security
- Fuzzing techniques
- Classification & evaluation
- Situational awareness
-------------------------------------------------------------------------
USENIX-Security 2010 19th USENIX Security Symposium, Washington, DC, USA, August 11-13, 2010.
http://www.usenix.org/events/sec10/cfp/ (Submissions due 5 February 2010)

The USENIX Security Symposium brings together researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in the security of computer systems and networks. All researchers are encouraged to submit papers covering novel and scientifically significant practical works in security or applied cryptography.
-------------------------------------------------------------------------
EuroSec 2010 European Workshop on System Security, Held in conjunction with the Annual ACM SIGOPS EuroSys conference, Paris, France, April 13, 2010.
http://www.iseclab.org/eurosec-2010/ (Submissions due 7 February 2010)

The workshop aims to bring together researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in the security of computer systems and networks. The focus of the workshop is on novel, practical, systems-oriented work. EuroSec seeks contributions on all aspects of systems security. Topics of interest include (but are not limited to):
- Operating systems security
- Web/network/distributed systems security
- New attacks and evasion techniques
- Hardware architectures
- Trusted computing and its applications
- Identity management, anonymity
- Small trusted computing bases
- Mobile systems security
- Measuring security
- Malicious code analysis and detection
- Systems-based forensics
- Systems work on fighting spam/phishing
-------------------------------------------------------------------------
OWASP-AppSec-Research 2010 OWASP AppSec Research 2010, Stockholm, Sweden, June 21-24, 2010.
http://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm,_Sweden. (Submissions due 7 February 2010)

OWASP AppSec Research focuses on web application security and invites both academia and industry. The conference features a full-paper research track published by Springer-Verlag (LNCS) as well as industry talks and demos. OWASP (the Open Web Application Security Project) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted.
We encourage the publication and presentation of new tools, new methods, empirical data, novel ideas, and lessons learned in the following areas:
- Web application security
- Security aspects of new/emerging web technologies/paradigms (mashups, web 2.0, offline support, etc)
- Security in web services, REST, and service oriented architectures
- Security in cloud-based services
- Security of frameworks (Struts, Spring, ASP.Net MVC etc)
- New security features in platforms or languages
- Next-generation browser security
- Security for the mobile web
- Secure application development (methods, processes etc)
- Threat modeling of applications
- Vulnerability analysis (code review, pentest, static analysis etc)
- Countermeasures for application vulnerabilities
- Metrics for application security
- Application security awareness and education
-------------------------------------------------------------------------
POLICY 2010 IEEE International Symposium on Policies for Distributed Systems and Networks, Fairfax, Virginia, USA, July 21-23, 2010.
http://www.ieee-policy.org (Submissions due 8 February 2010)

The symposium brings together researchers and practitioners working on policy-based systems across a range of application areas including policy-based networking, privacy and security management, storage area networking, and enterprise systems. POLICY 2010 has grown out of a highly successful series of workshops and this is recognized by the elevation of the event to an IEEE symposium. POLICY 2010 invites novel contributions on all aspects of policy-based management.
Topics of interest include (but are not limited to):
- Privacy and Security
- Policy Models and Languages
- Policy Applications
-------------------------------------------------------------------------
SHPCS 2010 5th Workshop on Security and High Performance Computing Systems, Held in conjunction with the 6th International Wireless Communications and Mobile Computing Conference (IWCMC 2010), Caen, Normandy, France, June 28 - July 2, 2010.
http://leibniz.diiga.univpm.it/~spalazzi/caen/ (Submissions due 15 February 2010)

Providing high performance computing and security is a challenging task. Internet, operating systems and distributed environments currently suffer from poor security support and cannot resist common attacks. Adding security measures typically degrades performance. This workshop addresses relationships between security and high performance computing systems in three directions. First, it considers how to add security properties (authentication, confidentiality, integrity, non-repudiation, access control) to high performance computing systems. In this case, safety properties can also be addressed, such as availability and fault tolerance for high performance computing systems. Second, it covers how to use high performance computing systems to solve security problems. For instance, a grid computation can break an encryption code, or a cluster can support high performance intrusion detection. More generally, this topic addresses every efficient use of a high performance computing system to improve security. Third, it investigates the tradeoffs between maintaining high performance and achieving security in computing systems and solutions to balance the two objectives. In all these directions, various performance analyses or monitoring techniques can be conducted to show the efficiency of a security infrastructure.
The workshop seeks submissions from academia and industry presenting novel research on all theoretical and practical aspects of computer and network security, as well as case studies and implementation experiences. Papers should have practical relevance to the construction, evaluation, application, or operation of secure systems. The Workshop topics include (but are not limited to) the following:
- Access Control
- Accounting and Audit
- Anonymity
- Applied Cryptography
- Authentication
- Cloud Security
- Commercial and Industry Security
- Cryptographic Protocols
- Data and Application Security
- Data/System Integrity
- Database Security
- Digital Rights Management
- Formal Verification of Secure Systems
- Identity Management
- Inference/Controlled Disclosure
- Information Warfare
- Intellectual Property Protection
- Intrusion and Attack Detection
- Intrusion and Attack Response
- Key Management
- Privacy-Enhancing Technology
- Secure Networking
- Secure System Design
- Security Monitoring & Management
- Security for Mobile Code
- Security for Specific Domains (e.g., E-Government, E-Business, P2P)
- Security in IT Outsourcing
- Security in Mobile and Wireless Networks
- Security in Untrusted & Adversarial Environments and Systems
- Security in Operating Systems
- Security Location Services
- Security of Grid and Cluster Architectures
- Security Visualization
- Smartcards
- Trust Management Policies
- Trust Models
- Web Security
- Web Services Security
-------------------------------------------------------------------------
Journal of Computer Security, Special Issue on RFID System Security, 4th Quarter, 2010.
http://icsd.i2r.a-star.edu.sg/staff/jianying/JCS_CFP_final.pdf (Submissions Due 22 February 2010)

Guest editors: Yingjiu Li (Singapore Management University, Singapore) and Jianying Zhou (Institute for Infocomm Research, Singapore)

Besides selected papers (after significant extensions) from the 2010 Workshop on RFID Security (RFIDsec'10 Asia), other papers representing original research in the theory and practice concerning RFID system security are solicited for this special issue in Journal of Computer Security (IOS Press). Topics of interest include, but are not limited to:
- New applications for secure RFID systems
- Data protection and privacy-enhancing techniques for RFID
- Cryptographic protocols for RFID (Authentication protocols, Key update mechanisms, Scalability issues)
- Integration of secure RFID systems (Middleware and security, Public-key infrastructures)
- Resource-efficient implementation of cryptography (Small-footprint hardware, Low-power architectures)
- Attacks on RFID systems such as RFID malware
- RFID security hardware such as RFID with PUF
- Trust model, data protection and sharing for EPCglobal Network
-------------------------------------------------------------------------
WEIS 2010 9th Workshop on the Economics of Information Security (WEIS), Harvard University, Cambridge, MA, USA, June 7-8, 2010.
http://weis2010.econinfosec.org/cfp.html (Submissions due 22 February 2010)

The Workshop on the Economics of Information Security (WEIS) is the leading forum for interdisciplinary scholarship on information security, combining expertise from the fields of economics, social science, business, law, policy and computer science. Prior workshops have explored the role of incentives between attackers and defenders, identified market failures dogging Internet security, and assessed investments in cyber-defense.
This workshop will build on past efforts using empirical and analytic tools to not only understand threats, but also strengthen security through novel evaluations of available solutions. How should information risk be modeled given the constraints of rare incidence and high interdependence? How do individuals' and organizations' perceptions of privacy and security color their decision making? How can we move towards a more secure information infrastructure and code base while accounting for the incentives of stakeholders? We encourage economists, computer scientists, business school researchers, legal scholars, security and privacy specialists, as well as industry experts to submit their research and attend the workshop. Suggested topics include (but are not limited to) empirical and theoretical studies of:
- Optimal investment in information security
- Online crime (including botnets, phishing and spam)
- Models and analysis of online crime
- Risk management and cyberinsurance
- Security standards and regulation
- Cybersecurity policy
- Privacy, confidentiality and anonymity
- Behavioral security and privacy
- Security models and metrics
- Psychology of risk and security
- Vulnerability discovery, disclosure, and patching
- Cyberwar strategy and game theory
- Incentives for information sharing and cooperation
-------------------------------------------------------------------------
LEET 2010 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More, Held in conjunction with the 7th USENIX Symposium on Networked Systems Design and Implementation (NSDI 2010), San Jose, CA, USA, April 27, 2010.
http://www.usenix.org/events/leet10/cfp/ (Submissions due 25 February 2010)

LEET aims to provide a unique forum for the discussion of threats to the confidentiality of our data, the integrity of digital transactions, and the dependability of the technologies we increasingly rely on.
We encourage submissions of papers that focus on the malicious activities themselves (e.g., reconnaissance, exploitation, privilege escalation, rootkit installation, attack), our responses as defenders (e.g., prevention, detection, and mitigation), or the social, political, and economic goals driving these malicious activities and the legal and ethical codes guiding our defensive responses. Topics of interest include but are not limited to:
- Infection vectors for malware (worms, viruses, etc.)
- Botnets, command, and control channels
- Spyware
- Operational experience
- Forensics
- Click fraud
- Measurement studies
- New threats and related challenges
- Boutique and targeted malware
- Phishing
- Spam
- Underground markets
- Carding and identity theft
- Miscreant counterintelligence
- Denial-of-service attacks
- Hardware vulnerabilities
- Legal issues
- The arms race (rootkits, anti-anti-virus, etc.)
- New platforms (cellular networks, wireless networks, mobile devices)
- Camouflage and detection
- Reverse engineering
- Vulnerability markets and zero-day economics
- Online money laundering
- Understanding the enemy
- Data collection challenges
-------------------------------------------------------------------------
TSP 2010 3rd IEEE International Symposium on Trust, Security and Privacy for Emerging Applications, Bradford, UK, June 29-July 1, 2010.
http://trust.csu.edu.cn/conference/tsp2010/Call_for_Papers.htm (Submissions due 26 February 2010)

Satisfying user requirements for trust, security and privacy in an efficient way is one of the first considerations for almost all emerging applications, using emerging technologies such as pervasive computing, peer to peer computing, grid computing, cloud computing, virtualization, and mobile and wireless technologies. Challenges arise as emerging applications evolve to provide more scalable and comprehensive services.
One of the biggest challenges is that traditional security technologies and measures may not meet user requirements in open, dynamic, heterogeneous, and distributed computing environments. Therefore, we need to build networks and systems in which emerging applications allow users to enjoy more scalable and comprehensive services while preserving trust, security and privacy at the same time. TSP-10 aims at bringing together researchers and practitioners in the world working on trust, security, privacy, and related issues such as technical, social, and cultural implications for all emerging devices, services, applications, networks, and systems, and providing a forum for them to present and discuss emerging ideas and trends in this highly challenging research area.
-------------------------------------------------------------------------
SOUPS 2010 Symposium On Usable Privacy and Security, Redmond, WA, USA, July 14-16, 2010.
http://cups.cs.cmu.edu/SOUPS/ (Submissions due 5 March 2010)

The 2010 Symposium on Usable Privacy and Security (SOUPS) will bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy. We invite authors to submit original papers describing research or experience in all areas of usable privacy and security.
Topics include, but are not limited to: - innovative security or privacy functionality and design - new applications of existing models or technology - field studies of security or privacy technology - usability evaluations of new or existing security or privacy features - security testing of new or existing usability features - longitudinal studies of deployed security or privacy features - the impact of organizational policy or procurement decisions - lessons learned from the deployment and use of usable privacy and security features ------------------------------------------------------------------------- MMM-ACNS 2010 5th International Conference on Mathematical Methods, Models, and Architectures for Computer Networks Security, St. Petersburg, Russia, http://comsec.spb.ru/mmm-acns10/ September 6-9, 2010. (Submissions due 7 March 2010) MMM-ACNS-2010 aims at bringing together leading researchers from academia and governmental organizations as well as practitioners to advance the states of the art and practice in the area of computer networks and information security with a focus on novel theoretical aspects of computer network security, facilitate personal interactions and discussions on various aspects of information technologies in conjunction with computer network and information security problems arising in large-scale computer networks. 
MMM-ACNS-2010's scope includes, but is not restricted to the following areas: - Adaptive security - Anti-malware techniques: detection, analysis, prevention - Anti-phishing, anti-spam, anti-fraud, anti-botnet techniques - Authentication, Authorization and Access Control - Computer and network forensics - Covert channels - Critical infrastructure protection - Data and application security - Data mining, machine learning, and bio-inspired approaches for security - Deception systems and honeypots - Denial-of-service attacks and countermeasures - Digital Rights Management - eCommerce, eBusiness and eGovernment security - Formal analysis of security properties - Information warfare - Internet and web security - Intrusion prevention, detection, and response - Language-based security - Network survivability - New ideas and paradigms for security - Operating system security - Security and privacy in pervasive and ubiquitous computing - Security event processing and predictive security monitoring - Security for cloud computing - Security for large-scale systems and critical infrastructures - Security of emerging technologies: sensor, wireless/mobile, peer-to-peer and overlay networks - Security of autonomous agents and multi-agent systems - Security modeling and simulation - Security policies - Security protocols - Security verification - Self-protecting and healing - Software protection - Trusted computing - Trust and reputation management - Vulnerability assessment, risk analysis and risk management ------------------------------------------------------------------------- IH 2010 12th Information Hiding Conference, Calgary, Alberta, Canada, June 28 - 30, 2010. http://ih2010.cpsc.ucalgary.ca (Submissions due 13 March 2010) For many years, Information Hiding has captured the imagination of researchers. Digital watermarking and steganography protect information, conceal secrets or are used as core primitives in digital rights management schemes. 
Steganalysis and forensics pose important challenges to investigators; and privacy techniques try to hide relational information such as the actors' identities in anonymous communication systems. These and other topics share the notion that security is defined by the difficulty to make (or avoid) inference on certain properties of host data, which therefore has to be well understood and modeled. Current research themes include: - Anonymity and privacy - Covert/subliminal channels - Digital rights management - Fingerprinting and embedding codes - Multimedia and document security - Multimedia forensics and counter forensics - Novel applications of information hiding - Other data hiding domains (e.g. text, software, etc.) - Security metrics for information hiding - Steganography and steganalysis - Theoretical aspects of information hiding and detection - Watermarking (algorithms, security, attacks) ------------------------------------------------------------------------- HOST 2010 IEEE International Symposium on Hardware-Oriented Security and Trust, Anaheim, California, USA, June 13-14, 2010. http://www.engr.uconn.edu/HOST/ (Submissions due 19 March 2010) HOST covers security and trust issues in all types of electronic devices and systems such as ASICs, COTS, FPGAs, microprocessors/DSPs, and embedded systems. The mission of HOST is to provide a forum for the presentation and discussion of research that is of critical significance to the security of, and trust in, modern society's microelectronic-supported infrastructures. Papers and presentations that address any of the following "hot topics" are of high interest to the symposium. 
Papers addressing HOST issues outside of these areas will be considered equally relevant in the review process: - Trojan Detection and Isolation - Authenticating Foundry of Origin - Side Channel Analysis/Attacks - Watermarking - FPGA Design Security - Hardware focused Cryptography - IC Metering - Physical Unclonable Functions - Embedded and Distributed Systems Security - Hardware Intrusion Detection and Prevention - Security Engineering - Scan chain Encryption ------------------------------------------------------------------------- ESORICS 2010 15th European Symposium on Research in Computer Security, Athens, Greece, September 20-22, 2010. http://www.esorics2010.org (Submissions due 1 April 2010) ESORICS is the annual European research event in Computer Security. The Symposium started in 1990 and has been held in several European countries, attracting a wide international audience from both the academic and industrial communities. Papers offering novel research contributions in computer security are solicited for submission to the Symposium. The primary focus is on original, high quality, unpublished research and implementation experiences. We encourage submissions of papers discussing industrial research and development. 
Papers should focus on topics such as: - Access Control - Accountability - Anonymity - Applied Cryptography - Attacks and Viral Software - Authentication and Delegation - Data Integrity - Database Security - Inference Control - Identity Management - Information Flow Control - Intrusion Tolerance - Formal Security Methods - Language-based Security - Network Security - Privacy Enhancing Technologies - Risk Analysis and Management - Secure Electronic Voting - Security Architectures - Security Economics - Security for Mobile Code - Security for Dynamic Coalitions - Security in Location Services - Security in Social Networks - Security Models - Security Verification - System Security - Trust Models and Management - Trust Theories - Trustworthy User Devices ------------------------------------------------------------------------- IDMAN 2010 2nd IFIP WG 11.6 Working Conference on Policies & Research in Identity Management, Oslo, Norway, November 18-19, 2010. http://ifipidman2010.nr.no/ifipidman2010/index.php5/Main_Page (Submissions due 1 April 2010) Papers offering research contributions focusing on identity management in general and surveillance and monitoring in particular are solicited for submission to the 2nd IFIP WG-11.6 International Conference on Identity Management. 
Papers may present theory, applications or practical experiences in the field of national identity management, from both a technical and a social perspective, including, but not necessarily limited to: - History - Law - Philosophical and ethical aspects - Economics Impact of surveillance and monitoring in both the physical world and in cyberspace - Impact on society and politics - Impact on e-government and e-government applications - Consecutive developments in social tracking, -tracing and -sorting - Quality of identity management in general - Quality identity data, processes and applications - Security and identity management - User centered, usable and inclusive identity management - Attacks on identity management infrastructure and procedures Central storage of general and biometric identity data - Effectiveness of surveillance and monitoring in fighting terrorism, international crime and human trafficking - Methods of identification and authentication - Models of identification procedures - Models of inclusive identification and authentication procedures - Government PKI - (Possible) role of pseudonymous and anonymous identity in identity management - Electronic Ids European and worldwide policies and cooperation in the field of identity management and surveillance and monitoring - (Inter)national policies on unique identifiers /social security numbers / personalisation IDs - (Inter)national applications of biometrics - Vulnerabilities of electronic identification protocols - Federative identity management and de-perimetrization - Fraud, fraud detection, fraud resistance of technologies - Biometric verification, assurance, metrics and measurements - Fraud resistance of biometrics - Junction between (large scale) applications of identity management and surveillance and monitoring - Data Protection - Privacy and Privacy Enhancing Technologies (PETs) in identity management - Privacy Intrusion Technologies (PITs) in identity management - Privacy side-effects and 
privacy risks assessment of identity management Intelligence and (inter)national threats - Impersonation, identity fraud, identity forge and identity theft - Tracing, monitoring and forensics ------------------------------------------------------------------------- PST 2010 8th International Conference on Privacy, Security and Trust, Ottawa, Canada, August 17-19, 2010. http://pstnet.unb.ca/pst2010 (Submissions due 3 April 2010) PST2010 provides a forum for researchers world-wide to unveil their latest work in privacy, security and trust and to show how this research can be used to enable innovation. This year's theme is "Privacy, Security and Trust by Design: PbD - The Gold Standard." With the growth and ubiquity of data in today's hyper-networked world, the need for trust has become more critical than ever. We need new paradigms that seek to integrate and build privacy, security and trustworthiness directly into technologies and systems from the outset and by default. PST2010 will include an Industry Day followed by two days of high-quality research papers whose topics include, but are NOT limited to, the following: - Privacy Preserving / Enhancing Technologies - Trust Technologies, Technologies for Building Trust in e-Business Strategy - Critical Infrastructure Protection - Observations of PST in Practice, Society, Policy and Legislation - Network and Wireless Security - Digital Rights Management - Operating Systems Security - Identity and Trust management - Intrusion Detection Technologies - PST and Cloud Computing - Secure Software Development and Architecture - Human Computer Interaction and PST - PST Challenges in e-Services - Implications of, and Technologies for, Lawful Surveillance - Network Enabled Operations - Biometrics, National ID Cards, Identity Theft - Advanced Training Tools - PST and Web Services / SOA - Information Filtering, Data Mining & Knowledge from Data - Privacy, Traceability, and Anonymity - National Security and Public Safety - Trust and 
Reputation in Self-Organizing Environments - Security Metrics - Anonymity and Privacy vs. Accountability - Recommendation, Reputation and Delivery Technologies - Access Control and Capability Delegation - Continuous Authentication - Representations and Formalizations of Trust in Electronic and Physical Social Systems ------------------------------------------------------------------------- SECURECOMM 2010 6th International Conference on Security and Privacy in Communication Networks, Singapore, September 7-10, 2010. http://www.securecomm.org/ (Submissions due 5 April 2010) SecureComm'10 seeks high-quality research contributions in the form of well developed papers. Topics of interest encompass research advances in ALL areas of secure communications and networking. Topics in other areas (e.g., formal methods, database security, secure software, applied cryptography) will also be considered if a clear connection to private or secure communications/networking is demonstrated. ------------------------------------------------------------------------- HealthSec 2010 1st USENIX Workshop on Health Security and Privacy, Washington, DC, USA, August 10, 2010. http://www.usenix.org/healthsec10/cfpa/ (Submissions due 9 April 2010) HealthSec '10 is intended as a forum for lively discussion of aggressively innovative and potentially disruptive ideas on all aspects of medical and health security and privacy. A fundamental goal of the workshop is to promote cross-disciplinary interactions between fields, including, but not limited to, technology, medicine, and policy. Surprising results and thought-provoking ideas will be strongly favored; complete papers with polished results in well-explored research areas are comparatively discouraged. 
Workshop topics are solicited in all areas relating to healthcare information security and privacy, including: - Security and privacy models for healthcare information systems - Industrial experiences in healthcare information systems - Deployment of open systems for secure and private use of healthcare information technology - Security and privacy threats against and countermeasures for existing and future medical devices - Regulatory and policy issues of healthcare information systems - Privacy of medical records - Usability issues in healthcare information systems - Threat models for healthcare information systems ------------------------------------------------------------------------- RFIDSec 2010 6th Workshop on RFID Security, Istanbul, Turkey, June 8-10, 2010. http://www.projectice.eu/rfidsec10/index.html (Submissions due 20 April 2010) The workshop focuses on approaches to solve security and data-protection issues in advanced contactless technologies like RFID. It stresses implementation aspects imposed by resource constraints. Topics of the conference include but are not limited to: - New applications for secure RFID systems - Data protection and privacy-enhancing techniques for RFID - Cryptographic protocols for RFID (Authentication protocols, Key update mechanisms, Scalability issues) - Integration of secure RFID systems (Middleware and security, Public-key infrastructures, Case studies) - Resource-efficient implementation of cryptography (Small-footprint hardware, Low-power architectures) - Attacks on RFID systems - RFID security hardware e.g. RFID with PUF, RFID Trojans ------------------------------------------------------------------------- SIN 2010 3rd International Conference on Security of Information and Networks, Taganrog, Rostov-on-Don, Russia, September 7-11, 2010. (Submissions due 20 April 2010) Papers addressing all aspects of security in information and networks are being sought. 
Researchers working on the following and related subjects are especially encouraged: realization of security schemes, new algorithms, experimenting with existing approaches; secure information systems, especially distributed control and processing applications, and security in networks; interoperability, service levels and quality issues in such systems; information assurance, security, and public policy. Topics of the conference include but are not limited to: - Access control and intrusion detection - Autonomous and adaptive security - Cryptographic techniques and key management - Information assurance - Network security and protocols - Security in information systems - Security tools and development platforms - Security ontology, models, protocols & policies - Secure ontology-based systems - Standards, guidelines and certification - Security-aware software engineering - Trust and privacy ------------------------------------------------------------------------- SA&PS4CS 2010 1st International Workshop on Scientific Analysis and Policy Support for Cyber Security, Held in conjunction with the 5th International Conference on Mathematical Methods, Models, and Architectures for Computer Networks Security (MMM-ACNS 2010), St. Petersburg, Russia, September 9, 2010. http://www.comsec.spb.ru/saps4cs10/ (Submissions due 13 June 2010) The workshop is dedicated to the methods of scientific analysis and policy support for response to cyber intrusions and attacks. The main topics of the SA&PS4CS'2010 are detection, discrimination, and attribution of various activities of malefactors and response to cyber intrusions and attacks including national level information operations as well as identifying emergent cyber technologies supporting social and political activity management and trans-national distributed computing management. 
------------------------------------------------------------------------- HST 2010 10th IEEE International Conference on Technologies for Homeland Security, Waltham, MA, USA, November 8-10, 2010. http://ieee-hst.org/ (Submissions due 25 June 2010) The tenth annual IEEE Conference on Technologies for Homeland Security will focus on innovative technologies for deterring and preventing attacks, protecting critical infrastructure and individuals, and mitigating damage and expediting recovery. Submissions are desired in the broad areas of critical infrastructure and key resources protection (CIKR), border protection and monitoring, and disaster recovery and response, with application within about five years. ------------------------------------------------------------------------- ==================================================================== Listing of academic positions available by Cynthia Irvine ==================================================================== http://cisr.nps.edu/jobscipher.html -------------- This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil ==================================================================== Information on the Technical Committee on Security and Privacy ==================================================================== ____________________________________________________________________ Information for Subscribers and Contributors ____________________________________________________________________ SUBSCRIPTIONS: Two options, each with two options: 1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe". 
OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself) 2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard". OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself) To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples. 
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors. ____________________________________________________________________ Recent Address Changes ____________________________________________________________________ Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html _____________________________________________________________________ How to become a member of the IEEE Computer Society's TC on Security and Privacy _____________________________________________________________________ You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at http://www.computer.org/TCsignup/index.htm ______________________________________________________________________ TC Publications for Sale ______________________________________________________________________ IEEE Security and Privacy Symposium The 2009 hardcopy proceedings are not available. The DVD with all technical papers from all years of the SP Symposium and the CSF Symposium is $12, plus shipping and handling. The 2008 hardcopy proceedings are $10 plus shipping and handling; the 29 year CD is $10.00 The 2007 proceedings are available in hardcopy for $10.00, the 28 year CD is $10.00, plus shipping and handling. The 2006 Symposium proceedings and 11-year CD are sold out. The 2005, 2004, and 2003 Symposium proceedings are available for $10 plus shipping and handling. Shipping is $5.00/volume within the US, overseas surface mail is $8/volume, and overseas airmail is $14/volume, based on an order of 3 volumes or less. The shipping charge for a CD is $1 per CD (no charge if included with a hard copy order). 
Send a check made out to the IEEE Symposium on Security and Privacy to the 2010 treasurer (below) with the order description, including shipping method and shipping address.

Al Shaffer
Treasurer, IEEE Symposium Security and Privacy 2010
Glasgow East Annex, Rm. 218 (GE-218)
1411 Cunningham Rd.
Naval Postgraduate School
Monterey, CA 93943
831/656\3319, voice
oakland10-treasurer@ieee-security.org

IEEE CS Press

You may order some back issues from IEEE CS Press at http://www.computer.org/cspress/catalog/proc9.htm

Computer Security Foundations Symposium

Copies of the proceedings of the Computer Security Foundations Workshop (now Symposium) are available for $10 each. Copies of proceedings are available starting with year 10 (1997). Photocopy versions of year 1 are also $10. Contact Jonathan Herzog if interested in purchase.

Jonathan Herzog
jherzog@alum.mit.edu

____________________________________________________________________________
TC Officer Roster
____________________________________________________________________________

Chair:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
ieee-chair@purplestreak.com

Security and Privacy Symposium Chair Emeritus:
David Du
Department of Computer Science and Engineering
University of Minnesota
Minneapolis, MN 55455
du@umn.edu

Vice Chair:
Sven Dietrich
Department of Computer Science
Stevens Institute of Technology
+1 201 216 8078
spock AT cs.stevens.edu

Chair, Subcommittee on Academic Affairs:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department, Code CS/IC
Monterey CA 93943-5118
(831) 656-2461 (voice)
irvine@nps.edu

Treasurer:
Terry Benzel
USC Information Sciences Intnl
4676 Admiralty Way, Suite 1001
Los Angeles, CA 90292
(310) 822-1511 (voice)
tbenzel @isi.edu

Chair, Subcomm. on Security Conferences:
Jonathan Millen
The MITRE Corporation, Mail Stop S119
202 Burlington Road Rte. 62
Bedford, MA 01730-1420
781-271-51 (voice)
jmillen@mitre.org

Newsletter Editor:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium: General Chair 2010
Ulf Lindqvist
SRI
Menlo Park, CA
(650)859-2351 (voice)
ulf.lindqvist@sri.com

________________________________________________________________________
BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year