============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 100                                    January 19, 2011

Hilarie Orman, Editor                   Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org       cipher-assoc-editor @ ieee-security.org

Yong Guan                               Calendar Editor
Book Review Editor                      cipher-cfp @ ieee-security.org
cipher-bookrev @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * Commentary and Opinion
     o Richard Austin's review of "SQL Injection Attacks and Defense" by Justin Clarke
     o Book Announcement, "Surveillance or Security?: The Risks Posed by New Wiretapping Technologies" by Susan Landau
 * News
     o Stuxnet and Its Centrifuge Rampage
     o Was Conficker a Stuxnet Precursor?
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Conference and Workshop Announcements
     o Upcoming calls-for-papers and events
 * Staying in Touch
     o Information for subscribers and contributors
     o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
     o Becoming a member of the TC
     o TC Officers
     o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

Though we do not have a Cipher article this month about the Stuxnet malware, I think that almost everyone in the security world already knows about it. This landmark piece of carefully crafted software, designed to damage equipment used in producing material for nuclear devices, signals that malware is on the forefront of international espionage, and defensive security is a distant runner in that race.

Our own current pet peeve is privacy, specifically privacy when using popular social networking (PSN) services. Dismayed by finding many sites gleefully welcoming us with our photo from a PSN site, we have found it necessary to cleanse the web browser carefully after visiting that PSN site. We now understand some news reports that mention users who find it expedient to disable their PSN accounts when they are not logged in.

The program for the Security and Privacy Symposium will be announced soon, and this year there will be three associated workshops: Web 2.0 Security (W2SP); Systematic Approaches to Digital Forensic Engineering (SADFE); and Community Workshop on Ethical Guidelines for Security Research. Watch the website (http://www.ieee-security.org/TC/SP2011) for news.

Finally, I'd like to note a small event: the 100th electronic edition of Cipher. Under the guidance of Carl Landwehr, the newsletter was an early adopter of web technology.

Do you know where that USB stick has been?

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Richard Austin   01/14/2011
____________________________________________________________________

SQL Injection Attacks and Defense
by Justin Clarke
Syngress 2009.
ISBN 978-1-59749-424-3
amazon.com USD31.94
Table of Contents: http://www.syngress.com/hacking-and-penetration-testing/SQL-Injection-Attacks-and-Defense/

The book is structured into three basic parts - identification, exploitation and defense.

In the identification section, Clarke reviews how injection vulnerabilities are discovered either through "black box" testing of exposed web interfaces or "white box" code reviews. The testing material illustrates the use of proxies to capture full interactions with the application and explores notable topics such as "blind" injection where the application doesn't directly display database information. The code review material includes examples of regular expressions that can be used to sift the source code for potentially vulnerable areas worthy of further study.

The exploitation section reveals how a discovered vulnerability is actually used to accomplish access to information or the underlying operating system. Coverage is both practical and well-illustrated with examples. Of particular note is his coverage of exfiltration techniques: how to get database information out of the organization while evading input sanitization filters.

The defense section is paradoxically the shortest section of the book and covers defensive techniques at both the code and platform levels. The beauty of these two brief chapters is their solid advice on how to properly use defenses such as parameterized statements and input validation.

The book closes with a reference chapter that includes a primer on the SQL language and concise summaries of key concepts and techniques.

This is a practical book and is clearly intended for the technical security professional. Though it is largely self-contained, some background knowledge of database and web application technologies will aid in understanding code samples and details of attack and defense.
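The review names parameterized statements and input validation as the book's core defenses, and regular-expression sifting of source code as a code-review aid. The following is an added example, not code from the book or from Cipher, that demonstrates all three with Python's sqlite3 module on a constructed users table and a constructed source listing; the username alphabet and the sifter patterns are assumptions.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The 'before' form: the caller's string is spliced into the SQL text,
    so a quote character in the input changes the statement's structure."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The hardened form: the statement text is fixed and the value travels
    separately, so the input is only ever compared as data."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Allow-list validation for a username field: a second layer, not a
# substitute for parameters (the permitted alphabet is an assumption).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


# Code-review sifter of the kind the identification chapter describes:
# flag lines that execute a SQL statement assembled by concatenation,
# %-formatting, str.format() or an f-string. It is a triage aid: every hit
# still needs a human look, and it misses statements built on an earlier line.
SQL_KEYWORD_RE = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE|DROP)\b", re.IGNORECASE)
STRING_BUILD_RE = re.compile(r"""(["']\s*\+|\+\s*["']|["']\s*%|\.format\(|\bf["'])""")


def find_suspect_lines(source: str) -> list:
    """Return 1-based line numbers of execute() calls whose SQL text is
    assembled from other strings rather than bound as parameters."""
    hits = []
    for number, line in enumerate(source.splitlines(), start=1):
        if "execute" in line and SQL_KEYWORD_RE.search(line) and STRING_BUILD_RE.search(line):
            hits.append(number)
    return hits


# Constructed source listing to run the sifter over: lines 1, 3 and 4 build
# the statement from data; lines 2 and 5 use bound parameters.
SAMPLE_SOURCE = """\
cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
cur.execute("SELECT * FROM users WHERE name = ?", (name,))
cur.execute("DELETE FROM sessions WHERE id = %s" % sid)
cur.execute(f"UPDATE users SET email = '{email}' WHERE id = {uid}")
cur.execute("INSERT INTO log VALUES (?, ?)", (who, what))
"""

if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"  # input containing a quote, to show the difference
    print("concatenated query returns", len(lookup_vulnerable(conn, crafted)), "rows")
    print("parameterized query returns", len(lookup_parameterized(conn, crafted)), "rows")
    print("allow-list accepts the input:", is_valid_username(crafted))
    print("suspect source lines:", find_suspect_lines(SAMPLE_SOURCE))
```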
Clarke has done the security community a great service by concentrating in a single resource a masterful overview of the practical methods of database attack and defense. Whether you are a professional penetration tester or charged with defending your organization's database assets, this book is definitely a recommended read.

----------
Richard Austin MS, CISSP (http://cse.spsu.edu/raustin2) spent 30+ years in the IT industry holding positions ranging from software developer to security architect before becoming a semi-retired, part-time academic. He welcomes your thoughts and comments on this review at raustin2 at spsu dot edu.

____________________________________________________________________
Book Announcement   01/18/2011
____________________________________________________________________

Surveillance or Security?: The Risks Posed by New Wiretapping Technologies
by Susan Landau
MIT Press, 2011.
ISBN 978-0262015301.
Pre-order price at amazon.com USD 17.79

This just-announced book can be pre-ordered from Amazon.com:

"Governments have been trying to control the Internet since the early 1990s, when they realized that it would change everything and they didn't understand how. Much of the 1990s was spent on the Crypto Wars, as governments tried to control surveillance online. One of the veterans, Susan Landau, gives us a perspective on where the battle lines are now and where surveillance is likely to go in the future."
--Ross J. Anderson, Professor of Security Engineering, University of Cambridge

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

------------------------------------------------------------
Stuxnet and Its Centrifuge Rampage
01/15/2011, New York Times,
http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html

An intricate and carefully directed piece of computer malware caused malfunction and perhaps even damage to centrifuges used in producing nuclear device material in Iran.

------------------------------------------------------------
Why the Stuxnet worm could be Conficker's cousin
January 19, 2011, USA Today
http://content.usatoday.com/communities/technologylive/post/2011/01/why-the-stuxnet-worm-could-be-confickers-cousin-/1

Was Conficker a precursor to Stuxnet? A Finnish security analyst thinks the software shows similarities.

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html

--------------
This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

Posted January 2011
California State University, Fullerton
Fullerton, California
Assistant Professor, tenure-track
Application review will commence on January 17, 2011 and continue until filled
http://diversity.fullerton.edu

Posted January 2011
Polytechnic Institute of NYU
Brooklyn, New York
Asst., Assoc. or Full Professor
Position open until filled
http://www.poly.edu/academics/departments/computer/faculty-search/cybersecurity

Posted December 2010
Internetworked Systems Security Network (NSERC ISSNet)
Location: One of eight cities across Canada
Postdoctoral Fellowships
Accepting applications in 2011 until positions are filled
https://www.issnet.ca/call_for_post-doc_fellows

Posted October 2010 (updated December 2010)
Rutgers University
Management Science and Information Systems Department
Piscataway, New Jersey
Tenure-track Assistant/Associate professor
Applications received by February 1, 2011 are given full consideration
http://www.business.rutgers.edu/files/msis_communications_of_the_acm.pdf

====================================================================
Conference and Workshop Announcements
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events
maintained by Hilarie Orman

Date (Month/Day/Year), Event, Locations, web page for more info.
 1/17/11: CSC, Workshop on Cryptography and Security in Clouds, Zurich, Switzerland; http://www.zurich.ibm.com/~cca/csc2011/; Submissions are due
 1/19/11: HOST, 4th IEEE International Symposium on Hardware-Oriented Security and Trust, San Diego, CA, USA; http://www.engr.uconn.edu/HOST/; Submissions are due
 1/21/11: ACNS, 9th International Conference on Applied Cryptography and Network Security, Nerja, Malaga, Spain; http://www.isac.uma.es/acns2011/; Submissions are due
 1/21/11: DIMVA, 8th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Amsterdam, The Netherlands; http://www.dimva.org/dimva2011; Submissions are due
 1/25/11: LEET, 4th USENIX Workshop on Large-Scale Exploits and Emergent Threats, Boston, MA, USA; http://www.usenix.org/events/leet11/cfp/; Submissions are due
 1/30/11- 2/ 2/11: IFIP-DF, 7th Annual IFIP WG 11.9 International Conference on Digital Forensics, Orlando, FL, USA; http://www.ifip119.org
 1/31/11: IH, 13th Information Hiding Conference, Prague, Czech Republic; http://www.ihconference.org/; Submissions are due
 2/ 4/11: D-SPAN, 2nd IEEE International Workshop on Data Security and PrivAcy in wireless Networks, Held in conjunction with IEEE WoWMoM 2011, Lucca, Italy; http://home.gwu.edu/~nzhang10/DSPAN2011/; Submissions are due
 2/ 6/11- 2/ 9/11: NDSS, Network & Distributed System Security Symposium, San Diego, CA, USA; http://hotcrp.cylab.cmu.edu/ndss11/
 2/ 9/11: CSF, 24th IEEE Computer Security Foundations Symposium, Domaine de l'Abbaye des Vaux-de-Cernay, France; http://csf2011.inria.fr/; Submissions are due
 2/ 9/11- 2/10/11: ESSoS, International Symposium on Engineering Secure Software and Systems, Madrid, Spain; http://distrinet.cs.kuleuven.be/events/essos2011/
 2/10/11: USENIX Security, 20th USENIX Security Symposium, San Francisco, CA, USA; https://db.usenix.org/events/sec11/cfp/; Submissions are due
 2/14/11: SAR/SSI, International Conference on Network and Information Systems Security, La Rochelle, France; http://sarssi-conf.org; Submissions are due
 2/14/11: DBSec, 25th Annual WG 11.3 Conference on Data and Applications Security and Privacy, Richmond, Virginia, USA; http://www.egr.vcu.edu/dbsec2011/; Submissions are due
 2/14/11- 2/16/11: FSE, 18th International Workshop on Fast Software Encryption, Lyngby, Denmark; http://fse2011.mat.dtu.dk/
 2/14/11- 2/18/11: CT-RSA, RSA Conference, The Cryptographers' Track, San Francisco, CA, USA; http://ct-rsa2011.di.uoa.gr
 2/15/11: TRUST, 4th International Conference on Trust and Trustworthy Computing, Pittsburgh, PA, USA; http://www.trust2011.org; Submissions are due
 2/15/11: ID, ACM/Springer International Workshop on Identity: Security, Management & Applications, Kochi, Kerala, India; http://www.acc-rajagiri.org/ID2011.html; Submissions are due
 2/18/11: SADFE, International Workshop on Systematic Approaches to Digital Forensic Engineering, Held in conjunction with the IEEE Symposium on Security and Privacy (SP 2011), Berkeley, CA, USA; http://conf.ncku.edu.tw/sadfe/sadfe11/; Submissions are due
 2/21/11- 2/23/11: CODASPY, 1st ACM Conference on Data and Application Security and Privacy, San Antonio, TX, USA; http://www.codaspy.org/
 2/23/11: IEEE Security and Privacy Magazine, Special Issue on Living with Insecurity; http://www.computer.org/portal/web/computingnow/spcfp6; Submissions are due
 2/27/11: DFRWS, 11th Digital Forensics Research Conference, New Orleans, LA, USA; http://www.dfrws.org; Submissions are due
 2/27/11: SAFECOMP, 30th International Conference on Computer Safety, Reliability and Security, Naples, Italy; http://www.safecomp2011.unina.it/; Submissions are due
 2/28/11: PETS, 11th Privacy Enhancing Technologies Symposium, Waterloo, ON, Canada; http://petsymposium.org/2011/; Submissions are due
 2/28/11- 3/ 4/11: FC, 15th International Conference on Financial Cryptography and Data Security, Bay Gardens Beach Resort, St. Lucia; http://ifca.ai/fc11/
 3/ 4/11: WECSR, 2nd Workshop on Ethics in Computer Security Research, Bay Gardens Beach Resort, St. Lucia; http://www.cs.stevens.edu/~spock/wecsr2011/
 3/ 7/11: International Journal of Secure Software Engineering, Special Issue on Lessons Learned in Engineering Secure & Dependable Web Applications; http://www.sislab.no/ijsse; Submissions are due
 3/14/11- 3/15/11: LightSec, Workshop on Lightweight Security & Privacy: Devices, Protocols, and Applications, Istanbul, Turkey; http://www.light-sec.org
 3/15/11- 3/16/11: CSC, Workshop on Cryptography and Security in Clouds, Zurich, Switzerland; http://www.zurich.ibm.com/~cca/csc2011/
 3/20/11: PST, 9th International Conference on Privacy, Security and Trust, Montreal, Quebec, Canada; http://pstnet.unb.ca/pst2011; Submissions are due
 3/21/11: ESORICS, 16th European Symposium on Research in Computer Security, Leuven, Belgium; https://www.cosic.esat.kuleuven.be/esorics2011/; Submissions are due
 3/21/11: SESOC, 3rd International Workshop on Security and Social Networking, Held in conjunction with the PerCom 2011, Seattle, WA, USA; http://www.sesoc.org
 3/21/11- 3/25/11: SAC-TRECK, 26th ACM Symposium on Applied Computing, Track: Trust, Reputation, Evidence and other Collaboration Know-how (TRECK), TaiChung, Taiwan; http://www.trustcomp.org/treck/
 3/23/11- 3/25/11: IFIP-CIP, 5th Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, Hanover, New Hampshire, USA; http://www.ifip1110.org
 3/25/11: W2SP, Web 2.0 Security and Privacy 2011 Workshop, Held in conjunction with IEEE Symposium on Security and Privacy (SP 2011), Berkeley, CA, USA; http://w2spconf.com/2011/cfp.html; Submissions are due
 3/29/11: FCS, Workshop on Foundations of Computer Security, Held in conjunction with LICS 2011, Toronto, Ontario, Canada; http://www.di.ens.fr/~blanchet/fcs11/; Submissions are due
 3/29/11: LEET, 4th USENIX Workshop on Large-Scale Exploits and Emergent Threats, Boston, MA, USA; http://www.usenix.org/events/leet11/cfp/
 3/31/11: RAID, 14th International Symposium on Recent Advances in Intrusion Detection, Menlo Park, CA, USA; http://raid2011.org; Submissions are due
 4/ 6/11- 4/ 8/11: RFIDsec-Asia, Workshop on RFID Security, Wuxi, China; http://wuxi.ss.pku.edu.cn/~RFIDSec2011/
 5/18/11- 5/20/11: IH, 13th Information Hiding Conference, Prague, Czech Republic; http://www.ihconference.org/
 5/18/11- 5/21/11: SAR/SSI, International Conference on Network and Information Systems Security, La Rochelle, France; http://sarssi-conf.org
 5/22/11- 5/25/11: SP, 32nd IEEE Symposium on Security & Privacy, The Claremont Resort, Berkeley/Oakland, California, USA; http://oakland32-submit.cs.ucsb.edu/
 5/26/11: SADFE, International Workshop on Systematic Approaches to Digital Forensic Engineering, Held in conjunction with the IEEE Symposium on Security and Privacy (SP 2011), Berkeley, CA, USA; http://conf.ncku.edu.tw/sadfe/sadfe11/
 5/26/11: W2SP, Web 2.0 Security and Privacy 2011 Workshop, Held in conjunction with IEEE Symposium on Security and Privacy (SP 2011), Berkeley, CA, USA; http://w2spconf.com/2011/cfp.html
 5/30/11- 6/ 1/11: ISPEC, 7th Information Security Practice and Experience Conference, Guangzhou, China; http://ispec2011.jnu.edu.cn/
 6/ 1/11- 6/ 3/11: WISTP, 5th Workshop in Information Security Theory and Practice, Heraklion, Crete, Greece; http://www.wistp.org/
 6/ 5/11- 6/ 9/11: ICC-CISS, IEEE ICC 2011, Communication and Information Systems Security Symposium, Kyoto, Japan; http://www.ieee-icc.org/2011
 6/ 5/11- 6/ 6/11: HOST, 4th IEEE International Symposium on Hardware-Oriented Security and Trust, San Diego, CA, USA; http://www.engr.uconn.edu/HOST/
 6/ 6/11- 6/ 8/11: POLICY, 12th IEEE International Symposium on Policies for Distributed Systems and Networks, Pisa, Italy; http://ieee-policy.org
 6/ 7/11- 6/ 9/11: IFIP-SEC, 26th IFIP TC-11 International Information Security Conference, Luzern, Switzerland; http://www.sec2011.org/
 6/ 7/11- 6/10/11: ACNS, 9th International Conference on Applied Cryptography and Network Security, Nerja, Malaga, Spain; http://www.isac.uma.es/acns2011/
 6/14/11- 6/17/11: WiSec, 4th ACM Conference on Wireless Network Security, Hamburg, Germany; http://www.sigsac.org/wisec/WiSec2011
 6/15/11- 6/17/11: SACMAT, 16th ACM Symposium on Access Control Models and Technologies, Innsbruck, Austria; http://sacmat.org/
 6/20/11: D-SPAN, 2nd IEEE International Workshop on Data Security and PrivAcy in wireless Networks, Held in conjunction with IEEE WoWMoM 2011, Lucca, Italy; http://home.gwu.edu/~nzhang10/DSPAN2011/
 6/20/11: FCS, Workshop on Foundations of Computer Security, Held in conjunction with LICS 2011, Toronto, Ontario, Canada; http://www.di.ens.fr/~blanchet/fcs11/
 6/22/11- 6/24/11: TRUST, 4th International Conference on Trust and Trustworthy Computing, Pittsburgh, PA, USA; http://www.trust2011.org
 6/27/11- 6/29/11: CSF, 24th IEEE Computer Security Foundations Symposium, Domaine de l'Abbaye des Vaux-de-Cernay, France; http://csf2011.inria.fr
 6/29/11- 7/ 1/11: IFIPTM, 5th IFIP International Conference on Trust Management, Copenhagen, Denmark; http://www.ifiptm.org/
 7/ 7/11- 7/ 8/11: DIMVA, 8th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Amsterdam, The Netherlands; http://www.dimva.org/dimva2011
 7/11/11- 7/13/11: DBSec, 25th Annual WG 11.3 Conference on Data and Applications Security and Privacy, Richmond, Virginia, USA; http://www.egr.vcu.edu/dbsec2011/
 7/19/11- 7/21/11: PST, 9th International Conference on Privacy, Security and Trust, Montreal, Quebec, Canada; http://pstnet.unb.ca/pst2011
 7/22/11- 7/24/11: ID, ACM/Springer International Workshop on Identity: Security, Management & Applications, Kochi, Kerala, India; http://www.acc-rajagiri.org/ID2011.html
 7/27/11- 7/29/11: PETS, 11th Privacy Enhancing Technologies Symposium, Waterloo, ON, Canada; http://petsymposium.org/2011/
 8/ 1/11- 8/ 3/11: DFRWS, 11th Digital Forensics Research Conference, New Orleans, LA, USA; http://www.dfrws.org
 8/10/11- 8/12/11: USENIX Security, 20th USENIX Security Symposium, San Francisco, CA, USA; https://db.usenix.org/events/sec11/cfp/
 9/12/11- 9/14/11: ESORICS, 16th European Symposium on Research in Computer Security, Leuven, Belgium; https://www.cosic.esat.kuleuven.be/esorics2011/
 9/19/11- 9/21/11: SAFECOMP, 30th International Conference on Computer Safety, Reliability and Security, Naples, Italy; http://www.safecomp2011.unina.it/
 9/20/11- 9/21/11: RAID, 14th International Symposium on Recent Advances in Intrusion Detection, Menlo Park, CA, USA; http://raid2011.org

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers (new since Cipher E99)
____________________________________________________________________

-------------------------------------------------------------------------
CSC 2011
Workshop on Cryptography and Security in Clouds, Zurich, Switzerland, March 15-16, 2011. (Abstract Submissions due 17 January 2011)
http://www.zurich.ibm.com/~cca/csc2011/

The cloud computing model offers cheap access to a variety of standardized services, but comes with concerns about the correctness, privacy, and integrity of remote data and computations. Cryptographic mechanisms can reduce the trust that must be placed in the provider by allowing the user to protect its data and computations, as well as to verify aspects of remote computation. The aim of this workshop is to bring together researchers and practitioners working in cryptography and security, from academia and industry, who are interested in the security of current and future cloud computing technology. The workshop considers the viewpoint of cloud-service providers as well as the concerns of cloud users. The goal is to create a dialogue about common goals and to discuss solutions for security problems in cloud computing, with emphasis on cryptographic methods.
Topics of interest include: - Data privacy and integrity - Proofs of storage - Remote attestation and verification - Secure outsourcing of computation - Verification of outsourced computation - Storage integrity - Private remote storage - Obfuscation of programs and data - Identity management in cloud computing - Robust generation of cryptographic random bits - Cryptosystems with conditional decryption (such as searchable encryption or functional encryption) - Trusted computing - Virtualization security ------------------------------------------------------------------------- HOST 2011 4th IEEE International Sympoium on Hardware-Oriented Security and Trust, San Diego, CA, June 5-6, 2011. (Submissions due 19 January 2011) http://www.engr.uconn.edu/HOST/ A wide range of applications, from secure RFID tagging to high-end trusted computing, relies on dedicated and trusted hardware platforms. The security and trustworthiness of such hardware designs are critical to their successful deployment and operation. Recent advances in tampering and reverse engineering show that important challenges lie ahead. For example, secure electronic designs may be affected by malicious circuits, Trojans that alter system operation. Furthermore, dedicated secure hardware implementations are susceptible to novel forms of attack that exploit side-channel leakage and faults. Third, the globalized, horizontal semiconductor business model raises concerns of trust and intellectual-property protection. HOST 2011 is a forum for novel solutions to address these challenges. Innovative test mechanisms may reveal Trojans in a design before they are able to do harm. Implementation attacks may be thwarted using side-channel resistant design or fault-tolerant designs. New security-aware design tools can assist a designer in implementing critical and trusted functionality, quickly and efficiently. 
HOST 2011 seeks contributions based on, but not limited to, the following topics: - Trojan detection and isolation - Implementation Attacks and Countermeasures - Side channel Analysis and Fault Analysis - Intellectual Property Protection and Metering - Tools and Methodologies for Secure Hardware Design - Hardware Architectures for Cryptography - Hardware Security Primitives: PUFs and TRNGs - Applications of Secure Hardware - Interaction of Secure Hardware and Software ------------------------------------------------------------------------- ACNS 2011 9th International Conference on Applied Cryptography and Network Security, Nerja, Malaga, Spain, June 7-10, 2011. (Submissions due 21 January 2011) http://www.isac.uma.es/acns2011/ Original papers on all aspects of applied cryptography as well as computer/network security and privacy are solicited. Topics of interest include, but are not limited, to: - Applied cryptography and cryptographic protocols - Cryptographic primitives, e.g., cryptosystems, ciphers and hash functions - Network security protocols - Privacy, anonymity and untraceability - Security for the next-generation Internet - Internet fraud, e.g., phishing, pharming, spam, and click fraud - Email and web security - Public key infrastructures, key management, certification and revocation - Trust and its metrics - Usable security and cryptography - Intellectual property protection and digital rights management - Modeling and protocol design - Automated protocols analysis - Secure virtualization and security in cloud computing - Security and privacy in sensor, mobile, ad hoc and delay-tolerant networks, p2p systems, as well as wireless (e.g., RFID, Bluetooth) communications ------------------------------------------------------------------------- DIMVA 2011 8th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Amsterdam, The Netherlands, July 7-8, 2011. 
(Submissions due 21 January 2011) http://www.dimva.org/dimva2011 The annual DIMVA conference serves as a premier forum for advancing the state of the art in intrusion detection, malware detection, and vulnerability assessment. DIMVA's scope includes, but is not restricted to the following areas: Intrusion Detection - Novel approaches & new environments - Insider detection - Prevention & response - Data leakage - Result correlation & cooperation - Evasion attacks - Potentials & limitations - Operational experiences - Privacy, legal & social aspects Malware Detection - Automated analysis, reversing & execution tracing - Containment & sandboxed operation - Acquisition of specimen - Infiltration - Behavioral models - Prevention & containment - Trends & upcoming risks - Forensics & recovery - Economic aspects Vulnerability Assessment - Vulnerability detection & analysis - Vulnerability prevention - Web application security - Fuzzing techniques - Classification & evaluation - Situational awareness ------------------------------------------------------------------------- LEET 2011 4th USENIX Workshop on Large-Scale Exploits and Emergent Threats, Boston, MA, USA, March 29, 2011. (Submissions due 25 January 2011) http://www.usenix.org/events/leet11/cfp/ Now in its fourth year, LEET continues to provide a unique forum for the discussion of threats to the confidentiality of our data, the integrity of digital transactions, and the dependability of the technologies we increasingly rely on. We encourage submissions of papers that focus on the malicious activities themselves (e.g., reconnaissance, exploitation, privilege escalation, rootkit installation, attack), our responses as defenders (e.g., prevention, detection, and mitigation), or the social, political, and economic goals driving these malicious activities and the legal and ethical codes guiding our defensive responses. 
Topics of interest include but are not limited to: - Infection vectors for malware (worms, viruses, etc.) - Botnets, command and control channels - Spyware - Operational experience - Forensics - Click fraud - Measurement studies - New threats and related challenges - Boutique and targeted malware - Phishing - Spam - Underground economy - Miscreant counterintelligence - Carding and identity theft - Denial-of-service attacks - Hardware vulnerabilities - Legal issues - The arms race (rootkits, anti-anti-virus, etc.) - New platforms (cellular networks, wireless networks, mobile devices) - Camouflage and detection - Reverse engineering - Vulnerability markets and zero-day economics - Online money laundering - Understanding the enemy - Data collection challenges ------------------------------------------------------------------------- IH 2011 13th Information Hiding Conference, Prague, Czech Republic, May 18-20, 2011. (Submissions due 31 January 2011) http://www.ihconference.org/ For many years, Information Hiding has captured the imagination of researchers. Digital watermarking and steganography protect information, conceal secrets or are used as core primitives in digital rights management schemes. Steganalysis and forensics pose important challenges to investigators; and privacy techniques try to hide relational information such as the actors' identities in anonymous communication systems. These and other topic share the notion that security is defined by the difficulty to make (or avoid) inference on certain properties of host data, which therefore has to be well understood and modeled. Current research themes include: - Anonymity and privacy - Covert/subliminal channels - Digital rights management - Fingerprinting and embedding codes - Multimedia and document security - Multimedia forensics and counter forensics - Novel applications of information hiding - Other data hiding domains (e.g. text, software, etc.) 
- Security metrics for information hiding - Steganography and steganalysis - Theoretical aspects of information hiding and detection - Watermarking (algorithms, security, attacks) ------------------------------------------------------------------------- D-SPAN 2011 2nd IEEE International Workshop on Data Security and PrivAcy in wireless Networks, Held in conjunction with IEEE WoWMoM 2011, Lucca, Italy, June 20, 2011. (Submissions due 4 February 2011) http://home.gwu.edu/~nzhang10/DSPAN2011/ D-SPAN 2011, the Second International Workshop on Data Security and PrivAcy in wireless Networks (D-SPAN), is focused on defining new problems and developing novel techniques for data security and privacy issues in wireless and mobile networks. With the emergence of data-intensive wireless networks such as wireless sensor networks and data-centric mobile applications such as location-based services, the traditional boundaries between these three disciplines are blurring. This workshop solicits papers from two main categories: (1) papers that consider the security and privacy of data collection, transmission, storage, publishing, and sharing in wireless networks broadly defined, e.g., MANET, cellular, vehicular, ad hoc, cognitive, as well as sensor networks, and (2) papers that use data analytics techniques to address security and privacy problems in wireless networks. The workshop provides a venue for researchers to present new ideas with impact on three communities: wireless networks, databases, and security. 
The list of topics includes, but not limited to: - Foundations in wireless security & privacy (game theory, information theory, belief models, etc) - Location privacy in wireless networks - Secure data collection and aggregation for wireless sensor networks - Secure data collection in body-area networks - Secure data processing in mobile ad-hoc networks (MANET) - Secure query processing over wireless sensor networks - Security and privacy of RFID systems - Security and privacy for data streaming - Security for cognitive radio networks - Tradeoffs between Security and Communication Performance ------------------------------------------------------------------------- CSF 2011 24th IEEE Computer Security Foundations Symposium, Domaine de l'Abbaye des Vaux-de-Cernay, France, June 27-29, 2011. (Submissions due 9 February 2011) http://csf2011.inria.fr/ New theoretical results in computer security are welcome. Also welcome are more exploratory presentations, which may examine open questions and raise fundamental concerns about existing theories. Panel proposals are sought as well as papers. Possible topics include, but are not limited to: - Access control - Distributed systems security - Language-based security - Anonymity and Privacy - Electronic voting - Network security - Authentication - Executable content - Resource usage control - Data and system integrity - Formal methods for security - Security for mobile computing - Database security - Information flow - Security models - Data provenance - Intrusion detection - Security protocols - Decidability and complexity - Hardware-based security - Trust and trust management ------------------------------------------------------------------------- USENIX Security 2011 20th USENIX Security Symposium, San Francisco, CA, USA, August 10?12, 2011. 
(Submissions due 10 February 2011)
https://db.usenix.org/events/sec11/cfp/

The USENIX Security Symposium brings together researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in the security of computer systems and networks. Refereed paper submissions are solicited in all areas relating to systems and network security, including:
- Adaptive security and system management
- Analysis of network and security protocols
- Applications of cryptographic techniques
- Attacks against networks and machines
- Authentication and authorization of users, systems, and applications
- Automated tools for source code analysis
- Botnets
- Cryptographic implementation analysis and construction
- Denial-of-service attacks and countermeasures
- File and filesystem security
- Firewall technologies
- Forensics and diagnostics for security
- Hardware security
- Intrusion and anomaly detection and prevention
- Malicious code analysis, anti-virus, anti-spyware
- Network infrastructure security
- Operating system security
- Privacy-preserving (and compromising) systems
- Public key infrastructure
- Rights management and copyright protection
- Security architectures
- Security in heterogeneous and large-scale environments
- Security policy
- Self-protecting and -healing systems
- Techniques for developing secure systems
- Technologies for trustworthy computing
- Usability and security
- Voting systems analysis and security
- Wireless and pervasive/ubiquitous computing security
- Web security, including client-side and server-side security

-------------------------------------------------------------------------

SAR/SSI 2011
International Conference on Network and Information Systems Security,
La Rochelle, France, May 18-21, 2011.
(Submissions due 14 February 2011)
http://sarssi-conf.org

The SAR-SSI conference series provides a forum for presenting novel research results, practical experiences and innovative ideas in network and information systems security. The goal of SAR-SSI-2011 is to foster exchanges among academic researchers, industry and a wider audience interested in network and information system security. The conference will offer a broad range of events, including panels, tutorials, technical presentations and informal meetings. Prospective authors are encouraged to submit papers describing novel research contributions as well as proposals for tutorials and panels.

-------------------------------------------------------------------------

DBSec 2011
25th Annual WG 11.3 Conference on Data and Applications Security and Privacy,
Richmond, Virginia, USA, July 11-13, 2011.
(Submissions due 14 February 2011)
http://www.egr.vcu.edu/dbsec2011/

The 25th Annual WG 11.3 Conference on Data and Applications Security and Privacy provides a forum for presenting original unpublished research results, practical experiences, and innovative ideas in data and applications security. Both research papers and panel proposals are solicited. Papers may present theory, techniques, applications, or practical experience on topics of relevance to IFIP WG 11.3:
- Access control
- Applied cryptography in data security and privacy
- Identity theft and countermeasures
- Integrity maintenance
- Intrusion detection
- Knowledge discovery and privacy
- Organizational security
- Privacy and privacy-preserving data management
- Secure transaction processing
- Secure information integration
- Secure semantic web
- Secure sensor monitoring
- Secure web services
- Threats, vulnerabilities, and risk management
- Trust management

-------------------------------------------------------------------------

TRUST 2011
4th International Conference on Trust and Trustworthy Computing,
Pittsburgh, PA, USA, June 22-24, 2011.
(Submissions due 15 February 2011)
http://www.trust2011.org

This conference focuses on trusted and trustworthy computing, from both the technical and the social perspective. The conference has two main strands, one devoted to technical aspects and one devoted to socio-economic aspects of trusted computing. The conference solicits original papers on any aspect (technical, social or economic) of the design, application and usage of trusted and trustworthy computing, which covers a broad range of concepts including trustworthy infrastructures, cloud computing, services, hardware, software and protocols. Topics of interest include, but are not limited to:

Technical Strand
- Architecture and implementation technologies for trusted platforms and trustworthy infrastructures
- Trust, security and privacy in embedded systems
- Trust, security and privacy in social networks
- Trusted mobile platforms and mobile phone security
- Implementations of trusted computing (hardware and software)
- Applications of trusted computing
- Trustworthy infrastructures and services for cloud computing (including resilience)
- Attestation and integrity verification
- Cryptographic aspects of trusted and trustworthy computing
- Design, implementation and analysis of security hardware, i.e., hardware with cryptographic and security functions, physically unclonable functions (PUFs)
- Intrusion resilience in trusted computing
- Virtualization for trusted platforms
- Secure storage
- Security policy and management of trusted computing
- Access control for trusted platforms
- Privacy aspects of trusted computing
- Verification of trusted computing architectures
- Usability and end-user interactions with trusted platforms
- Limitations of trusted computing

Socio-economic Strand
- Usability and user perceptions of trustworthy systems and risks
- Effects of trustworthy systems upon user, corporate, and governmental behavior
- Economic drivers for trustworthy systems in corporate environments
- The impact of trustworthy systems in enhancing trust in cloud-like infrastructures
- The adequacy of guarantees provided by trustworthy systems for systems critically dependent upon trust, such as elections and government oversight
- The impact of trustworthy systems upon digital forensics, police investigations and court proceedings
- Game theoretical approaches to modeling or designing trustworthy systems
- Approaches to model and simulate scenarios of how trustworthy systems would be used in corporate environments and in personal space
- Experimental economics studies of trustworthiness
- The interplay between privacy, privacy enhancing technologies and trustworthy systems
- Critiques of trustworthy systems

-------------------------------------------------------------------------

ID 2011
ACM/Springer International Workshop on Identity: Security, Management & Applications,
Kochi, Kerala, India, July 22-24, 2011.
(Submissions due 15 February 2011)
http://www.acc-rajagiri.org/ID2011.html

The 2011 ACM/Springer International Workshop on Identity: Security, Management & Applications (ID 2011) is designed to bring together researchers, engineers and practitioners from academia, service providers, industry and government working on identity-based Internet and infrastructure systems. ID 2011 aims to bring to the forefront recent trends in the most significant technology topics such as Identity Management (IdM), Cloud Computing, Internet of Things (IoT), Service Oriented Architecture (SoA), Security & Privacy Systems, Access Management, Risk Management, and Role and Policy Management, etc., in software, hardware and firmware applications running on private and public networks.

-------------------------------------------------------------------------

SADFE 2011
International Workshop on Systematic Approaches to Digital Forensic Engineering,
Held in conjunction with the IEEE Symposium on Security and Privacy (SP 2011),
Berkeley, CA, USA, May 26, 2011.
(Submissions due 18 February 2011)
http://conf.ncku.edu.tw/sadfe/sadfe11/

The SADFE (Systematic Approaches to Digital Forensic Engineering) International Workshop promotes systematic approaches to cyber crime investigations by furthering the advancement of digital forensic engineering as a disciplined science and practice. Today's digital artifacts permeate our lives and are part of every crime and every case of digital discovery. The field of digital forensics faces many challenges, including scale, scope and the presentation of highly technical information in legal venues to nontechnical audiences. Digital evidence may be extant for only nanoseconds or for years; it may consist of a single modified bit or huge volumes of data; it may be found locally or spread globally throughout a complex digital infrastructure on public or private systems.

Following the success of previous SADFE workshops, cyber crime investigations and digital forensics tools will continue to be the key topics of the meeting. We also welcome a broader range of digital forensics papers that do not necessarily involve either crime or digital forensics tools. General attack analysis, the insider threat, insurance and compliance investigations, similar forms of retrospective analysis, and digital discovery are all viable topics. Past speakers and attendees of SADFE have included computer and information scientists, social scientists, digital forensic practitioners, IT professionals, law enforcement, lawyers, and judges. The synthesis of science with practice and of law with technology forms the foundation of this conference. SADFE addresses the gap between today's practice and the establishment of digital forensics as a science.

To advance the field, SADFE-2011 solicits broad-based, innovative approaches to digital forensic engineering in the following four areas:
- Digital Data and Evidence Management: advanced digital evidence discovery, collection, and storage
- Scientific Principle-based Digital Forensic Processes: systematic engineering processes supporting digital evidence management which are sound on scientific, technical and legal grounds
- Digital Evidence Analytics: advanced digital evidence analysis, correlation, and presentation
- Forensic-support technologies: forensic-enabled and proactive monitoring/response

To honor outstanding work in digital forensics, SADFE will provide awards for the highest overall quality papers and posters from the accepted program, as measured by scientific contribution, depth, and impact. A student must be the first author to be eligible for the best student paper award.

-------------------------------------------------------------------------

IEEE Security and Privacy Magazine, Special Issue on Living with Insecurity,
November/December 2011.
(Submission due 23 February 2011)
http://www.computer.org/portal/web/computingnow/spcfp6
Editors: Deborah A. Frincke (PNNL, USA) and Bill Arbaugh (University of Maryland, USA)

Many approaches to security start with the assumption that there is a trustworthy and secure base on which one can build, perhaps based on some provably correct hardware platform. In contrast, this issue seeks papers that start with the opposite assumption. While a computing environment in which all of our devices are reliable and secure sounds appealing, that is not the world in which we live. For the foreseeable future, we will be living and working in an environment of vulnerable, unreliable systems, where we still wrestle with definitions of what it even means to be secure.
This special issue focuses on how we can live with insecurity: how our devices and systems can support users at home and at work when the underlying base is potentially compromised and users themselves may be untrustworthy or unfocused on security. In this themed issue we are particularly interested in papers that address the implications of building software and hardware upon an admittedly untrustworthy basis, across the full spectrum of design, development, testing, use, and maintenance of digitally based systems. We are also interested in policy and regulatory issues related to our topic. Potential topics and questions related to living with insecurity include:
- effects on system design, development, testing, maintenance, procurement
- organizational implications for business risk, organization liability, privacy support
- ways to assist the home user in determining the risk factors within a particular computing environment
- implications for user interfaces and user behavior
- means for synthesizing trustworthy islands or subspaces within untrustworthy environments
- implications for assessing business risk or corporate liability when systems are acknowledged to be potentially compromised
- parallels with other domains in which some desired attribute is acknowledged to be unattainable in practice that could assist us with living with insecurity
- methods for distinguishing relatively dangerous neighborhoods in cyberspace from relatively benign ones

-------------------------------------------------------------------------

DFRWS 2011
11th Digital Forensics Research Conference, New Orleans, LA, USA, August 1-3, 2011.
(Submissions due 27 February 2010)
http://www.dfrws.org/

DFRWS brings together leading researchers, developers, practitioners, and educators interested in advancing the state of the art in digital forensics from around the world. As the most established venue in the field, DFRWS is the preferred place to present both cutting-edge research and perspectives on best practices for all aspects of digital forensics. As an independent organization, we promote open community discussions and disseminate the results of our work to the widest audience. We invite original contributions as research papers, panel proposals, Work-in-Progress talks, workshop proposals, and demo proposals. Topics of interest:
- Forensic analysis
- Incident response and live analysis
- Network-based forensics, including network traffic analysis, traceback and attribution
- Event reconstruction methods and tools
- File system and memory analysis
- Application analysis
- Embedded systems
- Small scale and mobile devices
- Large-scale investigations
- Digital evidence storage and preservation
- Data mining and information discovery
- Data hiding and recovery
- Data extraction and reconstruction
- Multimedia analysis
- Database forensics
- Tool testing and development
- Digital evidence and the law
- Anti-forensics and anti-anti-forensics
- Case studies and trend reports
- Malware forensics
- Data visualization in forensic analysis
- Forensics of virtual and cloud environments
- Investigation of insider attacks
- Error rates of forensic methods
- Interpersonal communications and social network analysis
- Non-traditional approaches to forensic analysis

-------------------------------------------------------------------------

SAFECOMP 2011
30th International Conference on Computer Safety, Reliability and Security,
Naples, Italy, September 19-21, 2011.
(Submissions due 27 February 2011)
http://www.safecomp2011.unina.it/

SAFECOMP is an annual event covering the state of the art, experience and trends in the areas of safety, security and reliability of critical computer applications. The 2011 key theme is "Safety and security of computer-based systems and infrastructures: from risk assessment to threat mitigation".
Papers are invited from application and industrial sectors as well as research areas. Papers on industrial experience and practice are especially encouraged.

-------------------------------------------------------------------------

PETS 2011
11th Privacy Enhancing Technologies Symposium, Waterloo, ON, Canada, July 27-29, 2011.
(Submissions due 28 February 2011)
http://petsymposium.org/2011/

Privacy and anonymity are increasingly important in the online world. Corporations, governments, and other organizations are realizing and exploiting their power to track users and their behavior. Approaches to protecting individuals and groups, but also companies and governments, from profiling and censorship include decentralization, encryption, distributed trust, and automated policy disclosure. The 11th Privacy Enhancing Technologies Symposium addresses the design and realization of such privacy services for the Internet and other data systems and communication networks by bringing together anonymity and privacy experts from around the world to discuss recent advances and new perspectives. The symposium seeks submissions from academia and industry presenting novel research on all theoretical and practical aspects of privacy technologies, as well as experimental studies of fielded systems. We encourage submissions with novel technical contributions from other communities, such as law, business, and data protection authorities, that present their perspectives on technological issues.

Suggested topics include but are not restricted to:
- Anonymous communications and publishing systems
- Attacks on privacy and privacy technologies
- Censorship resistance
- Data protection technologies
- Economics of privacy and PETs
- Fielded systems and techniques for enhancing privacy in existing systems
- Location privacy
- Privacy and anonymity in peer-to-peer, cloud, and ubiquitous computing environments
- Privacy and inference control in databases
- Privacy-enhanced access control or authentication/certification
- Privacy-friendly payment mechanisms for PETs and other services
- Privacy in online social networks
- Privacy policy languages and tools
- Privacy threat models
- Profiling and data mining
- Pseudonyms, identity management, linkability, and reputation
- Reliability, robustness and abuse prevention in privacy systems
- Traffic analysis
- Transparency enhancing tools
- Usability issues and user interfaces for PETs

-------------------------------------------------------------------------

International Journal of Secure Software Engineering,
Special Issue on Lessons Learned in Engineering Secure & Dependable Web Applications,
January/February 2012.
(Submission due 7 March 2011)
http://www.sislab.no/ijsse
Editors: Martin Gilje Jaatun (SINTEF ICT, Norway), Edgar Weippl (SBA Research, Austria), and Riccardo Scandariato (KU Leuven, Belgium)

Software is an integral part of everyday life, and we expect and depend upon software systems to perform correctly. Software security is about ensuring that systems continue to function correctly even under malicious attack. As most systems are now web-enabled, the number of attackers with access to the system increases dramatically and thus the threat scenario changes. The traditional approach to securing a system includes putting up defense mechanisms such as Intrusion Detection Systems and firewalls, but such measures are no longer sufficient by themselves.
We need to be able to build better, more robust and thus more secure systems. Even more importantly, however, we should strive to achieve these qualities in all software systems, not just the ones that need special protection. This special issue will focus on techniques, experiences and lessons learned for engineering secure and dependable software for the web. Suggested topics include, but are not limited to:
- Secure architecture and design
- Security in agile software development
- Aspect-oriented software development for secure software
- Security requirements
- Risk management in software projects
- Secure implementation
- Secure deployment
- Testing for security
- Quantitative measurement of security properties
- Static and dynamic analysis for security
- Verification and assurance techniques for security properties
- Lessons learned
- Security and usability
- Teaching secure software development
- Experience reports on successfully attuning developers to secure software engineering

-------------------------------------------------------------------------

PST 2011
9th International Conference on Privacy, Security and Trust,
Montreal, Quebec, Canada, July 19-21, 2011.
(Submissions due 20 March 2011)
http://pstnet.unb.ca/pst2011

PST2011 provides a forum for researchers world-wide to unveil their latest work in privacy, security and trust and to show how this research can be used to enable innovation. PST2011 will include an Innovation Day featuring workshops and tutorials followed by two days of high-quality research papers whose topics include, but are NOT limited to, the following:
- Privacy Preserving / Enhancing Technologies
- Critical Infrastructure Protection
- Network and Wireless Security
- Operating Systems Security
- Intrusion Detection Technologies
- Secure Software Development and Architecture
- PST Challenges in e-Services, e.g. e-Health, e-Government, e-Commerce
- Network Enabled Operations
- Digital Forensics
- Information Filtering, Data Mining and Knowledge from Data
- National Security and Public Safety
- Security Metrics
- Recommendation, Reputation and Delivery Technologies
- Continuous Authentication
- Trust Technologies, Technologies for Building Trust in e-Business Strategy
- Observations of PST in Practice, Society, Policy and Legislation
- Digital Rights Management
- Identity and Trust Management
- PST and Cloud Computing
- Human Computer Interaction and PST
- Implications of, and Technologies for, Lawful Surveillance
- Biometrics, National ID Cards, Identity Theft
- PST and Web Services / SOA
- Privacy, Traceability, and Anonymity
- Trust and Reputation in Self-Organizing Environments
- Anonymity and Privacy vs. Accountability
- Access Control and Capability Delegation
- Representations and Formalizations of Trust in Electronic and Physical Social Systems

-------------------------------------------------------------------------

ESORICS 2011
16th European Symposium on Research in Computer Security,
Leuven, Belgium, September 12-14, 2011.
(Submissions due 21 March 2011)
https://www.cosic.esat.kuleuven.be/esorics2011/

ESORICS is the annual European research event in computer security. The Symposium started in 1990 and has been held in several European countries, attracting a wide international audience from both the academic and industrial communities. Papers offering novel research contributions in computer security are solicited for submission to the Symposium. The primary focus is on original, high quality, unpublished research and implementation experiences. Submitted papers must not substantially overlap with papers that have been published or that are simultaneously submitted to a journal or a conference with proceedings. We encourage submissions of papers discussing industrial research and development.
Suggested topics include but are not restricted to:
- Access Control
- Accountability
- Ad hoc Networks
- Anonymity
- Applied Cryptography
- Attacks and Viral Software
- Authentication and Delegation
- Biometrics
- Database Security
- Digital Content Protection
- Distributed Systems Security
- Electronic Payments
- Embedded Systems Security
- Inference Control
- Information Hiding
- Identity Management
- Information Flow Control
- Integrity
- Intrusion Detection
- Formal Security Methods
- Language-Based Security
- Network Security
- Phishing and Spam Prevention
- Privacy
- Risk Analysis and Management
- Secure Electronic Voting
- Security Architectures
- Security Economics
- Security and Privacy Policies
- Security for Mobile Code
- Security in Location Services
- Security in Social Networks
- Security Models
- Security Verification
- Software Security
- Steganography
- Systems Security
- Trust Models and Management
- Trustworthy User Devices
- Web Security
- Wireless Security

-------------------------------------------------------------------------

W2SP 2011
Web 2.0 Security and Privacy 2011 Workshop,
Held in conjunction with the IEEE Symposium on Security and Privacy (SP 2011),
Berkeley, CA, USA, May 26, 2011.
(Submissions due 25 March 2011)
http://w2spconf.com/2011/cfp.html

W2SP brings together researchers, practitioners, web programmers, policy makers, and others interested in the latest understanding and advances in the security and privacy of the web, browsers and their eco-system. We have had four years of successful W2SP workshops. This year, we will additionally invite selected papers to a special issue of the journal. We are seeking both short position papers (2-4 pages) and longer papers (a maximum of 10 pages).
The scope of W2SP 2011 includes, but is not limited to:
- Trustworthy cloud-based services
- Privacy and reputation in social networks
- Security and privacy as a service
- Usable security and privacy
- Security for the mobile web
- Identity management and pseudonymity
- Web services/feeds/mashups
- Provenance and governance
- Security and privacy policies for composable content
- Next-generation browser technology
- Secure extensions and plug-ins
- Advertisement and affiliate fraud
- Measurement studies for understanding web security and privacy

-------------------------------------------------------------------------

FCS 2011
Workshop on Foundations of Computer Security,
Held in conjunction with LICS 2011, Toronto, Ontario, Canada, June 20, 2011.
(Submissions due 29 March 2011)
http://www.di.ens.fr/~blanchet/fcs11/

Computer security is an established field of computer science of both theoretical and practical significance. In recent years, there has been increasing interest in logic-based foundations for various methods in computer security, including the formal specification, analysis and design of security protocols and their applications, the formal definition of various aspects of security such as access control mechanisms, mobile code security and denial-of-service attacks, and the modeling of information flow and its application to confidentiality policies, system composition, and covert channel analysis. The aim of the workshop FCS'11 is to provide a forum for continued activity in different areas of computer security, bringing computer security researchers into closer contact with the LICS community and giving LICS attendees an opportunity to talk to experts in computer security, on the one hand, and contributing to bridging the gap between logical methods and computer security foundations, on the other. We are interested both in new results in theories of computer security and in more exploratory presentations that examine open questions and raise fundamental concerns about existing theories, as well as in new results on developing and applying automated reasoning techniques and tools for the formal specification and analysis of security protocols.

-------------------------------------------------------------------------

RAID 2011
14th International Symposium on Recent Advances in Intrusion Detection,
Menlo Park, CA, USA, September 20-21, 2011.
(Submissions due 31 March 2011)
http://raid2011.org

This symposium, the 14th in an annual series, brings together leading researchers and practitioners from academia, government, and industry to discuss issues and technologies related to intrusion detection and defense. The Recent Advances in Intrusion Detection (RAID) International Symposium series furthers advances in intrusion defense by promoting the exchange of ideas in a broad range of topics.
As in previous years, all topics related to intrusion detection, prevention and defense systems and technologies are within scope, including but not limited to the following:
- Network and host intrusion detection and prevention
- Anomaly and specification-based approaches
- IDS cooperation and event correlation
- Malware prevention, detection, analysis, containment
- Web application security
- Insider attack detection
- Intrusion response, tolerance, and self-protection
- Operational experiences with current approaches
- Intrusion detection assessment and benchmarking
- Attacks against intrusion detection systems
- Formal models, analysis, and standards
- Deception systems and honeypots
- Vulnerability analysis and forensics
- Adversarial machine learning for security
- Visualization techniques
- High-performance intrusion detection
- Legal, social, and privacy issues
- Network exfiltration detection
- Botnet analysis, detection, and mitigation
- Cyber-physical systems

-------------------------------------------------------------------------

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two ways to subscribe:

1. To receive the full ASCII CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe". OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated; thereafter you can manage your subscription options, including unsubscribing, yourself).

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard". OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated; thereafter you can manage your subscription options, including unsubscribing, yourself).

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at http://www.computer.org/TCsignup/index.htm

______________________________________________________________________
TC Publications for Sale
______________________________________________________________________

IEEE Security and Privacy Symposium

The 2010 hardcopy proceedings are available at $25 each. The DVD with all technical papers from all years of the SP Symposium and the CSF Symposium (through 2009) is $10, plus shipping and handling.

The 2009 hardcopy proceedings are not available. The DVD with all technical papers from all years of the SP Symposium and the CSF Symposium is $5, plus shipping and handling.

The 2008 hardcopy proceedings are $10 plus shipping and handling; the 29 year CD is $5.00, plus shipping and handling.

The 2007 proceedings are available in hardcopy for $10.00; the 28 year CD is $5.00, plus shipping and handling.

The 2006 Symposium proceedings and 11-year CD are sold out.

The 2005, 2004, and 2003 Symposium proceedings are available for $10 plus shipping and handling.

Shipping is $5.00/volume within the US, overseas surface mail is $8/volume, and overseas airmail is $14/volume, based on an order of 3 volumes or less.
The shipping charge for a CD is $3 per CD (no charge if included with a hard copy order).

Send a check made out to the IEEE Symposium on Security and Privacy to the 2011 treasurer (below) with the order description, including shipping method and shipping address.

    Robin Sommer
    Treasurer, IEEE Symposium Security and Privacy 2011
    International Computer Science Institute
    Center for Internet Research
    1947 Center St., Suite 600
    Berkeley, CA 94704 USA
    oakland11-treasurer@ieee-security.org

IEEE CS Press

You may order some back issues from IEEE CS Press at http://www.computer.org/cspress/catalog/proc9.htm

Computer Security Foundations Symposium

Copies of the proceedings of the Computer Security Foundations Workshop (now Symposium) are available for $10 each. Copies of proceedings are available starting with year 10 (1997). Photocopy versions of year 1 are also $10. Contact Jonathan Herzog if interested in purchase.

    Jonathan Herzog
    jherzog@alum.mit.edu

____________________________________________________________________________
TC Officer Roster
____________________________________________________________________________

Chair:
    Hilarie Orman
    Purple Streak, Inc.
    500 S. Maple Dr.
    Woodland Hills, UT 84653
    ieee-chair@purplestreak.com

Security and Privacy Symposium Chair Emeritus:
    Ulf Lindqvist
    SRI
    Menlo Park, CA
    (650)859-2351 (voice)
    ulf.lindqvist@sri.com

Vice Chair:
    Sven Dietrich
    Department of Computer Science
    Stevens Institute of Technology
    +1 201 216 8078
    spock AT cs.stevens.edu

Chair, Subcommittee on Academic Affairs:
    Prof. Cynthia Irvine
    U.S. Naval Postgraduate School
    Computer Science Department, Code CS/IC
    Monterey CA 93943-5118
    (831) 656-2461 (voice)
    irvine@nps.edu

Treasurer:
    Terry Benzel
    USC Information Sciences Institute
    4676 Admiralty Way, Suite 1001
    Los Angeles, CA 90292
    (310) 822-1511 (voice)
    tbenzel @isi.edu

Chair, Subcomm. on Security Conferences:
    Jonathan Millen
    The MITRE Corporation, Mail Stop S119
    202 Burlington Road Rte. 62
    Bedford, MA 01730-1420
    781-271-51 (voice)
    jmillen@mitre.org

Newsletter Editor:
    Hilarie Orman
    Purple Streak, Inc.
    500 S. Maple Dr.
    Woodland Hills, UT 84653
    cipher-editor@ieee-security.org

Security and Privacy Symposium, 2011 Chair:
    Deborah Frincke
    Pacific Northwest National Laboratory
    deborah.frincke@pnl.gov

________________________________________________________________________

BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year
