                              C I P H E R
============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 102                                        June 3, 2011

Hilarie Orman, Editor                    Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org        cipher-assoc-editor @ ieee-security.org

Richard Austin                           Yong Guan
Book Review Editor                       Calendar Editor
cipher-bookrev @ ieee-security.org       cipher-cfp @ ieee-security.org
============================================================================
The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

* Letter from the Editor
* News Items
  o Technical Committee on Security and Privacy, Annual Meeting
    by Hilarie Orman
  o Verified Software Milestone Award Announced
  o NIST Request for Comments: Key Management; Random Numbers
* Commentary and Opinion
  o Richard Austin's review of Social Engineering: The Art of Human Hacking
    by Christopher Hadnagy
  o Book reviews, Conference Reports and Commentary and News items from
    past Cipher issues are available at the Cipher website
* List of Computer Security Academic Positions, by Cynthia Irvine
* Conference and Workshop Announcements
  o Calendar of events
  o Upcoming calls-for-papers and events
* Staying in Touch
  o Information for subscribers and contributors
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

The Security and Privacy Symposium was held last week in Berkeley,
California, and it was, in almost every aspect, better than ever.
The organizers selected a great technical program, the largest to date,
some papers garnered press coverage, and the traditional evening receptions
were congenial and well-attended. The event has become a victim of its own
success, and its 32-year history at the Claremont Hotel will come to an
end. See the report of the Technical Committee in this issue.

The upcoming event of note is the Computer Security Foundations Symposium,
this year in Domaine de l'Abbaye des Vaux de Cernay, France, June 27-29.
The preliminary program is available at
http://csf2011.inria.fr/preliminary-program.

The number of people involved in computer security research and development
appears to be growing, and in the US, funding from government and industry
is increasing. More papers are being written, and conference attendance is
increasing. Does this reflect success or failure? Have previous efforts
failed, or have they been too difficult to implement? Are current efforts
fixated on a kind of Zeno's paradox in which smaller and smaller problems
are solved with more and more effort?

These speculations have caused me to reformulate an old joke involving an
artificial intelligence oracle, similar to Watson. "When will we achieve
computer security?" asks the petitioner of the oracle. The answer seems
baffling: "Thirteen miles". A backtrace of the logic reveals that each
year's Security & Privacy Symposium brings us "one step closer to true
security."
May your path be shorter,
      Hilarie Orman
      cipher-editor @ ieee-security.org

====================================================================
News Briefs
====================================================================

_____________________________________________________________________
Verified Software Award Announced
_____________________________________________________________________

At the 3rd International Conference on Verified Software: Theories, Tools
and Experiments (VSTTE 2010), it was announced that Microsoft Research
would sponsor an award that recognises significant technological advances
towards the goals of the Verified Software Initiative (VSI). We are
delighted to announce that the recipients of the inaugural Microsoft
Research Verified Software Milestone Award are Janet Barnes and Rod Chapman
for the Tokeneer Project (http://www.altran-praxis.com/security.aspx).

The formal presentation of the Award will be made to Janet and Rod at
AVoCS 2011 (http://conferences.ncl.ac.uk/AVoCS2011/), which is being hosted
by Newcastle University this September.

"Congratulations to Janet and Rod as well-deserved recipients of this
award. And thanks to Altran Praxis and the US National Security Agency for
their commitment to their project. It has given a persuasive demonstration
of the cost effectiveness of formal methods in application to security
software, and complements similar experience at Microsoft" (Prof. Sir Tony
Hoare, Microsoft Research).

The full award citation is provided along with further details of the
award process at the VSI website, i.e. http://dream.inf.ed.ac.uk/vsi

Kind regards,
Andrew Ireland & Jim Woodcock (Chairs of the Award Committee)

_____________________________________________________________________
NIST Request for Comments: Key Management; Random Numbers
_____________________________________________________________________

NIST requests comments on the draft revisions of two publications: NIST
Special Publication (SP) 800-57, Part 1 and SP 800-90A.

The revision of SP 800-57, Part 1, Recommendation for Key Management:
Part 1: General, is intended to align the document with SP 800-131A, as
well as to provide a general update of the document, including references
to NIST publications that have been completed since the last revision of
the document. A general list of the changes is provided at the end of
Appendix D, and except for some editorial changes, the changes within the
document are marked. The document is available at
http://csrc.nist.gov/publications/PubsDrafts.html . Please send comments
to KeyManagement@nist.gov by July 1, 2011, with "SP 800-57, Part 1
comments" in the subject line.

SP 800-90A, Recommendation for Random Number Generation Using Deterministic
Random Bit Generators, is intended as a revision of the currently-posted
version of SP 800-90. Two of the appendices in SP 800-90 provided
information on entropy sources and RBG constructions. These topics will be
discussed in further detail in SP 800-90B and SP 800-90C, respectively,
which are under development. SP 800-90A takes into account the work on RBGs
that has been conducted within Accredited Standards Committee X9 since the
original publication of SP 800-90. A general list of the changes is
provided at the end of Appendix H, and except for some editorial changes,
the changes within the document are marked. The document is available at
http://csrc.nist.gov/publications/PubsDrafts.html . Please send comments
to RBG_comments@nist.gov by August 1, 2011, with "SP 800-90A comments" in
the subject line.
______________________________________________________________________ News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html ==================================================================== Commentary and Opinion ==================================================================== ____________________________________________________________________ Report from the Annual Meeting of the Technical Committee on Security and Privacy ____________________________________________________________________ The Technical Committee on Security and Privacy holds a business meeting once a year. The most recent meeting was on May 24 at the Security and Privacy Symposium. The awards presented for best papers, service to the conference community, and organizer reports are available at http://www.ieee-security.org/TC/Reports.html (this includes the draft minutes of the meeting and the ensuing discussions). It was a pleasure to announce that Patrick McDaniel was selected to be the Vice Chair of the Technical Committee his two-year term begin January 1, 2012. At this meeting, we announced a quasi-new event now sponsored by the Technical Committee. The event is the Security and Privacy Workshops, which are co-located with the Symposium. The workshops have been a feature of the Symposium for several years. Sven Dietrich heads the new steering committee that will expand the number of workshops over the next few years. Terry Benzel and Cynthia Irvine have drafted rules for governing the Technical Committee, and they are available for review on the aforementioned website. Three issues were open to general discussion during the meeting, which was attended by about 75 people. Follow-up discussion is available through an email list at http://mailman.xmission.com/mailman/listinfo/ieeetcsp - How many papers should there be in the technical program? What should the acceptance rate be? 
  Somesh Jha, who will be a program committee co-chair for 2012, suggested
  that he could accommodate 50 papers, a significant increase from this
  year's 34 papers. Comments were varied, from encouragement to skepticism
  about preserving the quality of the program.

- Is the IEEE copyright restriction on dissemination of conference papers
  consistent with what attendees want or need? This discussion resulted in
  a resolution to adopt a "USENIX-style" copyright. The resolution had
  nearly unanimous support. As TC Chair, I would like to see more
  discussion about this, because the purpose of obtaining the change was
  not expressed definitively. One of the professed goals was to allow
  authors to post papers on their personal websites, but this may already
  be allowed by IEEE.

- Should the Symposium move to a new venue for 2012? Although the Symposium
  has been held at the same location for 32 years, it has become clear that
  we need a larger venue. This year 410 people wanted to attend, but we had
  space for only 350. There was nearly unanimous support for finding new
  space in the San Francisco area in 2012. The organizers identified three
  possible sites, and they will work with the Computer Society to make it
  happen.

Hilarie Orman
TCSP Chair

____________________________________________________________________
Book Review By Richard Austin
May 31, 2011
____________________________________________________________________

Social Engineering: The Art of Human Hacking
by Christopher Hadnagy
Wiley 2010.
ISBN 978-0470639535
Amazon.com USD 22.74
Table of Contents:
http://media.wiley.com/product_data/excerpt/39/04706395/0470639539-157.pdf

Social engineering, "the act of manipulating a person to take an action
that may or may not be in the 'target's' best interest" (pg. 10), has
played a major role in several significant breaches of late, which makes
this a most timely book for security professionals.
Hadnagy asserts that there are two reasons we're seeing more instances of
social engineering attacks. First, there's the simple principle of
return-on-investment: "no self-respecting hacker is going to spend 100
hours to get the same results from a simple attack that takes one hour, or
less" (p. 2). Secondly, better products and defenses are making many
classic technical attack vectors more difficult to employ with a high
probability of success (p. 17).

The book presents an excellent introduction to the techniques used by
social engineers, whether an authorized penetration tester or a malicious
attacker, to induce otherwise knowledgeable and careful people into
revealing intimate details of their personal and professional lives.
Hadnagy begins with information gathering and elicitation, which together
provide the basis for establishing the pretext actually used in interacting
with the target. He makes extensive use of examples, anecdotes and links to
additional material on his website (http://www.social-engineer.org).

His presentation on "Mind Tricks" (Chapter 5) is likely the most
controversial part of the book, as it introduces "microexpressions" and
"neuro-linguistic programming". To put it mildly, the professional jury is
still very much out on the validity of these models for understanding and
influencing human behavior. As a reader, if those models are useful to you
in organizing and understanding the material, then by all means use them.
However, if they seem like meaningless buzzwords used to create a pretext
of understanding a very complex subject, then ignore them and be reassured
that many professionals in the psychological fields would agree with you.

Once the social engineer has invested the time in information gathering and
elicitation and used that information to create a viable pretext, the time
has come for the end game of persuading the target to take the desired
action.
Hadnagy presents influence and persuasion as a well-organized process with
definite intermediate steps on the way to realizing the final goal.

Any skilled craftsperson has the appropriate set of tools, and a social
engineer is no exception. Beyond the obvious examples of lock picks and
Internet search engines, Hadnagy covers other useful items such as SET (the
Social Engineering Toolkit). There's even advice on appropriate dress for
dumpster-diving.

Six case studies illustrate the practice of social engineering in
real-world situations. Each case study is followed by a review that
reinforces the salient points from the case.

Hadnagy finishes his presentation with advice on how to defend yourself and
your organization against social engineering attacks. Though there are no
"silver bullets", he provides solid advice on tactics such as enhanced
awareness training that realistically covers social engineering attacks,
anticipating attack methods in scripts developed for help desk personnel
(e.g., what they should really say when the CEO calls for a password
reset), etc., that will strengthen organizational resistance to social
engineering attempts.

In all honesty, you probably will feel rather "dirty" after reading this
book. You will encounter examples reminiscent of car salesmen, the worst
sort of politician, and many other social denizens that have complicated
your life in one way or another. However, the same techniques that may have
been used to "get one up" on you in those social interactions are being
employed by your adversaries in attempting to achieve unauthorized access
to the assets you are charged with defending. By studying and applying the
practical advice in this book, you will be much better prepared to help
your organization become more resistant to exploit attempts against human
elements, which bitter experience has shown to be the weakest links in any
security system.
-------------------
Before beginning life as a university instructor and independent
cybersecurity consultant, Richard Austin (http://cse.spsu.edu/raustin2)
spent 30+ years in the IT industry in positions ranging from software
developer to security architect. He welcomes your thoughts and comments at
raustin2 at spsu dot edu

------------------------------------------------------------------------
Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference
reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

====================================================================
Listing of academic positions available by
Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html

--------------
This job listing is maintained as a service to the academic community. If
you have an academic position in computer security and would like to have
it included on this page, send the following information: Institution,
City, State, Position title, date position announcement closes, and URL of
position description to: irvine@cs.nps.navy.mil

*New* Posted May 2011
University of Massachusetts Amherst
Amherst, MA, USA
Positions: Research Scientist, Postdoctoral Research Associate,
Undergraduate Researcher
Collaboration with faculty in Computer Science and Electrical and Computer
Engineering
Open until filled
http://spqr.cs.umass.edu/jobs.php

--------------------------------------
In the research project Trust and Access Policies on the Web there is a
vacancy for a 4-year PhD position at the Computer Science Department of the
VU University Amsterdam, in a joint project between the Theoretical
Computer Science Group (http://www.cs.vu.nl/~tcs), the Knowledge
Representation and Reasoning Group (http://krr.cs.vu.nl/), and the Web and
Media Group (http://www.few.vu.nl/~guus/).
Industrial partners are Rijksmuseum in Amsterdam
(http://www.rijksmuseum.nl/) and Naturalis Museum in Leiden
(http://www.naturalis.nl/). The aim of the project is to develop a
framework for controlling Web access and evaluating to what extent
contributed distributed content can be trusted. See the paper
http://journal.webscience.org/315/2/websci10_submission_81.pdf for a first
step in this direction. More information on the research project can be
found at http://www.cs.vu.nl/~tcs/WP8.doc. This is a work package (WP8)
within the project "Socially-Enriched Access to Cultural Media", which
itself is part (project P6) of the Dutch national COMMIT research project.
The original COMMIT project description can be found at
http://www.commit-nl.nl/090929%20COMMIT%20PROGRAMMA.pdf.

To apply for the PhD position, send a CV, letter of motivation, and names
of at least two references to Wan Fokkink (w.j.fokkink@vu.nl). Deadline for
application is June 14, 2011.

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events
maintained by Hilarie Orman
Date (Month/Day/Year), Event, Locations, web page for more info.
 5/30/11- 6/ 1/11: ISPEC, 7th Information Security Practice and Experience Conference, Guangzhou, China; http://ispec2011.jnu.edu.cn/
 6/ 1/11: FAST, 8th International Workshop on Formal Aspects of Security & Trust, Held in conjunction with the European Symposium on Research in Computer Security (ESORICS 2011), Leuven, Belgium; http://www.iit.cnr.it/FAST2011/Unico.htm; Submissions are due
 6/ 1/11: IWSSC, 1st International Workshop on Securing Services on the Cloud, Held in conjunction with the 5th International Conference on Network and System Security (NSS 2011), Milan, Italy; http://sesar.dti.unimi.it/iwssc2011; Submissions are due
 6/ 1/11- 6/ 3/11: WISTP, 5th Workshop in Information Security Theory and Practice, Heraklion, Crete, Greece; http://www.wistp.org/
 6/ 5/11: SETOP, 4th International Workshop on Autonomous and Spontaneous Security, Held in conjunction with the European Symposium on Research in Computer Security (ESORICS 2011), Leuven, Belgium; http://setop2011.dyndns.org/; Submissions are due
 6/ 5/11: DPM, 6th International Workshop on Data Privacy Management, Held in conjunction with the European Symposium on Research in Computer Security (ESORICS 2011), Leuven, Belgium; http://dpm2011.dyndns.org/; Submissions are due
 6/ 5/11- 6/ 9/11: ICC-CISS, IEEE ICC 2011, Communication and Information Systems Security Symposium, Kyoto, Japan; http://www.ieee-icc.org/2011
 6/ 5/11- 6/ 6/11: HOST, 4th IEEE International Symposium on Hardware-Oriented Security and Trust, San Diego, CA, USA; http://www.engr.uconn.edu/HOST/
 6/ 6/11: WISA, 12th International Workshop on Information Security Applications, Jeju Island, Korea; http://www.wisa.or.kr; Submissions are due
 6/ 6/11: ACSAC, 27th Annual Computer Security Applications Conference, Orlando, Florida, USA; http://www.acsac.org; Submissions are due
 6/ 6/11: CRiSIS, 6th International Conference on Risks and Security of Internet and Systems, Timisoara, Romania; http://www.crisis-conference.org/; Submissions are due
 6/ 6/11- 6/ 8/11: POLICY, 12th IEEE International Symposium on Policies for Distributed Systems and Networks, Pisa, Italy; http://ieee-policy.org
 6/ 7/11- 6/ 9/11: IFIP-SEC, 26th IFIP TC-11 International Information Security Conference, Luzern, Switzerland; http://www.sec2011.org/
 6/ 7/11- 6/10/11: ACNS, 9th International Conference on Applied Cryptography and Network Security, Nerja, Malaga, Spain; http://www.isac.uma.es/acns2011/
 6/10/11: EuroPKI, 8th European Workshop on Public Key Services, Applications and Infrastructures, Held in conjunction with the European Symposium on Research in Computer Security (ESORICS 2011), Leuven, Belgium; http://www.cosic.esat.kuleuven.be/europki2011/; Submissions are due
 6/10/11: DSPSR, 1st IEEE/IFIP EUC Workshop on Data Management, Security and Privacy in Sensor Networks and RFID, Held in conjunction with the 9th IEEE/IFIP International Conference on Embedded and Ubiquitous Computing (EUC 2011), Melbourne, Australia; http://www.deakin.edu.au/~rchell/DSPSR2011.html; Submissions are due
 6/14/11- 6/17/11: WiSec, 4th ACM Conference on Wireless Network Security, Hamburg, Germany; http://www.sigsac.org/wisec/WiSec2011
 6/15/11: HICSS-ST, 45th Annual HAWAI'I International Conference on System Sciences, Software Technology Track, Grand Wailea Maui, Hawaii, USA; http://www.hicss.hawaii.edu/hicss_45/apahome45.htm; Submissions are due
 6/15/11- 6/17/11: SACMAT, 16th ACM Symposium on Access Control Models and Technologies, Innsbruck, Austria; http://sacmat.org/
 6/17/11: SecIoT, 2nd Workshop on the Security of the Internet of Things, Held in conjunction with IEEE iThings 2011, Dalian, China; http://www.isac.uma.es/seciot11; Submissions are due
 6/20/11: D-SPAN, 2nd IEEE International Workshop on Data Security and PrivAcy in wireless Networks, Held in conjunction with IEEE WoWMoM 2011, Lucca, Italy; http://home.gwu.edu/~nzhang10/DSPAN2011/
 6/20/11: FCS, Workshop on Foundations of Computer Security, Held in conjunction with LICS 2011, Toronto, Ontario, Canada; http://www.di.ens.fr/~blanchet/fcs11/
 6/22/11: WIFS, IEEE Workshop on Information Forensics and Security, Foz do Iguaçu, Brazil; http://www.wifs11.org; Submissions are due
 6/22/11- 6/24/11: TRUST, 4th International Conference on Trust and Trustworthy Computing, Pittsburgh, PA, USA; http://www.trust2011.org
 6/27/11- 6/29/11: CSF, 24th IEEE Computer Security Foundations Symposium, Domaine de l'Abbaye des Vaux-de-Cernay, France; http://csf2011.inria.fr/
 6/27/11: STC, 6th ACM Workshop on Scalable Trusted Computing, Held in conjunction with the ACM CCS 2011, Chicago, IL, USA; http://www.cs.utsa.edu/~acmstc/stc2011/; Submissions are due
 6/29/11- 7/ 1/11: IFIPTM, 5th IFIP International Conference on Trust Management, Copenhagen, Denmark; http://www.ifiptm.org/
 6/30/11: TrustCom, 10th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, Changsha, China; http://trust.csu.edu.cn/conference/trustcom2011; Submissions are due
 7/ 1/11: CCSW, ACM Cloud Computing Security Workshop, Held in conjunction with the ACM CCS 2011, Chicago, IL, USA; http://crypto.cs.stonybrook.edu/ccsw11; Submissions are due
 7/ 2/11: WPES, 10th ACM Workshop on Privacy in the Electronic Society, Held in conjunction with the ACM CCS 2011, Chicago, IL, USA; http://wpes11.rutgers.edu/; Submissions are due
 7/ 4/11: EC2ND, 7th European Conference on Computer Network Defense, Gothenburg, Sweden; http://2011.ec2nd.org/; Submissions are due
 7/ 6/11: AISec, 4th Workshop on Artificial Intelligence and Security, Held in conjunction with the ACM CCS 2011, Chicago, IL, USA; http://tsig.fujitsulabs.com/~aisec2011/; Submissions are due
 7/ 7/11- 7/ 8/11: DIMVA, 8th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Amsterdam, The Netherlands; http://www.dimva.org/dimva2011
 7/ 8/11: TSCloud, 1st IEEE International Workshop on Trust and Security in Cloud Computing, Changsha, China; http://tscloud.org; Submissions are due
 7/11/11- 7/13/11: DBSec, 25th Annual WG 11.3 Conference on Data and Applications Security and Privacy, Richmond, Virginia, USA; http://www.egr.vcu.edu/dbsec2011/
 7/19/11- 7/21/11: PST, 9th International Conference on Privacy, Security and Trust, Montreal, Quebec, Canada; http://pstnet.unb.ca/pst2011
 7/21/11: eCrime Researchers Summit, 6th IEEE eCrime Researchers Summit, Held in conjunction with the 2011 APWG General Meeting, San Diego, CA, USA; http://ecrimeresearch.org; Submissions are due
 7/22/11- 7/24/11: ID, ACM/Springer International Workshop on Identity: Security, Management & Applications, Kochi, Kerala, India; http://www.acc-rajagiri.org/ID2011.html
 7/27/11- 7/29/11: PETS, 11th Privacy Enhancing Technologies Symposium, Waterloo, ON, Canada; http://petsymposium.org/2011/
 8/ 1/11- 8/ 3/11: DFRWS, 11th Digital Forensics Research Conference, New Orleans, LA, USA; http://www.dfrws.org
 8/ 9/11: NDSS, Network & Distributed System Security Symposium, San Diego, California, USA; http://www.isoc.org/isoc/conferences/ndss/12/cfp.shtml; Submissions are due
 8/10/11- 8/12/11: USENIX Security, 20th USENIX Security Symposium, San Francisco, CA, USA; https://db.usenix.org/events/sec11/cfp/
 8/15/11: WICT-NDF, World Congress on Information and Communication Technologies, Intrusion Detection and Forensics, Mumbai, India; http://www.mirlabs.org/wict11/index.php-c=main&a=show&id=34.htm; Submissions are due
 8/21/11: International Journal of Information Security, Special Issue on SCADA and Control System Security; http://springerlink.com/content/c228708131853np8/fulltext.pdf; Submissions are due
 8/22/11- 8/24/11: WISA, 12th International Workshop on Information Security Applications, Jeju Island, Korea; http://www.wisa.or.kr
 9/ 6/11- 9/ 7/11: EC2ND, 7th European Conference on Computer Network Defense, Gothenburg, Sweden; http://2011.ec2nd.org/
 9/ 6/11- 9/ 8/11: IWSSC, 1st International Workshop on Securing Services on the Cloud, Held in conjunction with the 5th International Conference on Network and System Security (NSS 2011), Milan, Italy; http://sesar.dti.unimi.it/iwssc2011
 9/12/11- 9/14/11: ESORICS, 16th European Symposium on Research in Computer Security, Leuven, Belgium; https://www.cosic.esat.kuleuven.be/esorics2011/
 9/15/11: IFIP-DF, 8th Annual IFIP WG 11.9 International Conference on Digital Forensics, University of Pretoria, Pretoria, South Africa; http://www.ifip119.org; Submissions are due
 9/15/11- 9/16/11: FAST, 8th International Workshop on Formal Aspects of Security & Trust, Held in conjunction with the European Symposium on Research in Computer Security (ESORICS 2011), Leuven, Belgium; http://www.iit.cnr.it/FAST2011/Unico.htm
 9/15/11- 9/16/11: SETOP, 4th International Workshop on Autonomous and Spontaneous Security, Held in conjunction with the European Symposium on Research in Computer Security (ESORICS 2011), Leuven, Belgium; http://setop2011.dyndns.org/
 9/15/11- 9/16/11: DPM, 6th International Workshop on Data Privacy Management, Held in conjunction with the European Symposium on Research in Computer Security (ESORICS 2011), Leuven, Belgium; http://dpm2011.dyndns.org/
 9/15/11- 9/16/11: EuroPKI, 8th European Workshop on Public Key Services, Applications and Infrastructures, Held in conjunction with the European Symposium on Research in Computer Security (ESORICS 2011), Leuven, Belgium; http://www.cosic.esat.kuleuven.be/europki2011/
 9/19/11- 9/21/11: SAFECOMP, 30th International Conference on Computer Safety, Reliability and Security, Naples, Italy; http://www.safecomp2011.unina.it/
 9/20/11- 9/21/11: RAID, 14th International Symposium on Recent Advances in Intrusion Detection, Menlo Park, CA, USA; http://raid2011.org
 9/26/11- 9/28/11: CRiSIS, 6th International Conference on Risks and Security of Internet and Systems, Timisoara, Romania; http://www.crisis-conference.org/
10/17/11: STC, 6th ACM Workshop on Scalable Trusted Computing, Held in conjunction with the ACM CCS 2011, Chicago, IL, USA; http://www.cs.utsa.edu/~acmstc/stc2011/
10/17/11: WPES, 10th ACM Workshop on Privacy in the Electronic Society, Held in conjunction with the ACM CCS 2011, Chicago, IL, USA; http://wpes11.rutgers.edu/
10/19/11: SecIoT, 2nd Workshop on the Security of the Internet of Things, Held in conjunction with IEEE iThings 2011, Dalian, China; http://www.isac.uma.es/seciot11
10/21/11: CCSW, ACM Cloud Computing Security Workshop, Held in conjunction with the ACM CCS 2011, Chicago, IL, USA; http://crypto.cs.stonybrook.edu/ccsw11
10/21/11: AISec, 4th Workshop on Artificial Intelligence and Security, Held in conjunction with the ACM CCS 2011, Chicago, IL, USA; http://tsig.fujitsulabs.com/~aisec2011/
10/24/11-10/26/11: DSPSR, 1st IEEE/IFIP EUC Workshop on Data Management, Security and Privacy in Sensor Networks and RFID, Held in conjunction with the 9th IEEE/IFIP International Conference on Embedded and Ubiquitous Computing (EUC 2011), Melbourne, Australia; http://www.deakin.edu.au/~rchell/DSPSR2011.html
11/ 7/11-11/ 9/11: eCrime Researchers Summit, 6th IEEE eCrime Researchers Summit, Held in conjunction with the 2011 APWG General Meeting, San Diego, CA, USA; http://ecrimeresearch.org
11/16/11: TSCloud, 1st IEEE International Workshop on Trust and Security in Cloud Computing, Changsha, China; http://tscloud.org
11/16/11-11/18/11: TrustCom, 10th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, Changsha, China; http://trust.csu.edu.cn/conference/trustcom2011
11/29/11-12/ 2/11: WIFS, IEEE Workshop on Information Forensics and Security, Foz do Iguaçu, Brazil; http://www.wifs11.org
12/ 5/11-12/ 9/11: ACSAC, 27th Annual Computer Security Applications Conference, Orlando, Florida, USA; http://www.acsac.org/
12/11/11-12/14/11: WICT-NDF, World Congress on Information and Communication Technologies, Intrusion Detection and Forensics, Mumbai, India; http://www.mirlabs.org/wict11/index.php-c=main&a=show&id=34.htm
 1/ 3/12- 1/ 5/12: IFIP-DF, 8th Annual IFIP WG 11.9 International Conference on Digital Forensics, University of Pretoria, Pretoria, South Africa; http://www.ifip119.org
 1/ 4/12- 1/ 7/12: HICSS-ST, 45th Annual HAWAI'I International Conference on System Sciences, Software Technology Track, Grand Wailea Maui, Hawaii, USA; http://www.hicss.hawaii.edu/hicss_45/apahome45.htm
 2/ 5/12- 2/ 8/12: NDSS, Network & Distributed System Security Symposium, San Diego, California, USA; http://www.isoc.org/isoc/conferences/ndss/12/cfp.shtml

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers
(new since Cipher E101)
___________________________________________________________________

-------------------------------------------------------------------------
FAST 2011
8th International Workshop on Formal Aspects of Security & Trust,
Held in conjunction with the European Symposium on Research in Computer
Security (ESORICS 2011), Leuven, Belgium, September 15-16, 2011.
(Submissions due 1 June 2011)
http://www.iit.cnr.it/FAST2011/Unico.htm

The eighth International Workshop on Formal Aspects of Security and Trust
aims at continuing the successful efforts of the previous FAST workshops,
fostering cooperation among researchers in the areas of security and trust.
Computing and network infrastructures have become pervasive, and now
support a great deal of economic activity. Thus, society needs suitable
security and trust mechanisms. Interactions increasingly span several
enterprises and involve loosely structured communities of individuals.
Participants in these activities must control interactions with their
partners based on trust policies and business logic. Trust-based decisions
effectively determine the security goals for shared information and for
access to sensitive or valuable resources. FAST focuses on the formal
models of security and trust that are needed to state goals and policies
for these interactions. We also seek new and innovative techniques for
establishing consequences of these formal models.
Implementation approaches for such techniques are also welcome.

-------------------------------------------------------------------------
IWSSC 2011 1st International Workshop on Securing Services on the Cloud, Held in conjunction with the 5th International Conference on Network and System Security (NSS 2011), Milan, Italy, September 6-8, 2011.
(Submissions due 1 June 2011)
http://sesar.dti.unimi.it/iwssc2011

The ongoing merge between Service-Oriented Architectures (SOAs) and the Cloud computation paradigm provides a new environment fostering the integration of services located within company boundaries with those on the Cloud. An increasing number of organizations implement their business processes and applications via runtime composition of services made available on the Cloud by external suppliers. This scenario is changing the traditional view of security, introducing new service security risks and threats, and requires re-thinking of current development, testing, and verification methodologies. IWSSC 2011 aims to address the security issues related to the deployment of services on the Cloud, along with evaluating their impact on traditional security solutions for software and network systems. The workshop seeks submissions from academia and industry presenting novel research on all theoretical and practical aspects of security of services implemented on the Cloud, as well as experimental studies in Cloud infrastructures, the implementation of services, and lessons learned.
Topics of interest include, but are not limited to:
- Security in Cloud services
- Software verification in critical services
- Static code analysis of software services
- Test-based verification of services
- Authentication and access control on the Cloud
- Challenges in moving critical systems to the Cloud
- Cybercrime and cyberterrorism on the Cloud
- Communication confidentiality and integrity
- Data security and privacy on the Cloud
- Formal methods for the Cloud
- Homeland security
- Information assurance and trust management
- Intrusion detection on the Cloud
- Model-based validation of services
- Orchestration and choreography
- RESTful service security
- SOAP security
- Security certification of services
- Security metrics on the Cloud
- Security models and architectures
- Security patterns for the Cloud
- Security protocols on the Cloud

-------------------------------------------------------------------------
SETOP 2011 4th International Workshop on Autonomous and Spontaneous Security, Held in conjunction with the European Symposium on Research in Computer Security (ESORICS 2011), Leuven, Belgium, September 15-16, 2011.
(Submissions due 5 June 2011)
http://setop2011.dyndns.org/

The SETOP Workshop seeks submissions that present research results on all aspects related to spontaneous and autonomous security.
Topics of interest include, but are not limited to the following:
- Security policy deployment
- Self evaluation of risk and impact
- Distributed intrusion detection
- Cryptography & Cryptanalysis
- Autonomous and spontaneous response
- Trust establishment
- Lightweight cryptography
- Selfish behaviour and collaboration enforcement
- Security in autonomous networks
- Security in ad hoc networks
- Security in sensor/RFID networks
- Security of Next Generation Networks
- Security in Cloud Computing
- Security of Service Oriented Architecture
- Security of opportunistic networks
- Privacy in self-organized networks
- Secure localization
- Context aware and ubiquitous computing
- Secure interoperability and negotiation
- Self-organization in secure routing
- Identity management
- Modelling and validation of security

-------------------------------------------------------------------------
DPM 2011 6th International Workshop on Data Privacy Management, Held in conjunction with the European Symposium on Research in Computer Security (ESORICS 2011), Leuven, Belgium, September 15-16, 2011.
(Submissions due 5 June 2011)
http://dpm2011.dyndns.org/

The aim of this workshop is to discuss and exchange ideas related to privacy data management. We invite researchers and practitioners working in privacy, security, trustworthy data systems and related areas to submit their original papers to this workshop.
Topics of interest include, but are not limited to the following:
- Privacy Information Management
- Privacy Policy-based Infrastructures and Architectures
- Privacy-oriented Access Control Languages and Models
- Privacy in Trust Management
- Privacy Data Integration
- Privacy Risk Assessment and Assurance
- Privacy Services
- Privacy Policy Analysis
- Lightweight cryptography & Cryptanalysis
- Query Execution over Privacy Sensitive Data
- Privacy Preserving Data Mining
- Hippocratic and Water-marking Databases
- Privacy for Integrity-based Computing
- Privacy Monitoring and Auditing
- Privacy in Social Networks
- Privacy in Ambient Intelligence (AmI) Applications
- Individual Privacy vs. Corporate/National Security
- Code-based Cryptology
- Privacy in computer networks
- Privacy and RFIDs
- Privacy in sensor networks

-------------------------------------------------------------------------
WISA 2011 12th International Workshop on Information Security Applications, Jeju Island, Korea, August 22-24, 2011.
(Submissions due 6 June 2011)
http://www.wisa.or.kr

The focus of this workshop is on all technical and practical aspects of cryptographic and non-cryptographic security applications. The workshop will serve as a forum for new results from the academic research community as well as from the industry.
The areas of interest include, but are not limited to:
- Internet & Wireless Security
- E-Commerce Protocols
- Access Control & Database Security
- Biometrics & Human Interface
- Network Security & Intrusion Detection
- Security & Trust Management
- IPTV Security
- Content Protection & Service Security
- Digital Rights Management
- Secure Software & Systems
- Information Hiding
- Digital Forensics
- Secure Hardware
- Cyber Indication & Intrusion Detection
- Multicast & Group Security
- Secure Application Protocols
- Secure Coding
- Smart Cards & Applications
- Mobile Security
- Privacy & Anonymity
- Public Key Crypto Applications
- Threats & Information Warfare
- Virus Protection & Applications
- Ubiquitous Computing Security
- Combating SPAM
- ID Management
- Peer-to-Peer Security
- Information Assurance
- RFID Security & Applications
- Sensor Network Security & Applications
- Common Criteria
- Critical Information Infrastructure Protection
- Video Surveillance Systems
- Smartphone Security

-------------------------------------------------------------------------
ACSAC 2011 27th Annual Computer Security Applications Conference, Orlando, Florida, USA, December 5-9, 2011.
(Submissions due 6 June 2011)
http://www.acsac.org/

ACSAC is an internationally recognized forum where practitioners, researchers, and developers in information system security meet to learn and to exchange practical ideas and experiences. If you are developing practical solutions to problems relating to protecting commercial enterprises' or countries' information infrastructures, consider submitting your work to the Annual Computer Security Applications Conference. We are especially interested in submissions that address the application of security technology, the implementation of systems, and lessons learned.
Some example topics are:
- Access control
- Assurance
- Audit and audit reduction
- Biometrics
- Boundary control devices
- Certification and accreditation
- Database security
- Denial of service protection
- Distributed systems security
- Electronic commerce security
- Enterprise security management
- Forensics
- Identity management
- Incident response planning
- Insider threat protection
- Integrity
- Intellectual property rights protection
- Intrusion detection and prevention
- Malware
- Mobile and wireless security
- Multimedia security
- Network resiliency
- Operating systems security
- Peer-to-peer security
- Privacy and data protection
- Privilege management
- Product evaluation criteria and compliance
- Risk/vulnerability assessment
- Securing cloud infrastructures
- Security engineering and management
- Security in service oriented architectures
- Security usability
- Software security
- Supply chain risk management
- Trust management
- Virtualization security
- VoIP security
- Web 2.0/3.0 security

-------------------------------------------------------------------------
CRiSIS 2011 6th International Conference on Risks and Security of Internet and Systems, Timisoara, Romania, September 26-28, 2011.
(Submissions due 6 June 2011)
http://www.crisis-conference.org/

The International Conference on Risks and Security of Internet and Systems 2011 will be the 6th in a series dedicated to security issues in Internet-related applications, networks and systems, covering recent advances on Internet-related security threats and vulnerabilities, and the solutions that are needed to counter them. The topics addressed by CRiSIS range from the analysis of risks and attacks to network and system survivability, passing through security models, security mechanisms and privacy enhancing technologies. Prospective authors are invited to submit research results as well as practical experiment or deployment reports.
Industrial papers about applications and case studies, such as telemedicine, banking, e-government and critical infrastructure, are also welcome. The list of topics includes but is not limited to:
- Analysis and management of risks
- Attacks and defences
- Attack data acquisition and network monitoring
- Cryptography, Biometrics, Watermarking
- Dependability and fault tolerance of Internet applications
- Distributed systems security
- Embedded system security
- Intrusion detection and Prevention systems
- Hardware-based security and Physical security
- Trust management
- Organizational, ethical and legal issues
- Privacy protection and anonymization
- Security and dependability of operating systems
- Security and safety of critical infrastructures
- Security and privacy of peer-to-peer systems
- Security and privacy of wireless networks
- Security models and security policies
- Security of new generation networks, security of VoIP and multimedia
- Security of e-commerce, electronic voting and database systems
- Traceability, metrology and forensics
- Use of smartcards and personal devices for Internet applications
- Web security

-------------------------------------------------------------------------
EuroPKI 2011 8th European Workshop on Public Key Services, Applications and Infrastructures, Held in conjunction with the European Symposium on Research in Computer Security (ESORICS 2011), Leuven, Belgium, September 15-16, 2011.
(Submissions due 10 June 2011)
http://www.cosic.esat.kuleuven.be/europki2011/

EuroPKI is a successful series of workshops that started in 2004. For the 2011 edition, the scope will cover all research aspects of Public Key Services, Applications and Infrastructures. In particular, we also encourage submissions dealing with innovative applications of public key cryptography.
Submitted papers may present theory, applications or practical experiences on topics including, but not limited to:
- Anonymity and Privacy
- Architecture and Modeling
- Authentication
- Authorization and Delegation
- Case Studies
- Certificates Status
- Certification Policy and Practices
- Credentials
- Cross Certification
- Directories
- eCommerce/eGovernment
- Evaluation
- Fault-Tolerance and reliability
- Federations
- Group signatures
- ID-based schemes
- Identity Management and eID
- Implementations
- Interoperability
- Key Management
- Legal issues
- Long-time archiving
- Mobile PKI
- Multi-signatures
- Policies & Regulations
- Privacy
- Privilege Management
- Protocols
- Repositories
- Risk/attacks
- Standards
- Timestamping
- Trust management
- Trusted Computing
- Ubiquitous scenarios
- Usage Control
- Web services security

-------------------------------------------------------------------------
DSPSR 2011 1st IEEE/IFIP EUC Workshop on Data Management, Security and Privacy in Sensor Networks and RFID, Held in conjunction with the 9th IEEE/IFIP International Conference on Embedded and Ubiquitous Computing (EUC 2011), Melbourne, Australia, October 24-26, 2011.
(Submissions due 10 June 2011)
http://www.deakin.edu.au/~rchell/DSPSR2011.html

As the real world deployment of wireless sensor networks and RFID systems becomes increasingly commonplace, the issues of data management, security and privacy of these systems need to be addressed. Sensor networks and RFID make possible innovative applications in important areas such as healthcare, homeland security, early warning systems, emergency response and other time and/or life critical situations. These applications demand that the management of data, the security of these systems from a network and application perspective, as well as the privacy of these systems from a user and data perspective, are efficient and can be guaranteed.
Hence the main motivation for this workshop is to bring together researchers and practitioners working on related areas in wireless sensor networks and RFID to present current research advances. The aim of the workshop is to provide a platform for the discussion of the major research challenges and achievements on the following topics of interest, but not limited to:
- Data Fusion and Aggregation
- Information discovery and query processing
- Network Scheduling
- Distributed Information Processing
- Remote reprogramming
- Intrusion detection and response
- Privacy preserving techniques
- Network Resilience and Recovery
- Vulnerability and Cryptanalysis
- Lightweight Cryptography for sensors and RFID
- Security Standards, Frameworks and Protocols
- Security in mobile sensor and RFID systems
- Trust management and related frameworks
- Security policy and management
- Key management techniques
- Security Issues in specific application contexts (e.g., healthcare, military, supply chains)

-------------------------------------------------------------------------
HICSS-ST 2012 45th Annual HAWAI'I International Conference on System Sciences, Software Technology Track, Grand Wailea Maui, Hawaii, USA, January 4-7, 2012.
(Submissions due 15 June 2011)
http://www.hicss.hawaii.edu/hicss_45/apahome45.htm

Modern society is irreversibly dependent on software systems of remarkable scope and complexity. Yet methods for assuring the dependability and quality of these systems have not kept pace with their rapid deployment and evolution. The result has been persistent errors, failures, vulnerabilities, and compromises. Research is required in assurance technologies that can meet the needs of 21st century systems. These technologies must scale beyond present labor-intensive practices that are increasingly overwhelmed by the task at hand. Many organizations in academia, industry, and defense are interested in this subject, but often with a focus on specific subject matter areas.
The goal of this Minitrack is to bring together researchers from all areas of system assurance to promote sharing and cross-pollination of promising methods and technologies. We will promote a unified assurance discipline characterized by science foundations and substantial automation that can effectively address the scope and scale of the problem. Assurance research focuses on achieving an acceptable level of trust and confidence through auditable evidence that software systems will function as intended in both benign and threat environments to meet organizational objectives. It addresses all aspects of the system development lifecycle in terms of technical, management, and standards-related issues. The following topics will be included in the Minitrack:
- Advances in specification and design of assured systems
- Advances in software correctness verification
- Advances in software security assurance
- Advances in system testing and certification
- Assurance for embedded systems
- Assurance for hardware components
- Assurance for large-scale infrastructure systems
- Assurance for SOA architectures and cloud computing environments
- Assurance in system maintenance and evolution
- Automated methods for system assurance
- Assurance through computation of software behavior
- Secure coding techniques
- Management of assurance operations
- Processes and metrics for assurance operations
- Business case and ROI development for system assurance
- Supply chain and standards issues in system assurance
- Case studies of system assurance successes
- Formal methods in software assurance
- Curriculum development and education for software assurance

-------------------------------------------------------------------------
SecIoT 2011 2nd Workshop on the Security of the Internet of Things, Held in conjunction with IEEE iThings 2011, Dalian, China, October 19, 2011.
(Submissions due 17 June 2011)
http://www.isac.uma.es/seciot11

While there are many definitions of the Internet of Things (IoT), all of them revolve around the same central concept: a world-wide network of interconnected objects. These objects will make use of multiple technological building blocks, such as wireless communication, sensors, actuators, and RFID, in order to allow people and things to be connected anytime anyplace, with anything and anyone. However, mainly due to the inherent heterogeneity of this vision and its broad scope, there will not be a single silver bullet security solution that will fulfill all the security requirements of the IoT. Therefore: how can we include security as a core element of the IoT? How will the IoT interact with other security mechanisms of the Future Internet? What security requirements will be truly challenged by the ultimate vision of the IoT? It is precisely the goal of this workshop to bring together researchers and industry experts in areas relevant to the security of the Internet of Things to discuss these and other significant issues. Moreover, this workshop also has the objective of serving as a forum not only for presenting cutting-edge research, but also for debating the role of security and its practical implications in the development of the IoT.
Topics of interest for the workshop include the following:
- New security problems in the context of the IoT
- Privacy risks and data management problems
- Identifying, authenticating, and authorizing entities
- Development of trust frameworks for secure collaboration
- New cryptographic primitives for constrained "things"
- Connecting heterogeneous ecosystems and technologies
- Legal Challenges and Governance Issues
- Resilience to external and internal attacks
- Context-Aware Security
- Providing protection to an IP-connected IoT
- Web services security and other application-layer issues
- Distributed policy enforcement and rights management
- Usability of Security and Privacy Technologies in the context of the IoT

-------------------------------------------------------------------------
WIFS 2011 IEEE Workshop on Information Forensics and Security, Foz do Iguaçu, Brazil, November 29-December 2, 2011.
(Submissions due 22 June 2011)
http://www.wifs11.org

The IEEE International Workshop on Information Forensics and Security (WIFS) is the primary annual event organized by the IEEE's Information Forensics and Security Technical Committee (IEEE IFS TC). WIFS is a venue for knowledge exchange that encompasses a broad range of disciplines and facilitates the exchange of ideas between the various disparate communities that constitute information security. With this focus, we hope that researchers will identify new opportunities for collaboration across disciplines and gain new perspectives. The conference will feature prominent keynote speakers, tutorials, and lecture sessions.
Appropriate topics of interest include, but are not limited to:
- Computer security: intrusion detection, vulnerability analysis, cloud security
- Biometrics: emerging modalities, fuzzy extractors, attacks and countermeasures
- Cryptography for multimedia content: multimedia encryption, signal processing in the encrypted domain, traitor tracing codes
- Data hiding: watermarking, steganography and steganalysis
- Content Protection: conditional access, digital rights management (secure clocks, proximity detection, DRM architectures, DRM interoperability)
- Hardware Security: Identification, PUFS, Anti-counterfeiting
- Forensics Analysis: device identification, data recovery, processing history recovery, validation of forensic evidence
- Network Security: traffic monitoring, intrusion detection, incident response, network tomography, surveillance and traceback
- Usable Security, and usability aspects of security
- Information Theoretical Security
- Privacy: legal, ethical, social, and economical issues, anonymity, social network obfuscation
- (Video) Surveillance: arrays of sensors design and analysis, content tracking, events recognition, large crowd behavior analysis
- Secure Applications: e-Voting, e-Commerce, IPTV, VOD, VoIP, Medical

-------------------------------------------------------------------------
STC 2011 6th ACM Workshop on Scalable Trusted Computing, Held in conjunction with the ACM CCS 2011, Chicago, IL, USA, October 17, 2011.
(Submissions due 27 June 2011)
http://www.cs.utsa.edu/~acmstc/stc2011/

Built on the continuous success of ACM STC 2006-2010, this workshop focuses on fundamental technologies of trusted and high assurance computing and its applications in large-scale systems with varying degrees of trust. The workshop is intended to serve as a forum for researchers as well as practitioners to disseminate and discuss recent advances and emerging issues.
The workshop solicits two types of original papers, single-column using at least 11pt fonts. Full-paper submissions are at most 15 pages excluding bibliography, appendix etc.; the total number of pages should not be more than 20, and reviewers are not required to read the appendix. Short/work-in-progress/position-paper submissions are at most 8 pages excluding bibliography. A paper submitted to this workshop must not be in parallel submission to any other journal, magazine, conference or workshop with proceedings. It is up to the authors to decide whether a submission should be anonymous. Topics of interest include but are not limited to:
- security policies and models of trusted computing
- architecture and implementation technologies for trusted platform
- limitations, alternatives and tradeoffs regarding trusted computing
- trusted computing in cloud and data center
- cloud-based attestation services
- trusted smartphone devices and systems
- trust in smart grid, energy, and Internet of Things
- trusted emerging and future Internet infrastructure
- trusted online social network
- trust in authentications, users and computing services
- hardware based trusted computing
- software based trusted computing
- pros and cons of hardware based approach
- remote attestation of trusted devices
- censorship-freeness in trusted computing
- cryptographic support in trusted computing
- case study in trusted computing
- principles for handling scales
- scalable trust supports and services in cloud
- trusted embedded computing and systems
- virtualization and trusted computing

-------------------------------------------------------------------------
TrustCom 2011 10th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, Changsha, China, November 16-18, 2011.
(Submissions due 30 June 2011)
http://trust.csu.edu.cn/conference/trustcom2011

With the rapid development and increasing complexity of computer and communications systems and networks, user requirements for trust, security and privacy are becoming more and more demanding. However, there is a grand challenge: traditional security technologies and measures may not meet user requirements in open, dynamic, heterogeneous, mobile, wireless, and distributed computing environments. Therefore, we need to build systems and networks in which various applications allow users to enjoy more comprehensive services while preserving trust, security and privacy at the same time. As useful and innovative technologies, trusted computing and communications are attracting more and more attention from researchers. IEEE TrustCom-11 is an international conference for presenting and discussing emerging ideas and trends in trusted computing and communications in computer systems and networks from both the research community and industry.

-------------------------------------------------------------------------
CCSW 2011 ACM Cloud Computing Security Workshop, Held in conjunction with the ACM CCS 2011, Chicago, IL, USA, October 21, 2011.
(Submissions due 1 July 2011)
http://crypto.cs.stonybrook.edu/ccsw11

Notwithstanding the latest buzzword (grid, cloud, utility computing, SaaS, etc.), large-scale computing and cloud-like infrastructures are here to stay. Exactly what they will look like tomorrow is still for the markets to decide, yet one thing is certain: clouds bring with them new, untested deployment and adversarial models and vulnerabilities.
CCSW aims to bring together researchers and practitioners in all security aspects of cloud-centric and outsourced computing, including (but not limited to):
- practical cryptographic protocols for cloud security
- secure cloud resource virtualization mechanisms
- secure data management outsourcing (e.g., database as a service)
- practical privacy and integrity mechanisms for outsourcing
- foundations of cloud-centric threat models
- secure computation outsourcing
- remote attestation mechanisms in clouds
- sandboxing and VM-based enforcements
- trust and policy management in clouds
- secure identity management mechanisms
- new cloud-aware web service security paradigms and mechanisms
- cloud-centric regulatory compliance issues and mechanisms
- business and security risk models and clouds
- cost and usability models and their interaction with security in clouds
- scalability of security in global-size clouds
- trusted computing technology and clouds
- binary analysis of software for remote attestation and cloud protection
- network security (DOS, IDS etc.) mechanisms for cloud contexts
- security for emerging cloud programming models
- energy/cost/efficiency of security in clouds

-------------------------------------------------------------------------
WPES 2011 10th ACM Workshop on Privacy in the Electronic Society, Held in conjunction with the ACM CCS 2011, Chicago, IL, USA, October 17, 2011.
(Submissions due 2 July 2011)
http://wpes11.rutgers.edu/

The need for privacy-aware policies, regulations, and techniques has been widely recognized. This workshop discusses the problems of privacy in the global interconnected societies and possible solutions. The workshop seeks submissions from academia and industry presenting novel research on all theoretical and practical aspects of electronic privacy, as well as experimental studies of fielded systems.
We encourage submissions from other communities such as law and business that present these communities' perspectives on technological issues. Topics of interest include, but are not limited to:
- anonymity, pseudonymity, and unlinkability
- data correlation and leakage attacks
- data security and privacy
- electronic communication privacy
- economics of privacy
- information dissemination control
- personally identifiable information
- privacy-aware access control
- privacy and anonymity in the Web
- privacy in cloud and grid systems
- privacy and confidentiality management
- privacy and data mining
- privacy in the digital business
- privacy in the electronic records
- privacy enhancing technologies
- privacy in health care and public administration
- privacy and human rights
- privacy metrics
- privacy in mobile systems
- privacy in outsourced scenarios
- privacy policies
- privacy vs. security
- privacy in social networks
- privacy threats
- privacy and virtual identity
- public records and personal privacy
- user profiling
- wireless privacy

-------------------------------------------------------------------------
EC2ND 2011 7th European Conference on Computer Network Defense, Gothenburg, Sweden, September 6-7, 2011.
(Submissions due 4 July 2011)
http://2011.ec2nd.org/

EC2ND invites submissions presenting novel ideas at an early stage with the intention to act as a discussion forum and feedback channel for promising, innovative security research. While our goal is to solicit ideas that are not completely worked out, and might have challenging and interesting open questions, we expect submissions to be supported by some evidence of feasibility or preliminary quantitative results. This year we are especially interested in papers concerning the protection against attacks in "special environments" (such as the ICT component of the smart grid) or protection against attacks that could cause a large societal impact.
Topics include but are not limited to:
- Intrusion Detection
- Denial-of-Service
- Privacy Protection
- Security Policy
- Peer-to-Peer and Grid Security
- Network Monitoring
- Web Security
- Vulnerability Management and Tracking
- Network Forensics
- Wireless and Mobile Security
- Cryptography
- Network Discovery and Mapping
- Incident Response and Management
- Malicious Software
- Web Services Security
- Legal and Ethical Issues

-------------------------------------------------------------------------
AISec 2011 4th Workshop on Artificial Intelligence and Security, Held in conjunction with ACM CCS 2011, Chicago, IL, USA, October 21, 2011.
(Submissions due 6 July 2011)
http://tsig.fujitsulabs.com/~aisec2011/

We invite original research papers describing the use of AI or Machine Learning in security and privacy problems. We also invite position papers discussing the role of AI or Machine Learning in security and privacy. Submitted papers may not substantially overlap papers that have been published or that are simultaneously submitted to a journal or conference with proceedings. Topics of interest include, but are not limited to:
- Adversarial Learning
- Robust Statistics
- Online Learning
- Spam detection
- Botnet detection
- Intrusion detection
- Malware identification
- Privacy-preserving data mining
- Design and analysis of CAPTCHAs
- Phishing detection and prevention
- AI approaches to trust and reputation
- Vulnerability testing through intelligent probing (e.g. fuzzing)
- Content-driven security policy management & access control
- Techniques and methods for generating training and test sets
- Anomalous behavior detection (e.g. for the purposes of fraud prevention, authentication)

-------------------------------------------------------------------------
TSCloud 2011 1st IEEE International Workshop on Trust and Security in Cloud Computing, Changsha, China, November 16, 2011.
(Submissions due 8 July 2011)
http://tscloud.org

The TSCloud workshop tries to bring together researchers with an interest in theoretical foundations and practical approaches to trust and security in cloud computing. The emphasis is on high-impact, novel/adopted theories and paradigms that address mathematical and logical underpinnings in trust and security in cloud computing, e.g. encryption, obfuscation, virtualisation security, governance, accountability, etc. Topics of interest include, but are not limited to:
- Malware detection in cloud computing
- Cryptography and encryption techniques for cloud computing
- Data obfuscation for cloud computing
- Accountability in cloud computing
- Security in virtualised environments
- Governance, regulation and compliance in cloud computing
- Data analytics for security in cloud computing
- Visualization for security in cloud computing
- Cloud computing threat detection techniques
- Trust in cloud services
- Trust reputation systems for cloud computing
- Reports on critical, real-life security and trust use cases in cloud computing
- Secure and trusted workflows in cloud computing
- Position papers on issues in security and trust in cloud computing

-------------------------------------------------------------------------
eCrime Researchers Summit 2011 6th IEEE eCrime Researchers Summit, Held in conjunction with the 2011 APWG General Meeting, San Diego, CA, USA, November 7-9, 2011.
(Submissions due 21 July 2011)
http://ecrimeresearch.org

eCRS 2011 will bring together academic researchers, security
practitioners, and law enforcement to discuss all aspects of electronic
crime and ways to combat it. Topics of interest include (but are not
limited to):
- Phishing, rogue-AV, pharming, click-fraud, crimeware, extortion and
  emerging attacks
- Technical, legal, political, social and psychological aspects of fraud
  and fraud prevention
- Malware, botnets, ecriminal/phishing gangs and collaboration, or money
  laundering
- Techniques to assess the risks and yields of attacks and the success
  rates of countermeasures
- Delivery techniques, including spam, voice mail and rank manipulation;
  and countermeasures
- Spoofing of different types, and applications to fraud
- Techniques to avoid detection, tracking and takedown; and ways to block
  such techniques
- Honeypot design, data mining, and forensic aspects of fraud prevention
- Design and evaluation of user interfaces in the context of fraud and
  network security
- Best practices related to digital forensics tools and techniques,
  investigative procedures, and evidence acquisition, handling and
  preservation

-------------------------------------------------------------------------

NDSS 2012
Network & Distributed System Security Symposium,
San Diego, California, USA, February 5-8, 2012.
(Submissions due 9 August 2011)
http://www.isoc.org/isoc/conferences/ndss/12/cfp.shtml

The Network and Distributed System Security Symposium fosters information
exchange among research scientists and practitioners of network and
distributed system security. The target audience includes those
interested in practical aspects of network and distributed system
security, with a focus on system design and implementation. A major goal
is to encourage and enable the Internet community to apply, deploy, and
advance the state of available security technology.
Overall, we are looking not only for solid results but also for crazy
out-of-the-box ideas. Areas of interest include (but are not limited to):
- Network perimeter controls: firewalls, packet filters, application
  gateways
- Network protocol security: routing, naming, network management
- Cloud computing security
- Security issues in Future Internet architecture and design
- Security of web-based applications and services
- Anti-malware techniques: detection, analysis, and prevention
- Secure future home networks, Internet of Things, body-area networks
- Intrusion prevention, detection, and response
- Combating cyber-crime: anti-phishing, anti-spam, anti-fraud techniques
- Privacy and anonymity technologies
- Security for wireless, mobile networks
- Security of personal communication systems
- Vehicular Ad-hoc Network (VANETs) Security
- Security of peer-to-peer and overlay network systems
- Electronic commerce security: e.g., payments, notarization, timestamping
- Network security policies: implementation, deployment, management
- Intellectual property protection: protocols, implementations, DRM
- Public key infrastructures, key management, certification, and
  revocation
- Security for Emerging Technologies
- Special problems and case studies: cost, usability, security vs.
  efficiency
- Collaborative applications: teleconferencing and video-conferencing
- Smart Grid Security
- Secure Electronic Voting
- Security of large-scale critical infrastructures
- Trustworthy Computing for network protocols and distributed systems
- Network and distributed systems forensics

-------------------------------------------------------------------------

WICT-NDF 2011
World Congress on Information and Communication Technologies,
Intrusion Detection and Forensics,
Mumbai, India, December 11-14, 2011.
(Submissions due 15 August 2011)
http://www.mirlabs.org/wict11/index.php-c=main&a=show&id=34.htm

Authors are invited to submit original papers containing cutting edge
research, novel research vision or work-in-progress in any area of
intrusion detection and forensics. All accepted papers will be published
in the conference proceedings by IEEE. The track will cover a wide range
of topics. Topics of interest include but are not limited to:
- Host and Network based approaches
- Anomaly and specification-based approaches
- Lightweight, data mining and soft computing approaches
- Hybrid Approaches to information discovery and intrusion detection
- Formal Models, Framework and Architectures
- Botnets and vulnerabilities
- Malware, Worm, Virus and Spyware
- Insider attack detection and investigation
- High Performance and Real-Time Environments, including large-scale,
  high data volume/high-speed networks
- Highly distributed and heterogeneous environments
- Embedded system and small scale environments
- Special environments, including wireless, mobile, sensor networks and
  smart grid
- Virtual and Cloud Environments
- Social network analysis
- Deception systems and honeypots
- Incident response and live analysis
- Traceback and attribution
- Event reconstruction methods and tools
- Attacks against IDS, IDS protection and tolerance
- Anti-forensics and anti-anti-forensics
- Visualization Techniques
- Performance evaluation, metrics and benchmarking
- Commercial products and their directions
- Test Beds and Datasets

-------------------------------------------------------------------------

International Journal of Information Security,
Special Issue on SCADA and Control System Security, 2012.
(Submissions due 21 August 2011)
http://springerlink.com/content/c228708131853np8/fulltext.pdf

Editors: Irfan Ahmed (Queensland University of Technology, Australia),
Martin Naedele (ABB Corporate Research, Switzerland), Charles Palmer
(Dartmouth College, USA), Ryoichi Sasaki (Tokyo Denki University, Japan),
Bradley Schatz (Queensland University of Technology, Australia), and
Andrew West (Invensys Operations Management, Australia)

Supervisory control and data acquisition (SCADA) and industrial control
systems monitor and control a wide range of industrial and infrastructure
processes such as manufacturing production lines, water treatment, fuel
production and electricity distribution. Such systems are usually built
from a variety of commodity computer and networking components, and are
becoming increasingly interconnected with corporate and other
Internet-visible networks. As a result, they face significant threats
from internal and external actors. For example, the now famous Stuxnet
worm (a Windows-specific worm carrying a rootkit and exploiting four
zero-day vulnerabilities) was written specifically to attack SCADA
systems, and alone caused multi-million dollar damages in 2010. The
critical requirement for high availability in SCADA and industrial
control systems, together with the use of bespoke, resource-constrained
computing devices, legacy operating systems and proprietary software
applications, limits the applicability of traditional information
security solutions. Research into security solutions that are applicable
in the control systems context is therefore imperative, as evidenced by
the increased focus on the problem by governments worldwide.

This Special Issue aims to present the latest developments, trends and
research solutions addressing the security of the computers and networks
used in SCADA and other industrial control systems. Topics of interest
include, but are not limited to, intrusion detection and prevention,
malware, vulnerability analysis of control system protocols, digital
forensics, application security, and the performance impact of security
methods and tools in control systems. This list is not exhaustive and
other relevant topics will be considered.
-------------------------------------------------------------------------

IFIP-DF 2012
8th Annual IFIP WG 11.9 International Conference on Digital Forensics,
University of Pretoria, Pretoria, South Africa, January 3-5, 2012.
(Submissions due 15 September 2011)
http://www.ifip119.org

The IFIP Working Group 11.9 on Digital Forensics (www.ifip119.org) is an
active international community of scientists, engineers and practitioners
dedicated to advancing the state of the art of research and practice in
digital forensics. The Eighth Annual IFIP WG 11.9 International
Conference on Digital Forensics will provide a forum for presenting
original, unpublished research results and innovative ideas related to
the extraction, analysis and preservation of all forms of electronic
evidence. Papers and panel proposals are solicited. All submissions will
be refereed by a program committee comprising members of the Working
Group. Papers and panel submissions will be selected based on their
technical merit and relevance to IFIP WG 11.9. The conference will be
limited to approximately sixty participants to facilitate interactions
between researchers and intense discussions of critical research issues.
Keynote presentations, revised papers and details of panel discussions
will be published as an edited volume, the eighth in the series entitled
Research Advances in Digital Forensics, in the summer of 2012. Revised
and/or extended versions of selected papers from the conference will be
published in special issues of one or more international journals.
Technical papers are solicited in all areas related to the theory and
practice of digital forensics.
Areas of special interest include, but are not limited to:
- Theories, techniques and tools for extracting, analyzing and preserving
  digital evidence
- Network and cloud forensics
- Embedded device forensics
- Digital forensic processes and workflow models
- Digital forensic case studies
- Legal, ethical and policy issues related to digital forensics

-------------------------------------------------------------------------

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two ways to subscribe:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to
   cipher-admin@ieee-security.org (which is NOT automated) with subject
   line "subscribe".
   OR send a note to cipher-request@mailman.xmission.com with the
   subject line "subscribe" (this IS automated - thereafter you can
   manage your subscription options, including unsubscribing, yourself).

2. To receive a short e-mail note announcing when a new issue of CIPHER
   is available for Web browsing, send e-mail to
   cipher-admin@ieee-security.org (which is NOT automated) with subject
   line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with
   the subject line "subscribe" (this IS automated - thereafter you can
   manage your subscription options, including unsubscribing, yourself).

To remove yourself from the subscription list, send e-mail to
cipher-admin@ieee-security.org with subject line "unsubscribe" or
"unsubscribe postcard" or, if you have subscribed directly to the
xmission.com mailing list, use your password (sent monthly) to
unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that
way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a
NEWSletter, not a bulletin board or forum. It has a fixed set of
departments, defined by the Table of Contents. Please indicate in the
subject line for which department your contribution is intended.
Calendar and Calls-for-Papers entries should be sent to
cipher-cfp @ ieee-security.org and they will be automatically included in
both departments. To facilitate the semi-automated handling, please send
either a text version of the CFP or a URL from which a text version can
be easily obtained. For Calendar entries, please include a URL and/or
e-mail address for the point-of-contact. For Calls for Papers, please
submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS
APPLY. All reuses of Cipher material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy,
publications using Cipher material should obtain permission from the
contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security
and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy by completing the
on-line form at IEEE at http://www.computer.org/TCsignup/index.htm

______________________________________________________________________
TC Publications for Sale
______________________________________________________________________

IEEE Security and Privacy Symposium

The 2010 hardcopy proceedings are available at $25 each. The DVD with
all technical papers from all years of the SP Symposium and the CSF
Symposium (through 2009) is $10, plus shipping and handling.

The 2009 hardcopy proceedings are not available. The DVD with all
technical papers from all years of the SP Symposium and the CSF
Symposium is $5, plus shipping and handling.

The 2008 hardcopy proceedings are $10 plus shipping and handling; the
29 year CD is $5.00, plus shipping and handling.

The 2007 proceedings are available in hardcopy for $10.00; the 28 year
CD is $5.00, plus shipping and handling.

The 2006 Symposium proceedings and 11-year CD are sold out.

The 2005, 2004, and 2003 Symposium proceedings are available for $10
plus shipping and handling.

Shipping is $5.00/volume within the US, overseas surface mail is
$8/volume, and overseas airmail is $14/volume, based on an order of 3
volumes or less. The shipping charge for a CD is $3 per CD (no charge
if included with a hard copy order).
Send a check made out to the IEEE Symposium on Security and Privacy to
the 2011 treasurer (below) with the order description, including
shipping method and shipping address.

Robin Sommer
Treasurer, IEEE Symposium Security and Privacy 2011
International Computer Science Institute
Center for Internet Research
1947 Center St., Suite 600
Berkeley, CA 94704 USA
oakland11-treasurer@ieee-security.org

IEEE CS Press

You may order some back issues from IEEE CS Press at
http://www.computer.org/cspress/catalog/proc9.htm

Computer Security Foundations Symposium

Copies of the proceedings of the Computer Security Foundations Workshop
(now Symposium) are available for $10 each. Copies of proceedings are
available starting with year 10 (1997). Photocopy versions of year 1 are
also $10. Contact Jonathan Herzog if interested in purchase.

Jonathan Herzog
jherzog@alum.mit.edu

____________________________________________________________________________
TC Officer Roster
____________________________________________________________________________

Chair:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
ieee-chair@purplestreak.com

Security and Privacy Symposium Chair Emeritus:
Ulf Lindqvist
SRI
Menlo Park, CA
(650)859-2351 (voice)
ulf.lindqvist@sri.com

Vice Chair:
Sven Dietrich
Department of Computer Science
Stevens Institute of Technology
+1 201 216 8078
spock AT cs.stevens.edu

Chair, Subcommittee on Academic Affairs:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department, Code CS/IC
Monterey CA 93943-5118
(831) 656-2461 (voice)
irvine@nps.edu

Treasurer:
Terry Benzel
USC Information Sciences Institute
4676 Admiralty Way, Suite 1001
Los Angeles, CA 90292
(310) 822-1511 (voice)
tbenzel @isi.edu

Chair, Subcomm. on Security Conferences:
Jonathan Millen
The MITRE Corporation, Mail Stop S119
202 Burlington Road Rte. 62
Bedford, MA 01730-1420
781-271-51 (voice)
jmillen@mitre.org

Newsletter Editor:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2011 Chair:
Deborah Frincke
Pacific Northwest National Laboratory
deborah.frincke@pnl.gov

________________________________________________________________________

BACK ISSUES: Cipher is archived at:
http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year