============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 105
November 22, 2011

Hilarie Orman, Editor: cipher-editor @ ieee-security.org
Sven Dietrich, Assoc. Editor: cipher-assoc-editor @ ieee-security.org
Richard Austin, Book Review Editor: cipher-bookrev @ ieee-security.org
Yong Guan, Calendar Editor: cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * Commentary and Opinion
    o Richard Austin's review of Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control System by Eric D. Knapp
    o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
 * News Items
    o H. O. Lubbes
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Conference and Workshop Announcements
    o Calendar of events
    o Upcoming calls-for-papers and events
 * Staying in Touch
    o Information for subscribers and contributors
    o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
    o Becoming a member of the TC
    o TC Officers
    o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

The deadline for submitting papers to the 2012 Security and Privacy Symposium has passed, and the program committee are beginning to consider the 300+ entries. The Symposium will be held in San Francisco next year, at the Westin at Union Square.
This is an exciting change for the conference, and the organizers are in the midst of planning the conference amenities for a record setting crowd.

The Computer Security Foundations Symposium will be held in Cambridge, Massachusetts in June of 2012, and it will be an outstanding event. This event moves between the USA and Europe, and this year it is returning to the USA from a sojourn in France.

This newsletter is an activity of the IEEE Computer Society's Technical Committee on Security and Privacy (TCSP). The technical committees are represented within the Computer Society through membership in the Technical Activities Committee (TAC). During the last few years, there have been many complaints about the inability of the TAC to set its own agendas or to get its concerns heard by the Computer Society. As a result, the TAC recently voted to adopt a resolution seeking changes to allow the TAC members to elect their own chair to represent them to the higher level entity, the Technical and Conference Activities Board (T & C Board). If it receives approval from the board, the changes should allow the TAC to choose its own chair next May, and then to embark on a pathway to improve the way conferences are approved and to open up more interaction between TCs and the Computer Society's publishing activities.

At the same time, the IEEE has clamped down even further on conference planning, and as a result, conference organizers will have to do additional work in order to get hotel contracts approved. IEEE giveth and taketh away.

Wash away this bureaucratic angst by reading Richard Austin's review of a new book about security for SCADA and more.

     The Internet is wild with might,
     It has devoured the little website.
     The little website is not aware,
     It has been orphaned by a DNS error.
     Hilarie Orman
     cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Richard Austin
November 18, 2011
____________________________________________________________________

Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control System
by Eric D. Knapp

Syngress 2011.
ISBN 978-1-59749-645-2
Amazon.com, USD: 32.90
Table of Contents: http://www.elsevierdirect.com/toc.jsp?isbn=9781597496452

Whether based on the success of STUXNET, Richard Clarke's "Cyber War" or Joel Brenner's "America the Vulnerable", a convincing case has been made that we, as security professionals, should be concerned about the security measures (or lack thereof) being applied to the industrial control systems that manage power generation and distribution as well as many other critical infrastructure components. At the same time, many of us, like your humble correspondent, would be forced to admit that our knowledge in this area doesn't go much further than being able to spell out the acronym "SCADA". Knapp recognizes this lack and provides a quite readable introduction to industrial networks and how familiar security principles can be translated to apply in this complex area.

The first third of the book provides an introduction to industrial networks, their protocols and how they operate. Peppered throughout the introduction are sidelights on security incidents and previews of how security measures may be applied.
Acronyms multiply quickly and readers will likely want to maintain a cheat sheet to avoid having to flip back and forth to find their meanings (many, but not all, are in the glossary).

The majority of the book is devoted to parsing out what "information security" really means in the context of industrial networks. Familiar topics such as "vulnerability and risk management" and "situational awareness" are placed in context and the unique considerations imposed by an industrial control network are identified. For example, many of us will have had the experience of crashing a piece of network equipment when scanning its management interface to assess its attack surface. What is an inconvenience in that context may have a much wider impact when the device is controlling a real-world process.

As you might expect, compliance is a major concern and a very useful chapter reviews the relevant standards/regulations and provides recommendations for demonstrating compliance. Knapp also provides a "reverse mapping" that even identifies the relevant chapter of the book.

The closing chapter's review of why-things-often-go-wrong includes many of the usual suspects ("Compliance vs. Security", "Misconfigurations", etc) and serves as a final reminder that though industrial networks present many unique features, they also have much in common with the more familiar areas of information security.

Whether you are charged with defending an industrial network or curious about all the "buzz" over SCADA security, Knapp's book will provide a solid introduction to this fascinating area. Definitely a recommended read.

-------------------------------------------------------
Before beginning life as a university instructor and independent cybersecurity consultant, Richard Austin (http://cse.spsu.edu/raustin2) spent 30+ years in the IT industry in positions ranging from software developer to security architect.
He welcomes your thoughts and comments at raustin2 at spsu dot edu

====================================================================
News Items
====================================================================

We have heard of the death of H.O. Lubbes, a pioneer of computer security and assurance.
Washington Post notice: http://www.legacy.com/obituaries/washingtonpost/obituary.aspx?n=herman-o-lubbes&pid=151429357

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html
--------------
This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
====================================================================

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events maintained by Hilarie Orman

Cipher calendar announcements are on Twitter; follow "ciphernews"

Date (Month/Day/Year), Event, Locations, web page for more
info.

11/22/11: WiSec, ACM Conference on Wireless Network Security, Tucson, Arizona, USA; http://www.sigsac.org/wisec/WiSec2012/ Submissions are due
11/27/11-11/29/11: INTRUST, International Conference on Trusted Systems, Beijing, China; http://www.onets.com.cn/intrust11
11/29/11-12/ 2/11: WIFS, IEEE Workshop on Information Forensics and Security, Foz do Iguacu, Brazil; http://www.wifs11.org
11/30/11: SFCS, 1st IEEE International Workshop on Security and Forensics in Communication Systems, Held in conjunction with IEEE ICC 2012, Ottawa, Canada; http://sites.google.com/site/sfcs2012/ Submissions are due
12/ 1/11: Elsevier Computer Networks, Special Issue on Botnet Activity: Analysis, Detection and Shutdown; http://www.elsevierscitech.com/dronsite/CFP_SIonBotnetActivity.pdf; Submissions are due
12/ 1/11: IFIP-CIP, 6th Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, National Defense University, Fort McNair, Washington, DC, USA; http://www.ifip1110.org; Submissions are due
12/ 5/11-12/ 9/11: ACSAC, 27th Annual Computer Security Applications Conference, Orlando, Florida, USA; http://www.acsac.org/
12/ 8/11: ASIACCS, 7th ACM Symposium on Information, Computer and Communications Security, Seoul, Republic of Korea; http://elec.sch.ac.kr/asiaccs/ Submissions are due
12/ 9/11: WPLS, Workshop on Physical Layer Security, Held in conjunction with the IEEE Globecom Conference 2011, Houston, Texas, USA; http://www.comm.utoronto.ca/~akhisti/GlobecomWorkshop/
12/11/11-12/14/11: WICT-NDF, World Congress on Information and Communication Technologies, Intrusion Detection and Forensics, Mumbai, India; http://www.mirlabs.org/wict11/index.php-c=main&a=show&id=34.htm
12/12/11: CoSec, 3rd IEEE Workshop on Collaborative Security Technologies, Bangalore, India; http://www.imsaa.org/
12/12/11: COSADE, 3rd International Workshop on Constructive Side-Channel Analysis and Secure Design, Darmstadt, Germany; http://cosade2011.cased.de; Submissions are due
1/ 3/12- 1/ 5/12: IFIP-DF, 8th Annual IFIP WG 11.9 International Conference on Digital Forensics, University of Pretoria, Pretoria, South Africa; http://www.ifip119.org
1/ 4/12- 1/ 7/12: HICSS-ST, 45th Annual HAWAI'I International Conference on System Sciences, Software Technology Track, Grand Wailea Maui, Hawaii, USA; http://www.hicss.hawaii.edu/hicss_45/apahome45.htm
1/ 8/12: ICDCS-NFSP, 1st International Workshop on Network Forensics, Security and Privacy, Held in conjunction with ICDCS 2012, Macau, China; http://www.deakin.edu.au/~syu/nfsp/ Submissions are due
1/ 8/12: ICDCS-SPCC, 3rd International Workshop on Security and Privacy in Cloud Computing, Held in conjunction with ICDCS 2012, Macau, China; http://www.ece.iit.edu/~ubisec/workshop.htm; Submissions are due
1/10/12: SEC, 27th IFIP International Information Security and Privacy Conference, Creta Maris Hotel, Heraklion, Crete, Greece; http://www.sec2012.org; Submissions are due
1/13/12: SACMAT, 17th ACM Symposium on Access Control Models and Technologies, Newark, NJ, USA; http://www.sacmat.org; Submissions are due
2/ 5/12: ACNS, 10th International Conference on Applied Cryptography and Network Security, Singapore; http://icsd.i2r.a-star.edu.sg/acns2012; Submissions are due
2/ 5/12- 2/ 8/12: NDSS, Network & Distributed System Security Symposium, San Diego, California, USA; http://www.isoc.org/isoc/conferences/ndss/12/cfp.shtml
2/16/12- 2/17/12: ESSoS, 4th International Symposium on Engineering Secure Software and Systems, Eindhoven, The Netherlands; http://distrinet.cs.kuleuven.be/events/essos2012/
2/20/12: PETS 2012 12th Privacy Enhancing Technologies Symposium, Vigo, Spain; http://petsymposium.org/2012/ Submissions are due
2/27/12- 3/ 2/12: CT-RSA, RSA Conference, Cryptographers' Track, San Francisco, California, USA; http://ctrsa2012.cs.haifa.ac.il/
2/27/12- 3/ 2/12: FC, 16th Financial Cryptography and Data Security, Divi Flamingo Beach Resort, Bonaire; http://fc12.ifca.ai/
3/ 2/12: WECSR, 3rd Workshop on Ethics in Computer Security Research, Divi Flamingo Resort, Bonaire; http://www.cs.stevens.edu/~spock/wecsr2012/cfp.html
3/ 2/12: USEC, Workshop on Usable Security, Held in conjunction with the Financial Cryptography and Data Security (FC 2012), Divi Flamingo Beach Resort, Bonaire; http://infosecon.net/usec12/index.php
3/ 5/12: CHES, IACR Workshop on Cryptographic Hardware and Embedded Systems, Leuven, Belgium; http://www.iacr.org/workshops/ches/ches2012/start.php; Submissions are due
3/19/12- 3/21/12: IFIP-CIP, 6th Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, National Defense University, Fort McNair, Washington, DC, USA; http://www.ifip1110.org
3/24/12- 4/ 1/12: POST, 1st Conference on Principles of Security and Trust, Tallinn, Estonia; http://web.cs.wpi.edu/~guttman/post12/
4/16/12- 4/18/12: WiSec, ACM Conference on Wireless Network Security, Tucson, Arizona, USA; http://www.sigsac.org/wisec/WiSec2012/
5/ 1/12- 5/ 3/12: ASIACCS, 7th ACM Symposium on Information, Computer and Communications Security, Seoul, Republic of Korea; http://elec.sch.ac.kr/asiaccs/
5/ 3/12- 5/ 4/12: COSADE, 3rd International Workshop on Constructive Side-Channel Analysis and Secure Design, Darmstadt, Germany; http://cosade2011.cased.de
5/20/12- 5/23/12: SP, 33rd IEEE Symposium on Security and Privacy, San Francisco Bay Area, California, USA; http://www.ieee-security.org/TC/SP2012/cfp.html
6/ 4/12- 6/ 6/12: SEC, 27th IFIP International Information Security and Privacy Conference, Creta Maris Hotel, Heraklion, Crete, Greece; http://www.sec2012.org
6/10/12- 6/15/12: SFCS, 1st IEEE International Workshop on Security and Forensics in Communication Systems, Held in conjunction with IEEE ICC 2012, Ottawa, Canada; http://sites.google.com/site/sfcs2012/
6/18/12- 6/21/12: ICDCS-NFSP, 1st International Workshop on Network Forensics, Security and Privacy, Held in conjunction with ICDCS 2012, Macau, China; http://www.deakin.edu.au/~syu/nfsp/
6/18/12- 6/21/12: ICDCS-SPCC, 3rd International Workshop on Security and Privacy in Cloud Computing, Held in conjunction with ICDCS 2012, Macau, China; http://www.ece.iit.edu/~ubisec/workshop.htm
6/20/12- 6/22/12: SACMAT, 17th ACM Symposium on Access Control Models and Technologies, Newark, NJ, USA; http://www.sacmat.org
6/26/12- 6/29/12: ACNS, 10th International Conference on Applied Cryptography and Network Security, Singapore; http://icsd.i2r.a-star.edu.sg/acns2012
7/11/12- 7/13/12: PETS 2012 12th Privacy Enhancing Technologies Symposium, Vigo, Spain; http://petsymposium.org/2012/
9/ 9/12- 9/12/12: CHES, IACR Workshop on Cryptographic Hardware and Embedded Systems, Leuven, Belgium; http://www.iacr.org/workshops/ches/ches2012/start.php
7/15/11- 7/15/12: IEEE Internet Computing, Track Articles on Computer Crime; http://www.computer.org/portal/web/computingnow/cfptrack; Submissions are due

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers (new since Cipher E104)
____________________________________________________________________

WiSec 2012 ACM Conference on Wireless Network Security, Tucson, Arizona, USA, April 16-18, 2012. (Submissions due 22 November 2011)
http://www.sigsac.org/wisec/WiSec2012/

As wireless and mobile networking becomes ubiquitous, security and privacy become increasingly critical. The focus of the ACM Conference on Wireless Network Security (ACM WiSec) is on exploring vulnerabilities, threats, and attacks in wireless communications and the techniques needed to address them. Settings of interest include cellular, metropolitan, mesh, local-area, personal-area, home, vehicular, sensor, ad hoc, satellite, cognitive radio, RFID, and underwater networks as well as systems using non-RF wireless communication. The conference is soliciting contributions to topics including but not limited to:
 - Key management in wireless/mobile environments
 - Secure services (neighbor discovery, localization, etc.)
 - Secure PHY and MAC protocols
 - Trust establishment
 - Intrusion, attack, and malicious behavior detection
 - Denial of service
 - User and location privacy
 - Anonymity, unobservability, prevention of traffic analysis
 - Identity theft and phishing in mobile networks
 - Charging & secure payment
 - Cooperation and mitigating non-cooperative behavior
 - Economics of wireless security
 - Vulnerability and attack modeling
 - Incentive-aware secure protocol design
 - Jamming/Anti-jamming communication
 - Cross-layer design for security
 - Monitoring and surveillance
 - Cryptographic primitives for wireless communication
 - Theoretical foundations and formal methods for wireless security and privacy
 - Security and privacy of mobile OS and mobile applications
 - Secure delay- and disruption-tolerant networking
 - Secure non-RF wireless communication (e.g., ultrasound, vision, laser)
 - Security/privacy in wireless smart grid and smart metering applications
 - Security/privacy in wireless network coding
 - Security/privacy in wireless/ephemeral social networking
 - Security/privacy in mobile/wireless cloud services

-------------------------------------------------------------------------
SFCS 2012 1st IEEE International Workshop on Security and Forensics in Communication Systems, Held in conjunction with IEEE ICC 2012, Ottawa, Canada, June 10-15, 2012. (Submissions due 30 November 2011)
http://sites.google.com/site/sfcs2012/

Digital attacks are continuing to increase at an alarming rate. They target a wide variety of protocols and communication systems ranging from servers and end-user machines to wireless and mobile networks and devices. The absence of supporting evidence and technically sound methods may prevent administrators from: proving the identity of the guilty party, identifying the root vulnerability to prevent a future occurrence of a similar incident, and understanding the attacker's motivation for an efficient design of security solutions.
In this context, digital forensic engineering is emerging as a disciplined science in charge of developing novel scientific and theoretical methods, techniques, and approaches to collect, process, and analyze information retrieved from systems affected by security incidents and generate conclusive descriptions. The SFCS 2012 Workshop will bring together researchers, scientists, engineers and practitioners involved in research in the fields of communication systems security and forensics, to present their latest research findings, ideas, and developments. Topics of interest include, but are not limited to:
 - Formal aspects of network security
 - Theoretical techniques of digital forensics
 - Embedded and handled devices forensic
 - Evidence preservation, management, storage, reassembly, and analysis
 - Anti-forensics prevention detection and analysis
 - Development of Investigation processes and procedures
 - Automated analysis of evidence
 - Forensics in multimedia and communication protocols
 - Security and Investigation techniques in wireless and mobile communication systems
 - Risk analysis and management in communication systems
 - Social networks security and forensics
 - Collaborative and distributed digital investigation
 - Hypothetical reasoning in forensics and incident response
 - Legal and policy issues in digital forensics
 - Intrusion Detection, incident response, and evidence handling
 - Vulnerability analysis and assessment, and analysis of malware
 - Cryptography and forensics techniques in multimedia communication
 - Data hiding, extraction, and recovery techniques
 - Techniques for Tracking and traceback of attacks in systems and networks
 - Availability, privacy, authentication, and anonymity
 - Secure e-services, e-government, e-learning, e-voting, and m-commerce applications
 - File systems memory analysis
 - Infrastructure protection, and Virtual Private Networks security
 - Storage system protection and forensics
 - Physical and Biometric security
-------------------------------------------------------------------------
Elsevier Computer Networks, Special Issue on Botnet Activity: Analysis, Detection and Shutdown, 2012, (Submission Due 1 December 2011)
http://www.elsevierscitech.com/dronsite/CFP_SIonBotnetActivity.pdf

Editors: Ronaldo Salles (Military Institute of Engineering, Brazil), Guofei Gu (Texas A&M University, USA), Thorsten Holz (Ruhr-University Bochum, Germany), and Morton Swimmer (Trend Micro Deutschland, Germany)

Large scale attacks and criminal activities experienced in recent years have exposed the Internet to serious security breaches, and alarmed the world regarding cyber crime. In the center of this problem are the so-called botnets -- collections of infected zombie machines (bots) controlled by the botmaster to perpetrate malicious activities and massive attacks. Some recent botnets are composed of millions of infected machines, making use of this attack vector inevitably harmful. Hence, it is paramount to detect, analyze and shut down such overlay networks before they become active. This special issue of Computer Networks is intended to foster the dissemination of high quality research in all aspects regarding botnet activity, detection and countermeasures. The objective of this special issue is to publish papers presenting detection algorithms, traffic monitoring and identification, protocols and architectures, as well as botnet modeling, behavior, simulation, statistics, dissemination, analysis, preventive procedures and possible countermeasures. Only technical papers describing previously unpublished, original, state-of-the-art research, and not currently under review by a conference or journal will be considered.
We solicit papers in a variety of topics related to botnet research including, but not limited to:
 - Traffic Monitoring and Detection Algorithms
 - Data Collection, Statistics and Analysis
 - Modeling Behavior and Simulation
 - Protocols and Architectures (IRC, HTTP, P2P, etc)
 - Firewalls and IDS
 - Cyber Crime Case Studies
 - Reverse Engineering and Automated Analysis of Bots
 - Honeypots and Honeynets
 - New Platforms: Cellular and Wireless networks, Mobile devices, TV, etc.
 - Legal Issues and Countermeasures
 - Underground Markets, Vulnerability Markets and Zero-day Economics
 - Mini-Botnets

-------------------------------------------------------------------------
IFIP-CIP 2012 6th Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, National Defense University, Fort McNair, Washington, DC, USA, March 19-21, 2012. (Submissions due 1 December 2011)
http://www.ifip1110.org

The IFIP Working Group 11.10 on Critical Infrastructure Protection is an active international community of researchers, infrastructure operators and policy-makers dedicated to applying scientific principles, engineering techniques and public policy to address current and future problems in information infrastructure protection. Following the success of the first five conferences, the Sixth Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection will again provide a forum for presenting original, unpublished research results and innovative ideas related to all aspects of critical infrastructure protection. Papers and panel proposals are solicited. Submissions will be refereed by members of Working Group 11.10 and other internationally-recognized experts in critical infrastructure protection. Papers and panel submissions will be selected based on their technical merit and relevance to IFIP WG 11.10.
The conference will be limited to seventy participants to facilitate interactions among researchers and intense discussions of research and implementation issues. Papers are solicited in all areas of critical infrastructure protection. Areas of interest include, but are not limited to:
 - Infrastructure vulnerabilities, threats and risks
 - Security challenges, solutions and implementation issues
 - Infrastructure sector interdependencies and security implications
 - Risk analysis and risk assessment methodologies
 - Modeling and simulation of critical infrastructures
 - Legal, economic and policy issues related to critical infrastructure protection
 - Secure information sharing
 - Infrastructure protection case studies
 - Distributed control systems/SCADA security
 - Telecommunications network security

-------------------------------------------------------------------------
ASIACCS 2012 7th ACM Symposium on Information, Computer and Communications Security, Seoul, Republic of Korea, May 1-3, 2012. (Submissions due 8 December 2011)
http://elec.sch.ac.kr/asiaccs/

ASIACCS is a major international forum for information security researchers, practitioners, developers, and users to explore and exchange the newest cyber security ideas, breakthroughs, findings, techniques, tools, and experiences. We invite submissions from academia, government, and industry presenting novel research on all theoretical and practical aspects of computer and network security.
Areas of interest for ASIACCS 2012 include, but are not limited to:
 - anonymity
 - inference/controlled disclosure
 - cryptographic protocols
 - access control
 - intellectual-property protection
 - data/system integrity
 - secure networking
 - operating system security
 - hardware-based security
 - cloud security
 - digital-rights management
 - information warfare
 - accounting and audit
 - trusted computing
 - formal methods for security
 - key management
 - phishing and countermeasures
 - identity management
 - intrusion detection
 - commercial and industry security
 - security in ubiquitous computing, e.g., RFIDs
 - authentication
 - security management
 - smartcards
 - web security
 - security and privacy for emerging technologies, e.g., VoIP, peer-to-peer and overlay network systems, Web 2.0
 - data and application security
 - applied cryptography
 - malware and botnets
 - mobile-computing security
 - privacy-enhancing technology
 - software security
 - wireless security

-------------------------------------------------------------------------
COSADE 2012 3rd International Workshop on Constructive Side-Channel Analysis and Secure Design, Darmstadt, Germany, May 3-4, 2012. (Submissions due 12 December 2011)
http://cosade2011.cased.de

Side-channel analysis (SCA) and implementation attacks have become an important field of research at universities and in the industry. In order to enhance the resistance of cryptographic and security critical implementations within the design phase, constructive attacks and analyzing techniques may serve as a quality metric to optimize the design- and development process. This workshop provides an international platform for researchers, academics, and industry participants to present their work and their current research topics. It is an excellent opportunity to meet experts and to initiate new collaborations and information exchange at a professional level. The workshop will feature both invited presentations and contributed talks.
-------------------------------------------------------------------------
ICDCS-NFSP 2012 1st International Workshop on Network Forensics, Security and Privacy, Held in conjunction with ICDCS 2012, Macau, China, June 18-21, 2012. (Submissions due 8 January 2012)
http://www.deakin.edu.au/~syu/nfsp/

Cyber space has become an integrated part of human society. At the same time, it has also been providing convenient platforms for crimes, such as financial fraud, information phishing, distributed denial of service attacks, and fake message propagation. Especially, the emergence of social networks has introduced significant security and privacy issues to the public. It is a great and new challenge of fighting against criminals in the cyber space. This field involves various disciplines, such as networking, information theory, mathematical modelling, data mining, machine learning, image and voice processing, neural network, pattern recognition, cryptography and forensic criminology. Topics of interest include, but are not limited to:
 - Anonymous system and forensics
 - IP traceback
 - Malware detection
 - Botnet identification
 - Networked video system
 - Biometric security and forensics
 - Emotion identification via video
 - Wireless forensics, security and privacy
 - Game theory in forensics, security and privacy
 - Data Mining in forensics, security and privacy
 - DDoS attacks
 - Virus source traceback
 - Malware source traceback
 - Botmaster traceback
 - Distributed systems and forensics
 - System security and forensics
 - Intrusion detection
 - Social networks forensics, security and privacy
 - Information theory in network security
 - Multimedia in network security

-------------------------------------------------------------------------
ICDCS-SPCC 2012 3rd International Workshop on Security and Privacy in Cloud Computing, Held in conjunction with ICDCS 2012, Macau, China, June 18-21, 2012.
(Submissions due 8 January 2012)
http://www.ece.iit.edu/~ubisec/workshop.htm

Cloud computing has recently emerged as a new information technology infrastructure. Cloud computing has unique attributes that raise many security and privacy challenges in areas such as data security, recovery, and privacy, as well as legal issues in areas such as regulatory compliance and auditing. In contrast to traditional enterprise IT solutions, where the IT services are under proper physical, logical and personnel controls, cloud computing moves the application software and databases to the servers in large data centers on the Internet, where the management of the data and services is not fully trustworthy. When clients store their data on the server without themselves possessing a copy of it, how can the integrity of the data be ensured if the server is not fully trustworthy? Will encryption solve the data confidentiality problem of sensitive data? How will encryption affect dynamic data operations such as query, insertion, modification, and deletion? Data in the cloud is typically in a shared environment alongside data from other clients. How should the data segregation be done while data are stored, transmitted, and processed? Due to the fundamental paradigm shift in cloud computing, many security concerns have to be better understood, unanticipated vulnerabilities identified, and viable solutions to critical threats devised, before the wide deployment of cloud computing techniques can take place. We are soliciting both full papers that present relatively complete and mature research results and short position papers that report work-in-progress but inspiring and intriguing new ideas.

Topics of interest include (but are not limited to) the following subject categories:
- Secure cloud architecture
- Cloud access control and key management
- Identification and privacy in cloud
- Remote data integrity protection
- Dynamic data operation security
- Software and data segregation security
- Secure management of virtualized resources
- Joint security and privacy aware protocol design
- Failure detection and prediction
- Secure data management in/across data centers
- Availability, recovery and auditing
- Secure wireless cloud

-------------------------------------------------------------------------
SEC 2012 27th IFIP International Information Security and Privacy Conference, Creta Maris Hotel, Heraklion, Crete, Greece, June 4-6, 2012. (Submissions due 10 January 2012)
please see http://www.sec2012.org

Papers offering novel research contributions in any aspect of computer security are solicited for submission to the 27th IFIP International Information Security and Privacy Conference. The focus is on original, high quality, unpublished research and implementation experiences. Submitted papers must not substantially overlap with papers that have been published or that are simultaneously submitted to a journal or a conference with proceedings. We encourage submissions of papers discussing industrial research and development.

Papers should focus on topics which include, but are not limited to, the following:
- Access control
- Accountability
- Anonymity
- Applied Cryptography
- Attacks & Malicious Code
- Authentication & Delegation
- Awareness & Education
- Data Integrity
- Database Security
- Identity Management
- Information Security Culture
- Formal Security Verification
- Mobile Code Security
- Policies & Standards
- Privacy Attitudes & Practices
- Risk Analysis & Management
- Security Architectures
- Security Economics
- Security in Location Services
- Security in Social Networks
- Security Models
- Social Engineering & other Human-related Risks
- System Security
- Usable Security
- Trust Models & Management
- Trust Theories
- Trustworthy User Devices

-------------------------------------------------------------------------
SACMAT 2012 17th ACM Symposium on Access Control Models and Technologies, Newark, NJ, USA, June 20-22, 2012. (Submissions due 13 January 2012)
http://www.sacmat.org

Papers offering novel research contributions in all aspects of access control are solicited for submission to SACMAT 2012. It is the premier forum for presentation of research results and experience reports on leading edge issues of access control, including models, systems, applications, and theory. The missions of the symposium are to share novel access control solutions that fulfill the needs of heterogeneous applications and environments and to identify new directions for future research and development. SACMAT gives researchers and practitioners a unique opportunity to share their perspectives with others interested in the various aspects of access control. Accepted papers will be presented at the symposium and published by the ACM in the symposium proceedings. A Best Paper Award will be presented to the authors of the most outstanding paper at the conference.

Topics of interest include but are not limited to:
- Access control models and extensions
- Access control requirements
- Access control design methodology
- Access control mechanisms, systems, and tools
- Access control in distributed and mobile systems
- Access control for innovative applications
- Administration of access control policies
- Delegation
- Identity management
- Policy/Role Engineering
- Safety analysis and enforcement
- Standards for access control
- Trust management
- Trust and risk models in access control
- Theoretical foundations for access control models
- Usability in access control systems
- Usage control

-------------------------------------------------------------------------
ACNS 2012 10th International Conference on Applied Cryptography and Network Security, Singapore, June 26-29, 2012. (Submissions due 5 February 2012)
http://icsd.i2r.a-star.edu.sg/acns2012

The conference seeks submissions from academia, industry, and government presenting novel research on all aspects of applied cryptography as well as network security and privacy. Papers describing novel paradigms, original directions, or non-traditional perspectives are also encouraged. The conference has two tracks: a research track and an industry track.

Topics of interest include, but are not limited to:
- Access control
- Applied cryptography
- Automated protocols analysis
- Biometric security and privacy
- Complex systems security
- Critical infrastructure protection
- Cryptographic primitives and protocols
- Database and system security
- Data protection
- Digital rights management
- Email and web security
- Identity management
- Intellectual property protection
- Internet fraud
- Intrusion detection and prevention
- Key management
- Malware
- Network security protocols
- Privacy, anonymity, and untraceability
- Privacy-enhancing technology
- Policies
- Protection for the future Internet
- Security in P2P systems
- Security and privacy in cloud and grid systems
- Security in e-commerce
- Security in pervasive/ubiquitous computing
- Security and privacy in distributed systems
- Security and privacy in smart grids
- Security and privacy in wireless networks
- Security and privacy metrics
- Secure mobile agents and mobile code
- Trust management
- Usability and security

-------------------------------------------------------------------------
PETS 2012 12th Privacy Enhancing Technologies Symposium, Vigo, Spain, July 11-13, 2012. (Submissions due 20 February 2012)
http://petsymposium.org/2012/

Privacy and anonymity are increasingly important in the online world. Corporations, governments, and other organizations are realizing and exploiting their power to track users and their behavior. Approaches to protecting individuals, groups, but also companies and governments, from profiling and censorship include decentralization, encryption, distributed trust, and automated policy disclosure. The 12th Privacy Enhancing Technologies Symposium addresses the design and realization of such privacy services for the Internet and other data systems and communication networks by bringing together anonymity and privacy experts from around the world to discuss recent advances and new perspectives.
The symposium seeks submissions from academia and industry presenting novel research on all theoretical and practical aspects of privacy technologies, as well as experimental studies of fielded systems. We encourage submissions with novel technical contributions from other communities such as law, business, and data protection authorities, that present their perspectives on technological issues. As in the past, the proceedings will be published in the Springer Lecture Notes in Computer Science series, and will be available at the event.

Suggested topics include but are not restricted to:
- Anonymous communications and publishing systems
- Attacks on privacy and privacy technologies
- Censorship resistance
- Data protection technologies
- Economics of privacy and PETs
- Fielded systems and techniques for enhancing privacy in existing systems
- Location privacy
- Privacy and anonymity in Peer-to-Peer, Cloud, and Ubiquitous Computing Environments
- Privacy and inference control in databases
- Privacy-enhanced access control or authentication/certification
- Privacy-friendly payment mechanisms for PETs and other services
- Privacy in Online Social Networks
- Privacy policy languages and tools
- Privacy threat models
- Profiling and data mining
- Pseudonyms, identity management, linkability, and reputation
- Reliability, robustness and abuse prevention in privacy systems
- Traffic analysis
- Transparency enhancing tools
- Usability issues and user interfaces for PETs

-------------------------------------------------------------------------
CHES 2012 IACR Workshop on Cryptographic Hardware and Embedded Systems, Leuven, Belgium, September 9-12, 2012. (Submissions due 5 March 2012)
http://www.iacr.org/workshops/ches/ches2012/start.php

CHES covers new results on all aspects of the design and analysis of cryptographic hardware and software implementations. The workshop builds a bridge between the cryptographic research community and the cryptographic engineering community.
With participants from industry, academia, and government organizations, the number of participants has grown to over 300 in recent years. In addition to a track of high-quality presentations, CHES 2012 will offer invited talks, tutorials, a poster session, and a rump session. CHES 2012 especially encourages submissions on the following two subjects: Design Methods to Build Secure and Efficient Hardware or Software, and Leakage Resilient Cryptography Including New Model Definitions and Analysis and the Design of New Cryptosystems. All submitted papers will be reviewed by at least four Program Committee members.

The topics of CHES 2012 include but are not limited to:

Cryptographic implementations, including
- Hardware architectures for public-key, secret-key and hash algorithms
- Cryptographic processors and co-processors
- Hardware accelerators for security protocols
- True and pseudorandom number generators
- Physical unclonable functions
- Efficient software implementations of cryptography

Attacks against implementations and countermeasures against these attacks, including
- Side channel attacks and countermeasures
- Fault attacks and countermeasures
- Hardware tampering and tamper-resistance

Tools and methodologies, including
- Computer aided cryptographic engineering
- Verification methods and tools for secure design
- Metrics for the security of embedded systems
- Secure programming techniques
- FPGA design security
- Formal methods for secure hardware

Interactions between cryptographic theory and implementation issues, including
- New and emerging cryptographic algorithms and protocols targeting embedded devices
- Special-purpose hardware for cryptanalysis
- Leakage resilient cryptography

Applications, including
- Cryptography in wireless applications
- Cryptography for pervasive computing
- Hardware IP protection and anti-counterfeiting
- Reconfigurable hardware for cryptography
- Smart card processors, systems and applications
- Security in consumer applications
- Secure storage devices
- Technologies and hardware for content protection
- Trusted computing platforms

-------------------------------------------------------------------------
IEEE Internet Computing, Track Articles on Computer Crime, 2012, (Submissions will be accepted for this track from 15 July 2011 to 15 July 2012)
http://www.computer.org/portal/web/computingnow/cfptrack

Editors: Nasir Memon (New York University, USA) and Oliver Spatscheck (AT&T, USA)

As the Internet has grown and extended its reach into every part of people's lives, it shouldn't be surprising that criminals have seized the opportunity to expand their activities into this new realm. This has been fostered in particular by the fact that the Internet was designed as an open and trusting environment. Unfortunately many of these architectural choices are fundamental to the Internet's success and current architecture and are therefore hard to overcome. Computer crime ranges from rather simple crimes such as theft of intellectual property or computer and network resources to complex corporate espionage or even cyber terrorism. This special track for Internet Computing seeks original articles that cover computer crime as it relates to the Internet.

Appropriate topics include:
- trends and classification of criminal activities on the Internet;
- computer crime prevention, including approaches implemented in user interfaces, end user systems, networks, or server infrastructure;
- case studies of criminal activities;
- computer forensics;
- impact assessments of criminal activities on the Internet; and
- new architectures to prevent Internet crime

Track articles run one per issue for a single calendar year. Articles will be run in the order in which they are accepted for publication.
-------------------------------------------------------------------------

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________
Information for Cipher Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".
OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Ted Lee announced his retirement; his email address remains unchanged, the same one he has had for 25 years.

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at
http://www.computer.org/TCsignup/index.htm

______________________________________________________________________
TC Publications for Sale
______________________________________________________________________

IEEE Security and Privacy Symposium

The 2010 hardcopy proceedings are available at $25 each. The DVD with all technical papers from all years of the SP Symposium and the CSF Symposium (through 2009) is $10, plus shipping and handling.

The 2009 hardcopy proceedings are not available. The DVD with all technical papers from all years of the SP Symposium and the CSF Symposium is $5, plus shipping and handling.

The 2008 hardcopy proceedings are $10 plus shipping and handling; the 29 year CD is $5.00, plus shipping and handling.

The 2007 proceedings are available in hardcopy for $10.00, the 28 year CD is $5.00, plus shipping and handling.

The 2006 Symposium proceedings and 11-year CD are sold out.

The 2005, 2004, and 2003 Symposium proceedings are available for $10 plus shipping and handling.

Shipping is $5.00/volume within the US, overseas surface mail is $8/volume, and overseas airmail is $14/volume, based on an order of 3 volumes or less. The shipping charge for a CD is $3 per CD (no charge if included with a hard copy order).
Send a check made out to the IEEE Symposium on Security and Privacy to the 2011 treasurer (below) with the order description, including shipping method and shipping address.

Robin Sommer
Treasurer, IEEE Symposium Security and Privacy 2011
International Computer Science Institute
Center for Internet Research
1947 Center St., Suite 600
Berkeley, CA 94704 USA
oakland11-treasurer@ieee-security.org

IEEE CS Press

You may order some back issues from IEEE CS Press at
http://www.computer.org/cspress/catalog/proc9.htm

Computer Security Foundations Symposium

Copies of the proceedings of the Computer Security Foundations Workshop (now Symposium) are available for $10 each. Copies of proceedings are available starting with year 10 (1997). Photocopy versions of year 1 are also $10. Contact Jonathan Herzog if interested in purchase.

Jonathan Herzog
jherzog@alum.mit.edu

____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________

Chair:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
ieee-chair@purplestreak.com

Security and Privacy Symposium Chair Emeritus:
Deborah Frincke
debfrincke@gmail.com

Vice Chair:
Sven Dietrich
Department of Computer Science
Stevens Institute of Technology
+1 201 216 8078
spock AT cs.stevens.edu

Security and Privacy Symposium, 2012 Chair:
Robert Cunningham
MIT Lincoln Laboratories
http://www.ll.mit.edu/mission/communications/ist/biographies/cunningham-bio.html

Treasurer:
Terry Benzel
USC Information Sciences Intnl
4676 Admiralty Way, Suite 1001
Los Angeles, CA 90292
(310) 822-1511 (voice)
tbenzel @isi.edu

Newsletter Editor:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

________________________________________________________________________
BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year