============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 106                                      January 25, 2012

Hilarie Orman, Editor                        Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org     cipher-assoc-editor @ ieee-security.org

Richard Austin                               Yong Guan
Book Review Editor                           Calendar Editor
cipher-bookrev @ ieee-security.org           cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:

* Letter from the Editor
* Commentary and Opinion
  o Richard Austin's review of "Liars & Outliers: Enabling The Trust That
    Society Needs To Thrive" by Bruce Schneier
  o Richard Austin's review of "Tangled Web: A Guide to Securing Modern
    Web Applications" by Michal Zalewski
  o Book reviews, Conference Reports and Commentary and News items from
    past Cipher issues are available at the Cipher website
* News
  o DNS Security Error Causes Consternation
* Conference and Workshop Announcements
  o Upcoming calls-for-papers and events
* List of Computer Security Academic Positions, by Cynthia Irvine
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

This month marks the start of the terms of office for the new chairs of
the Technical Committee on Security and Privacy.
Sven Dietrich moves from Vice Chair to Chair, and Patrick McDaniel is the
new Vice Chair. They will guide the sponsored conferences through the
transitional period of rapid growth that seems to be sweeping the
security research community.

Richard Austin contributed two reviews of interesting books this month.
One is a timely look at Web security (one suspects that the topic will
remain timely for all foreseeable time!), and the other is a sociological
look at trust by the wide-thinking Bruce Schneier.

We note an item about an untimely security error that mimicked a security
breach. Since the early 1990s, Internet security gurus have been working
on strengthening the Domain Name System. In an amazing feat of
persistence, they have begun to achieve results. However, when a
government agency failed to update their security information properly,
many security-aware users drew wrong conclusions about the source of the
problem. It's an interesting lesson about "secure/not secure" judgments.

I have begun to notice a digital divide that separates the generations in
a way that is related to security. Many baby boomers are more
conservative about Internet use than their children or their elderly
parents. Those who used the Internet gingerly or not at all when it was a
novelty have retained a deep distrust of online transactions and fears of
identity theft, whereas those who have been introduced to it recently
believe that with a reasonable degree of caution they can enjoy the
benefits of Facebook, Skype, and streaming entertainment.

I commend to you the satirical and provocative video by The Onion about
Facebook and the CIA (http://www.youtube.com/watch?v=cqggW08BWO0).

    Two trust policies diverged in the Web, and I -
    I took the one less verified,
    And that has made all the difference.
        (apologies to Robert Frost)

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference
reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Reviews By Richard Austin
January 19, 2012
____________________________________________________________________

Liars & Outliers: Enabling The Trust That Society Needs To Thrive
by Bruce Schneier
Wiley 2012.
ISBN 978-1-118-14330-8
Amazon.com USD 15.18 (pre-order)
Table of Contents: http://www.schneier.com/book-lo-toc.html

Schneier's latest book is a wide-ranging exploration of the trust that
both enables and supports the functioning of a group (whether a family,
tribe, society or civilization). It is not an information security book
and the publisher has aptly positioned it in the "Current
Affairs/Sociology" category. As might be expected, the book is well
written and researched (the references and notes make up a third of its
length).

Trust is explored in the context of a variety of societal dilemmas -
situations where an actor (a person, corporation, etc) must make a choice
between their interest and competing interests of the group that contains
them. Defectors (the "liars and outliers" of the title) are those that
choose not to follow (or defect from) the norms of the group. Defectors
can sometimes be reprehensible people such as thieves and confidence
tricksters and sometimes admirable people such as abolitionists fighting
a social norm of slavery.

The trust model starts with moral and reputational factors which operate
in the arena of individuals and small groups.
These are quite effective when actors are familiar with one another but
falter when scaling to larger groups such as a society or civilization.
To deal with the increasing scale (numbers of actors, geographical
separation, high mobility, etc), institutional factors (e.g., laws and
punishments) and security mechanisms (e.g., police forces and militaries)
come into play.

Technology is one of the main factors increasing the scale of social
interactions that challenge our traditional and familiar tactics for
creating and evaluating trust. For example, an interaction over the web
can transparently cross cultural and geographical boundaries and pose
perplexing conundrums of how trust (who we're talking to, the reliability
of their communications, etc) can be established and maintained.

Chapter 15, "How Societal Pressures Fail", is an absolute gem and
suggests plausible explanations for many of the troublesome issues that
arise when actors interact in complex ways and have the ability to
exploit natural delays in the system (e.g., if a particular tactic can
generate a profit of $10,000 per month with an expected 9 months before
the tactic is detected and a $5,000 sanction is imposed, it can be quite
profitable to defect).

After exploring the trust model, how it works, and how it fails (or can
be made to fail), Schneier suggests a list of tactics for improving the
"trustability" of our interactions ranging from understanding the
societal dilemmas operating in particular contexts to increasing
transparency. While they sound trite in isolation, taken in the overall
context of Schneier's examination, they form good advice on how to
improve the situation.

The book is not without its controversies. Some will question the
suggested genetic basis for many of the behaviors (rather than "there's a
gene for that", it might be the case that the genetic basis rather
enables emergence of the behaviors).
Sometimes the assumption that technological advancement and improvement
is a monotonically increasing up-and-to-the-right function seems to
ignore the fact that a substantial portion of the world population is
locked in a grim struggle to obtain the basics of food, water and
shelter. Though a minor point suggested in the end notes, many of us will
disagree that the time of representational democracy is over or that the
next development in human civilization is to join the queue for
assimilation into the "group mind".

Controversies aside, this book deserves to be read. Its exploration of
trust, its development, nurturing, manipulation and failure is sorely
needed as a background to many of the issues faced by individuals and the
societies they form. It's a trite truism, but if we do not understand the
basis of the problem, we will eternally focus on treating the symptoms of
the underlying disease. Schneier has done the community a great service
by presenting a masterful exploration of the issue of trust.

---------------------------------------------------------------------------

Tangled Web: A Guide to Securing Modern Web Applications
by Michal Zalewski
No Starch Press 2012.
ISBN 978-1-59327-388-0
Amazon.com USD 29.97
Table of Contents: http://nostarch.com/tangledweb.htm#toc

We've all experienced a suspicion that there is something basically wrong
with the world-wide web and how we use it. Browser vulnerabilities,
web-based exploits and malware continue to appear in a regular hit parade
despite our best efforts to bring some order and safety to our
interactions with the online world. In his second book (the first being
the sobering "Silence on the Wire" reviewed by Bob Bruen in the May, 2005
issue), Zalewski provides an explanation of how we find ourselves in the
midst of these troubles and offers suggestions for a way forward.
The first of the book's three parts, "Anatomy of the Web", provides an
introduction and overview of just how we came to find ourselves on
slippery footing in the midst of a murky swamp with various species of
alligators swimming just below the surface. The author displays a brutal
honesty as evidenced by this telling observation on what passes for "risk
management" in some organizations - an attitude that "structured
inadequacy is almost as good as adequacy and that underfunded security
efforts plus risk management are about as good as properly funded
security work" (p. 5).

Even for the many of us who have lived through the "web years",
Zalewski's recounting of the very human story of how Tim Berners-Lee's
vision of a practical way to build active documents grew into the
mammoth, life-permeating web platform still provides a well-organized
background perspective for the material that follows. We see that the web
was never envisioned to be the critical infrastructure that it became and
that as design decisions made for its original purpose began to show
their limitations, a bevy of vendors stepped up to address them and put
their particular stamp on the developing technology. Though many
recognized that standardization was part of an interoperable solution,
the rapid pace of commercial innovation and technological change led to
standards being largely obsolete by the time they were approved and
having little effect on how the web actually worked in practice.

Presentation of important web technologies (encoding, frames, cookies,
etc) is both detailed and highly readable (demonstrating the author's
deep knowledge of the subject). With a solid introduction to the web's
anatomy, the reader is prepared for the second part, "Browser Security
Features", which reviews the tactics intended to improve the security of
the web experience.
Major security features such as "content isolation logic", "origin
inheritance", etc, are covered in their own chapters with honest
discussion of their benefits and shortcomings. I must admit that your
humble correspondent found this part of the book quite challenging to
read and digest and, more than once, had to make use of Zalewski's
copious references to catch up with the author's presentation.

The third and final part provides "A Glimpse of Things to Come" while
discussing new security features that are being developed (or still at
the discussion stage). While perhaps not things that can be utilized in
applications today, they provide an interesting glimpse into the current
state of thought.

Of special note is Chapter 18, "Common Web Vulnerabilities", that
provides concise explanations of the major vulnerability classes
discussed throughout the book. So if you find yourself slightly confused
about the distinction between XSS and CSRF, a quick glance through this
topically-organized chapter will make things clear.

Most chapters conclude with a "Security Engineering Cheat Sheet" which
provides concise guidance on dealing with the issues highlighted in the
preceding material. It is tempting to say that these alone are worth the
price of the book but without the preparation provided by the other
material one wouldn't understand why the advice makes sense.

This book goes far beyond oft heard laments such as "the web is a mess"
and catalogs of vulnerabilities to take a broad, overall look at how
browsers and the web came to work the way they do and the challenges
faced in changing the way they work in order to improve overall security.
Of particular value is the discussion of how features interact, sometimes
in unexpected ways, to make what seems an innocuous or even beneficial
change become a disaster waiting to happen.
The practical guidance on how to avoid such pitfalls and do a better job
with security using the currently available technology is both timely
and to-the-point. Highly recommended for technical security
professionals, web architects and senior web developers.

Before beginning life as an educator and independent cybersecurity
consultant, Richard Austin (http://cse.spsu.edu/raustin2) spent 30+ years
in the IT industry in positions ranging from software developer to
security architect. He welcomes your thoughts and comments at raustin2
at spsu dot edu

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

______________________________________________________________________
DNS Security Error Causes Consternation
______________________________________________________________________

Reported on January 24, 2012
From: Jason Livingood <Jason_Livingood@cable.comcast.com>
To: dnssec-deployment@dnssec-deployment.org

On 18 January 2012, we at Comcast observed reports of failures of our
users to reach the NASA.GOV website. End users on our network incorrectly
interpreted this as an attempt by us to block access to the NASA website,
on the same day as SOPA-related website protests. :-(

Since we feel that the entire Internet community has room for improvement
on signing processes (not to single out NASA), we decided to start doing
failure analyses here and there - and share them with the community in
the hope that it will help bring greater operational scrutiny and
maturity to DNSSEC signing processes. So ... this is our first one. We
welcome any comments or feedback!

The document is available at
http://www.dnssec.comcast.net/DNSSEC_Validation_Failure_NASAGOV_20120118_FINAL.pdf.
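The practical lesson of the incident above is that a SERVFAIL from a validating resolver looks, to the end user, exactly like a block. The following Python is an added example (not code from the Cipher newsletter, from Comcast, or from the report linked above) of the triage an operator would do before drawing that conclusion: compare the answer with and without the CD bit, then look at the usual signing-process failures (an RRSIG whose validity window has lapsed, a DS in the parent that no longer matches a published DNSKEY). The zone name, key tags, timestamps and RRSIG lines are constructed sample data, not NASA's real records, and the example says nothing about what NASA's actual cause was; read the report for that.

```python
# Added example: offline triage of a DNSSEC validation failure.
# Not the newsletter's or Comcast's code; sample data below is constructed.
from datetime import datetime, timezone

SERVFAIL, NOERROR, NXDOMAIN = "SERVFAIL", "NOERROR", "NXDOMAIN"


def classify_rcodes(rcode_validating, rcode_cd):
    """Compare the RCODE from a validating resolver with the RCODE for the
    same query sent with the CD (checking disabled) bit, i.e. 'dig ... +cd'.
    Only a DNSSEC validation failure turns SERVFAIL into a success under CD;
    that separates a broken chain of trust from a block or a dead server."""
    if rcode_validating == SERVFAIL and rcode_cd in (NOERROR, NXDOMAIN):
        return "dnssec-validation-failure"
    if rcode_validating == SERVFAIL and rcode_cd == SERVFAIL:
        return "upstream-or-authoritative-failure"
    if rcode_validating == rcode_cd:
        return "no-resolver-problem"
    return "inconsistent-answers"


def parse_rrsig(line):
    """Parse one RRSIG in presentation format, as printed by 'dig +dnssec':
    owner TTL IN RRSIG type alg labels origTTL expiration inception keytag signer sig"""
    f = line.split()
    i = f.index("RRSIG")

    def stamp(s):  # RRSIG times are absolute UTC, YYYYMMDDHHMMSS
        return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

    return {"owner": f[0], "type_covered": f[i + 1], "algorithm": int(f[i + 2]),
            "expiration": stamp(f[i + 5]), "inception": stamp(f[i + 6]),
            "key_tag": int(f[i + 7]), "signer": f[i + 8]}


def check_rrsig_window(sig, now):
    """A signature is valid only inside [inception, expiration]; a stalled
    re-signing job or a wrong clock on the signer puts 'now' outside it."""
    findings = []
    if now > sig["expiration"]:
        findings.append("RRSIG over %s %s expired at %s" % (
            sig["owner"], sig["type_covered"], sig["expiration"].isoformat()))
    if now < sig["inception"]:
        findings.append("RRSIG over %s %s not yet valid (inception %s)" % (
            sig["owner"], sig["type_covered"], sig["inception"].isoformat()))
    return findings


def check_chain(ds_tags, dnskey_tags, rrsig_tags):
    """Key-tag level checks on the chain of trust: the parent's DS must point
    at a DNSKEY the child actually publishes, and every RRSIG must name a
    key tag that is present in the DNSKEY RRset."""
    findings = []
    if not set(ds_tags) & set(dnskey_tags):
        findings.append("no DS in the parent (tags %s) matches a published DNSKEY (tags %s)"
                        % (sorted(ds_tags), sorted(dnskey_tags)))
    orphaned = set(rrsig_tags) - set(dnskey_tags)
    if orphaned:
        findings.append("RRSIGs made with key tag(s) %s that are not in the DNSKEY RRset"
                        % sorted(orphaned))
    return findings


def triage(rcode_validating, rcode_cd, rrsig_lines, ds_tags, dnskey_tags, now):
    """Return (verdict, findings); chain checks run only when the RCODE
    comparison says the resolver refused to validate."""
    verdict = classify_rcodes(rcode_validating, rcode_cd)
    findings = []
    if verdict == "dnssec-validation-failure":
        sigs = [parse_rrsig(line) for line in rrsig_lines]
        for sig in sigs:
            findings += check_rrsig_window(sig, now)
        findings += check_chain(ds_tags, dnskey_tags, [s["key_tag"] for s in sigs])
    return verdict, findings


# Constructed sample (hypothetical zone example.gov, not NASA's records): the
# A RRSIG has expired and the parent's DS still names an old key tag.
SAMPLE_RRSIGS = [
    "example.gov. 300 IN RRSIG A 8 2 300 20120115000000 20120101000000 41237 example.gov. bm90YXJlYWxzaWc=",
    "example.gov. 3600 IN RRSIG DNSKEY 8 2 3600 20120201000000 20120101000000 50003 example.gov. bm90YXJlYWxzaWc=",
]
SAMPLE_DS_TAGS = [12345]             # constructed: what the parent publishes
SAMPLE_DNSKEY_TAGS = [50003, 41237]  # constructed: what the child publishes
SAMPLE_NOW = datetime(2012, 1, 18, 12, 0, tzinfo=timezone.utc)


def run_sample():
    return triage(SERVFAIL, NOERROR, SAMPLE_RRSIGS,
                  SAMPLE_DS_TAGS, SAMPLE_DNSKEY_TAGS, SAMPLE_NOW)


if __name__ == "__main__":
    verdict, findings = run_sample()
    print(verdict)
    for item in findings:
        print(" -", item)
```

The inputs come from the resolver in question: `dig @<resolver> <name> A +dnssec` and the same query with `+cd` give the two RCODEs and the RRSIG lines; `dig <zone> DS` shows the parent's delegation (the key tag is the first RDATA field); `dig <zone> DNSKEY +multiline` annotates each key with its key id. Key tags are 16-bit and not unique, so a matching tag is necessary but not sufficient; a definitive check hashes the DNSKEY and compares it with the DS digest, which `drill -S` or DNSViz will do, and the example deliberately stops short of that.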
(short URL is http://bit.ly/NASA20120118)

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html

--------------
This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to
have it included on this page, send the following information:
Institution, City, State, Position title, date position announcement
closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
====================================================================

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events
maintained by Hilarie Orman

Date (Month/Day/Year), Event, Locations, web page for more info.
 1/29/12: ICDCS-NFSP, 1st International Workshop on Network Forensics, Security and Privacy, Held in conjunction with ICDCS 2012, Macau, China; http://www.deakin.edu.au/~syu/nfsp/; Submissions are due
 1/31/12: WISTP, 6th Workshop on Information Security Theory and Practice, London, UK; http://www.wistp.org/; Submissions are due
 1/31/12: DFIS, 6th International Symposium on Digital Forensics and Information Security, Vancouver, Canada; http://web.ftrai.org/dfis2012; Submissions are due
 2/ 5/12: ACNS, 10th International Conference on Applied Cryptography and Network Security, Singapore; http://icsd.i2r.a-star.edu.sg/acns2012; Submissions are due
 2/ 5/12- 2/ 8/12: NDSS, Network & Distributed System Security Symposium, San Diego, California, USA; http://www.isoc.org/isoc/conferences/ndss/12/cfp.shtml
 2/ 6/12: DSPAN, 3rd IEEE Workshop on Data Security and PrivAcy in wireless Networks, Held in conjunction with The Thirteenth International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM 2012), San Francisco, CA, USA; http://www.ee.washington.edu/research/nsl/DSPAN_2012/; Submissions are due
 2/13/12: HAISA, 6th International Symposium on Human Aspects of Information Security and Assurance, Hersonissos, Crete, Greece; http://haisa.org/; Submissions are due
 2/13/12: WDFIA, 7th International Workshop on Digital Forensics and Incident Analysis, Hersonissos, Crete, Greece; http://www.wdfia.org/; Submissions are due
 2/16/12: USENIX-Security, 21st USENIX Security Symposium, Bellevue, WA, USA; http://www.usenix.org/events/sec12/; Submissions are due
 2/16/12- 2/17/12: ESSoS, 4th International Symposium on Engineering Secure Software and Systems, Eindhoven, The Netherlands; http://distrinet.cs.kuleuven.be/events/essos2012/
 2/18/12: WSCS, Workshop on Semantic Computing and Security, Co-located with the IEEE Security and Privacy Symposium 2012, The Westin Hotel, San Francisco, CA, USA; http://ieee-security.org/TC/SPW2012/wscs-website/wscs.php; Submissions are due
 2/20/12: PETS, 12th Privacy Enhancing Technologies Symposium, Vigo, Spain; http://petsymposium.org/2012/; Submissions are due
 2/20/12: PSOSM, Workshop on Privacy and Security in Online Social Media, Held in conjunction with the 21st International World Wide Web Conference (WWW 2012), Lyon, France; http://precog.iiitd.edu.in/psosm_www2012/; Submissions are due
 2/23/12: LEET, 5th USENIX Workshop on Large-Scale Exploits and Emergent Threats, Co-located with NSDI 2012, San Jose, CA, USA; http://www.usenix.org/leet12/cfpa; Submissions are due
 2/24/12: MoST, Mobile Security Technologies Workshop, Co-located with IEEE Symposium on Security and Privacy 2012, The Westin St. Francis Hotel, San Francisco, CA, USA; http://www.mostconf.com; Submissions are due
 2/27/12- 3/ 2/12: CT-RSA, RSA Conference, Cryptographers' Track, San Francisco, California, USA; http://ctrsa2012.cs.haifa.ac.il/
 2/27/12- 3/ 2/12: FC, 16th Financial Cryptography and Data Security, Divi Flamingo Beach Resort, Bonaire; http://fc12.ifca.ai/
 3/ 2/12: W2SP, Web 2.0 Security & Privacy Workshop, Co-located with IEEE Symposium on Security and Privacy 2012, The Westin St. Francis Hotel, San Francisco, CA, USA; http://www.w2spconf.com/2012/; Submissions are due
 3/ 2/12: WECSR, 3rd Workshop on Ethics in Computer Security Research, Divi Flamingo Resort, Bonaire; http://www.cs.stevens.edu/~spock/wecsr2012/cfp.html
 3/ 2/12: USEC, Workshop on Usable Security, Held in conjunction with the Financial Cryptography and Data Security (FC 2012), Divi Flamingo Beach Resort, Bonaire; http://infosecon.net/usec12/index.php
 3/ 5/12: CHES, IACR Workshop on Cryptographic Hardware and Embedded Systems, Leuven, Belgium; http://www.iacr.org/workshops/ches/ches2012/start.php; Submissions are due
 3/ 5/12: SECRYPT, 9th International Conference on Security and Cryptography, Rome, Italy; http://secrypt.icete.org; Submissions are due
 3/ 9/12: SecIoT, Workshop on the Security of the Internet of Things, Munich, Germany; http://www.nics.uma.es/seciot12/; Submissions are due
 3/19/12- 3/21/12: IFIP-CIP, 6th Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, National Defense University, Fort McNair, Washington, DC, USA; http://www.ifip1110.org
 3/24/12- 4/ 1/12: POST, 1st Conference on Principles of Security and Trust, Tallinn, Estonia; http://web.cs.wpi.edu/~guttman/post12/
 3/26/12: LASER, Workshop on Learning from Authoritative Security Experiment Results, Co-located with IEEE Symposium on Security and Privacy 2012, The Westin St. Francis Hotel, San Francisco, CA, USA; http://www.cert.org/laser-workshop/; Submissions are due
 4/ 6/12: TrustBus, 9th International Conference on Trust, Privacy, and Security in Digital Business, Held in conjunction with DEXA 2012, Vienna University of Technology, Austria; http://www.ds.unipi.gr/trustbus12/; Submissions are due
 4/10/12: HealthSec, 3rd USENIX Workshop on Health Security and Privacy, Bellevue, WA, USA; http://www.usenix.org/events/healthsec12/; Submissions are due
 4/15/12: CloudSec, 4th International Workshop on Security in Cloud Computing, Held in conjunction with the 41st ICPP, Pittsburgh, PA, USA; http://bingweb.binghamton.edu/~ychen/CloudSec2012.htm; Submissions are due
 4/16/12: SSS, 14th International Symposium on Stabilization, Safety, and Security of Distributed Systems, Toronto, Canada; http://www.cs.uwaterloo.ca/sss2012/; Submissions are due
 4/16/12- 4/18/12: WiSec, ACM Conference on Wireless Network Security, Tucson, Arizona, USA; http://www.sigsac.org/wisec/WiSec2012/
 4/16/12- 4/20/12: PSOSM, Workshop on Privacy and Security in Online Social Media, Held in conjunction with the 21st International World Wide Web Conference (WWW 2012), Lyon, France; http://precog.iiitd.edu.in/psosm_www2012/
 4/19/12: CSET, 5th Workshop on Cyber Security Experimentation and Test, Bellevue, WA, USA; http://www.usenix.org/events/cset12/; Submissions are due
 4/20/12: ProvSec, 6th International Conference on Provable Security, Chengdu, China; http://www.ccse.uestc.edu.cn/provsec/callforpapers.html; Submissions are due
 4/24/12: LEET, 5th USENIX Workshop on Large-Scale Exploits and Emergent Threats, Co-located with NSDI 2012, San Jose, CA, USA; http://www.usenix.org/leet12/cfpa
 5/ 1/12- 5/ 3/12: ASIACCS, 7th ACM Symposium on Information, Computer and Communications Security, Seoul, Republic of Korea; http://elec.sch.ac.kr/asiaccs/
 5/ 3/12- 5/ 4/12: COSADE, 3rd International Workshop on Constructive Side-Channel Analysis and Secure Design, Darmstadt, Germany; http://cosade2011.cased.de
 5/ 4/12: ACM-CCS, 19th ACM Conference on Computer and Communications Security, Raleigh, North Carolina, USA; http://www.sigsac.org/ccs/CCS2012/; Submissions are due
 5/20/12- 5/23/12: SP, 33rd IEEE Symposium on Security and Privacy, San Francisco Bay Area, California, USA; http://www.ieee-security.org/TC/SP2012/cfp.html
 5/24/12: WSCS, Workshop on Semantic Computing and Security, Co-located with the IEEE Security and Privacy Symposium 2012, The Westin Hotel, San Francisco, CA, USA; http://ieee-security.org/TC/SPW2012/wscs-website/wscs.php
 5/24/12: MoST, Mobile Security Technologies Workshop, Co-located with IEEE Symposium on Security and Privacy 2012, The Westin St. Francis Hotel, San Francisco, CA, USA; http://www.mostconf.com
 5/24/12: W2SP, Web 2.0 Security & Privacy Workshop, Co-located with IEEE Symposium on Security and Privacy 2012, The Westin St. Francis Hotel, San Francisco, CA, USA; http://www.w2spconf.com/2012/
 5/24/12: LASER, Workshop on Learning from Authoritative Security Experiment Results, Co-located with IEEE Symposium on Security and Privacy 2012, The Westin St. Francis Hotel, San Francisco, CA, USA; http://www.cert.org/laser-workshop/
 6/ 1/12: IEEE Network Magazine, Special Issue on Cyber Security of Networked Critical Infrastructures; http://dl.comsoc.org/livepubs/ni/info/cfp/cfpnetwork0113.htm; Submissions are due
 6/ 4/12- 6/ 6/12: SEC, 27th IFIP International Information Security and Privacy Conference, Creta Maris Hotel, Heraklion, Crete, Greece; http://www.sec2012.org
 6/ 6/12- 6/ 8/12: HAISA, 6th International Symposium on Human Aspects of Information Security and Assurance, Hersonissos, Crete, Greece; http://haisa.org/
 6/ 6/12- 6/ 8/12: WDFIA, 7th International Workshop on Digital Forensics and Incident Analysis, Hersonissos, Crete, Greece; http://www.wdfia.org/
 6/10/12- 6/15/12: SFCS, 1st IEEE International Workshop on Security and Forensics in Communication Systems, Held in conjunction with IEEE ICC 2012, Ottawa, Canada; http://sites.google.com/site/sfcs2012/
 6/15/12: NSS, 6th International Conference on Network and System Security, Wu Yi Shan, Fujian, China; http://anss.org.au/nss2012/index.html; Submissions are due
 6/18/12- 6/21/12: ICDCS-NFSP, 1st International Workshop on Network Forensics, Security and Privacy, Held in conjunction with ICDCS 2012, Macau, China; http://www.deakin.edu.au/~syu/nfsp/
 6/18/12- 6/21/12: ICDCS-SPCC, 3rd International Workshop on Security and Privacy in Cloud Computing, Held in conjunction with ICDCS 2012, Macau, China; http://www.ece.iit.edu/~ubisec/workshop.htm
 6/19/12- 6/22/12: WISTP, 6th Workshop on Information Security Theory and Practice, London, UK; http://www.wistp.org/
 6/20/12- 6/22/12: SACMAT, 17th ACM Symposium on Access Control Models and Technologies, Newark, NJ, USA; http://www.sacmat.org
 6/25/12: DSPAN, 3rd IEEE Workshop on Data Security and PrivAcy in wireless Networks, Held in conjunction with The Thirteenth International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM 2012), San Francisco, CA, USA; http://www.ee.washington.edu/research/nsl/DSPAN_2012/
 6/26/12- 6/28/12: DFIS, 6th International Symposium on Digital Forensics and Information Security, Vancouver, Canada; http://web.ftrai.org/dfis2012
 6/26/12- 6/29/12: ACNS, 10th International Conference on Applied Cryptography and Network Security, Singapore; http://icsd.i2r.a-star.edu.sg/acns2012
 7/11/12- 7/13/12: PETS, 12th Privacy Enhancing Technologies Symposium, Vigo, Spain; http://petsymposium.org/2012/
 7/15/11- 7/15/12: IEEE Internet Computing, Track Articles on Computer Crime; http://www.computer.org/portal/web/computingnow/cfptrack; Submissions are due
 7/24/12- 7/27/12: SECRYPT, 9th International Conference on Security and Cryptography, Rome, Italy; http://secrypt.icete.org
 7/30/12- 8/ 2/12: SecIoT, Workshop on the Security of the Internet of Things, Munich, Germany; http://www.nics.uma.es/seciot12/
 8/ 6/12: CSET, 5th Workshop on Cyber Security Experimentation and Test, Bellevue, WA, USA; http://www.usenix.org/events/cset12/
 8/ 6/12- 8/ 7/12: HealthSec, 3rd USENIX Workshop on Health Security and Privacy, Bellevue, WA, USA; http://www.usenix.org/events/healthsec12/
 8/ 8/12- 8/10/12: USENIX-Security, 21st USENIX Security Symposium, Bellevue, WA, USA; http://www.usenix.org/events/sec12/
 9/ 3/12- 9/ 7/12: TrustBus, 9th International Conference on Trust, Privacy, and Security in Digital Business, Held in conjunction with DEXA 2012, Vienna University of Technology, Austria; http://www.ds.unipi.gr/trustbus12/
 9/ 9/12- 9/12/12: CHES, IACR Workshop on Cryptographic Hardware and Embedded Systems, Leuven, Belgium; http://www.iacr.org/workshops/ches/ches2012/start.php
 9/12/12: CloudSec, 4th International Workshop on Security in Cloud Computing, Held in conjunction with the 41st ICPP, Pittsburgh, PA, USA; http://bingweb.binghamton.edu/~ychen/CloudSec2012.htm
 9/26/12- 9/28/12: ProvSec, 6th International Conference on Provable Security, Chengdu, China; http://www.ccse.uestc.edu.cn/provsec/callforpapers.html
10/ 1/12-10/ 4/12: SSS, 14th International Symposium on Stabilization, Safety, and Security of Distributed Systems, Toronto, Canada; http://www.cs.uwaterloo.ca/sss2012/
10/16/12-10/18/12: ACM-CCS, 19th ACM Conference on Computer and Communications Security, Raleigh, North Carolina, USA; http://www.sigsac.org/ccs/CCS2012/
11/21/12-11/23/12: NSS, 6th International Conference on Network and System Security, Wu Yi Shan, Fujian, China; http://anss.org.au/nss2012/index.html

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers (new since Cipher E105)
____________________________________________________________________

ICDCS-NFSP 2012
1st International Workshop on Network Forensics, Security and Privacy,
Held in conjunction with ICDCS 2012, Macau, China, June 18-21, 2012.
(Submissions due 29 January 2012)
http://www.deakin.edu.au/~syu/nfsp/

Cyber space has become an integrated part of human society. At the same
time, it has also provided convenient platforms for crimes, such as
financial fraud, information phishing, distributed denial of service
attacks, and fake message propagation. In particular, the emergence of
social networks has introduced significant security and privacy issues
to the public. Fighting criminals in cyber space is a great and new
challenge. The field involves various disciplines, such as networking,
information theory, mathematical modelling, data mining, machine
learning, image and voice processing, neural networks, pattern
recognition, cryptography and forensic criminology.
Topics of interest include, but are not limited to:
- Anonymous system and forensics
- IP traceback
- Malware detection
- Botnet identification
- Networked video system
- Biometric security and forensics
- Emotion identification via video
- Wireless forensics, security and privacy
- Game theory in forensics, security and privacy
- Data Mining in forensics, security and privacy
- DDoS attacks
- Virus source traceback
- Malware source traceback
- Botmaster traceback
- Distributed systems and forensics
- System security and forensics
- Intrusion detection
- Social networks forensics, security and privacy
- Information theory in network security
- Multimedia in network security

-------------------------------------------------------------------------

WISTP 2012
6th Workshop on Information Security Theory and Practice, London, UK,
June 19-22, 2012. (Submissions due 31 January 2012)
http://www.wistp.org/

Future ICT technologies, like the concepts of Ambient Intelligence and
Internet of Things, provide a vision of the Information Society where the
emphasis is on surrounding people by intelligent interactive interfaces
and objects and on environments that are capable of recognising and
reacting to the presence of different individuals in a seamless,
unobtrusive and invisible manner. WISTP 2012 aims to address the security
and privacy issues that are increasingly exposed by mobile and wireless
communications and related services, along with evaluating their impact
on business, individuals, and society. The workshop seeks submissions
from academia and industry presenting novel research on all theoretical
and practical aspects of security and privacy of mobile and smart
devices, as well as experimental studies of fielded systems based on
wireless communication, the application of security technology, the
implementation of systems, and lessons learned.

We encourage submissions from other communities such as law, business and
policy that present these communities' perspectives on technological
issues. Topics of interest include, but are not limited to:
- Security, Privacy and Trust in the Internet of Things
- Security and Trustworthiness in mobile and wireless networks including
  Mobile ad hoc networks, RFID systems, Wireless sensor networks and
  Vehicular networks
- Security, Privacy and Trust in Smart Environments
- Security, Privacy and Trust in Social Networks and Social Worlds
- Trustworthy life-logging
- Security, Privacy and Trust in e-Government and Mobile Commerce
  including Biometrics and national ID cards
- Human behaviour and psychological aspects of security including User
  centric security and privacy
- Lightweight cryptography
- Privacy enhancing technologies (PETs)
- Mobile code security
- Mobile devices security
- Smart card security
- Embedded systems security
- Security models and architectures including Security and privacy
  policies, Authentication and Access Control, and Security protocols

-------------------------------------------------------------------------

DFIS 2012
6th International Symposium on Digital Forensics and Information
Security, Vancouver, Canada, June 26-28, 2012.
(Submissions due 31 January 2012)
http://web.ftrai.org/dfis2012

Digital Forensics and Information Security (DFIS) are advanced
communication and networking environments where all applications and
services are focused on users. In addition, DFIS has rapidly emerged as
an exciting new paradigm to provide reliable and comfortable life
services. Furthermore, the benefits of DFIS will only be realized if
security issues can be appropriately addressed. In particular, forensics
for DFIS is very important in the security field.
This workshop is intended to foster state-of-the-art research in Digital Forensics and Information Security in the area of DFIS, including information and communication technologies, law, social sciences and business administration.

-------------------------------------------------------------------------
ACNS 2012 10th International Conference on Applied Cryptography and Network Security, Singapore, June 26-29, 2012. (Submissions due 5 February 2012)
http://icsd.i2r.a-star.edu.sg/acns2012

The conference seeks submissions from academia, industry, and government presenting novel research on all aspects of applied cryptography as well as network security and privacy. Papers describing novel paradigms, original directions, or non-traditional perspectives are also encouraged. The conference has two tracks: a research track and an industry track.

Topics of interest include, but are not limited to:
- Access control
- Applied cryptography
- Automated protocols analysis
- Biometric security and privacy
- Complex systems security
- Critical infrastructure protection
- Cryptographic primitives and protocols
- Database and system security
- Data protection
- Digital rights management
- Email and web security
- Identity management
- Intellectual property protection
- Internet fraud
- Intrusion detection and prevention
- Key management
- Malware
- Network security protocols
- Privacy, anonymity, and untraceability
- Privacy-enhancing technology
- Policies
- Protection for the future Internet
- Security in P2P systems
- Security and privacy in cloud and grid systems
- Security in e-commerce
- Security in pervasive/ubiquitous computing
- Security and privacy in distributed systems
- Security and privacy in smart grids
- Security and privacy in wireless networks
- Security and privacy metrics
- Secure mobile agents and mobile code
- Trust management
- Usability and security

-------------------------------------------------------------------------
DSPAN 2012 3rd IEEE Workshop on Data Security and PrivAcy in wireless Networks, Held in conjunction with The Thirteenth International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM 2012), San Francisco, CA, USA, June 25, 2012. (Submissions due 6 February 2012)
http://www.ee.washington.edu/research/nsl/DSPAN_2012/

The workshop focuses on defining novel problems and developing novel techniques for data security and privacy issues in wireless and mobile networks. With the emergence of data-intensive wireless networks such as wireless sensor networks and data-centric mobile applications such as location-based services, the traditional boundaries between these three disciplines are blurring. This workshop solicits papers from two main categories: (1) papers that consider the security and privacy of data collection, transmission, storage, publishing, and sharing in wireless networks broadly defined, e.g., MANET, cellular, vehicular, ad hoc, cognitive, as well as sensor networks, and (2) papers that use data analytics techniques to address security and privacy problems in wireless networks. The workshop provides a venue for researchers to present new ideas with impact on three communities: wireless networks, databases, and security.

-------------------------------------------------------------------------
HAISA 2012 6th International Symposium on Human Aspects of Information Security and Assurance, Hersonissos, Crete, Greece, June 6-8, 2012. (Submissions due 13 February 2012)
http://haisa.org/

It is commonly acknowledged that security requirements cannot be addressed by technical means alone, and that a significant aspect of protection comes down to the attitudes, awareness, behaviour and capabilities of the people involved. Indeed, people can potentially represent a key asset in achieving security, but factors such as lack of awareness and understanding, combined with unreasonable demands from security technologies, can dramatically impede their ability to do so.
With this in mind, HAISA 2012 specifically addresses information security issues that relate to people. It concerns the methods that inform and guide users' understanding of security, and the technologies that can benefit and support them in achieving protection. HAISA 2012 welcomes papers addressing research and case studies in relation to any aspect of information security that pertains to the attitudes, perceptions and behaviour of people, and how human characteristics or technologies may be positively modified to improve the level of protection.

Indicative themes include:
- Information security culture
- Awareness and education methods
- Enhancing risk perception
- Public understanding of security
- Usable security
- Psychological models of security software usage
- User acceptance of security policies and technologies
- User-friendly authentication methods
- Biometric technologies and impacts
- Automating security functionality
- Non-intrusive security
- Assisting security administration
- Impacts of standards, policies, compliance requirements
- Organizational governance for information assurance
- Simplifying risk and threat assessment
- Understanding motivations for misuse
- Social engineering and other human-related risks
- Privacy attitudes and practices
- Computer ethics and security

-------------------------------------------------------------------------
WDFIA 2012 7th International Workshop on Digital Forensics and Incident Analysis, Hersonissos, Crete, Greece, June 6-8, 2012. (Submissions due 13 February 2012)
http://www.wdfia.org/

The field of digital forensics is rapidly evolving and continues to gain significance in both the law enforcement and the scientific community. Being intrinsically interdisciplinary, it draws upon a wide range of subject areas such as information & communication technologies, law, social sciences and business administration. We are pleased to announce the 7th annual workshop on digital forensics and incident analysis, graciously hosted at the Creta Maria Convention Centre, Crete, Greece. WDFIA 2012 is supported by IFIP WG 8, and immediately follows the IFIP SEC 2012 international conference at the same venue. The workshop aims to provide a forum for researchers and practitioners to present original, unpublished research results and innovative ideas. We welcome the submission of papers from the full spectrum of issues relating to the theory and practice of digital forensics and incident analysis.

Areas of special interest include, but are not limited to:
- Digital forensics tools and applications
- Incident response and investigation
- Forensic standards and procedures
- Portable electronic device forensics
- Network forensics
- Data hiding and recovery
- Network traffic analysis, traceback and attribution
- Data mining and e-discovery and their corporate use
- Legal, ethical and policy issues related to digital forensics
- Digital evidence visualisation and presentation
- Integrity of digital evidence and live investigations
- Digital evidence chain of custody, storage and preservation
- Multimedia analysis
- Digital forensics case studies
- Digital forensics training and education
- Best practices and case studies
- Forensics issues of malicious code
- Anti-forensics

-------------------------------------------------------------------------
USENIX-Security 2012 21st USENIX Security Symposium, Bellevue, WA, USA, August 8-10, 2012. (Submissions due 16 February 2012)
http://www.usenix.org/events/sec12/

The USENIX Security Symposium brings together researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in the security of computer systems and networks. All researchers are encouraged to submit papers covering novel and scientifically significant practical works in computer security.
Refereed paper submissions are solicited in all areas relating to systems and network security, including:
- Analysis of network and security protocols
- Applications of cryptographic techniques
- Attacks with novel insights, techniques, or results
- Authentication and authorization of users, systems, and applications
- Automated tools for source code analysis
- Botnets
- Cryptographic implementation analysis and construction
- Denial-of-service attacks and countermeasures
- Embedded systems security
- File and filesystem security
- Forensics and diagnostics for security
- Hardware security
- Human-computer interaction, security, and privacy
- Intrusion and anomaly detection and prevention
- Malicious code analysis, anti-virus, anti-spyware
- Mobile system security
- Network infrastructure security
- Operating system security
- Privacy-enhancing technologies
- Security architectures
- Security education and training
- Security for critical infrastructures
- Security in heterogeneous and large-scale environments
- Security in ubiquitous computing environments
- Security policy
- Self-protecting and self-healing systems
- Techniques for developing secure systems
- Technologies for trustworthy computing
- Wireless security
- Web security, including client-side and server-side security

-------------------------------------------------------------------------
WSCS 2012 Workshop on Semantic Computing and Security, Co-located with the IEEE Security and Privacy Symposium 2012, The Westin Hotel, San Francisco, CA, USA, May 24, 2012. (Submissions due 18 February 2012)
http://ieee-security.org/TC/SPW2012/wscs-website/wscs.php

This workshop follows the successful September 2011 workshop (WSCSP) at the International Semantic Computing Symposium. This new workshop will explore additional topics and allow semantic computing researchers to have more opportunity to interact with security researchers. Semantic Computing technologies derive and use semantics from content, where "content" is wide-ranging: video, audio, text, conversation, software, devices, actions, behavior, etc. Security technology encompasses the specification of secure behavior as well as the detection of insecure behavior over computer networks. The two disciplines come together in this new and interesting combination, in a synergy-seeking, cutting-edge workshop. The delimited notions of semantics used within Security and Privacy provide a well-defined and as yet unstudied domain for semantic modeling, automated semantic interpretation, and inference, with clear practical uses and opportunities for novel and imaginative research. The workshop on Semantic Computing and Security addresses: (1) deriving semantics from data used for security and privacy research; (2) semantic verification of network activity; and (3) inferring the semantics of malicious free-form data, such as email and web pages.

Topics of interest include but are not limited to:
- Network dataset curation through semantic derivation
- Semantic MediaWiki for vulnerability sharing and detecting emergent security properties
- Network security semantics, dynamic classification
- Inferred semantics of malicious code
- Semantic verification of network operations
- Semantic specification and analysis of security experiment design
- Semantic analysis of access control policies
- Semantics of data acquisition and computation provenance
- Semantic analysis of malware communication
- Semantics-aware trust management

-------------------------------------------------------------------------
PETS 2012 12th Privacy Enhancing Technologies Symposium, Vigo, Spain, July 11-13, 2012. (Submissions due 20 February 2012)
http://petsymposium.org/2012/

Privacy and anonymity are increasingly important in the online world. Corporations, governments, and other organizations are realizing and exploiting their power to track users and their behavior.
Approaches to protecting individuals, groups, but also companies and governments, from profiling and censorship include decentralization, encryption, distributed trust, and automated policy disclosure. The 12th Privacy Enhancing Technologies Symposium addresses the design and realization of such privacy services for the Internet and other data systems and communication networks by bringing together anonymity and privacy experts from around the world to discuss recent advances and new perspectives. The symposium seeks submissions from academia and industry presenting novel research on all theoretical and practical aspects of privacy technologies, as well as experimental studies of fielded systems. We encourage submissions with novel technical contributions from other communities such as law, business, and data protection authorities, that present their perspectives on technological issues. As in the past, the proceedings will be published in the Springer Lecture Notes in Computer Science series, and will be available at the event.

Suggested topics include but are not restricted to:
- Anonymous communications and publishing systems
- Attacks on privacy and privacy technologies
- Censorship resistance
- Data protection technologies
- Economics of privacy and PETs
- Fielded systems and techniques for enhancing privacy in existing systems
- Location privacy
- Privacy and anonymity in Peer-to-Peer, Cloud, and Ubiquitous Computing Environments
- Privacy and inference control in databases
- Privacy-enhanced access control or authentication/certification
- Privacy-friendly payment mechanisms for PETs and other services
- Privacy in Online Social Networks
- Privacy policy languages and tools
- Privacy threat models
- Profiling and data mining
- Pseudonyms, identity management, linkability, and reputation
- Reliability, robustness and abuse prevention in privacy systems
- Traffic analysis
- Transparency enhancing tools
- Usability issues and user interfaces for PETs

-------------------------------------------------------------------------
PSOSM 2012 Workshop on Privacy and Security in Online Social Media, Held in conjunction with the 21st International World Wide Web Conference (WWW 2012), Lyon, France, April 16-20, 2012. (Submissions due 20 February 2012)
http://precog.iiitd.edu.in/psosm_www2012/

With the increase in usage of the Internet, there has been an exponential increase in the use of online social media on the Internet. Websites like Facebook, YouTube, Orkut, Twitter and Flickr have changed the way the Internet is being used. There is a dire need to investigate, study and characterize privacy and security of online social media from various perspectives (computational, cultural, psychological). Real world scalable systems need to be built to detect and defend against security and privacy issues on online social media.
The main goals of the workshop are: (1) to create a platform to discuss the latest issues, trends, and cutting-edge research approaches in security and privacy in online social media; (2) to bring together researchers who are working on issues related to security and privacy on the Internet, and those studying online social media, to discuss the problems that overlap and bring these two areas together.

Topics / themes include, but are not limited to, the following:
- Information privacy disclosure, revelation and its effects in online social networks
- Collateral damage due to information leakage (e.g. through photo tagging) on OSM
- Privacy issues related to location based services on OSM
- Effective and usable privacy settings and policies on OSM
- Anonymization of social network datasets
- Detection and characterization of spam, phishing, frauds, hate crime, abuse, extremism via online social media
- Cyber-bullying, abuse and harassment detection, and prevention strategies
- Identifying and curbing malware, phishing, and botnets on OSM
- Filtering of pornography, viruses, and human trafficking related content or entities on OSM
- Studying the social and economic impact of security and privacy issues on OSM
- Usability (including design flaws) of secure systems on online social media
- Data modeling of human behavior in the context of security and privacy threats
- Privacy and security issues in social gaming applications
- Trust systems based on social networks
- Legal and ethical issues for researchers studying security and privacy on OSM
- Information credibility on online social media
- Security and privacy challenges in new entrants in OSM (e.g. Google Plus)
- Effect of OSM on conventional crime (robberies and theft)

-------------------------------------------------------------------------
LEET 2012 5th USENIX Workshop on Large-Scale Exploits and Emergent Threats, Co-located with NSDI 2012, San Jose, CA, USA, April 24, 2012. (Submissions due 23 February 2012)
http://www.usenix.org/leet12/cfpa

Now in its fifth year, LEET continues to provide a unique forum for the discussion of threats to the confidentiality of our data, the integrity of digital transactions, and the dependability of the technologies we increasingly rely on. We encourage submissions of papers that focus on the malicious activities themselves (e.g., reconnaissance, exploitation, privilege escalation, rootkit installation, attack), our responses as defenders (e.g., prevention, detection, and mitigation), or the social, political, and economic goals driving these malicious activities and the legal and ethical codes guiding our defensive responses.

Topics of interest include but are not limited to:
- Infection vectors for malware (worms, viruses, etc.)
- Botnets, command and control channels
- Spyware
- Operational experience and case studies
- Forensics
- Click fraud
- Measurement studies
- New threats and related challenges
- Boutique and targeted malware
- Phishing
- Spam
- Underground economy
- Carding and identity theft
- Miscreant counterintelligence
- Denial-of-service attacks
- Hardware vulnerabilities
- Legal issues
- The arms race (rootkits, anti-anti-virus, etc.)
- New platforms (cellular networks, wireless networks, mobile devices)
- Camouflage and detection
- Reverse engineering
- Vulnerability markets and zero-day economics
- Online money laundering
- Understanding the enemy
- Data collection challenges

-------------------------------------------------------------------------
MoST 2012 Mobile Security Technologies Workshop, Co-located with IEEE Symposium on Security and Privacy 2012, The Westin St. Francis Hotel, San Francisco, CA, USA, May 24, 2012. (Submissions due 24 February 2012)
http://www.mostconf.com

MoST is co-located with the IEEE Security & Privacy Symposium.
Mobile Security Technologies (MoST) brings together researchers, practitioners, policy makers, and hardware and software developers of mobile systems to explore the latest understanding and advances in security and privacy for mobile devices, applications, and systems. We are seeking both short position papers (2-4 pages) and longer papers (a maximum of 10 pages).

The scope of MoST 2012 includes, but is not limited to, security and privacy specifically for mobile devices and services related to:
- Device hardware
- Operating systems
- Middleware
- Mobile web
- Secure and efficient communication
- Secure application development tools and practices
- Privacy
- Vulnerabilities and remediation techniques
- Usable security
- Identity and access control
- Risks in putting trust in the device vs. in the network/cloud
- Special applications, such as medical monitoring and records
- Mobile advertisement
- Secure applications and application markets
- Economic impact of security and privacy technologies

-------------------------------------------------------------------------
W2SP 2012 Web 2.0 Security & Privacy Workshop, Co-located with IEEE Symposium on Security and Privacy 2012, The Westin St. Francis Hotel, San Francisco, CA, USA, May 24, 2012. (Submissions due 2 March 2012)
http://www.w2spconf.com/2012/

W2SP brings together researchers, practitioners, web programmers, policy makers, and others interested in the latest understanding and advances in the security and privacy of the web, browsers and their eco-system. We have had five years of successful W2SP workshops. This year, we will additionally invite selected papers to a special issue of the journal. We are seeking both short position papers (2? pages) and longer papers (a maximum of 10 pages).

The scope of W2SP 2012 includes, but is not limited to:
- Trustworthy cloud-based services
- Privacy and reputation in social networks
- Security and privacy as a service
- Usable security and privacy
- Security for the mobile web
- Identity management and pseudonymity
- Web services/feeds/mashups
- Provenance and governance
- Security and privacy policies for composable content
- Next-generation browser technology
- Secure extensions and plug-ins
- Advertisement and affiliate fraud
- Measurement study for understanding web security and privacy

-------------------------------------------------------------------------
CHES 2012 IACR Workshop on Cryptographic Hardware and Embedded Systems, Leuven, Belgium, September 9-12, 2012. (Submissions due 5 March 2012)
http://www.iacr.org/workshops/ches/ches2012/start.php

CHES covers new results on all aspects of the design and analysis of cryptographic hardware and software implementations. The workshop builds a bridge between the cryptographic research community and the cryptographic engineering community. With participants from industry, academia, and government organizations, the number of participants has grown to over 300 in recent years. In addition to a track of high-quality presentations, CHES 2012 will offer invited talks, tutorials, a poster session, and a rump session. CHES 2012 especially encourages submissions on the following two subjects: Design Methods to Build Secure and Efficient Hardware or Software, and Leakage Resilient Cryptography Including New Model Definitions and Analysis and the Design of New Cryptosystems. All submitted papers will be reviewed by at least four Program Committee members.
The topics of CHES 2012 include but are not limited to:

Cryptographic implementations, including
- Hardware architectures for public-key, secret-key and hash algorithms
- Cryptographic processors and co-processors
- Hardware accelerators for security protocols
- True and pseudorandom number generators
- Physical unclonable functions
- Efficient software implementations of cryptography

Attacks against implementations and countermeasures against these attacks, including
- Side channel attacks and countermeasures
- Fault attacks and countermeasures
- Hardware tampering and tamper-resistance

Tools and methodologies, including
- Computer aided cryptographic engineering
- Verification methods and tools for secure design
- Metrics for the security of embedded systems
- Secure programming techniques
- FPGA design security
- Formal methods for secure hardware

Interactions between cryptographic theory and implementation issues, including
- New and emerging cryptographic algorithms and protocols targeting embedded devices
- Special-purpose hardware for cryptanalysis
- Leakage resilient cryptography

Applications, including
- Cryptography in wireless applications
- Cryptography for pervasive computing
- Hardware IP protection and anti-counterfeiting
- Reconfigurable hardware for cryptography
- Smart card processors, systems and applications
- Security in consumer applications
- Secure storage devices
- Technologies and hardware for content protection
- Trusted computing platforms

-------------------------------------------------------------------------
SECRYPT 2012 9th International Conference on Security and Cryptography, Rome, Italy, July 24-27, 2012. (Submissions due 5 March 2012)
http://secrypt.icete.org

SECRYPT is an annual international conference covering research in information and communication security. The conference seeks submissions from academia, industry, and government presenting novel research on all theoretical and practical aspects of data protection, privacy, security, and cryptography. Papers describing the application of security technology, the implementation of systems, and lessons learned are also encouraged.

-------------------------------------------------------------------------
SecIoT 2012 Workshop on the Security of the Internet of Things, Munich, Germany, July 30 - August 2, 2012. (Submissions due 9 March 2012)
http://www.nics.uma.es/seciot12/

While there are many definitions of the Internet of Things (IoT), all of them revolve around the same central concept: a world-wide network of interconnected objects. These objects will make use of multiple technological building blocks (e.g. wireless communication, sensors, actuators, RFID) and connectivity paradigms (e.g. cloud-based infrastructures, P2P systems) in order to allow people and things to be connected anytime, anyplace, with anything and anyone. However, mainly due to the inherent heterogeneity of this vision and its broad scope, there will not be a single silver bullet security solution that will fulfill all the security requirements of the IoT. Therefore: How can we include security as a core element of the IoT? How will the IoT interact with other security mechanisms of the Future Internet? What security requirements will be truly challenged by the ultimate vision of the IoT? It is precisely the goal of this workshop to bring together researchers and industry experts in areas relevant to the security of the Internet of Things to discuss these and other significant issues. Moreover, this workshop also has the objective to serve as a forum not only for presenting cutting-edge research, but also for debating the role of security and its practical implications in the development of the IoT.
-------------------------------------------------------------------------
LASER 2012 Workshop on Learning from Authoritative Security Experiment Results, Co-located with IEEE Symposium on Security and Privacy 2012, The Westin St. Francis Hotel, San Francisco, CA, USA, May 24, 2012. (Submissions due 26 March 2012)
http://www.cert.org/laser-workshop/

The goal of this workshop is to provide an outlet for publication of unexpected research results in security -- to encourage people to share not only what works, but also what doesn't. This doesn't mean bad research -- it means research that had a valid hypothesis and methods, but the result was negative. Given the increased importance of computer security, the security community needs to quickly identify and learn from both success and failure.

Journal papers and conferences typically contain papers that report successful experiments that extend our knowledge of the science of security, or assess whether an engineering project has performed as anticipated. Some of these results have high impact; others do not. Unfortunately, papers reporting on experiments with unanticipated results that the experimenters cannot explain, or experiments that are not statistically significant, or engineering efforts that fail to produce the expected results, are frequently not considered publishable, because they do not appear to extend our knowledge. Yet, some of these "failures" may actually provide clues to even more significant results than the original experimenter had intended. The research is useful, even though the results are unexpected.

Useful research includes a well-reasoned hypothesis, a well-defined method for testing that hypothesis, and results that either disprove or fail to prove the hypothesis. It also includes a methodology documented sufficiently so that others can follow the same path. When framed in this way, "unsuccessful" research furthers our knowledge of a hypothesis and testing method. Others can reproduce the experiment itself, vary the methods, and change the hypothesis; the original result provides a place to begin.

As an example, consider an experiment assessing a protocol utilizing biometric authentication as part of the process to provide access to a computer system. The null hypothesis might be that the biometric technology does not distinguish between two different people; in other words, that the biometric element of the protocol makes the approach vulnerable to a masquerade attack. Suppose the null hypothesis is verified. It would still be worth publishing this result. First, it might prevent others from trying the same biometric method. Second, it might lead them to further develop the technology - to determine whether a different style of biometrics would improve matters, or if the environment in which authentication is being attempted makes a difference. For example, a retinal scan may be a failure in recognizing people in a crowd, but successful where the users present themselves one at a time to an admission device with controlled lighting, or when multiple "tries" are included. Third, it might lead to modifying the encompassing protocol so as to make masquerading more difficult for some other reason.

Equally important is research designed to reproduce the results of earlier work. Reproducibility is key to science, to validate or uncover errors or problems in earlier work. Failure to reproduce the results leads to a deeper understanding of the phenomena that the earlier work uncovers. The workshop focuses on research that has a valid hypothesis and reproducible experimental methodology, but where the results were unexpected or did not validate the hypotheses, where the methodology addressed difficult and/or unexpected issues, or that identified previously unsuspected confounding issues.
We solicit research and position papers addressing these issues, especially (but not exclusively) on the following topics:
- Unexpected research results in experimental security
- Methods, statistical analyses, and designs for security experiments
- Experimental confounds, mistakes, mitigations
- Successes and failures in reproducing the experimental techniques and/or results of earlier work

-------------------------------------------------------------------------
TrustBus 2012 9th International Conference on Trust, Privacy, and Security in Digital Business, Held in conjunction with DEXA 2012, Vienna University of Technology, Austria, September 3-7, 2012. (Submissions due 6 April 2012)
http://www.ds.unipi.gr/trustbus12/

The advances in the Information and Communication Technologies (ICT) have raised new opportunities for the implementation of novel applications and the provision of high quality services over global networks. The aim is to utilize this information society era for improving the quality of life for all citizens, disseminating knowledge, strengthening social cohesion, generating earnings and finally ensuring that organizations and public bodies remain competitive in the global electronic marketplace. Unfortunately, such a rapid technological evolution cannot be problem-free. Concerns are raised regarding the lack of trust in electronic procedures and the extent to which information security and user privacy can be ensured. In answer to these concerns, the 9th International Conference on Trust, Privacy and Security in Digital Business (TrustBus 2012) will provide an international forum for researchers and practitioners to exchange information regarding advancements in the state of the art and practice of trust and privacy in digital business. TrustBus 2012 will bring together researchers from different disciplines, developers, and users all interested in the critical success factors of digital business systems.
We are interested in papers, work-in-progress reports, and industrial experiences describing advances in all areas of digital business applications related to trust and privacy, including, but not limited to: - Anonymity and pseudonymity in business transactions - Business architectures and underlying infrastructures - Common practice, legal and regulatory issues - Cryptographic protocols - Delivery technologies and scheduling protocols - Design of business models with security requirements - Economics of Information Systems Security - Electronic cash, wallets and pay-per-view systems - Enterprise management and consumer protection - Identity and Trust Management - Intellectual property and digital rights management - Intrusion detection and information filtering - Languages for description of services and contracts - Management of privacy & confidentiality - Models for access control and authentication - Multimedia web services - New cryptographic building-blocks for e-business applications - Online transaction processing - PKI & PMI - Public administration, governmental services - P2P transactions and scenarios - Real-time Internet E-Services - Reliability and security of content and data - Reliable auction, e-procurement and negotiation technology - Reputation in services provision - Secure process integration and management - Security and Privacy models for Pervasive Information Systems - Security Policies - Shopping, trading, and contract management tools - Smartcard technology - Transactional Models - Trust and privacy issues in mobile commerce environments - Usability of security technologies and services - Trust and privacy issues in the cloud ------------------------------------------------------------------------- HealthSec 2012 3rd USENIX Workshop on Health Security and Privacy, Bellevue, WA, USA, August 6-7, 2012. 
(Submissions due 10 April 2012)
http://www.usenix.org/events/healthsec12/

The focus of HealthSec '12 will be on the development of new techniques and policies to ensure the privacy and security of next-generation healthcare systems and devices. HealthSec is intended as a forum for lively discussion of aggressively innovative and potentially disruptive ideas on all aspects of medical and health security and privacy. We strongly encourage cross-disciplinary interactions between fields, including, but not limited to, technology, medicine, and policy.

-------------------------------------------------------------------------

CloudSec 2012
4th International Workshop on Security in Cloud Computing, held in conjunction with the 41st ICPP, Pittsburgh, PA, USA, September 12, 2012. (Submissions due 15 April 2012)
http://bingweb.binghamton.edu/~ychen/CloudSec2012.htm

Cloud Computing has generated interest from both industry and academia since 2007. As an extension of Grid Computing and Distributed Computing, Cloud Computing aims to provide users with flexible services in a transparent manner. Services are allocated in a cloud, which is a collection of devices and resources connected through the Internet. Before this paradigm can be widely accepted, the security, privacy and reliability provided by the services in the cloud must be well established. CloudSec 2012 will bring researchers and experts together to present and discuss the latest developments and technical solutions concerning various aspects of security issues in Cloud Computing. CloudSec 2012 seeks original unpublished papers focusing on theoretical analysis, emerging applications, novel system architecture construction and design, experimental studies, and social impacts of Cloud Computing. Both review/survey papers and technical papers are encouraged.
CloudSec 2012 also welcomes short papers related to Security in Cloud Computing, which summarize speculative breakthroughs, work-in-progress, industry featured projects, open problems, new application challenges, visionary ideas, and preliminary studies. The topics include but are not limited to:
- Emerging threats to Cloud-based services
- Security model for new services
- Security in Cloud-aware web service
- Information hiding/encryption in Cloud Computing
- Copyright protection in the Cloud
- Securing distributed data storage in cloud
- Privacy and security in Cloud Computing
- Forensics in Cloud environments
- Robust network architecture
- Cloud Infrastructure Security
- Intrusion detection/prevention
- Denial-of-Service (DoS) attacks and defense
- Robust job scheduling
- Secure resource allocation and indexing
- Secure payment for Cloud-aware services
- User authentication in Cloud-aware services
- Non-Repudiation solutions in the Cloud
- Security for emerging Cloud programming models
- Performance evaluation for security solutions
- Testbed/Simulators for Cloud security research
- Security hardware, i.e. hardware for encryption, etc.
- Detection and prevention of hardware Trojans

-------------------------------------------------------------------------

SSS 2012
14th International Symposium on Stabilization, Safety, and Security of Distributed Systems, Toronto, Canada, October 1-4, 2012. (Submissions due 16 April 2012)
http://www.cs.uwaterloo.ca/sss2012/

The SSS symposium is a prestigious international forum for researchers and practitioners in the design and development of fault-tolerant distributed systems with self-* properties, such as self-stabilizing, self-configuring, self-organizing, self-managing, self-repairing, self-healing, self-optimizing, self-adaptive, and self-protecting systems.
Research in distributed systems is now at a crucial point in its evolution, marked by the importance of dynamic systems such as cloud networks, social networks, peer-to-peer networks, large-scale wireless sensor networks, mobile ad hoc networks, etc., and many new applications such as grid and web services, banking and e-commerce, e-health and robotics, aerospace and avionics, automotive, industrial process control, etc. have joined the traditional applications of distributed systems.

-------------------------------------------------------------------------

CSET 2012
5th Workshop on Cyber Security Experimentation and Test, Bellevue, WA, USA, August 6, 2012. (Submissions due 19 April 2012)
http://www.usenix.org/events/cset12/

The science of cyber security is challenging for a number of reasons. Meeting these challenges requires transformational advances, including understanding of the relationship between scientific method and cyber security evaluation, advancing capabilities of underlying experimental infrastructure, and improving data usability. CSET invites submissions on the science of cyber security evaluation, as well as experimentation, measurement, metrics, data, and simulations as those subjects relate to computer and network security.

-------------------------------------------------------------------------

ProvSec 2012
6th International Conference on Provable Security, Chengdu, China, September 26-28, 2012. (Submissions due 20 April 2012)
http://www.ccse.uestc.edu.cn/provsec/callforpapers.html

Provable security is an important research area in modern cryptography. Cryptographic primitives or protocols without a rigorous proof cannot be regarded as secure even in practice. In fact, there are many schemes that were originally thought as secure but eventually broken, which clearly indicates the need of formal security assurance. With provable security, we are confident in using cryptographic schemes and protocols in various real-world applications.
Meanwhile, schemes with provable security sometimes give only theoretical feasibility rather than a practical construction, and correctness of the proofs may be difficult to verify. The ProvSec conference thus provides a platform for researchers, scholars and practitioners to exchange new ideas for solving these problems in the provable security area. Topics include all aspects of provable security for cryptographic primitives or protocols, and include but are not limited to the following areas:
- Cryptographic primitives
- Digital signatures
- Formal security model
- Lattice-based security reductions
- Pairing-based provably secure cryptography
- Privacy and anonymity technologies
- Provable secure block ciphers and hash functions
- Secure cryptographic protocols and applications
- Security notions, approaches, and paradigms
- Steganography and steganalysis

-------------------------------------------------------------------------

ACM-CCS 2012
19th ACM Conference on Computer and Communications Security, Raleigh, North Carolina, USA, October 16-18, 2012. (Submissions due 4 May 2012)
http://www.sigsac.org/ccs/CCS2012/

The annual ACM Computer and Communications Security Conference is a leading international forum for information security researchers, practitioners, developers, and users to explore cutting-edge ideas and results, and to exchange techniques, tools, and experiences. The conference seeks submissions from academia, government, and industry presenting novel research on all practical and theoretical aspects of computer and communications security. Papers should have relevance to the construction, evaluation, application, or operation of secure systems. Theoretical papers must make a convincing argument for the practical significance of the results. All topic areas related to computer and communications security are of interest and in scope. Accepted papers will be published by ACM Press in the conference proceedings.
Outstanding papers will be invited for possible publication in a special issue of the ACM Transactions on Information and System Security.

-------------------------------------------------------------------------

IEEE Network Magazine, Special Issue on Cyber Security of Networked Critical Infrastructures, January 2013. (Submissions due 1 June 2012)
http://dl.comsoc.org/livepubs/ni/info/cfp/cfpnetwork0113.htm
Editors: Saeed Abu-Nimeh (Damballa Inc., USA), Ernest Foo (Queensland University of Technology, Australia), Igor Nai Fovino (Global Cyber Security Center, Italy), Manimaran Govindarasu (Iowa State University, USA), and Tommy Morris (Mississippi State University, USA)

The daily lives of millions of people depend on processing information and material through a network of critical infrastructures. Critical infrastructures include agriculture and food, water, public health, emergency services, government, the defense industrial base, information and telecommunications, energy, transportation and shipping, banking and finance, chemical industry and hazardous materials, post, national monuments and icons, and critical manufacturing. Disruption or disturbance of critical infrastructures can lead to economic and human losses. Additionally, the control network of most critical installations is integrated with broader information and communication systems, including the company business network. Most maintenance services on process control equipment are performed remotely. Further, the cyber security of critical infrastructure systems has come into focus recently as more of these systems are exposed to the Internet. Therefore, Critical Infrastructure Protection (CIP) has become a topic of interest for academics, industries, governments, and researchers in recent years. A common theme among critical infrastructures is the dependence upon secure cyber systems for command and control.
This special issue will focus on network aspects that impact the cyber security of Critical Infrastructure Protection and Resilience. Tutorial-based manuscripts which cover recent advances in one or more of the topic areas below are requested. Topics may include (but are not limited to):
- Security of supervisory control and data acquisition (SCADA) systems
- Security of the smart grid
- Cyber security of industrial control systems
- Security of complex and distributed critical infrastructures
- DNS and Internet Security (as critical infrastructures)
- Security metrics, benchmarks, and data sets
- Attack modeling, prevention, mitigation, and defense
- Early warning and intrusion detection systems
- Self-healing and self-protection systems
- Advanced forensic methodologies
- Cyber-physical systems security approaches and algorithms
- Critical infrastructure security policies, standards and regulations
- Vulnerability and risk assessment methodologies for distributed critical infrastructures
- Simulation and testbeds for the security evaluation of critical infrastructures

-------------------------------------------------------------------------

NSS 2012
6th International Conference on Network and System Security, Wu Yi Shan, Fujian, China, November 21-23, 2012. (Submissions due 15 June 2012)
http://anss.org.au/nss2012/index.html

NSS is an annual international conference covering research in network and system security. The conference seeks submissions from academia, industry, and government presenting novel research on all theoretical and practical aspects of network security, privacy, applications security, and system security. Papers describing case studies, implementation experiences, and lessons learned are also encouraged.
Topics of interest include but are not limited to:
- Active Defense Systems
- Hardware Security
- Security in P2P systems
- Adaptive Defense Systems
- Analysis and Benchmark of Security Systems
- Identity Management
- Intelligent Defense Systems
- Security in Cloud and Grid Systems
- Security in E-Commerce
- Applied Cryptography
- Authentication
- Insider Threats
- Intellectual Property Rights Protection
- Security in Pervasive/Ubiquitous Computing
- Security and Privacy in Smart Grid
- Biometric Security
- Complex Systems Security
- Internet and Network Forensics
- Intrusion Detection and Prevention
- Secure Mobile Agents and Mobile Code
- Security and Privacy in Wireless Networks
- Database and System Security
- Data Protection
- Key Distribution and Management
- Large-scale Attacks and Defense
- Security Policy
- Security Protocols
- Data/System Integrity
- Distributed Access Control
- Malware
- Network Resiliency
- Security Simulation and Tools
- Security Theory and Tools
- Distributed Attack Systems
- Network Security
- Standards and Assurance Methods
- Denial-of-Service
- RFID Security and Privacy
- Trusted Computing
- High Performance Network Virtualization
- Security Architectures
- Trust Management
- High Performance Security Systems
- Security for Critical Infrastructures
- World Wide Web Security

-------------------------------------------------------------------------

IEEE Internet Computing, Track Articles on Computer Crime, 2012. (Submissions will be accepted for this track from 15 July 2011 to 15 July 2012)
http://www.computer.org/portal/web/computingnow/cfptrack
Editors: Nasir Memon (New York University, USA) and Oliver Spatscheck (AT&T, USA)

As the Internet has grown and extended its reach into every part of people's lives, it shouldn't be surprising that criminals have seized the opportunity to expand their activities into this new realm. This has been fostered in particular by the fact that the Internet was designed as an open and trusting environment.
Unfortunately, many of these architectural choices are fundamental to the Internet's success and current architecture and are therefore hard to overcome. Computer crime ranges from rather simple crimes such as theft of intellectual property or computer and network resources to complex corporate espionage or even cyber terrorism. This special track for Internet Computing seeks original articles that cover computer crime as it relates to the Internet. Appropriate topics include:
- trends and classification of criminal activities on the Internet;
- computer crime prevention, including approaches implemented in user interfaces, end user systems, networks, or server infrastructure;
- case studies of criminal activities;
- computer forensics;
- impact assessments of criminal activities on the Internet; and
- new architectures to prevent Internet crime
Track articles run one per issue for a single calendar year. Articles will be run in the order in which they are accepted for publication.

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two ways to subscribe:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".
   OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at http://www.computer.org/TCsignup/index.htm

______________________________________________________________________
TC Publications for Sale
______________________________________________________________________

IEEE Security and Privacy Symposium

The 2010 hardcopy proceedings are available at $25 each. The DVD with all technical papers from all years of the SP Symposium and the CSF Symposium (through 2009) is $10, plus shipping and handling.

The 2009 hardcopy proceedings are not available. The DVD with all technical papers from all years of the SP Symposium and the CSF Symposium is $5, plus shipping and handling.

The 2008 hardcopy proceedings are $10 plus shipping and handling; the 29 year CD is $5.00, plus shipping and handling.

The 2007 proceedings are available in hardcopy for $10.00, the 28 year CD is $5.00, plus shipping and handling.

The 2006 Symposium proceedings and 11-year CD are sold out.

The 2005, 2004, and 2003 Symposium proceedings are available for $10 plus shipping and handling.

Shipping is $5.00/volume within the US, overseas surface mail is $8/volume, and overseas airmail is $14/volume, based on an order of 3 volumes or less. The shipping charge for a CD is $3 per CD (no charge if included with a hard copy order).
Send a check made out to the IEEE Symposium on Security and Privacy to the 2011 treasurer (below) with the order description, including shipping method and shipping address.

Robin Sommer
Treasurer, IEEE Symposium Security and Privacy 2011
International Computer Science Institute
Center for Internet Research
1947 Center St., Suite 600
Berkeley, CA 94704 USA
oakland11-treasurer@ieee-security.org

IEEE CS Press

You may order some back issues from IEEE CS Press at http://www.computer.org/cspress/catalog/proc9.htm

Computer Security Foundations Symposium

Copies of the proceedings of the Computer Security Foundations Workshop (now Symposium) are available for $10 each. Copies of proceedings are available starting with year 10 (1997). Photocopy versions of year 1 are also $10. Contact Jonathan Herzog if interested in purchase.

Jonathan Herzog
jherzog@alum.mit.edu

____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________

Chair:
Sven Dietrich
Department of Computer Science
Stevens Institute of Technology
+1 201 216 8078
spock AT cs.stevens.edu

Security and Privacy Symposium Chair Emeritus:
Deborah Frincke
debfrincke@gmail.com

Vice Chair:
Patrick McDaniel
Computer Science and Engineering
Pennsylvania State University
360 A IST Building
University Park, PA 16802
(814) 863-3599
mcdaniel@cse.psu.edu

Treasurer:
Terry Benzel
USC Information Sciences Intnl
4676 Admiralty Way, Suite 1001
Los Angeles, CA 90292
(310) 822-1511 (voice)
tbenzel @isi.edu

Newsletter Editor:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2012 Chair:
Robert Cunningham
MIT Lincoln Laboratories
http://www.ll.mit.edu/mission/communications/ist/biographies/cunningham-bio.html

________________________________________________________________________
BACK ISSUES:
Cipher is archived at: http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year