_/_/_/_/ _/_/_/ _/_/_/_/ _/ _/ _/_/_/_/ _/_/_/_/
_/ _/ _/ _/ _/ _/ _/ _/ _/
_/ _/ _/_/_/_/ _/_/_/_/ _/_/ _/_/_/_/
_/ _/ _/ _/ _/ _/ _/ _/
_/_/_/_/ _/_/_/ _/ _/ _/ _/_/_/_/ _/ _/
============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 108 June 10, 2012
Hilarie Orman, Editor: cipher-editor @ ieee-security.org
Sven Dietrich, Assoc. Editor: cipher-assoc-editor @ ieee-security.org
Richard Austin, Book Review Editor: cipher-bookrev @ ieee-security.org
Yong Guan, Calendar Editor: cipher-cfp @ ieee-security.org
============================================================================
The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year
Contents:
* Letter from the Editor
* Commentary and Opinion
o Richard Austin's review of "Practical Malware Analysis: The
Hands-On Guide to Dissecting Malicious Software"
by Michael Sikorski and Andrew Honig
o Noted in the News
- NIST request for comments re cryptographic key management design
- Publication: "The Next Wave" addresses security science
- International Espionage Targets US Networks
- Voluntary Program Imposes Restrictions on Defense Contractor Networks
- Stuxnet, US Cyber Warfare is Here
- Flame: Complicated, Clever, and Effective
- FPGA Design: Useful or Deceitful?
- Forgotten Server Releases Personal Data on Utah Patients
- LinkedIn Caught With Its Salt Down
- Cybercrime Wave: Costly or Not?
o Book reviews, Conference Reports and Commentary and News items
from past Cipher issues are available at the Cipher website
* Conference and Workshop Announcements
o Calendar of Security-Related Events
o Upcoming calls-for-papers
* List of Computer Security Academic Positions, by Cynthia Irvine
* Staying in Touch
o Information for subscribers and contributors
o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
o Becoming a member of the TC
o TC Officers
o TC publications for sale
====================================================================
Letter from the Editor
====================================================================
Dear Readers:
This past May the Security and Privacy Symposium held its 33rd meeting
at a new venue, The Westin St. Francis Hotel in San Francisco,
California. Attendance hit a record level of over 450, and many
stayed on for one or more of the 5 co-located workshops that
followed. Planning for the 2013 conference has already started, and
we are looking forward to another stellar event in San Francisco.
This month we are pleased to note the return of our book reviewer,
Richard Austin, with his review of "Practical Malware Analysis."
There have been many articles in the wider news media about
cybersecurity, much of it from research work and a changing
stance of the US government. We have selected several for
brief mention. Taken together, they may illustrate the harsh
reality of security: malware is the only game in town and
privacy is an illusion. Yet note that the article about
foreign espionage against US networks cites an annual cost
estimate, while another article cautions that these estimates
are usually unfounded.
Damn the viruses, overclock the processors, full speed ahead!
Hilarie Orman
cipher-editor @ ieee-security.org
====================================================================
Commentary and Opinion
====================================================================
Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference
reports are archived at
http://www.ieee-security.org/Cipher/ConfReports.html
____________________________________________________________________
Book Review By Richard Austin
May 27, 2012
____________________________________________________________________
Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious
Software
by Michael Sikorski and Andrew Honig
No Starch Press 2012.
ISBN 978-1-59327-290-6 Amazon.com USD 35.97; Table of Contents:
http://nostarch.com/malware#toc
Malware analysis was once pretty much the exclusive province of
malware authors and anti-malware vendors but, as the authors point out
(p. xxviii), in the days of "advanced persistent threats" and other
forms of targeted digital malice, it is becoming critical to be able
to answer tough analytical questions. What exactly did the malware
do, how can it be detected in the future, how can the scope of the
infection be determined, and how can one be really sure that it has
been removed?
The authors' articulate, well-designed presentation goes a long way
toward making the practice of malware analysis a standard part of the
technical security professionals' repertoire. The book has several
unique features that enhance its value for self-study:
* Most chapters include labs that apply the techniques discussed in
the chapter
* Solutions to the labs are provided in a 255-page appendix that
includes both a short "sign-post" solution and a detailed
walk-through
* Sage advice on creating a virtual environment to allow safely
working with malware
* Author-written malware (downloaded from the companion website
http://practicalmalwareanalysis.com/) for use in the labs (NOTE:
though instructional and written for the book, this is real malware
so be sure to handle appropriately)
Do note that the book is Windows-focused (Windows is still the largest
malware target though other platforms are rising fast) and that it is
a very technical book. Managerially-focused professionals will find
anything past the first few chapters very tough sledding. This is
also not a book you casually read on a rainy Sunday afternoon; working
through at least some of the labs that follow each chapter is required
to garner the maximum benefit from the book.
The authors organize their presentation into three parts dealing with
analysis (basic analysis, advanced static analysis and advanced
dynamic analysis), a fourth part dealing with malware functionality
(what malware actually has to do in order to carry out its mission), a
particularly fascinating fifth part that covers how malware authors
harden their creations to resist detection and analysis, and a final
part that deals with those interesting topics (such as shellcode
analysis and 64-bit malware) that don't really fit in the earlier
sections.
The presentation is focused on practical application rather than
theory, and it is peppered with timely warnings regarding
paralysis-of-analysis and knowing when to say your analysis is
sufficiently complete. Though all the chapters have their virtues,
chapter 14, "Malware-Focused Network Signatures", is of particular
note for its application of the results of malware analysis to
detecting the malware (or artifacts of its operation) in network
traffic using Snort.
A wide variety of tools are introduced (some Open Source, some free
and some commercial) and their use illustrated (and practiced in the
labs). Appendix B provides a consolidated list and the reader will
want to spend the hour or so downloading them before adventuring much
past the second chapter. While some might criticize the publisher for
not providing the tools on DVD with the book, actually visiting the
sites to get the tools is a good exercise and exposes the reader to
additional documentation and other tools that might be useful. Do be
aware that some anti-malware programs will take grave exception to
some of these tools; it would be wise to exclude your download
directory from their purview.
As you probably suspect by now, readers will be exposed to a lot of
assembler code. The authors provide an excellent introductory chapter
on x86 disassembly and another chapter on recognizing source
constructs in the disassembled code. When code snippets appear in the
text (and they frequently do), the authors provide clear explanations
rather than such matters being left as "an exercise for the student".
If you find yourself (like me) needing some additional background,
Intel's instruction set documentation is freely available at
http://www.intel.com/content/dam/doc/manual/64-ia-32-architectures-software-developer-vol-1-2a-2b-3a-3b-manual.pdf.
In summary, this is an awesome book on a very topical subject written
by knowledgeable authors who possess the rare gift of being able to
communicate their knowledge through the written word. Before
starting, set aside the time required to set up the virtual
infrastructure, download the tools and work through the labs. Your
investment of time and effort will pay great dividends the first time
you're faced with explaining what a piece of malware did and why
you're sure it was completely eradicated.
Before beginning life as an educator and independent cybersecurity
consultant, Richard Austin (http://cse.spsu.edu/raustin2) spent 30+
years in the IT industry in positions ranging from software developer
to security architect. He welcomes your thoughts and comments at
raustin2 at spsu dot edu
====================================================================
News Briefs
====================================================================
News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html
____________________________________________________________________
Information from NIST, Request for Comments
____________________________________________________________________
Second Public Draft, Special Publication 800-130, A Framework for
Designing Cryptographic Key Management Systems
Public Comment Period: April 13, 2012 through July 30, 2012.
Email Comments to: ckmsdesignframework@nist.gov
Second Public Draft Details:
NIST requests comments on SP 800-130, A Framework for Designing
Cryptographic Key Management Systems. This is a revision of the
document that was provided for public comment in June 2010. Comments
are requested by July 30, 2012 and should be sent to
ckmsdesignframework@nist.gov, with "Comments on SP 800-130" in the
subject line. Another document, SP 800-152, which provides a basic
profile of this framework document for the Federal government, will be
available for initial comment later this year.
Links:
Draft SP 800-130 (PDF) on CSRC website:
http://csrc.nist.gov/publications/drafts/800-130/second-draft_sp-800-130_april-2012.pdf
____________________________________________________________________
NSA Publication Addresses Security Science
Contributed by Carl Landwehr
____________________________________________________________________
The current issue of "Next Wave" focuses on developing a blueprint
for a science of cybersecurity. It includes an introduction by Bob
Meushaw and seven articles looking at this topic from different
perspectives by Fred Schneider, Alessandro Chiesa and Eran Tromer,
Anupam Datta and John Mitchell, Dusko Pavlovic, Roy Maxion, Adam
Shostack, and Carl Landwehr. Copies are freely available in hard copy
(only) from:
National Security Agency
Attn: Kathleen Prewitt, Managing Editor
Suite 6541
Ft. George G. Meade, MD 20755-6541
or by email to: TNW@tycho.ncsc.mil
___________________________________________________________________
International Espionage Targets US Networks
From the Washington Post, April 17, 2012
____________________________________________________________________
Several nations are trying to penetrate U.S. cyber-networks, says
ex-FBI official Shawn Henry.
http://www.washingtonpost.com/world/national-security/several-nations-trying-to-penetrate-us-cyber-networks-says-ex-fbi-official/2012/04/17/gIQAFAGUPT_story.html
___________________________________________________________________
Voluntary Program Imposes Restrictions on Defense Contractor
Networks
From The Washington Post, May 11, 2012
___________________________________________________________________
The Pentagon will expand a cybersecurity program for defense contractors.
The system scans incoming email and selectively blocks outgoing accesses.
http://www.washingtonpost.com/world/national-security/pentagon-to-expand-cybersecurity-program-for-defense-contractors/2012/05/11/gIQALhjbHU_story.html
___________________________________________________________________
Stuxnet, US Cyber Warfare is Here
From the New York Times, June 1, 2012
___________________________________________________________________
The US Department of Defense has signalled its participation in
offensive cyberwarfare several times in the past year. Now more
information about its involvement in the Stuxnet targeting of Iran's
nuclear program is available.
http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html
___________________________________________________________________
Flame: Complicated, Clever, and Effective
From CNN Security Blogs, June 5th, 2012
___________________________________________________________________
The origin of the Flame virus remains unknown, but the capabilities are
wide-reaching. Allegedly, some of the code compromises Microsoft authenticity
checks by generating false credentials, but the details have yet to
be revealed. MD5 is a likely suspect.
http://security.blogs.cnn.com/2012/06/05/decoding-the-flame-virus/?hpt=hp_c3
___________________________________________________________________
FPGA Design: Useful or Deceitful?
From PC World, June 1, 2012
___________________________________________________________________
FPGA security has been called into question. Microsemi says the feature
in question is a debugging mode in its chip; some researchers call it a
backdoor.
http://www.pcworld.com/businesscenter/article/256666/microsemi_denies_existence_of_backdoor_in_its_chips_researchers_disagree.html?tk=out
___________________________________________________________________
Forgotten Server Releases Personal Data on Utah Patients
From the Deseret News, May 16, 2012
___________________________________________________________________
Analyzing a data breach that released personal information for nearly 800K
people, the state of Utah uncovered many procedural errors, and the state's
IT director lost his job.
http://www.deseretnews.com/article/865555954/Multiple-mistakes-led-to-massive-health-data-breach-director-says.html
___________________________________________________________________
LinkedIn Caught With Its Salt Down
From CNNMoneyTech, June 6, 2012
___________________________________________________________________
A password file from LinkedIn was posted by persons unknown. The
hashes fell quickly to dictionary attacks because the passwords had
been hashed without the well-known technique of "salting": with no
per-user salt, every user who chose the same password has the same
hash, so one pass over a dictionary (or a precomputed table) cracks
all of them at once. Because the usernames were not part of the
disclosure, the leak did not, by itself, compromise user accounts
significantly.
http://money.cnn.com/2012/06/06/technology/linkedin-password-hack/index.htm?hpt=hp_c1
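To make the point about salting concrete, here is an added example (not
from the newsletter or the CNN article) in Python. The user list, the
"leaked" hash files and the attacker's word list are all constructed for
the demonstration; SHA-1 is used as the stand-in fast hash, and the
unsalted attacker cost is shown to be independent of how many users are
in the file, while the salted one grows per user. The final function is
the usual remedy, a salted and iterated KDF from the standard library.

```python
"""Why unsalted password hashes fall in bulk, and what salting changes.

Constructed demonstration, not code from any real password store.
"""
import hashlib
import os
from typing import Dict, List, Tuple

# Constructed word list standing in for an attacker's dictionary.
WORDLIST: List[str] = ["password", "linkedin", "123456", "letmein", "qwerty", "dragon"]

# Constructed user database: three users share "password", one chose a strong one.
USERS: Dict[str, str] = {
    "alice": "password",
    "bob": "password",
    "carol": "linkedin",
    "dave": "password",
    "erin": "correct horse battery staple",
}


def unsalted_hash(password: str) -> str:
    """Weak scheme: bare SHA-1 of the password. Equal passwords give equal hashes."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Per-user random salt mixed in before hashing (still a fast hash; see slow_salted_hash)."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def leak_unsalted(users: Dict[str, str]) -> Dict[str, str]:
    """The file an attacker obtains from an unsalted store: user -> hash."""
    return {u: unsalted_hash(p) for u, p in users.items()}


def leak_salted(users: Dict[str, str]) -> Dict[str, Tuple[bytes, str]]:
    """Salts are stored beside the hash; whoever has the file has the salts too."""
    out: Dict[str, Tuple[bytes, str]] = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = (salt, salted_hash(p, salt))
    return out


def crack_unsalted(leaked: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Hash each word once, then look every user up in the table.

    Returns (user -> recovered password, number of hash computations).
    The table costs len(wordlist) hashes no matter how many users leaked,
    and it can be precomputed and reused against the next leak.
    """
    table = {unsalted_hash(w): w for w in wordlist}
    hits = {u: table[h] for u, h in leaked.items() if h in table}
    return hits, len(wordlist)


def crack_salted(leaked: Dict[str, Tuple[bytes, str]], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """No shared table is possible: each user's salt forces a fresh pass over the dictionary.

    Returns (user -> recovered password, number of hash computations).
    Work grows with the number of users, and nothing carries over between leaks.
    """
    hits: Dict[str, str] = {}
    work = 0
    for u, (salt, h) in leaked.items():
        for w in wordlist:
            work += 1
            if salted_hash(w, salt) == h:
                hits[u] = w
                break
    return hits, work


def slow_salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """What a password store should use instead of one fast hash: a salted, iterated
    KDF (PBKDF2-HMAC-SHA256 from the standard library), so each guess costs the
    attacker roughly `iterations` hash computations rather than one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


if __name__ == "__main__":
    hits, work = crack_unsalted(leak_unsalted(USERS), WORDLIST)
    print(f"unsalted: cracked {sorted(hits)} with {work} hash computations")
    hits, work = crack_salted(leak_salted(USERS), WORDLIST)
    print(f"salted:   cracked {sorted(hits)} with {work} hash computations")
```

Salting alone only removes the batch and precomputation advantage; a
weak password under a salted fast hash still falls to a per-user
dictionary run, which is why the last function iterates the hash as
well.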
___________________________________________________________________
Cybercrime Wave: Costly or Not?
From the New York Times, April 14, 2012
___________________________________________________________________
The Cybercrime Wave that Wasn't
An op-ed piece addresses the question of the economic impact of
cybercrime, finding little data to support numbers that have been
widely cited.
http://www.nytimes.com/2012/04/15/opinion/sunday/the-cybercrime-wave-that-wasnt.html?_r=1
====================================================================
Listing of academic positions available
by Cynthia Irvine
====================================================================
http://cisr.nps.edu/jobscipher.html
--------------
This job listing is maintained as a service to the academic
community. If you have an academic position in computer security and
would like to have it included on this page, send the following
information:
Institution,
City, State,
Position title,
date position announcement closes, and
URL of position description
to: irvine@cs.nps.navy.mil
====================================================================
Conference and Workshop Announcements
Upcoming Calls-For-Papers and Events
====================================================================
The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html
The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html
____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________
Calendar of Security and Privacy Related Events
maintained by Hilarie Orman
Date (Month/Day/Year), Event, Locations, web page for more info.
5/31/12: IEEE Transactions on Information Forensics and Security,
Special Issue on Privacy and Trust Management in Cloud and
Distributed Systems;
http://www.signalprocessingsociety.org/uploads/special_issues_deadlines/privacy_policy.pdf;
Submissions are due
6/ 1/12: IEEE Network Magazine,
Special Issue on Cyber Security of Networked Critical Infrastructures;
http://dl.comsoc.org/livepubs/ni/info/cfp/cfpnetwork0113.htm;
Submissions are due
6/ 1/12: ACSAC, 28th Annual Computer Security Applications Conference,
Buena Vista Palace Hotel & Spa in the Walt Disney World Resort,
Florida, USA;
http://www.acsac.org;
Submissions are due
6/ 1/12: ICDFI, 1st International Conference on Digital Forensics and
Investigation,
Beijing China; http://secmeeting.ihep.ac.cn;
Submissions are due
6/ 1/12: MANSEC-CC, 1st International workshop on Management and Security
technologies for Cloud Computing,
Held in conjunction with the 2012 IEEE GLOBECOM,
Disneyland Hotel, Anaheim, California, USA;
http://www.icsd.aegean.gr/ccsl/mansec-cc/
Submissions are due
6/ 1/12: DPM, 7th International Workshop on Data Privacy Management,
Co-located with ESORICS 2012,
Pisa, Italy; http://www-ma4.upc.edu/DPM2012/main.html;
Submissions are due
6/ 4/12: Nordsec, 17th Nordic Conference in Secure IT Systems,
Karlskrona, Sweden;
http://www.bth.se/com/nordsec2012.nsf/pages/nordsec2012
Submissions are due
6/ 4/12- 6/ 6/12: SEC, 27th IFIP International Information Security and
Privacy Conference,
Creta Maris Hotel, Heraklion, Crete, Greece;
http://www.sec2012.org
6/ 6/12- 6/ 8/12: HAISA, 6th International Symposium on Human Aspects of
Information Security and Assurance,
Hersonissos, Crete, Greece;
http://haisa.org/
6/ 6/12- 6/ 8/12: WDFIA, 7th International Workshop on Digital Forensics and
Incident Analysis, Hersonissos, Crete, Greece;
http://www.wdfia.org/
6/10/12- 6/15/12: SFCS, 1st IEEE International Workshop on Security and
Forensics in Communication Systems,
Held in conjunction with IEEE ICC 2012,
Ottawa, Canada; http://sites.google.com/site/sfcs2012/
6/15/12: NSS, 6th International Conference on Network and System Security,
Wu Yi Shan, Fujian, China;
http://anss.org.au/nss2012/index.html;
Submissions are due
6/15/12: HICSS-CSS, 46th HAWAII International Conference on System Sciences,
Internet and the Digital Economy Track,
Cybercrime and Security Strategy Mini-track,
Grand Wailea, Maui, Hawaii, USA;
http://www.hicss.hawaii.edu/hicss_46/apahome46.htm
Submissions are due
6/18/12- 6/21/12: ICDCS-NFSP, 1st International Workshop on Network Forensics,
Security and Privacy, Held in conjunction with ICDCS 2012,
Macau, China;
http://www.deakin.edu.au/~syu/nfsp/
6/18/12- 6/21/12: ICDCS-SPCC, 3rd International Workshop on Security and
Privacy in Cloud Computing, Held in conjunction with ICDCS 2012,
Macau, China; http://www.ece.iit.edu/~ubisec/workshop.htm
6/19/12- 6/22/12: WISTP, 6th Workshop on Information Security Theory and
Practice,
London, UK; http://www.wistp.org/
6/20/12- 6/22/12: SACMAT, 17th ACM Symposium on Access Control Models and
Technologies,
Newark, NJ, USA; http://www.sacmat.org
6/22/12: GameSec, 3rd Conference on Decision and Game Theory for Security,
Budapest, Hungary;
http://www.gamesec-conf.org
Submissions are due
6/24/12: WIFS, IEEE International Workshop on Information Forensics
and Security,
Tenerife, Spain; http://www.wifs12.org/
Submissions are due
6/25/12: DSPAN, 3rd IEEE Workshop on Data Security and PrivAcy in wireless
Networks, Held in conjunction with The Thirteenth International
Symposium on a World of Wireless, Mobile and Multimedia
Networks (WoWMoM 2012),
San Francisco, CA, USA;
http://www.ee.washington.edu/research/nsl/DSPAN_2012/
6/25/12- 6/27/12: Mobisec, 4th International Conference on Security and
Privacy in Mobile Information and Communication Systems,
Frankfurt, Germany; http://mobisec.org/2012
6/25/12- 6/27/12: eGSSN, International Workshop on Trust, Security and
Privacy in e-Government, e-Systems & Social Networking,
Held in conjunction with the 11th IEEE International Conference
on Trust, Security and Privacy in Computing and
Communications (TrustCom 2012), Liverpool, UK;
http://webs.um.es/jmalcaraz/eGSSN12
6/26/12- 6/28/12: DFIS, 6th International Symposium on Digital Forensics and
Information Security, Vancouver, Canada;
http://web.ftrai.org/dfis2012
6/26/12- 6/29/12: ACNS, 10th International Conference on Applied Cryptography
and Network Security, Singapore
http://icsd.i2r.a-star.edu.sg/acns2012
6/29/12: STAST, 2nd International Workshop on Socio-Technical Aspects of
Security and Trust, Co-located with Computer Security Foundation
Symposium (CSF 2012), Harvard University, Cambridge, MA, USA;
http://www.stast2012.uni.lu
7/ 2/12: NPSec, 7th Workshop on Secure Network Protocols,
Austin, Texas, USA;
http://www.cse.msu.edu/~feichen/NPSec2012/
Submissions are due
7/ 4/12: SAEPOG, Secure Autonomous Electric Power Grids Workshop,
Co-located with the Sixth IEEE International Conference on
Self-Adaptive and Self-Organizing Systems (SASO 2012),
Lyon, France;
https://sites.google.com/site/saepog/
Submissions are due
7/ 9/12: RFIDsec-Asia, Workshop on RFID and IoT Security,
Taipei, Taiwan;
http://rfidsec2012.cs.ntust.edu.tw
Submissions are due
7/11/12- 7/13/12: PETS, 12th Privacy Enhancing Technologies Symposium,
Vigo, Spain;
http://petsymposium.org/2012/
7/13/12: ICISS, 8th International Conference on Information Systems Security,
Guwahati, India;
http://www.iitg.ernet.in/iciss2012/
Submissions are due
7/15/11- 7/15/12: IEEE Internet Computing, Track Articles on Computer Crime;
http://www.computer.org/portal/web/computingnow/cfptrack;
Submissions are due
7/16/12: CCSW, ACM Cloud Computing Security Workshop,
Held in conjunction with ACM CCS 2012,
Sheraton Raleigh Hotel, Raleigh, NC, USA;
http://crypto.cs.stonybrook.edu/ccsw12
Submissions are due
7/16/12: STC, 7th ACM Workshop on Scalable Trusted Computing,
Held in conjunction with ACM CCS 2012,
Sheraton Raleigh Hotel, Raleigh, NC, USA;
http://www.cs.utsa.edu/~acmstc/stc2012/
Submissions are due
7/16/12: AISec, 5th ACM Workshop on Artificial Intelligence and Security,
Held in conjunction with ACM CCS 2012,
Sheraton Raleigh Hotel, Raleigh, NC, USA;
http://research.microsoft.com/en-us/events/aisec2012/default.aspx
Submissions are due
7/16/12: BADGERS, ACM Workshop on Building Analysis Datasets and Gathering
Experience Returns for Security,
Held in conjunction with ACM CCS 2012,
Sheraton Raleigh Hotel, Raleigh, NC, USA;
https://researcher.ibm.com/view_project.php?id=3360
Submissions are due
7/16/12- 7/20/12: SAPSE, 4th IEEE International Workshop on Security
Aspects of Process and Services Engineering,
Held in conjunction with the IEEE Signature Conference on Computers,
Software, and Applications (COMPSAC 2012), Izmir, Turkey;
http://compsac.cs.iastate.edu/workshop_details.php?id=48&y
7/18/12- 7/19/12: LASER, Workshop on Learning from Authoritative Security
Experiment
Results, Arlington, VA, USA;
http://www.cert.org/laser-workshop/
7/24/12- 7/27/12: SECRYPT, 9th International Conference on Security and
Cryptography,
Rome, Italy;
http://secrypt.icete.org
7/30/12- 8/ 2/12: SecIoT, Workshop on the Security of the Internet of Things,
Munich, Germany;
http://www.nics.uma.es/seciot12/
8/ 1/12: NDSS, 20th Annual Network and Distributed System Security Symposium,
Catamaran Resort Hotel and Spa San Diego, California, USA;
http://www.internetsociety.org/events/ndss-symposium-2013
Submissions are due
8/ 3/12: eCrime-Summit, 7th IEEE eCrime Researchers Summit,
Held in conjunction with the 2012 APWG General Meeting,
Las Croabas, Puerto Rico;
http://ecrimeresearch.org
Submissions are due
8/ 6/12: CSET, 5th Workshop on Cyber Security Experimentation and Test,
Bellevue, WA, USA;
http://www.usenix.org/events/cset12/
8/ 6/12- 8/ 7/12: HealthSec, 3rd USENIX Workshop on Health Security and Privacy
Bellevue, WA, USA;
http://www.usenix.org/events/healthsec12/
8/ 8/12- 8/10/12: USENIX-Security, 21st USENIX Security Symposium,
Bellevue, WA, USA;
http://www.usenix.org/events/sec12/
8/20/12- 8/24/12: SecSE, 6th International Workshop on Secure Software
Engineering,
Held in conjunction with ARES 2012, Prague, Czech Republic;
http://www.sintef.org/secse
8/20/12- 8/24/12: WSDF, 5th International Workshop on Digital Forensics,
Held in conjunction with ARES 2012, Prague, Czech Republic;
http://www.ares-conference.eu/conf/index.php?option=com_content&view=article&id=49&Itemid=95
8/20/12- 8/24/12: MoCrySEn, 1st International Workshop on Modern Cryptography
and Security Engineering, Held in conjunction with ARES 2012,
Prague, Czech Republic;
http://www.ares-conference.eu/conf/index.php?option=com_content&view=article&id=65&Itemid=120
9/ 3/12- 9/ 7/12: TrustBus, 9th International Conference on Trust, Privacy, and
Security in Digital Business,
Held in conjunction with DEXA 2012,
Vienna University of Technology, Austria;
http://www.ds.unipi.gr/trustbus12/
9/ 9/12- 9/12/12: CHES, IACR Workshop on Cryptographic Hardware and Embedded
Systems,
Leuven, Belgium;
http://www.iacr.org/workshops/ches/ches2012/start.php
9/10/12: SAEPOG, Secure Autonomous Electric Power Grids Workshop,
Co-located with the Sixth IEEE International Conference on
Self-Adaptive and Self-Organizing Systems (SASO 2012),
Lyon, France; https://sites.google.com/site/saepog/
9/12/12: CloudSec, 4th International Workshop on Security in Cloud Computing,
Held in conjunction with the 41st ICPP,
Pittsburgh, PA, USA;
http://bingweb.binghamton.edu/~ychen/CloudSec2012.htm
9/12/12- 9/13/12: DPM, 7th International Workshop on Data Privacy Management,
Co-located with ESORICS 2012,
Pisa, Italy;
http://www-ma4.upc.edu/DPM2012/main.html
9/17/12- 9/18/12: CRITIS, 7th International Workshop on Critical Information
Infrastructures Security, Radisson Blu Lillehammer Hotel,
Turisthotellveien 6, 2609 Lillehammer, Norway;
http://critis12.hig.no
9/19/12- 9/21/12: NSPW, New Security Paradigms Workshop,
Bertinoro, Italy; http://www.nspw.org
9/21/12- 9/23/12: ICDFI, 1st International Conference on Digital Forensics
and Investigation,
Beijing China;
http://secmeeting.ihep.ac.cn
9/26/12- 9/28/12: ProvSec, 6th International Conference on Provable Security,
Chengdu, China;
http://www.ccse.uestc.edu.cn/provsec/callforpapers.html
9/30/12: ESSoS, 5th International Symposium on Engineering Secure Software
and Systems, Paris, France;
http://distrinet.cs.kuleuven.be/events/essos2013/
Submissions are due
10/ 1/12: IEEE Network Magazine,
Special Issue on Security in Cognitive Radio Networks;
http://www.comsoc.org/files/Publications/Magazines/ni/cfp/cfpnetwork0513.htm;
Submissions are due
10/ 1/12-10/ 4/12: SSS, 14th International Symposium on Stabilization,
Safety, and Security of Distributed Systems,
Toronto, Canada; http://www.cs.uwaterloo.ca/sss2012/
10/ 8/12-10/11/12: SRDS, 31st International Symposium on Reliable Distributed
Systems,
Irvine, California, USA;
http://web.mst.edu/~cswebdb/srds2012/
10/13/12: FC, 17th International Conference on Financial Cryptography
and Data Security,
Bankoku Shinryokan, Busena Terrace Beach Resort, Okinawa, Japan;
http://fc13.ifca.ai/cfp.html
Submissions are due
10/15/12: BADGERS, ACM Workshop on Building Analysis Datasets and Gathering
Experience Returns for Security,
Held in conjunction with ACM CCS 2012,
Sheraton Raleigh Hotel, Raleigh, NC, USA;
https://researcher.ibm.com/view_project.php?id=3360
10/16/12-10/18/12: ACM-CCS, 19th ACM Conference on Computer and Communications
Security,
Raleigh, North Carolina, USA;
http://www.sigsac.org/ccs/CCS2012/
10/19/12: CCSW, ACM Cloud Computing Security Workshop,
Held in conjunction with ACM CCS 2012,
Sheraton Raleigh Hotel, Raleigh, NC, USA;
http://crypto.cs.stonybrook.edu/ccsw12
10/19/12: STC, 7th ACM Workshop on Scalable Trusted Computing,
Held in conjunction with ACM CCS 2012,
Sheraton Raleigh Hotel, Raleigh, NC, USA;
http://www.cs.utsa.edu/~acmstc/stc2012/
10/19/12: AISec, 5th ACM Workshop on Artificial Intelligence and Security,
Held in conjunction with ACM CCS 2012,
Sheraton Raleigh Hotel, Raleigh, NC, USA;
http://research.microsoft.com/en-us/events/aisec2012/default.aspx
10/20/12-10/25/12: LCN-SICK, Workshop on Security in Communications Networks,
Held in Conjunction with IEEE LCN 2012, Clearwater, FL, USA;
http://www.sick-workshop.org/
10/23/12-10/24/12: eCrime-Summit, 7th IEEE eCrime Researchers Summit,
Held in conjunction with the 2012 APWG General Meeting,
Las Croabas, Puerto Rico;
http://ecrimeresearch.org
10/30/12: NPSec, 7th Workshop on Secure Network Protocols,
Austin, Texas, USA;
http://www.cse.msu.edu/~feichen/NPSec2012/
10/31/12-11/ 2/12: Nordsec, 17th Nordic Conference in Secure IT Systems,
Karlskrona, Sweden;
http://www.bth.se/com/nordsec2012.nsf/pages/nordsec2012
11/ 5/12-11/ 6/12: GameSec, 3rd Conference on Decision and Game Theory for
Security,
Budapest, Hungary;
http://www.gamesec-conf.org
11/ 8/12-11/ 9/12: RFIDsec-Asia, Workshop on RFID and IoT Security,
Taipei, Taiwan;
http://rfidsec2012.cs.ntust.edu.tw
11/21/12-11/23/12: NSS, 6th International Conference on Network and System
Security,
Wu Yi Shan, Fujian, China;
http://anss.org.au/nss2012/index.html
12/ 2/12-12/ 5/12: WIFS, IEEE International Workshop on Information Forensics
and Security, Tenerife, Spain;
http://www.wifs12.org/
12/ 3/12-12/ 7/12: ACSAC, 28th Annual Computer Security Applications Conference,
Buena Vista Palace Hotel & Spa in the Walt Disney World Resort,
Florida, USA;
http://www.acsac.org
12/ 3/12-12/ 7/12: MANSEC-CC, 1st International workshop on Management and
Security technologies for Cloud Computing,
Held in conjunction with the 2012 IEEE GLOBECOM,
Disneyland Hotel, Anaheim, California, USA;
http://www.icsd.aegean.gr/ccsl/mansec-cc/
12/ 9/12-12/14/12: LISA, 26th Large Installation System Administration
Conference,
San Diego, CA, USA;
http://www.usenix.org/lisa12/
12/15/12-12/19/12: ICISS, 8th International Conference on Information Systems
Security, Guwahati, India;
http://www.iitg.ernet.in/iciss2012/
1/ 7/13- 1/10/13: HICSS-CSS, 46th HAWAII International Conference on System
Sciences, Internet and the Digital Economy Track,
Cybercrime and Security Strategy Mini-track,
Grand Wailea, Maui, Hawaii, USA;
http://www.hicss.hawaii.edu/hicss_46/apahome46.htm
2/24/13- 2/27/13: NDSS, 20th Annual Network and Distributed System Security
Symposium,
Catamaran Resort Hotel and Spa San Diego, California, USA;
http://www.internetsociety.org/events/ndss-symposium-2013
2/27/13- 3/ 1/13: ESSoS, 5th International Symposium on Engineering Secure
Software and Systems, Paris, France;
http://distrinet.cs.kuleuven.be/events/essos2013/
4/ 1/13- 4/ 5/13: FC, 17th International Conference on Financial Cryptography
and Data Security,
Bankoku Shinryokan, Busena Terrace Beach Resort, Okinawa, Japan;
http://fc13.ifca.ai/cfp.html
____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers
(new since Cipher E107)
___________________________________________________________________
-------------------------------------------------------------------------
IEEE Transactions on Information Forensics and Security,
Special Issue on Privacy and Trust Management in Cloud and Distributed Systems,
June 1, 2013, (Submission Due 31 May 2012)
http://www.signalprocessingsociety.org/uploads/special_issues_deadlines/privacy_policy.pdf
Editors: Karl Aberer (Ecole Polytechnique Federale de Lausanne, Switzerland),
Sen-ching Samson Cheung (University of Kentucky, USA),
Jayant Haritsa (Indian Institute of Science, India),
Bill Horne (Hewlett-Packard Laboratories, USA),
Kai Hwang (University of Southern California, USA),
and Yan (Lindsay) Sun (University of Rhode Island, USA)
With the increasing drive towards availability of data and services anytime
anywhere, privacy risks have significantly increased. Unauthorized disclosure,
modification, usage, or uncontrolled access to privacy-sensitive data may
result in high human and financial costs. In the distributed computing
environments, trust plays a crucial role in mitigating the privacy risk by
guaranteeing meaningful interactions, data sharing, and communications.
Trust management is a key enabling technology for security and privacy
enhancement. While privacy preservation and trust management are already
challenging problems, it is imperative to explore how privacy-oriented and
trust-oriented approaches can integrate to bring new solutions in
safeguarding information sharing and protecting critical cyber-infrastructure.
Furthermore, there are questions about whether existing trust models and
privacy preserving schemes are robust against attacks. This Call for
Papers invites researchers to contribute original articles that cover a
broad range of topics related to privacy preservation and trust management
in cloud and distributed systems, with a focus on emerging networking
contexts such as social media, cloud computing, and power grid systems.
Example topics include but are not limited to:
- Privacy Enhanced Technology: privacy preserving data mining, publishing,
and disclosure; access control, anonymity, audit, and authentication;
applied cryptography, cryptanalysis, and digital signatures in PET; abuse
cases and threat modeling; theoretical models and formal methods; application
of physical security for privacy enhancement.
- Trust and Reputation Management: trust management architectures and trust
models; quantitative metrics and computation; security of trust management
protocols/systems; evaluation and test bed; trust related privacy enhancement
solutions.
- Privacy and Trust in Emerging Complex Systems including: social networking;
cloud computing; power grid systems; sensor networks; Internet of Things;
multimedia surveillance networks.
- Other Related Topics such as trust and privacy policies; human factors and
usability; censorship; economics of trust and privacy; behavior modeling.
-------------------------------------------------------------------------
IEEE Network Magazine,
Special Issue on Cyber Security of Networked Critical Infrastructures,
January 2013,
(Submission Due 1 June 2012)
http://dl.comsoc.org/livepubs/ni/info/cfp/cfpnetwork0113.htm
Editors: Saeed Abu-Nimeh (Damballa Inc., USA),
Ernest Foo (Queensland University of Technology Australia, Australia),
Igor Nai Fovino (Global Cyber Security Center, Italy),
Manimaran Govindarasu (Iowa State University, USA),
and Tommy Morris (Mississippi State University, USA)
The daily lives of millions of people depend on processing information and
material through a network of critical infrastructures. Critical infrastructures
include agriculture and food, water, public health, emergency services,
government, the defense industrial base, information and telecommunications,
energy, transportation and shipping, banking and finance, chemical industry
and hazardous materials, post, national monuments and icons, and critical
manufacturing. Disruption or disturbance of critical infrastructures can
lead to economical and human losses. Additionally, the control network of
most critical installations is integrated with broader information and
communication systems, including the company business network. Most
maintenance services on process control equipment are performed remotely.
Further, the cyber security of critical infrastructure systems has come
into focus recently as more of these systems are exposed to the Internet.
Therefore, Critical Infrastructure Protection (CIP) has become a topic of
interest for academics, industries, governments, and researchers in the
recent years. A common theme among critical infrastructure is the dependence
upon secure cyber systems for command and control. This special issue will
focus on network aspects that impact the cyber security of Critical
Infrastructure Protection and Resilience. Tutorial based manuscripts which
cover recent advances in one or more of the topic areas below are requested.
Topics may include (but are not limited to):
- Security of supervisory control and data acquisition (SCADA) systems
- Security of the smart grid
- Cyber security of industrial control systems
- Security of complex and distributed critical infrastructures
- DNS and Internet Security (as critical infrastructures)
- Security metrics, benchmarks, and data sets
- Attack modeling, prevention, mitigation, and defense
- Early warning and intrusion detection systems
- Self-healing and self-protection systems
- Advanced forensic methodologies
- Cyber-physical systems security approaches and algorithms
- Critical infrastructure security policies, standards and regulations
- Vulnerability and risk assessment methodologies for distributed
critical infrastructures
- Simulation and testbeds for the security evaluation of critical
infrastructures
-------------------------------------------------------------------------
Nordsec 2012 17th Nordic Conference in Secure IT Systems,
Karlskrona, Sweden, October 31 - November 2, 2012.
(Submissions due 4 June 2012)
http://www.bth.se/com/nordsec2012.nsf/pages/nordsec2012
Since 1996, the NordSec conferences have brought together computer
security researchers and practitioners from around the world, particularly
from the Nordic countries and Northern Europe. The conference focuses on
applied IT security and is intended to encourage interaction between
academic and industrial research. Contributions should reflect original
research, developments, studies and practical experience within all areas
of IT security. NordSec 2012 welcomes contributions over a broad range of
topics in IT security, including, but not limited to, the following areas:
- Applied Cryptography
- Information Warfare & Cyber Security
- Communication & Network Security
- Wireless and Mobile Security
- Computer Crime and Forensics
- Hardware Security
- Virtual Platform Security
- Web and Cloud Security
- Identity Management
- Authentication and Biometrics
- Firewalls and Intrusion Detection
- New Ideas and Paradigms in Security
- Operating System Security
- PKI Systems and Key Escrow
- Privacy & Anonymity
- Security Education and Training
- Security Evaluations and Assurance
- Security Management and Audit
- Social-Engineering and Phishing
- Software and Application Security
- Trust and Reputation Management
-------------------------------------------------------------------------
NSS 2012 6th International Conference on Network and System Security,
Wu Yi Shan, Fujian, China, November 21-23, 2012.
(Submissions due 15 June 2012)
http://anss.org.au/nss2012/index.html
NSS is an annual international conference covering research in network
and system security. The conference seeks submissions from academia,
industry, and government presenting novel research on all theoretical
and practical aspects of network security, privacy, applications
security, and system security. Papers describing case studies,
implementation experiences, and lessons learned are also encouraged.
Topics of interest include but are not limited to:
- Active Defense Systems
- Hardware Security
- Security in P2P systems
- Adaptive Defense Systems
- Analysis, Benchmark of Security Systems
- Identity Management
- Intelligent Defense Systems
- Security in Cloud and Grid Systems
- Security in E-Commerce
- Applied Cryptography
- Authentication
- Insider Threats
- Intellectual Property Rights Protection
- Security in Pervasive/Ubiquitous Computing
- Security and Privacy in Smart Grid
- Biometric Security
- Complex Systems Security
- Internet and Network Forensics
- Intrusion Detection and Prevention
- Secure Mobile Agents and Mobile Code
- Security and Privacy in Wireless Networks
- Database and System Security
- Data Protection
- Key Distribution and Management
- Large-scale Attacks and Defense
- Security Policy
- Security Protocols
- Data/System Integrity
- Distributed Access Control
- Malware
- Network Resiliency
- Security Simulation and Tools
- Security Theory and Tools
- Distributed Attack Systems
- Network Security
- Standards and Assurance Methods
- Denial-of-Service
- RFID Security and Privacy
- Trusted Computing
- High Performance Network Virtualization
- Security Architectures
- Trust Management
- High Performance Security Systems
- Security for Critical Infrastructures
- World Wide Web Security
-------------------------------------------------------------------------
HICSS-CSS 2013 46th HAWAII International Conference on System Sciences,
Internet and the Digital Economy Track,
Cybercrime and Security Strategy Mini-track,
Grand Wailea, Maui, Hawaii, USA, January 7 - 10, 2013.
(Submissions due 15 June 2012)
http://www.hicss.hawaii.edu/hicss_46/apahome46.htm
We invite you to submit a paper for mini-track "Cybercrime and Security
Strategy" scheduled for the 46th Hawaii International Conference on System
Sciences (HICSS). The diffusion of computer technologies worldwide has
resulted in an unprecedented global expansion of computer-based criminal
activity. There appears to be a need for research into cybercrime
activities, and their causes. At the same time, it has become imperative
to effectively protect information assets. This mini-track also aims
to enhance understanding of the issues associated with information
security strategy. Topics of interest include (but are not limited to):
- Cyber crime activities, and their motivations
- Cyber security policy
- Cyber-infrastructure protection
- Legal and ethical challenges to cyber crime
- Digital forensics
- Cyber crime and societal implications
- Information security strategy
- Planning for information security
- Organizational barriers to security
- Understanding security culture
-------------------------------------------------------------------------
GameSec 2012 3rd Conference on Decision and Game Theory for Security,
Budapest, Hungary, November 5-6, 2012.
(Submissions due 22 June 2012)
http://www.gamesec-conf.org
The conference will explore security as a multifaceted economic problem by
considering the complexities of the underlying technical infrastructure,
and human and social factors. Securing resources involves decision making
on multiple levels and multiple time scales, given the limited resources
available to both malicious attackers and administrators defending networked
systems. The GameSec conference aims to bring together researchers who are
working on the theoretical foundations and behavioral aspects of enhancing
security capabilities in a principled manner. Previous GameSec contributions
included analytic models based on game, information, communication,
optimization, decision, and control theories that were applied to diverse
security topics. In addition, we welcome research that highlights the
connection between economic incentives and real world security, reputation,
trust and privacy problems. The conference is soliciting full and short
papers on all economic aspects of security and privacy. Submitted papers
will be evaluated based on their significance, originality, technical
quality, and exposition. They should clearly establish the research
contribution, their relevance to security and privacy, and their relation
to prior research. General theoretic contributions are welcome if they
discuss potential scenarios of application in the areas of security and
privacy.
-------------------------------------------------------------------------
WIFS 2012 IEEE International Workshop on Information Forensics and Security,
Tenerife, Spain, December 2-5, 2012.
(Submissions due 24 June 2012)
http://www.wifs12.org/
The IEEE International Workshop on Information Forensics and Security
(WIFS) is the primary annual event organized by the IEEE's Information
Forensics and Security Technical Committee (IEEE IFS TC). Being the
main annual event organized by IEEE IFS TC, the scope of WIFS is broader
than other more specific conferences, and it represents the most
prominent venue for researchers to exchange ideas and identify
potential areas of collaboration. Focusing on these targets, the
conference will feature three keynote speakers, up to four tutorials,
a track of lecture and poster sessions.
-------------------------------------------------------------------------
NPSec 2012 7th Workshop on Secure Network Protocols,
Austin, Texas, USA, October 30, 2012.
(Submissions due 2 July 2012)
http://www.cse.msu.edu/~feichen/NPSec2012/
NPSec focuses on two general areas. The first focus is on the development
and analysis of secure or hardened protocols for the operation
(establishment and maintenance) of network infrastructure, including
such targets as secure multidomain, ad hoc, sensor or overlay networks,
or other related target areas. This can include new protocols,
enhancements to existing protocols, protocol analysis, and new attacks on
existing protocols. The second focus is on employing such secure network
protocols to create or enhance network applications. Examples include
collaborative firewalls, incentive strategies for multiparty networks,
and deployment strategies to enable secure applications. Papers of
special merit might be considered for fast track publication in the
Computer Communications journal.
-------------------------------------------------------------------------
SAEPOG 2012 Secure Autonomous Electric Power Grids Workshop,
Co-located with the Sixth IEEE International Conference on Self-Adaptive and
Self-Organizing Systems (SASO 2012), Lyon, France, September 10, 2012.
(Submissions due 4 July 2012)
https://sites.google.com/site/saepog/
Electric energy grids worldwide are becoming smarter and more adaptive to
efficiently bring power from a wide variety of production technologies to
a broad consumer base. With this increase in complexity and adaptivity we
see an ever-increasing demand for predictable power availability and
cost-optimizing control of power consumption (and local generation where
available) among consumers. "Security" in the grid has many dimensions,
from protecting national resources against human adversaries to simply
guaranteeing the availability of power to customers. This workshop is
concerned with creating autonomous electric power grids that are secure
in all senses of the word.
Traditional power management models rely heavily on a centralized authority
to dispatch generation and curtail load without any means for consumers to
affect the decision process. The increasing dependence on renewable sources
of energy invalidates the currently prevailing paradigm "supply follows
demand" for energy management, since power generation from wind or solar
panels is not controllable and only partially predictable. The resulting
new paradigm "demand follows supply" inherently depends on the discovery
and exploitation of demand flexibility which implies the necessity of a
decentralized energy information system with distributed system intelligence
for power management and control. Obviously, distributed control also
implies potential security concerns for the system and those who rely on it.
This situation calls for power generation, storage, and distribution systems
that are "aware" of the supply and demand situation and can adapt the load
automatically, quickly, and stably. This workshop will examine how autonomous
self-adaptive and self-organizing systems may be designed for energy
management and control in the future smart grid ranging from national
or international high-voltage transportation systems to low-voltage local
distribution systems. We will also consider smart combination with other
networks like natural gas or thermal grids. We will discuss how existing
systems can be made more autonomic (e.g., self-*) and how the designers of
new systems can ensure that these systems deliver power within design
constraints reliably.
The important management challenge is to create dependable, decentralized
control and collaboration of the many stakeholders like transportation system
operators, distribution system operators and demand-side managers. This is a
highly complex system whose complexity is not determined merely by its size.
Future power grids are loosely integrated cyber-physical-human systems that
combine traditional power control with smart information, communication, and
technology, etc. The daunting security and management challenges that arise
from these interdependent couplings will require much research for many years
to come.
-------------------------------------------------------------------------
RFIDsec-Asia 2012 Workshop on RFID and IoT Security,
Taipei, Taiwan, November 8-9, 2012.
(Submissions due 9 July 2012)
http://rfidsec2012.cs.ntust.edu.tw
The workshop series of RFIDsec Asia, the Asia branch of RFIDsec, aims to
provide researchers, enterprises and governments a platform to investigate,
discuss and propose new solutions on security and privacy issues of RFID/IoT
(Internet of Things) technologies and applications. Papers with original
research in theory and practical system design concerning RFID/IoT security
are solicited. Topics of the workshop include but are not limited to:
- New applications for secure RFID/ IoT systems
- Data integrity and privacy protection techniques for RFID/ IoT
- Attacks and countermeasures on RFID/IoT systems
- Design and analysis on secure RFID/IoT hardware
- Risk assessment and management on RFID/IoT applications
- Trust model, data aggregation and information sharing for EPCglobal
network and sensor network
- Resource-efficient implementation of cryptography
- Integration of secure RFID/IoT systems
- Cryptographic protocols for RFID/IoT systems
-------------------------------------------------------------------------
ICISS 2012 8th International Conference on Information Systems Security,
Guwahati, India, December 15-19, 2012.
(Submissions due 13 July 2012)
http://www.iitg.ernet.in/iciss2012/
The conference series ICISS provides a forum for disseminating latest
research results in information and systems security. Submissions are
encouraged from academia, industry and government addressing theoretical
and practical problems in information and systems security and related
areas. Research community and academics are invited to submit theoretical
and application oriented full and short papers making a significant
research contribution on Information Systems Security. Papers with
original research and unpublished work are to be submitted. Topics of
interest include (but are not limited to):
- Application Security
- Formal Methods in Security
- Operating System Security
- Authentication and Access Control
- Intrusion Detection, Prevention & Response
- Privacy and Anonymity
- Biometric Security
- Intrusion Tolerance and Recovery
- Security in P2P, Sensor and Ad Hoc Networks
- Data Security
- Key Management and Cryptographic Protocols
- Software Security
- Digital Forensics and Diagnostics
- Language-based Security
- Vulnerability Detection and Mitigation
- Digital Rights Management
- Malware Analysis and Mitigation
- Web Security
- Distributed System Security
- Network Security
-------------------------------------------------------------------------
IEEE Internet Computing, Track Articles on Computer Crime, 2012,
(Submissions will be accepted for this track from 15 July 2011 to 15 July 2012)
http://www.computer.org/portal/web/computingnow/cfptrack
Editors: Nasir Memon (New York University, USA)
and Oliver Spatscheck (AT&T, USA)
As the Internet has grown and extended its reach into every part of
people's lives, it shouldn't be surprising that criminals have seized the
opportunity to expand their activities into this new realm. This has been
fostered in particular by the fact that the Internet was designed as an open
and trusting environment. Unfortunately many of these architectural choices are
fundamental to the Internet's success and current architecture and are therefore
hard to overcome. Computer crime ranges from rather simple crimes such as theft
of intellectual property or computer and network resources to complex corporate
espionage or even cyber terrorism. This special track for Internet Computing
seeks original articles that cover computer crime as it relates to the Internet.
Appropriate topics include:
- trends and classification of criminal activities on the Internet;
- computer crime prevention, including approaches implemented in user
interfaces, end user systems, networks, or server infrastructure;
- case studies of criminal activities;
- computer forensics;
- impact assessments of criminal activities on the Internet; and
- new architectures to prevent Internet crime
Track articles run one per issue for a single calendar year. Articles will be
run in the order in which they are accepted for publication.
-------------------------------------------------------------------------
CCSW 2012 ACM Cloud Computing Security Workshop,
Held in conjunction with ACM CCS 2012,
Sheraton Raleigh Hotel, Raleigh, NC, USA, October 19, 2012.
(Submissions due 16 July 2012)
http://crypto.cs.stonybrook.edu/ccsw12
Notwithstanding the latest buzzword (grid, cloud, utility computing, SaaS,
etc.), large-scale computing and cloud-like infrastructures are here to
stay. What exactly they will look like tomorrow is still for the markets
to decide, yet one thing is certain: clouds bring with them new untested
deployment and associated adversarial models and vulnerabilities. It is
essential that our community becomes involved at this early stage. The
CCSW workshop aims to bring together researchers and practitioners in
all security aspects of cloud-centric and outsourced computing, including:
- practical cryptographic protocols for cloud security
- secure cloud resource virtualization mechanisms
- secure data management outsourcing (e.g., database as a service)
- practical privacy and integrity mechanisms for outsourcing
- foundations of cloud-centric threat models
- secure computation outsourcing
- remote attestation mechanisms in clouds
- sandboxing and VM-based enforcements
- trust and policy management in clouds
- secure identity management mechanisms
- new cloud-aware web service security paradigms and mechanisms
- cloud-centric regulatory compliance issues and mechanisms
- business and security risk models and clouds
- cost and usability models and their interaction with security in clouds
- scalability of security in global-size clouds
- trusted computing technology and clouds
- binary analysis of software for remote attestation and cloud protection
- network security (DOS, IDS etc.) mechanisms for cloud contexts
- security for emerging cloud programming models
- energy/cost/efficiency of security in clouds
-------------------------------------------------------------------------
STC 2012 7th ACM Workshop on Scalable Trusted Computing,
Held in conjunction with ACM CCS 2012,
Sheraton Raleigh Hotel, Raleigh, NC, USA, October 19, 2012.
(Submissions due 16 July 2012)
http://www.cs.utsa.edu/~acmstc/stc2012/
Built on the continuous success of ACM STC 2006-2011, this workshop focuses
on fundamental technologies of trusted and high assurance computing and its
applications in large-scale systems with varying degrees of trust. The
workshop is intended to serve as a forum for researchers as well as
practitioners to disseminate and discuss recent advances and emerging
issues. The workshop solicits two types of original papers: full papers
and short/work-in-progress/position-papers. A paper submitted to this
workshop must not be in parallel submission to any other journal, magazine,
conference or workshop with proceedings. Topics of interest include but are
not limited to:
- security policies and models of trusted computing
- architecture and implementation technologies for trusted platform
- limitations, alternatives and tradeoffs regarding trusted computing
- trusted computing in cloud and data center
- cloud-based attestation services
- trusted smartphone devices and systems
- trust in smart grid, energy, and Internet of Things
- trusted emerging and future Internet infrastructure
- trusted online social network
- trust in authentications, users and computing services
- hardware based trusted computing
- software based trusted computing
- pros and cons of hardware based approach
- remote attestation of trusted devices
- censorship-freeness in trusted computing
- cryptographic support in trusted computing
- case study in trusted computing
- principles for handling scales
- scalable trust supports and services in cloud
- trusted embedded computing and systems
- virtualization and trusted computing
-------------------------------------------------------------------------
AISec 2012 5th ACM Workshop on Artificial Intelligence and Security,
Held in conjunction with ACM CCS 2012,
Sheraton Raleigh Hotel, Raleigh, NC, USA, October 19, 2012.
(Submissions due 16 July 2012)
http://research.microsoft.com/en-us/events/aisec2012/default.aspx
The applications of artificial intelligence, machine learning, and data mining
for security and privacy problems continue to grow. One recent trend is the
growth of Big Data Analytics and the establishment of Security Information
and Event Management systems built to obtain security intelligence and
situational awareness. With the advent of cloud computing, every advantage
the cloud offers, such as large-scale machine learning and data-driven
abuse detection, is being leveraged to improve security. We invite original
research papers describing the use of AI or machine learning in security
and privacy problems. We also invite position and open problem papers
discussing the role of AI or machine learning in security and privacy.
Submitted papers of these types may not substantially overlap papers that
have been published previously or that are simultaneously submitted to a
journal or conference/workshop proceedings. Finally we welcome a new
systematization of knowledge category of papers this year, which should
distill the AI or machine learning contributions of a previously published
series of security papers. Topics of interest include, but are not
limited to:
- Adversarial Learning
- Robust Statistics
- Online Learning
- Computer Forensics
- Spam detection
- Botnet detection
- Intrusion detection
- Malware identification
- Big data analytics for security
- Adaptive side-channel attacks
- Privacy-preserving data mining
- Design and analysis of CAPTCHAs
- Phishing detection and prevention
- AI approaches to trust and reputation
- Vulnerability testing through intelligent probing (e.g. fuzzing)
- Content-driven security policy management & access control
- Techniques and methods for generating training and test sets
- Anomalous behavior detection (e.g. for the purposes of fraud
prevention, authentication)
-------------------------------------------------------------------------
BADGERS 2012 ACM Workshop on Building Analysis Datasets and Gathering
Experience Returns for Security,
Held in conjunction with ACM CCS 2012,
Sheraton Raleigh Hotel, Raleigh, NC, USA, October 15, 2012.
(Submissions due 16 July 2012)
https://researcher.ibm.com/view_project.php?id=3360
The BADGERS workshop is concerned with the use of Big Data for security
and is intended to report on initiatives for Internet-scale security-related
data collection and analysis. It will provide an environment to describe
existing real-world, large-scale datasets, and to share with the security
community the return on experiences acquired by analyzing such collected data.
Furthermore, novel approaches to collect and study such data sets are welcome.
Main topics of interest:
- scalable data collection from networks, hosts, or applications
- real-time gathering and aggregation of diverse sets of raw data
- summarization of raw data with respect to security goals
- attack-resilient data collection
- characterization of dataset external validity
- scalability of security analysis with data volume
- scalability of security analysis with concurrent-attack volume
- combined historical and real-time security analysis
- evaluating result accuracy for large datasets
- real-time, incremental anonymization for data sharing
- successful, failed, and novel models of data sharing
- sharing of analysis results and supporting data
- Internet-scale sharing of security knowledge
- legal issues around data collection and sharing
-------------------------------------------------------------------------
NDSS 2013 20th Annual Network and Distributed System Security Symposium,
Catamaran Resort Hotel and Spa San Diego, California, USA, February 24-27, 2013.
(Submissions due 1 August 2012)
http://www.internetsociety.org/events/ndss-symposium-2013
The Network and Distributed System Security Symposium fosters information
exchange among researchers and practitioners of network and distributed
system security. The target audience includes those interested in practical
aspects of network and distributed system security, with a focus on actual
system design and implementation. A major goal is to encourage and enable
the Internet community to apply, deploy, and advance the state of available
network and distributed systems security technologies. Special emphasis
will be made to accept papers in the core theme of network and distributed
systems security. Consequently, papers that cover networking protocols and
distributed systems algorithms are especially invited to be submitted.
Moreover, practical papers in these areas are also very welcome. Submissions
are solicited in, but not limited to, the following areas:
- Anti-malware techniques: detection, analysis, and prevention
- Combating cyber-crime: anti-phishing, anti-spam, anti-fraud techniques
- Future Internet architecture and design
- High-availability wired and wireless networks
- Implementation, deployment and management of network security policies
- Integrating security in Internet protocols: routing, naming, network
management
- Intellectual property protection: protocols, implementations, metering,
watermarking, digital rights management
- Intrusion prevention, detection, and response
- Privacy and anonymity technologies
- Public key infrastructures, key management, certification, and revocation
- Special problems and case studies: e.g., tradeoffs between security
and efficiency, usability, reliability and cost
- Security for collaborative applications: teleconferencing and
video-conferencing
- Security for Cloud Computing
- Security for electronic commerce: e.g., payment, barter, EDI, notarization,
timestamping, endorsement, & licensing
- Security for emerging technologies: sensor networks, wireless/mobile
(and ad hoc) networks, and personal communication systems
- Security for future home networks, Internet of Things, body-area networks
- Security for large-scale systems and critical infrastructures (e.g.,
electronic voting, smart grid)
- Security for peer-to-peer and overlay network systems
- Security for Vehicular Ad-hoc Networks (VANETs)
- Security of Web-based applications and services
- Trustworthy Computing mechanisms to secure network protocols and
distributed systems
-------------------------------------------------------------------------
eCrime-Summit 2012 7th IEEE eCrime Researchers Summit,
Held in conjunction with the 2012 APWG General Meeting,
Las Croabas, Puerto Rico, October 23-24, 2012.
(Submissions due 3 August 2012)
http://ecrimeresearch.org
eCRS 2012 will bring together academic researchers, security practitioners,
and law enforcement to discuss all aspects of electronic crime and ways to
combat it. Topics of interest include (but are not limited to):
- Case studies of current attack methods, including phishing, malware,
rogue antivirus, pharming, crimeware, botnets, and emerging techniques
- Case studies of online advertising fraud, including click fraud,
malvertising, cookie stuffing, and affiliate fraud
- Case studies of large-scale take-downs, such as coordinated botnet disruption
- Technical, legal, political, social and psychological aspects of fraud and
fraud prevention
- Economics of online crime, including measurement studies of underground
economies and models of e-crime
- Uncovering and disrupting online criminal collaboration and gangs
- Financial infrastructure of e-crime, including payment processing and money
laundering
- Techniques to assess the risks and yields of attacks and the effectiveness of
countermeasures
- Delivery techniques, including spam, voice mail, social network and web search
manipulation; and countermeasures
- Techniques to avoid detection, tracking and take-down; and ways to block such
techniques
- Best practices for detecting and avoiding damage to critical internet
infrastructure, such as DNS and SCADA, from electronic crime activities
-------------------------------------------------------------------------
ESSoS 2013 5th International Symposium on Engineering Secure Software and
Systems, Paris, France, February 27 - March 1, 2013.
(Submissions due 30 September 2012)
http://distrinet.cs.kuleuven.be/events/essos2013/
Trustworthy, secure software is a core ingredient of the modern world. Hostile,
networked environments, like the Internet, can allow vulnerabilities in
software to be exploited from anywhere. To address this, high-quality
security building blocks (e.g., cryptographic components) are necessary,
but insufficient. Indeed, the construction of secure software is
challenging because of the complexity of modern applications, the growing
sophistication of security requirements, the multitude of available
software technologies and the progress of attack vectors. Clearly, a
strong need exists for engineering techniques that scale well and that
demonstrably improve the software's security properties. The goal of this
symposium is to bring together researchers and practitioners to advance the
states of the art and practice in secure software engineering. Being one of
the few conference-level events dedicated to this topic, it explicitly aims
to bridge the software engineering and security engineering communities,
and promote cross-fertilization. The Symposium seeks submissions on subjects
related to its goals. This includes a diversity of topics including (but not
limited to):
- scalable techniques for threat modeling and analysis of vulnerabilities
- specification and management of security requirements and policies
- security architecture and design for software and systems
- model checking for security
- specification formalisms for security artifacts
- verification techniques for security properties
- systematic support for security best practices
- security testing
- security assurance cases
- programming paradigms, models and DSLs for security
- program rewriting techniques
- processes for the development of secure software and systems
- security-oriented software reconfiguration and evolution
- security measurement
- automated development
- trade-off between security and other non-functional requirements
(in particular economic considerations)
- support for assurance, certification and accreditation
- empirical secure software engineering
-------------------------------------------------------------------------
IEEE Network Magazine,
Special Issue on Security in Cognitive Radio Networks,
May 2013,
(Submission Due 1 October 2012)
http://www.comsoc.org/files/Publications/Magazines/ni/cfp/cfpnetwork0513.htm
Editors: Kui Ren (Illinois Institute of Technology, USA),
Haojin Zhu (Shanghai Jiao Tong University, China),
Zhu Han (University of Houston, USA),
and Radha Poovendran (University of Washington, USA)
Cognitive radio (CR) is an emerging advanced radio technology in wireless
access, with many promising benefits including dynamic spectrum sharing,
robust cross-layer adaptation, and collaborative networking. Based on a
software-defined radio (SDR), cognitive radios are fully programmable and
can sense their environment and dynamically adapt their transmission frequencies,
power levels, modulation schemes, and networking protocols for improving
network and application performance. It is anticipated that cognitive radio
technology will be the next wave of innovation in information and
communications technologies. Although the recent years have seen major
and remarkable developments in the field of cognitive networking
technologies, the security aspects of cognitive radio networks have
attracted less attention so far. Due to the particular characteristics
of the CR system, entirely new classes of security threats and challenges
are introduced such as licensed user emulation, selfish misbehaviors and
unauthorized use of spectrum bands. These new types of attacks take
advantage of the inherent characteristics of CR, and could severely disrupt
the basic functionalities of CR systems. Therefore, for achieving
successful deployment of CR technologies in practice, there is a critical
need for new security designs and implementations to make CR networks
secure and robust against these new attacks. Topics of interest include,
but are not limited to:
- General security architecture for CR networks
- Cross-layer security design of CR networks
- Secure routing in multi-hop CR networks
- Physical layer security for CR networks
- Geo-location for security in CR networks
- Defending and mitigating jamming-based DoS attacks in CR networks
- Defending against energy depletion attacks in resource-constrained CR networks
- Attack modeling, prevention, mitigation, and defense in CR systems,
including primary user emulation attacks, authentication methods of primary
users, spectrum sensing data falsification, spectrum misusage and selfish
misbehaviors and unauthorized use of spectrum bands
- Methods for detecting, isolating and expelling misbehaving cognitive nodes
- Security policies, standards and regulations for CR networks
- Implementation and testbed for security evaluation in CR systems
- Privacy protection in CR networks
- Security issues for database-based CR networks
- Security in CR networks for the smart grid
- Intrusion detection systems in CR networks
-------------------------------------------------------------------------
FC 2013 17th International Conference on Financial Cryptography and Data
Security,
Bankoku Shinryokan, Busena Terrace Beach Resort, Okinawa, Japan, April 1-5, 2013.
(Submissions due 13 October 2012)
http://fc13.ifca.ai/cfp.html
Financial Cryptography and Data Security is a major international forum for
research, advanced development, education, exploration, and debate regarding
information assurance, with a specific focus on commercial contexts. The
conference covers all aspects of securing transactions and systems. Original
works focusing on both fundamental and applied real-world deployments on all
aspects surrounding commerce security are solicited. Submissions need not be
exclusively concerned with cryptography. Systems security and
inter-disciplinary efforts are particularly encouraged. Topics include:
- Anonymity and Privacy
- Auctions and Audits
- Authentication and Identification
- Biometrics
- Certification and Authorization
- Cloud Computing Security
- Commercial Cryptographic Applications
- Data Outsourcing Security
- Information Security
- Game Theoretic Security
- Securing Emerging Computational Paradigms
- Identity Theft
- Fraud Detection
- Phishing and Social Engineering
- Digital Rights Management
- Digital Cash and Payment Systems
- Digital Incentive and Loyalty Systems
- Microfinance and Micropayments
- Contactless Payment and Ticketing Systems
- Secure Banking and Financial Web Services
- Security and Privacy in Mobile Devices and Applications
- Security and Privacy in Automotive and Transport Systems and Applications
- Smartcards, Secure Tokens and Secure Hardware
- Privacy-enhancing Systems
- Reputation Systems
- Security and Privacy in Social Networks
- Security and Privacy in Sound and Secure Financial Systems Based on
Social Networks
- Risk Assessment and Management
- Risk Perceptions and Judgments
- Legal and Regulatory Issues
- Security Economics
- Spam
- Transactions and Contracts
- Trust Management
- Underground-Market Economics
- Usable Security
- Virtual Economies
- Voting Systems
-------------------------------------------------------------------------
====================================================================
====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________
SUBSCRIPTIONS:
Two subscription types, each with two ways to sign up:
1. To receive the full ascii CIPHER issues as e-mail, send e-mail to
cipher-admin@ieee-security.org (which is NOT automated) with subject line
"subscribe".
OR
send a note to cipher-request@mailman.xmission.com with the
subject line "subscribe"
(this IS automated - thereafter you can manage your subscription
options, including unsubscribing, yourself)
2. To receive a short e-mail note announcing when a new issue of
CIPHER is available for Web browsing send e-mail to
cipher-admin@ieee-security.org (which is NOT automated) with subject line
"subscribe postcard".
OR
send a note to cipher-postcard-request@mailman.xmission.com with the
subject line "subscribe"
(this IS automated - thereafter you can manage your subscription
options, including unsubscribing, yourself)
To remove yourself from the subscription list, send e-mail to
cipher-admin@ieee-security.org with subject line "unsubscribe" or
"unsubscribe postcard" or, if you have subscribed directly to the
xmission.com mailing list, use your password (sent monthly) to
unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard
Those with access to hypertext browsers may prefer to read Cipher
that way. It can be found at URL http://www.ieee-security.org/cipher.html
CONTRIBUTIONS:
to cipher @ ieee-security.org are invited. Cipher is a NEWSletter,
not a bulletin board or forum. It has a fixed set of departments,
defined by the Table of Contents. Please indicate in the
subject line for which department your contribution is intended.
Calendar and Calls-for-Papers entries should be sent to
cipher-cfp @ ieee-security.org
and they will be automatically included in both departments. To
facilitate the semi-automated handling, please send either a text
version of the CFP or a URL from which a text version can be easily
obtained. For Calendar entries, please include a URL and/or e-mail
address for the point-of-contact. For Calls for Papers, please submit
a one paragraph summary. See this and past issues for examples. ALL
CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS
APPLY. All reuses of Cipher material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy,
publications using Cipher material should obtain permission from the
contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________
Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html
_____________________________________________________________________
How to become a member of the
IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________
You may easily join the TC on Security & Privacy by completing
the on-line form at IEEE at http://www.computer.org/TCsignup/index.htm
______________________________________________________________________
TC Publications for Sale
______________________________________________________________________
IEEE Security and Privacy Symposium
The 2010 hardcopy proceedings are available at $25 each. The DVD with all
technical papers from all years of the SP Symposium and the CSF
Symposium (through 2009) is $10, plus shipping and handling.
The 2009 hardcopy proceedings are not available. The DVD with all
technical papers from all years of the SP Symposium and the CSF
Symposium is $5, plus shipping and handling.
The 2008 hardcopy proceedings are $10 plus shipping and handling;
the 29 year CD is $5.00, plus shipping and handling.
The 2007 proceedings are available in hardcopy for $10.00, the
28 year CD is $5.00, plus shipping and handling.
The 2006 Symposium proceedings and 11-year CD are sold out.
The 2005, 2004, and 2003 Symposium proceedings are available for $10
plus shipping and handling.
Shipping is $5.00/volume within the US, overseas surface mail is
$8/volume, and overseas airmail is $14/volume, based on an order of 3
volumes or less. The shipping charge for a CD is $3 per CD (no charge
if included with a hard copy order). Send a check made out to the
IEEE Symposium on Security and Privacy to the 2011 treasurer (below)
with the order description, including shipping method and shipping
address.
Robin Sommer
Treasurer, IEEE Symposium Security and Privacy 2011
International Computer Science Institute
Center for Internet Research
1947 Center St., Suite 600
Berkeley, CA 94704
USA
oakland11-treasurer@ieee-security.org
IEEE CS Press
You may order some back issues from IEEE CS Press at
http://www.computer.org/cspress/catalog/proc9.htm
Computer Security Foundations Symposium
Copies of the proceedings of the Computer Security Foundations
Workshop (now Symposium) are available for $10 each. Copies of
proceedings are available starting with year 10 (1997). Photocopy
versions of year 1 are also $10.
Contact Jonathan Herzog if interested in purchase.
Jonathan Herzog
jherzog@alum.mit.edu
____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________
Chair:
Sven Dietrich
Department of Computer Science
Stevens Institute of Technology
+1 201 216 8078
spock AT cs.stevens.edu
Security and Privacy Symposium Chair Emeritus:
Deborah Frincke
debfrincke@gmail.com
Vice Chair:
Patrick McDaniel
Computer Science and Engineering
Pennsylvania State University
360 A IST Building
University Park, PA 16802
(814) 863-3599
mcdaniel@cse.psu.edu
Treasurer:
Terry Benzel
USC Information Sciences Institute
4676 Admiralty Way, Suite 1001
Los Angeles, CA 90292
(310) 822-1511 (voice)
tbenzel @isi.edu
Newsletter Editor:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org
Security and Privacy Symposium, 2012 Chair:
Robert Cunningham
MIT Lincoln Laboratory
http://www.ll.mit.edu/mission/communications/ist/biographies/cunningham-bio.html
________________________________________________________________________
BACK ISSUES:
Cipher is archived at: http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year