============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 108
June 10, 2012

Hilarie Orman, Editor                       Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org           cipher-assoc-editor @ ieee-security.org

Richard Austin                              Yong Guan
Book Review Editor                          Calendar Editor
cipher-bookrev @ ieee-security.org          cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:

* Letter from the Editor
* Commentary and Opinion
  o Richard Austin's review of "Practical Malware Analysis: The Hands-On
    Guide to Dissecting Malicious Software" by Michael Sikorski and
    Andrew Honig
  o Noted in the News
    - NIST request for comments re cryptographic key management design
    - Publication: "The Next Wave" addresses security science
    - International Espionage Targets US Networks
    - Voluntary Program Imposes Restrictions on Defense Contractor Networks
    - Stuxnet, US Cyber Warfare is Here
    - Flame: Complicated, Clever, and Effective
    - FPGA Design: Useful or Deceitful?
    - Forgotten Server Releases Personal Data on Utah Patients
    - LinkedIn Caught With Its Salt Down
    - Cybercrime Wave: Costly or Not?
  o Book reviews, Conference Reports and Commentary and News items from
    past Cipher issues are available at the Cipher website
* Conference and Workshop Announcements
  o Calendar of Security-Related Events
  o Upcoming calls-for-papers
* List of Computer Security Academic Positions, by Cynthia Irvine
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

This past May the Security and Privacy Symposium held its 33rd meeting at
a new venue, The Westin St. Francis Hotel in San Francisco, California.
Attendance hit a record level of over 450, and many stayed on for one or
more of the 5 co-located workshops that followed. Planning for the 2013
conference has already started, and we are looking forward to another
stellar event in San Francisco.

This month we are pleased to note the return of our book reviewer, Richard
Austin, with his review of "Practical Malware Analysis."

There have been many articles in the wider news media about cybersecurity,
much of it from research work and a changing stance of the US government.
We have selected several for brief mention. Taken together, they may
illustrate the harsh reality of security: malware is the only game in town
and privacy is an illusion. Yet note that the article about foreign
espionage against US networks cites an annual cost estimate, while another
article cautions that these estimates are usually unfounded.

Damn the viruses, overclock the processors, full speed ahead!
Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference
reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Richard Austin
May 27, 2012
____________________________________________________________________

Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious
Software
by Michael Sikorski and Andrew Honig
No Starch Press 2012.
ISBN 978-1-59327-290-6
Amazon.com USD 35.97;
Table of Contents: http://nostarch.com/malware#toc

Malware analysis was once pretty much the exclusive province of malware
authors and anti-malware vendors but, as the authors point out (p. xxviii),
in the days of "advanced persistent threats" and other forms of targeted
digital malice, it is becoming critical to be able to answer tough
analytical questions. What exactly did the malware do, how can it be
detected in the future, how can the scope of the infection be determined
and how can one be really sure that it has been removed? The authors'
articulate, well-designed presentation goes a long way toward making the
practice of malware analysis a standard part of the technical security
professionals' repertoire.
The book has several unique features that enhance its value for self-study:

* Most chapters include labs that apply the techniques discussed in the
  chapter
* Solutions to the labs are provided in a 255-page appendix that includes
  both a short "sign-post" solution and a detailed walk-through
* Sage advice on creating a virtual environment to allow safely working
  with malware
* Author-written malware (downloaded from the companion website
  http://practicalmalwareanalysis.com/) for use in the labs (NOTE: though
  instructional and written for the book, this is real malware so be sure
  to handle appropriately)

Do note that the book is Windows-focused (Windows is still the largest
malware target though other platforms are rising fast) and that it is a
very technical book. Managerially-focused professionals will find anything
past the first few chapters very tough sledding. This is also not a book
you casually read on a rainy Sunday afternoon; working through at least
some of the labs that follow each chapter is required to garner the maximum
benefit from the book.

The authors organize their presentation into three parts dealing with
analysis (basic analysis, advanced static analysis and advanced dynamic
analysis), a fourth part dealing with malware functionality (what malware
actually has to do in order to carry out its mission), a particularly
fascinating fifth part that covers how malware authors harden their
creations to resist detection and analysis, and a final part that deals
with those interesting topics (such as shellcode analysis and 64-bit
malware) that don't really fit in the earlier sections. The presentation
is focused on practical application rather than theory, and it is peppered
with timely warnings regarding paralysis-of-analysis and knowing when to
say your analysis is sufficiently complete.
Though all the chapters have their virtues, chapter 14, "Malware-Focused
Network Signatures", is of particular note for its application of the
results of malware analysis to detecting the malware (or artifacts of its
operation) in network traffic using Snort.

A wide variety of tools are introduced (some Open Source, some free and
some commercial) and their use illustrated (and practiced in the labs).
Appendix B provides a consolidated list and the reader will want to spend
the hour or so downloading them before adventuring much past the second
chapter. While some might criticize the publisher for not providing the
tools on DVD with the book, actually visiting the sites to get the tools is
a good exercise and exposes the reader to additional documentation and
other tools that might be useful. Do be aware that some anti-malware
programs will take grave exception to some of these tools; it would be wise
to exclude your download directory from their purview.

As you probably suspect by now, readers will be exposed to a lot of
assembler code. The authors provide an excellent introductory chapter on
x86 disassembly and another chapter on recognizing source constructs in the
disassembled code. When code snippets appear in the text (and they
frequently do), the authors provide clear explanations rather than such
matters being left as "an exercise for the student". If you find yourself
(like me) needing some additional background, Intel's instruction set
documentation is freely available at
http://www.intel.com/content/dam/doc/manual/64-ia-32-architectures-software-developer-vol-1-2a-2b-3a-3b-manual.pdf.

In summary, this is an awesome book on a very topical subject written by
knowledgeable authors who possess the rare gift of being able to
communicate their knowledge through the written word. Before starting, set
aside the time required to set up the virtual infrastructure, download the
tools and work through the labs.
Your investment of time and effort will pay great dividends the first time
you're faced with explaining what a piece of malware did and why you're
sure it was completely eradicated.

Before beginning life as an educator and independent cybersecurity
consultant, Richard Austin (http://cse.spsu.edu/raustin2) spent 30+ years
in the IT industry in positions ranging from software developer to security
architect. He welcomes your thoughts and comments at raustin2 at spsu dot
edu

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

____________________________________________________________________
Information from NIST, Request for Comments
____________________________________________________________________

Second Public Draft, Special Publication 800-130, A Framework for Designing
Cryptographic Key Management Systems
Public Comment Period: April 13, 2012 through July 30, 2012.
Email Comments to: ckmsdesignframework@nist.gov

Second Public Draft Details:

NIST requests comments on SP 800-130, A Framework for Designing
Cryptographic Key Management Systems. This is a revision of the document
that was provided for public comment in June 2010. Comments are requested
by July 30, 2012 and should be sent to ckmsdesignframework@nist.gov, with
"Comments on SP 800-130" in the subject line. Another document, SP 800-152,
which provides a basic profile of this framework document for the Federal
government, will be available for initial comment later this year.

Links:
Draft SP 800-130 (PDF) on CSRC website:
http://csrc.nist.gov/publications/drafts/800-130/second-draft_sp-800-130_april-2012.pdf

____________________________________________________________________
NSA Publication Addresses Security Science
Contributed by Carl Landwehr
____________________________________________________________________

The current issue of "Next Wave" focuses on developing a blueprint for a
science of cybersecurity. It includes an introduction by Bob Meushaw and
seven articles looking at this topic from different perspectives by Fred
Schneider, Alessandro Chiesa and Eran Tromer, Anupam Datta and John
Mitchell, Dusko Pavlovic, Roy Maxion, Adam Shostack, and Carl Landwehr.

Copies are freely available in hard copy (only) from:

National Security Agency
Attn: Kathleen Prewitt, Managing Editor
Suite 6541
Ft. George G. Meade, MD 20755-6541

or by email to: TNW@tycho.ncsc.mil

___________________________________________________________________
International Espionage Targets US Networks
From the Washington Post, April 17, 2012
____________________________________________________________________

Several nations are trying to penetrate U.S. cyber-networks, says ex-FBI
official Shawn Henry.
http://www.washingtonpost.com/world/national-security/several-nations-trying-to-penetrate-us-cyber-networks-says-ex-fbi-official/2012/04/17/gIQAFAGUPT_story.html

___________________________________________________________________
Voluntary Program Imposes Restrictions on Defense Contractor Networks
From The Washington Post, May 11, 2012
___________________________________________________________________

The Pentagon will expand a cybersecurity program for defense contractors.
The system scans incoming email and selectively blocks outgoing accesses.

http://www.washingtonpost.com/world/national-security/pentagon-to-expand-cybersecurity-program-for-defense-contractors/2012/05/11/gIQALhjbHU_story.html

___________________________________________________________________
Stuxnet, US Cyber Warfare is Here
From the New York Times, June 1, 2012
___________________________________________________________________

The US Department of Defense has signalled its participation in offensive
cyberwarfare several times in the past year. Now more information about
its involvement in the Stuxnet targeting of Iran's nuclear program is
available.

http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html

___________________________________________________________________
Flame: Complicated, Clever, and Effective
From CNN Security Blogs, June 5th, 2012
___________________________________________________________________

The origin of the Flame virus remains unknown, but the capabilities are
wide-reaching. Allegedly, some of the code compromises Microsoft
authenticity checks by generating false credentials, but the details have
yet to be revealed. MD5 is a likely suspect.

http://security.blogs.cnn.com/2012/06/05/decoding-the-flame-virus/?hpt=hp_c3

___________________________________________________________________
FPGA Design: Useful or Deceitful?
From PC World, June 1, 2012
___________________________________________________________________

FPGA security called into question. The company Microsemi says its chip
has a debugging mode; some analysts call it a backdoor.

http://www.pcworld.com/businesscenter/article/256666/microsemi_denies_existence_of_backdoor_in_its_chips_researchers_disagree.html?tk=out

___________________________________________________________________
Forgotten Server Releases Personal Data on Utah Patients
From the Deseret News, May 16, 2012
___________________________________________________________________

Analyzing a data breach that released personal information for nearly 800K
people, the state of Utah uncovered many procedural errors, and the state's
IT director lost his job.

http://www.deseretnews.com/article/865555954/Multiple-mistakes-led-to-massive-health-data-breach-director-says.html

___________________________________________________________________
LinkedIn Caught With Its Salt Down
From CNNMoneyTech, June 6, 2012
___________________________________________________________________

A password file from LinkedIn was revealed by persons unknown. The file was
easily subject to a dictionary attack because the passwords were hashed
without the well-known technique of "salting" the password. Because the
usernames were not part of the disclosure, it did not compromise user
accounts significantly.

http://money.cnn.com/2012/06/06/technology/linkedin-password-hack/index.htm?hpt=hp_c1

___________________________________________________________________
Cybercrime Wave: Costly or Not?
From the New York Times, April 14, 2011
___________________________________________________________________

The Cybercrime Wave that Wasn't

An op-ed piece addresses the question of the economic impact of
cybercrime, finding little data to support numbers that have been widely
cited.
http://www.nytimes.com/2012/04/15/opinion/sunday/the-cybercrime-wave-that-wasnt.html?_r=1

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html

--------------
This job listing is maintained as a service to the academic community. If
you have an academic position in computer security and would like to have
it included on this page, send the following information: Institution,
City, State, Position title, date position announcement closes, and URL of
position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events
maintained by Hilarie Orman

Date (Month/Day/Year), Event, Locations, web page for more info.
 5/31/12: IEEE Transactions on Information Forensics and Security, Special
          Issue on Privacy and Trust Management in Cloud and Distributed
          Systems;
          http://www.signalprocessingsociety.org/uploads/special_issues_deadlines/privacy_policy.pdf;
          Submissions are due
 6/ 1/12: IEEE Network Magazine, Special Issue on Cyber Security of
          Networked Critical Infrastructures;
          http://dl.comsoc.org/livepubs/ni/info/cfp/cfpnetwork0113.htm;
          Submissions are due
 6/ 1/12: ACSAC, 28th Annual Computer Security Applications Conference,
          Buena Vista Palace Hotel & Spa in the Walt Disney World Resort,
          Florida, USA; http://www.acsac.org; Submissions are due
 6/ 1/12: ICDFI, 1st International Conference on Digital Forensics and
          Investigation, Beijing China; http://secmeeting.ihep.ac.cn;
          Submissions are due
 6/ 1/12: MANSEC-CC, 1st International workshop on Management and Security
          technologies for Cloud Computing, Held in conjunction with the
          2012 IEEE GLOBECOM, Disneyland Hotel, Anaheim, California, USA;
          http://www.icsd.aegean.gr/ccsl/mansec-cc/; Submissions are due
 6/ 1/12: DPM, 7th International Workshop on Data Privacy Management,
          Co-located with ESORICS 2012, Pisa, Italy;
          http://www-ma4.upc.edu/DPM2012/main.html; Submissions are due
 6/ 4/12: Nordsec, 17th Nordic Conference in Secure IT Systems, Karlskrona,
          Sweden; http://www.bth.se/com/nordsec2012.nsf/pages/nordsec2012;
          Submissions are due
 6/ 4/12- 6/ 6/12: SEC, 27th IFIP International Information Security and
          Privacy Conference, Creta Maris Hotel, Heraklion, Crete, Greece;
          http://www.sec2012.org
 6/ 6/12- 6/ 8/12: HAISA, 6th International Symposium on Human Aspects of
          Information Security and Assurance, Hersonissos, Crete, Greece;
          http://haisa.org/
 6/ 6/12- 6/ 8/12: WDFIA, 7th International Workshop on Digital Forensics
          and Incident Analysis, Hersonissos, Crete, Greece;
          http://www.wdfia.org/
 6/10/12- 6/15/12: SFCS, 1st IEEE International Workshop on Security and
          Forensics in Communication Systems, Held in conjunction with IEEE
          ICC 2012, Ottawa, Canada; http://sites.google.com/site/sfcs2012/
 6/15/12: NSS, 6th International Conference on Network and System Security,
          Wu Yi Shan, Fujian, China; http://anss.org.au/nss2012/index.html;
          Submissions are due
 6/15/12: HICSS-CSS, 46th HAWAII International Conference on System
          Sciences, Internet and the Digital Economy Track, Cybercrime and
          Security Strategy Mini-track, Grand Wailea, Maui, Hawaii, USA;
          http://www.hicss.hawaii.edu/hicss_46/apahome46.htm;
          Submissions are due
 6/18/12- 6/21/12: ICDCS-NFSP, 1st International Workshop on Network
          Forensics, Security and Privacy, Held in conjunction with ICDCS
          2012, Macau, China; http://www.deakin.edu.au/~syu/nfsp/
 6/18/12- 6/21/12: ICDCS-SPCC, 3rd International Workshop on Security and
          Privacy in Cloud Computing, Held in conjunction with ICDCS 2012,
          Macau, China; http://www.ece.iit.edu/~ubisec/workshop.htm
 6/19/12- 6/22/12: WISTP, 6th Workshop on Information Security Theory and
          Practice, London, UK; http://www.wistp.org/
 6/20/12- 6/22/12: SACMAT, 17th ACM Symposium on Access Control Models and
          Technologies, Newark, NJ, USA; http://www.sacmat.org
 6/22/12: GameSec, 3rd Conference on Decision and Game Theory for Security,
          Budapest, Hungary; http://www.gamesec-conf.org;
          Submissions are due
 6/24/12: WIFS, IEEE International Workshop on Information Forensics and
          Security, Tenerife, Spain; http://www.wifs12.org/;
          Submissions are due
 6/25/12: DSPAN, 3rd IEEE Workshop on Data Security and PrivAcy in wireless
          Networks, Held in conjunction with The Thirteenth International
          Symposium on a World of Wireless, Mobile and Multimedia Networks
          (WoWMoM 2012), San Francisco, CA, USA;
          http://www.ee.washington.edu/research/nsl/DSPAN_2012/
 6/25/12- 6/27/12: Mobisec, 4th International Conference on Security and
          Privacy in Mobile Information and Communication Systems,
          Frankfurt, Germany; http://mobisec.org/2012
 6/25/12- 6/27/12: eGSSN, International Workshop on Trust, Security and
          Privacy in e-Government, e-Systems & Social Networking, Held in
          conjunction with the 11th IEEE International Conference on Trust,
          Security and Privacy in Computing and Communications (TrustCom
          2012), Liverpool, UK; http://webs.um.es/jmalcaraz/eGSSN12
 6/26/12- 6/28/12: DFIS, 6th International Symposium on Digital Forensics
          and Information Security, Vancouver, Canada;
          http://web.ftrai.org/dfis2012
 6/26/12- 6/29/12: ACNS, 10th International Conference on Applied
          Cryptography and Network Security, Singapore;
          http://icsd.i2r.a-star.edu.sg/acns2012
 6/29/12: STAST, 2nd International Workshop on Socio-Technical Aspects of
          Security and Trust, Co-located with Computer Security Foundation
          Symposium (CSF 2012), Harvard University, Cambridge, MA, USA;
          http://www.stast2012.uni.lu
 7/ 2/12: NPSec, 7th Workshop on Secure Network Protocols, Austin, Texas,
          USA; http://www.cse.msu.edu/~feichen/NPSec2012/;
          Submissions are due
 7/ 4/12: SAEPOG, Secure Autonomous Electric Power Grids Workshop,
          Co-located with the Sixth IEEE International Conference on
          Self-Adaptive and Self-Organizing Systems (SASO 2012), Lyon,
          France; https://sites.google.com/site/saepog/; Submissions are due
 7/ 9/12: RFIDsec-Asia, Workshop on RFID and IoT Security, Taipei, Taiwan;
          http://rfidsec2012.cs.ntust.edu.tw; Submissions are due
 7/11/12- 7/13/12: PETS, 12th Privacy Enhancing Technologies Symposium,
          Vigo, Spain; http://petsymposium.org/2012/
 7/13/12: ICISS, 8th International Conference on Information Systems
          Security, Guwahati, India; http://www.iitg.ernet.in/iciss2012/;
          Submissions are due
 7/15/11- 7/15/12: IEEE Internet Computing, Track Articles on Computer
          Crime; http://www.computer.org/portal/web/computingnow/cfptrack;
          Submissions are due
 7/16/12: CCSW, ACM Cloud Computing Security Workshop, Held in conjunction
          with ACM CCS 2012, Sheraton Raleigh Hotel, Raleigh, NC, USA;
          http://crypto.cs.stonybrook.edu/ccsw12; Submissions are due
 7/16/12: STC, 7th ACM Workshop on Scalable Trusted Computing, Held in
          conjunction with ACM CCS 2012, Sheraton Raleigh Hotel, Raleigh,
          NC, USA; http://www.cs.utsa.edu/~acmstc/stc2012/;
          Submissions are due
 7/16/12: AISec, 5th ACM Workshop on Artificial Intelligence and Security,
          Held in conjunction with ACM CCS 2012, Sheraton Raleigh Hotel,
          Raleigh, NC, USA;
          http://research.microsoft.com/en-us/events/aisec2012/default.aspx;
          Submissions are due
 7/16/12: BADGERS, ACM Workshop on Building Analysis Datasets and Gathering
          Experience Returns for Security, Held in conjunction with ACM CCS
          2012, Sheraton Raleigh Hotel, Raleigh, NC, USA;
          https://researcher.ibm.com/view_project.php?id=3360;
          Submissions are due
 7/16/12- 7/20/12: SAPSE, 4th IEEE International Workshop on Security
          Aspects of Process and Services Engineering, Held in conjunction
          with the IEEE Signature Conference on Computers, Software, and
          Applications (COMPSAC 2012), Izmir, Turkey;
          http://compsac.cs.iastate.edu/workshop_details.php?id=48&y
 7/18/12- 7/19/12: LASER, Workshop on Learning from Authoritative Security
          Experiment Results, Arlington, VA, USA;
          http://www.cert.org/laser-workshop/
 7/24/12- 7/27/12: SECRYPT, 9th International Conference on Security and
          Cryptography, Rome, Italy; http://secrypt.icete.org
 7/30/12- 8/ 2/12: SecIoT, Workshop on the Security of the Internet of
          Things, Munich, Germany; http://www.nics.uma.es/seciot12/
 8/ 1/12: NDSS, 20th Annual Network and Distributed System Security
          Symposium, Catamaran Resort Hotel and Spa, San Diego, California,
          USA; http://www.internetsociety.org/events/ndss-symposium-2013;
          Submissions are due
 8/ 3/12: eCrime-Summit, 7th IEEE eCrime Researchers Summit, Held in
          conjunction with the 2012 APWG General Meeting, Las Croabas,
          Puerto Rico; http://ecrimeresearch.org; Submissions are due
 8/ 6/12: CSET, 5th Workshop on Cyber Security Experimentation and Test,
          Bellevue, WA, USA; http://www.usenix.org/events/cset12/
 8/ 6/12- 8/ 7/12: HealthSec, 3rd USENIX Workshop on Health Security and
          Privacy, Bellevue, WA, USA; http://www.usenix.org/events/healthsec12/
 8/ 8/12- 8/10/12: USENIX-Security, 21st USENIX Security Symposium,
          Bellevue, WA, USA; http://www.usenix.org/events/sec12/
 8/20/12- 8/24/12: SecSE, 6th International Workshop on Secure Software
          Engineering, Held in conjunction with ARES 2012, Prague, Czech
          Republic; http://www.sintef.org/secse
 8/20/12- 8/24/12: WSDF, 5th International Workshop on Digital Forensics,
          Held in conjunction with ARES 2012, Prague, Czech Republic;
          http://www.ares-conference.eu/conf/index.php?option=com_content&view=article&id=49&Itemid=95
 8/20/12- 8/24/12: MoCrySEn, 1st International Workshop on Modern
          Cryptography and Security Engineering, Held in conjunction with
          ARES 2012, Prague, Czech Republic;
          http://www.ares-conference.eu/conf/index.php?option=com_content&view=article&id=65&Itemid=120
 9/ 3/12- 9/ 7/12: TrustBus, 9th International Conference on Trust,
          Privacy, and Security in Digital Business, Held in conjunction
          with DEXA 2012, Vienna University of Technology, Austria;
          http://www.ds.unipi.gr/trustbus12/
 9/ 9/12- 9/12/12: CHES, IACR Workshop on Cryptographic Hardware and
          Embedded Systems, Leuven, Belgium;
          http://www.iacr.org/workshops/ches/ches2012/start.php
 9/10/12: SAEPOG, Secure Autonomous Electric Power Grids Workshop,
          Co-located with the Sixth IEEE International Conference on
          Self-Adaptive and Self-Organizing Systems (SASO 2012), Lyon,
          France; https://sites.google.com/site/saepog/
 9/12/12: CloudSec, 4th International Workshop on Security in Cloud
          Computing, Held in conjunction with the 41st ICPP, Pittsburgh, PA,
          USA; http://bingweb.binghamton.edu/~ychen/CloudSec2012.htm
 9/12/12- 9/13/12: DPM, 7th International Workshop on Data Privacy
          Management, Co-located with ESORICS 2012, Pisa, Italy;
          http://www-ma4.upc.edu/DPM2012/main.html
 9/17/12- 9/18/12: CRITIS, 7th International Workshop on Critical
          Information Infrastructures Security, Radisson Blu Lillehammer
          Hotel, Turisthotellveien 6, 2609 Lillehammer, Norway;
          http://critis12.hig.no
 9/19/12- 9/21/12: NSPW, New Security Paradigms Workshop, Bertinoro, Italy;
          http://www.nspw.org
 9/21/12- 9/23/12: ICDFI, 1st International Conference on Digital Forensics
          and Investigation, Beijing China; http://secmeeting.ihep.ac.cn
 9/26/12- 9/28/12: ProvSec, 6th International Conference on Provable
          Security, Chengdu, China;
          http://www.ccse.uestc.edu.cn/provsec/callforpapers.html
 9/30/12: ESSoS, 5th International Symposium on Engineering Secure Software
          and Systems, Paris, France;
          http://distrinet.cs.kuleuven.be/events/essos2013/;
          Submissions are due
10/ 1/12: IEEE Network Magazine, Special Issue on Security in Cognitive
          Radio Networks;
          http://www.comsoc.org/files/Publications/Magazines/ni/cfp/cfpnetwork0513.htm;
          Submissions are due
10/ 1/12-10/ 4/12: SSS, 14th International Symposium on Stabilization,
          Safety, and Security of Distributed Systems, Toronto, Canada;
          http://www.cs.uwaterloo.ca/sss2012/
10/ 8/12-10/11/12: SRDS, 31st International Symposium on Reliable
          Distributed Systems, Irvine, California, USA;
          http://web.mst.edu/~cswebdb/srds2012/
10/13/12: FC, 17th International Conference on Financial Cryptography and
          Data Security, Bankoku Shinryokan, Busena Terrace Beach Resort,
          Okinawa, Japan; http://fc13.ifca.ai/cfp.html; Submissions are due
10/15/12: BADGERS, ACM Workshop on Building Analysis Datasets and Gathering
          Experience Returns for Security, Held in conjunction with ACM CCS
          2012, Sheraton Raleigh Hotel, Raleigh, NC, USA;
          https://researcher.ibm.com/view_project.php?id=3360
10/16/12-10/18/12: ACM-CCS, 19th ACM Conference on Computer and
          Communications Security, Raleigh, North Carolina, USA;
          http://www.sigsac.org/ccs/CCS2012/
10/19/12: CCSW, ACM Cloud Computing Security Workshop, Held in conjunction
          with ACM CCS 2012, Sheraton Raleigh Hotel, Raleigh, NC, USA;
          http://crypto.cs.stonybrook.edu/ccsw12
10/19/12: STC, 7th ACM Workshop on Scalable Trusted Computing, Held in
          conjunction with ACM CCS 2012, Sheraton Raleigh Hotel, Raleigh,
          NC, USA; http://www.cs.utsa.edu/~acmstc/stc2012/
10/19/12: AISec, 5th ACM Workshop on Artificial Intelligence and Security,
          Held in conjunction with ACM CCS 2012, Sheraton Raleigh Hotel,
          Raleigh, NC, USA;
          http://research.microsoft.com/en-us/events/aisec2012/default.aspx
10/20/12-10/25/12: LCN-SICK, Workshop on Security in Communications
          Networks, Held in Conjunction with IEEE LCN 2012, Clearwater, FL,
          USA; http://www.sick-workshop.org/
10/23/12-10/24/12: eCrime-Summit, 7th IEEE eCrime Researchers Summit, Held
          in conjunction with the 2012 APWG General Meeting, Las Croabas,
          Puerto Rico; http://ecrimeresearch.org
10/30/12: NPSec, 7th Workshop on Secure Network Protocols, Austin, Texas,
          USA; http://www.cse.msu.edu/~feichen/NPSec2012/
10/31/12-11/ 2/12: Nordsec, 17th Nordic Conference in Secure IT Systems,
          Karlskrona, Sweden;
          http://www.bth.se/com/nordsec2012.nsf/pages/nordsec2012
11/ 5/12-11/ 6/12: GameSec, 3rd Conference on Decision and Game Theory for
          Security, Budapest, Hungary; http://www.gamesec-conf.org
11/ 8/12-11/ 9/12: RFIDsec-Asia, Workshop on RFID and IoT Security, Taipei,
          Taiwan; http://rfidsec2012.cs.ntust.edu.tw
11/21/12-11/23/12: NSS, 6th International Conference on Network and System
          Security, Wu Yi Shan, Fujian, China;
          http://anss.org.au/nss2012/index.html
12/ 2/12-12/ 5/12: WIFS, IEEE International Workshop on Information
          Forensics and Security, Tenerife, Spain; http://www.wifs12.org/
12/ 3/12-12/ 7/12: ACSAC, 28th Annual Computer Security Applications
          Conference, Buena Vista Palace Hotel & Spa in the Walt Disney
          World Resort, Florida, USA; http://www.acsac.org
12/ 3/12-12/ 7/12: MANSEC-CC, 1st International workshop on Management and
          Security technologies for Cloud Computing, Held in conjunction
          with the 2012 IEEE GLOBECOM, Disneyland Hotel, Anaheim,
          California, USA; http://www.icsd.aegean.gr/ccsl/mansec-cc/
12/ 9/12-12/14/12: LISA, 26th Large Installation System Administration
          Conference, San Diego, CA, USA; http://www.usenix.org/lisa12/
12/15/12-12/19/12: ICISS, 8th International Conference on Information
          Systems Security, Guwahati, India;
          http://www.iitg.ernet.in/iciss2012/
 1/ 7/13- 1/10/13: HICSS-CSS, 46th HAWAII International Conference on
          System Sciences, Internet and the Digital Economy Track,
          Cybercrime and Security Strategy Mini-track, Grand Wailea, Maui,
          Hawaii, USA; http://www.hicss.hawaii.edu/hicss_46/apahome46.htm
 2/24/13- 2/27/13: NDSS, 20th Annual Network and Distributed System
          Security Symposium, Catamaran Resort Hotel and Spa, San Diego,
          California, USA;
          http://www.internetsociety.org/events/ndss-symposium-2013
 2/27/13- 3/ 1/13: ESSoS, 5th International Symposium on Engineering Secure
          Software and Systems, Paris, France;
          http://distrinet.cs.kuleuven.be/events/essos2013/
 4/ 1/13- 4/ 5/13: FC, 17th International Conference on Financial
          Cryptography and Data Security, Bankoku Shinryokan, Busena
          Terrace Beach Resort, Okinawa, Japan; http://fc13.ifca.ai/cfp.html

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers (new since Cipher E107)
___________________________________________________________________

-------------------------------------------------------------------------
IEEE Transactions on Information Forensics and Security, Special Issue on
Privacy and Trust Management in Cloud and Distributed Systems, June 1,
2013, (Submission Due 31 May 2012)
http://www.signalprocessingsociety.org/uploads/special_issues_deadlines/privacy_policy.pdf
Editors: Karl Aberer (Ecole Polytechnique Federale de Lausanne,
Switzerland), Sen-ching Samson Cheung (University of Kentucky, USA), Jayant
Haritsa (Indian Institute of Science, India), Bill Horne (Hewlett-Packard
Laboratories, USA), Kai Hwang (University of Southern California, USA), and
Yan (Lindsay) Sun (University of Rhode Island, USA)

With the increasing drive towards availability of data and services anytime
anywhere, privacy risks have significantly increased. Unauthorized
disclosure, modification, usage, or uncontrolled access to
privacy-sensitive data may result in high human and financial costs.
In distributed computing environments, trust plays a crucial role in mitigating privacy risk by guaranteeing meaningful interactions, data sharing, and communications. Trust management is a key enabling technology for security and privacy enhancement. While privacy preservation and trust management are already challenging problems on their own, it is imperative to explore how privacy-oriented and trust-oriented approaches can be integrated to bring new solutions for safeguarding information sharing and protecting critical cyber-infrastructure. Furthermore, there are open questions about whether existing trust models and privacy-preserving schemes are robust against attacks.

This Call for Papers invites researchers to contribute original articles that cover a broad range of topics related to privacy preservation and trust management in cloud and distributed systems, with a focus on emerging networking contexts such as social media, cloud computing, and power grid systems. Example topics include but are not limited to:

- Privacy Enhanced Technology: privacy preserving data mining, publishing, and disclosure; access control, anonymity, audit, and authentication; applied cryptography, cryptanalysis, and digital signatures in PET; abuse cases and threat modeling; theoretical models and formal methods; application of physical security for privacy enhancement.
- Trust and Reputation Management: trust management architectures and trust models; quantitative metrics and computation; security of trust management protocols/systems; evaluation and test beds; trust-related privacy enhancement solutions.
- Privacy and Trust in Emerging Complex Systems, including: social networking; cloud computing; power grid systems; sensor networks; Internet of Things; multimedia surveillance networks.
- Other Related Topics, such as trust and privacy policies; human factors and usability; censorship; economics of trust and privacy; behavior modeling.
-------------------------------------------------------------------------
IEEE Network Magazine, Special Issue on Cyber Security of Networked Critical Infrastructures, January 2013. (Submission Due 1 June 2012)
http://dl.comsoc.org/livepubs/ni/info/cfp/cfpnetwork0113.htm
Editors: Saeed Abu-Nimeh (Damballa Inc., USA), Ernest Foo (Queensland University of Technology, Australia), Igor Nai Fovino (Global Cyber Security Center, Italy), Manimaran Govindarasu (Iowa State University, USA), and Tommy Morris (Mississippi State University, USA)

The daily lives of millions of people depend on processing information and material through a network of critical infrastructures. Critical infrastructures include agriculture and food, water, public health, emergency services, government, the defense industrial base, information and telecommunications, energy, transportation and shipping, banking and finance, the chemical industry and hazardous materials, post, national monuments and icons, and critical manufacturing. Disruption or disturbance of critical infrastructures can lead to economic and human losses. Additionally, the control network of most critical installations is integrated with broader information and communication systems, including the company business network, and most maintenance services on process control equipment are performed remotely. Further, the cyber security of critical infrastructure systems has come into focus recently as more of these systems are exposed to the Internet. Therefore, Critical Infrastructure Protection (CIP) has become a topic of interest for academics, industries, governments, and researchers in recent years. A common theme among critical infrastructures is the dependence upon secure cyber systems for command and control. This special issue will focus on network aspects that impact the cyber security of Critical Infrastructure Protection and Resilience.

Tutorial-based manuscripts which cover recent advances in one or more of the topic areas below are requested. Topics may include (but are not limited to):

- Security of supervisory control and data acquisition (SCADA) systems
- Security of the smart grid
- Cyber security of industrial control systems
- Security of complex and distributed critical infrastructures
- DNS and Internet Security (as critical infrastructures)
- Security metrics, benchmarks, and data sets
- Attack modeling, prevention, mitigation, and defense
- Early warning and intrusion detection systems
- Self-healing and self-protection systems
- Advanced forensic methodologies
- Cyber-physical systems security approaches and algorithms
- Critical infrastructure security policies, standards and regulations
- Vulnerability and risk assessment methodologies for distributed critical infrastructures
- Simulation and testbeds for the security evaluation of critical infrastructures

-------------------------------------------------------------------------
Nordsec 2012 17th Nordic Conference in Secure IT Systems, Karlskrona, Sweden, October 31 - November 2, 2012. (Submissions due 4 June 2012)
http://www.bth.se/com/nordsec2012.nsf/pages/nordsec2012

Since 1996, the NordSec conferences have brought together computer security researchers and practitioners from around the world, particularly from the Nordic countries and Northern Europe. The conference focuses on applied IT security and is intended to encourage interaction between academic and industrial research. Contributions should reflect original research, developments, studies and practical experience within all areas of IT security.
NordSec 2012 welcomes contributions over a broad range of topics in IT security, including, but not limited to, the following areas:

- Applied Cryptography
- Information Warfare & Cyber Security
- Communication & Network Security
- Wireless and Mobile Security
- Computer Crime and Forensics
- Hardware Security
- Virtual Platform Security
- Web and Cloud Security
- Identity Management
- Authentication and Biometrics
- Firewalls and Intrusion Detection
- New Ideas and Paradigms in Security
- Operating System Security
- PKI Systems and Key Escrow
- Privacy & Anonymity
- Security Education and Training
- Security Evaluations and Assurance
- Security Management and Audit
- Social-Engineering and Phishing
- Software and Application Security
- Trust and Reputation Management

-------------------------------------------------------------------------
NSS 2012 6th International Conference on Network and System Security, Wu Yi Shan, Fujian, China, November 21-23, 2012. (Submissions due 15 June 2012)
http://anss.org.au/nss2012/index.html

NSS is an annual international conference covering research in network and system security. The conference seeks submissions from academia, industry, and government presenting novel research on all theoretical and practical aspects of network security, privacy, applications security, and system security. Papers describing case studies, implementation experiences, and lessons learned are also encouraged.

Topics of interest include but are not limited to:

- Active Defense Systems
- Adaptive Defense Systems
- Analysis and Benchmark of Security Systems
- Applied Cryptography
- Authentication
- Biometric Security
- Complex Systems Security
- Database and System Security
- Data Protection
- Data/System Integrity
- Distributed Access Control
- Distributed Attack Systems
- Denial-of-Service
- High Performance Network Virtualization
- High Performance Security Systems
- Hardware Security
- Identity Management
- Intelligent Defense Systems
- Insider Threats
- Intellectual Property Rights Protection
- Internet and Network Forensics
- Intrusion Detection and Prevention
- Key Distribution and Management
- Large-scale Attacks and Defense
- Malware
- Network Resiliency
- Network Security
- RFID Security and Privacy
- Security Architectures
- Security for Critical Infrastructures
- Security in P2P Systems
- Security in Cloud and Grid Systems
- Security in E-Commerce
- Security in Pervasive/Ubiquitous Computing
- Security and Privacy in Smart Grid
- Security and Privacy in Wireless Networks
- Secure Mobile Agents and Mobile Code
- Security Policy
- Security Protocols
- Security Simulation and Tools
- Security Theory and Tools
- Standards and Assurance Methods
- Trusted Computing
- Trust Management
- World Wide Web Security

-------------------------------------------------------------------------
HICSS-CSS 2013 46th HAWAII International Conference on System Sciences, Internet and the Digital Economy Track, Cybercrime and Security Strategy Mini-track, Grand Wailea, Maui, Hawaii, USA, January 7 - 10, 2013. (Submissions due 15 June 2012)
http://www.hicss.hawaii.edu/hicss_46/apahome46.htm

We invite you to submit a paper for the mini-track "Cybercrime and Security Strategy" scheduled for the 46th Hawaii International Conference on System Sciences (HICSS). The diffusion of computer technologies worldwide has resulted in an unprecedented global expansion of computer-based criminal activity.
There appears to be a need for research into cybercrime activities and their causes. At the same time, it has become imperative to effectively protect information assets. The endeavor of this mini-track is also to enhance understanding of the issues associated with information security strategy. Topics of interest include (but are not limited to):

- Cyber crime activities, and their motivations
- Cyber security policy
- Cyber-infrastructure protection
- Legal and ethical challenges to cyber crime
- Digital forensics
- Cyber crime and societal implications
- Information security strategy
- Planning for information security
- Organizational barriers to security
- Understanding security culture

-------------------------------------------------------------------------
GameSec 2012 3rd Conference on Decision and Game Theory for Security, Budapest, Hungary, November 5-6, 2012. (Submissions due 22 June 2012)
http://www.gamesec-conf.org

The conference will explore security as a multifaceted economic problem by considering the complexities of the underlying technical infrastructure, and human and social factors. Securing resources involves decision making on multiple levels and multiple time scales, given the limited resources available to both malicious attackers and administrators defending networked systems. The GameSec conference aims to bring together researchers who are working on the theoretical foundations and behavioral aspects of enhancing security capabilities in a principled manner. Previous GameSec contributions included analytic models based on game, information, communication, optimization, decision, and control theories that were applied to diverse security topics. In addition, we welcome research that highlights the connection between economic incentives and real-world security, reputation, trust and privacy problems. The conference is soliciting full and short papers on all economic aspects of security and privacy.

Submitted papers will be evaluated based on their significance, originality, technical quality, and exposition. They should clearly establish the research contribution, their relevance to security and privacy, and their relation to prior research. General theoretical contributions are welcome if they discuss potential scenarios of application in the areas of security and privacy.

-------------------------------------------------------------------------
WIFS 2012 IEEE International Workshop on Information Forensics and Security, Tenerife, Spain, December 2-5, 2012. (Submissions due 24 June 2012)
http://www.wifs12.org/

The IEEE International Workshop on Information Forensics and Security (WIFS) is the primary annual event organized by the IEEE's Information Forensics and Security Technical Committee (IEEE IFS TC). Being the main annual event organized by the IEEE IFS TC, the scope of WIFS is broader than that of other, more specific conferences, and it represents the most prominent venue for researchers to exchange ideas and identify potential areas of collaboration. Focusing on these targets, the conference will feature three keynote speakers, up to four tutorials, and a track of lecture and poster sessions.

-------------------------------------------------------------------------
NPSec 2012 7th Workshop on Secure Network Protocols, Austin, Texas, USA, October 30, 2012. (Submissions due 2 July 2012)
http://www.cse.msu.edu/~feichen/NPSec2012/

NPSec focuses on two general areas. The first focus is on the development and analysis of secure or hardened protocols for the operation (establishment and maintenance) of network infrastructure, including such targets as secure multidomain, ad hoc, sensor or overlay networks, or other related target areas. This can include new protocols, enhancements to existing protocols, protocol analysis, and new attacks on existing protocols. The second focus is on employing such secure network protocols to create or enhance network applications.
Examples include collaborative firewalls, incentive strategies for multiparty networks, and deployment strategies to enable secure applications. Papers of special merit might be considered for fast-track publication in the Computer Communications journal.

-------------------------------------------------------------------------
SAEPOG 2012 Secure Autonomous Electric Power Grids Workshop, Co-located with the Sixth IEEE International Conference on Self-Adaptive and Self-Organizing Systems (SASO 2012), Lyon, France, September 10, 2012. (Submissions due 4 July 2012)
https://sites.google.com/site/saepog/

Electric energy grids worldwide are becoming smarter and more adaptive in order to efficiently bring power from a wide variety of production technologies to a broad consumer base. With this increase in complexity and adaptivity we see an ever-increasing demand for predictable power availability and cost-optimizing control of power consumption (and local generation where available) among consumers. "Security" in the grid has many dimensions, from protecting national resources against human adversaries to simply guaranteeing the availability of power to customers. This workshop is concerned with creating autonomous electric power grids that are secure in all senses of the word.

Traditional power management models rely heavily on a centralized authority to dispatch generation and curtail load without any means for consumers to affect the decision process. The increasing dependence on renewable sources of energy invalidates the currently prevailing paradigm "supply follows demand" for energy management, since power generation from wind or solar panels is not controllable and only partially predictable. The resulting new paradigm "demand follows supply" inherently depends on the discovery and exploitation of demand flexibility, which implies the necessity of a decentralized energy information system with distributed system intelligence for power management and control.

Obviously, distributed control also implies potential security concerns for the system and those who rely on it. This situation calls for power generation, storage, and distribution systems that are "aware" of the supply and demand situation and can adapt the load automatically, quickly, and stably. This workshop will examine how autonomous self-adaptive and self-organizing systems may be designed for energy management and control in the future smart grid, ranging from national or international high-voltage transportation systems to low-voltage local distribution systems. We will also consider smart combination with other networks like natural gas or thermal grids. We will discuss how existing systems can be made more autonomic (e.g., self-*) and how the designers of new systems can ensure that these systems deliver power reliably within design constraints. The important management challenge is to create dependable, decentralized control and collaboration among the many stakeholders, like transportation system operators, distribution system operators and demand-side managers. This is a highly complex system whose complexity is not determined merely by its size. Future power grids are loosely integrated cyber-physical-human systems that combine traditional power control with smart information and communication technology. The daunting security and management challenges that arise from these interdependent couplings will require much research for many years to come.

-------------------------------------------------------------------------
RFIDsec-Asia 2012 Workshop on RFID and IoT Security, Taipei, Taiwan, November 8-9, 2012. (Submissions due 9 July 2012)
http://rfidsec2012.cs.ntust.edu.tw

The workshop series RFIDsec Asia, the Asia branch of RFIDsec, aims to provide researchers, enterprises and governments a platform to investigate, discuss and propose new solutions to security and privacy issues of RFID/IoT (Internet of Things) technologies and applications.
Papers with original research in theory and practical system design concerning RFID/IoT security are solicited. Topics of the workshop include but are not limited to:

- New applications for secure RFID/IoT systems
- Data integrity and privacy protection techniques for RFID/IoT
- Attacks and countermeasures on RFID/IoT systems
- Design and analysis of secure RFID/IoT hardware
- Risk assessment and management for RFID/IoT applications
- Trust models, data aggregation and information sharing for the EPCglobal network and sensor networks
- Resource-efficient implementation of cryptography
- Integration of secure RFID/IoT systems
- Cryptographic protocols for RFID/IoT systems

-------------------------------------------------------------------------
ICISS 2012 8th International Conference on Information Systems Security, Guwahati, India, December 15-19, 2012. (Submissions due 13 July 2012)
http://www.iitg.ernet.in/iciss2012/

The conference series ICISS provides a forum for disseminating the latest research results in information and systems security. Submissions are encouraged from academia, industry and government addressing theoretical and practical problems in information and systems security and related areas. The research community and academics are invited to submit theoretical and application-oriented full and short papers making a significant research contribution on Information Systems Security. Papers with original research and unpublished work are to be submitted.

Topics of interest include (but are not limited to):

- Application Security
- Authentication and Access Control
- Biometric Security
- Data Security
- Digital Forensics and Diagnostics
- Digital Rights Management
- Distributed System Security
- Formal Methods in Security
- Intrusion Detection, Prevention & Response
- Intrusion Tolerance and Recovery
- Key Management and Cryptographic Protocols
- Language-based Security
- Malware Analysis and Mitigation
- Network Security
- Operating System Security
- Privacy and Anonymity
- Security in P2P, Sensor and Ad Hoc Networks
- Software Security
- Vulnerability Detection and Mitigation
- Web Security

-------------------------------------------------------------------------
IEEE Internet Computing, Track Articles on Computer Crime, 2012. (Submissions will be accepted for this track from 15 July 2011 to 15 July 2012)
http://www.computer.org/portal/web/computingnow/cfptrack
Editors: Nasir Memon (New York University, USA) and Oliver Spatscheck (AT&T, USA)

As the Internet has grown and extended its reach into every part of people's lives, it shouldn't be surprising that criminals have seized the opportunity to expand their activities into this new realm. This has been fostered in particular by the fact that the Internet was designed as an open and trusting environment. Unfortunately, many of these architectural choices are fundamental to the Internet's success and current architecture and are therefore hard to overcome. Computer crime ranges from rather simple crimes, such as theft of intellectual property or of computer and network resources, to complex corporate espionage or even cyber terrorism. This special track for Internet Computing seeks original articles that cover computer crime as it relates to the Internet.
Appropriate topics include:

- trends and classification of criminal activities on the Internet;
- computer crime prevention, including approaches implemented in user interfaces, end user systems, networks, or server infrastructure;
- case studies of criminal activities;
- computer forensics;
- impact assessments of criminal activities on the Internet; and
- new architectures to prevent Internet crime.

Track articles run one per issue for a single calendar year. Articles will be run in the order in which they are accepted for publication.

-------------------------------------------------------------------------
CCSW 2012 ACM Cloud Computing Security Workshop, Held in conjunction with ACM CCS 2012, Sheraton Raleigh Hotel, Raleigh, NC, USA, October 19, 2012. (Submissions due 16 July 2012)
http://crypto.cs.stonybrook.edu/ccsw12

Notwithstanding the latest buzzword (grid, cloud, utility computing, SaaS, etc.), large-scale computing and cloud-like infrastructures are here to stay. What exactly they will look like tomorrow is still for the markets to decide, yet one thing is certain: clouds bring with them new, untested deployment models and associated adversarial models and vulnerabilities. It is essential that our community becomes involved at this early stage.

The CCSW workshop aims to bring together researchers and practitioners in all security aspects of cloud-centric and outsourced computing, including:

- practical cryptographic protocols for cloud security
- secure cloud resource virtualization mechanisms
- secure data management outsourcing (e.g., database as a service)
- practical privacy and integrity mechanisms for outsourcing
- foundations of cloud-centric threat models
- secure computation outsourcing
- remote attestation mechanisms in clouds
- sandboxing and VM-based enforcements
- trust and policy management in clouds
- secure identity management mechanisms
- new cloud-aware web service security paradigms and mechanisms
- cloud-centric regulatory compliance issues and mechanisms
- business and security risk models and clouds
- cost and usability models and their interaction with security in clouds
- scalability of security in global-size clouds
- trusted computing technology and clouds
- binary analysis of software for remote attestation and cloud protection
- network security (DOS, IDS etc.) mechanisms for cloud contexts
- security for emerging cloud programming models
- energy/cost/efficiency of security in clouds

-------------------------------------------------------------------------
STC 2012 7th ACM Workshop on Scalable Trusted Computing, Held in conjunction with ACM CCS 2012, Sheraton Raleigh Hotel, Raleigh, NC, USA, October 19, 2012. (Submissions due 16 July 2012)
http://www.cs.utsa.edu/~acmstc/stc2012/

Building on the continued success of ACM STC 2006-2011, this workshop focuses on fundamental technologies of trusted and high-assurance computing and their applications in large-scale systems with varying degrees of trust. The workshop is intended to serve as a forum for researchers as well as practitioners to disseminate and discuss recent advances and emerging issues. The workshop solicits two types of original papers: full papers and short/work-in-progress/position papers.
A paper submitted to this workshop must not be in parallel submission to any other journal, magazine, conference or workshop with proceedings. Topics of interest include but are not limited to:

- security policies and models of trusted computing
- architecture and implementation technologies for trusted platforms
- limitations, alternatives and tradeoffs regarding trusted computing
- trusted computing in cloud and data center
- cloud-based attestation services
- trusted smartphone devices and systems
- trust in smart grid, energy, and Internet of Things
- trusted emerging and future Internet infrastructure
- trusted online social networks
- trust in authentication, users and computing services
- hardware-based trusted computing
- software-based trusted computing
- pros and cons of hardware-based approaches
- remote attestation of trusted devices
- censorship-freeness in trusted computing
- cryptographic support in trusted computing
- case studies in trusted computing
- principles for handling scale
- scalable trust support and services in cloud
- trusted embedded computing and systems
- virtualization and trusted computing

-------------------------------------------------------------------------
AISec 2012 5th ACM Workshop on Artificial Intelligence and Security, Held in conjunction with ACM CCS 2012, Sheraton Raleigh Hotel, Raleigh, NC, USA, October 19, 2012. (Submissions due 16 July 2012)
http://research.microsoft.com/en-us/events/aisec2012/default.aspx

The applications of artificial intelligence, machine learning, and data mining to security and privacy problems continue to grow. One recent trend is the growth of Big Data Analytics and the establishment of Security Information and Event Management systems built to obtain security intelligence and situational awareness. With the advent of cloud computing, every advantage the cloud offers, such as large-scale machine learning and data-driven abuse detection, is being leveraged to improve security.

We invite original research papers describing the use of AI or machine learning in security and privacy problems. We also invite position and open problem papers discussing the role of AI or machine learning in security and privacy. Submitted papers of these types may not substantially overlap papers that have been published previously or that are simultaneously submitted to a journal or conference/workshop proceedings. Finally, we welcome a new systematization-of-knowledge category of papers this year, which should distill the AI or machine learning contributions of a previously published series of security papers. Topics of interest include, but are not limited to:

- Adversarial Learning
- Robust Statistics
- Online Learning
- Computer Forensics
- Spam detection
- Botnet detection
- Intrusion detection
- Malware identification
- Big data analytics for security
- Adaptive side-channel attacks
- Privacy-preserving data mining
- Design and analysis of CAPTCHAs
- Phishing detection and prevention
- AI approaches to trust and reputation
- Vulnerability testing through intelligent probing (e.g. fuzzing)
- Content-driven security policy management & access control
- Techniques and methods for generating training and test sets
- Anomalous behavior detection (e.g. for the purposes of fraud prevention, authentication)

-------------------------------------------------------------------------
BADGERS 2012 ACM Workshop on Building Analysis Datasets and Gathering Experience Returns for Security, Held in conjunction with ACM CCS 2012, Sheraton Raleigh Hotel, Raleigh, NC, USA, October 15, 2012. (Submissions due 16 July 2012)
https://researcher.ibm.com/view_project.php?id=3360

The BADGERS workshop is concerned with the use of Big Data for security and is intended to report on initiatives for Internet-scale security-related data collection and analysis.
It will provide an environment to describe existing real-world, large-scale datasets, and to share with the security community the return on experience acquired by analyzing such collected data. Furthermore, novel approaches to collecting and studying such data sets are welcome. Main topics of interest:

- scalable data collection from networks, hosts, or applications
- real-time gathering and aggregation of diverse sets of raw data
- summarization of raw data with respect to security goals
- attack-resilient data collection
- characterization of dataset external validity
- scalability of security analysis with data volume
- scalability of security analysis with concurrent-attack volume
- combined historical and real-time security analysis
- evaluating result accuracy for large datasets
- real-time, incremental anonymization for data sharing
- successful, failed, and novel models of data sharing
- sharing of analysis results and supporting data
- Internet-scale sharing of security knowledge
- legal issues around data collection and sharing

-------------------------------------------------------------------------
NDSS 2013 20th Annual Network and Distributed System Security Symposium, Catamaran Resort Hotel and Spa, San Diego, California, USA, February 24-27, 2013. (Submissions due 1 August 2012)
http://www.internetsociety.org/events/ndss-symposium-2013

The Network and Distributed System Security Symposium fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available network and distributed systems security technologies. Special emphasis will be placed on accepting papers in the core theme of network and distributed systems security.
Consequently, papers that cover networking protocols and distributed systems algorithms are especially invited. Moreover, practical papers in these areas are also very welcome. Submissions are solicited in, but not limited to, the following areas:

- Anti-malware techniques: detection, analysis, and prevention
- Combating cyber-crime: anti-phishing, anti-spam, anti-fraud techniques
- Future Internet architecture and design
- High-availability wired and wireless networks
- Implementation, deployment and management of network security policies
- Integrating security in Internet protocols: routing, naming, network management
- Intellectual property protection: protocols, implementations, metering, watermarking, digital rights management
- Intrusion prevention, detection, and response
- Privacy and anonymity technologies
- Public key infrastructures, key management, certification, and revocation
- Special problems and case studies: e.g., tradeoffs between security and efficiency, usability, reliability and cost
- Security for collaborative applications: teleconferencing and video-conferencing
- Security for Cloud Computing
- Security for electronic commerce: e.g., payment, barter, EDI, notarization, timestamping, endorsement, & licensing
- Security for emerging technologies: sensor networks, wireless/mobile (and ad hoc) networks, and personal communication systems
- Security for future home networks, Internet of Things, body-area networks
- Security for large-scale systems and critical infrastructures (e.g., electronic voting, smart grid)
- Security for peer-to-peer and overlay network systems
- Security for Vehicular Ad-hoc Networks (VANETs)
- Security of Web-based applications and services
- Trustworthy Computing mechanisms to secure network protocols and distributed systems

-------------------------------------------------------------------------
eCrime-Summit 2012 7th IEEE eCrime Researchers Summit, Held in conjunction with the 2012 APWG General Meeting, Las Croabas, Puerto Rico, October 23-24, 2012. (Submissions due 3 August 2012)
http://ecrimeresearch.org

eCRS 2012 will bring together academic researchers, security practitioners, and law enforcement to discuss all aspects of electronic crime and ways to combat it. Topics of interest include (but are not limited to):

- Case studies of current attack methods, including phishing, malware, rogue antivirus, pharming, crimeware, botnets, and emerging techniques
- Case studies of online advertising fraud, including click fraud, malvertising, cookie stuffing, and affiliate fraud
- Case studies of large-scale take-downs, such as coordinated botnet disruption
- Technical, legal, political, social and psychological aspects of fraud and fraud prevention
- Economics of online crime, including measurement studies of underground economies and models of e-crime
- Uncovering and disrupting online criminal collaboration and gangs
- Financial infrastructure of e-crime, including payment processing and money laundering
- Techniques to assess the risks and yields of attacks and the effectiveness of countermeasures
- Delivery techniques, including spam, voice mail, social network and web search manipulation; and countermeasures
- Techniques to avoid detection, tracking and take-down; and ways to block such techniques
- Best practices for detecting and avoiding damage to critical Internet infrastructure, such as DNS and SCADA, from electronic crime activities

-------------------------------------------------------------------------
ESSoS 2013 5th International Symposium on Engineering Secure Software and Systems, Paris, France, February 27 - March 1, 2013. (Submissions due 30 September 2012)
http://distrinet.cs.kuleuven.be/events/essos2013/

Trustworthy, secure software is a core ingredient of the modern world. Hostile, networked environments, like the Internet, can allow vulnerabilities in software to be exploited from anywhere.
To address this, high-quality security building blocks (e.g., cryptographic components) are necessary, but insufficient. Indeed, the construction of secure software is challenging because of the complexity of modern applications, the growing sophistication of security requirements, the multitude of available software technologies and the progress of attack vectors. Clearly, a strong need exists for engineering techniques that scale well and that demonstrably improve the software's security properties. The goal of this symposium is to bring together researchers and practitioners to advance the states of the art and practice in secure software engineering. Being one of the few conference-level events dedicated to this topic, it explicitly aims to bridge the software engineering and security engineering communities, and promote cross-fertilization. The Symposium seeks submissions on subjects related to its goals. This includes a diversity of topics including (but not limited to):
- scalable techniques for threat modeling and analysis of vulnerabilities
- specification and management of security requirements and policies
- security architecture and design for software and systems
- model checking for security
- specification formalisms for security artifacts
- verification techniques for security properties
- systematic support for security best practices
- security testing
- security assurance cases
- programming paradigms, models and DSLs for security
- program rewriting techniques
- processes for the development of secure software and systems
- security-oriented software reconfiguration and evolution
- security measurement
- automated development
- trade-off between security and other non-functional requirements (in particular economic considerations)
- support for assurance, certification and accreditation
- empirical secure software engineering
-------------------------------------------------------------------------
IEEE Network Magazine, Special Issue on
Security in Cognitive Radio Networks, May 2013, (Submission Due 1 October 2012)
http://www.comsoc.org/files/Publications/Magazines/ni/cfp/cfpnetwork0513.htm
Editors: Kui Ren (Illinois Institute of Technology, USA), Haojin Zhu (Shanghai Jiao Tong University, USA), Zhu Han (University of Houston, USA), and Radha Poovendran (University of Washington, USA)
Cognitive radio (CR) is an emerging advanced radio technology in wireless access, with many promising benefits including dynamic spectrum sharing, robust cross-layer adaptation, and collaborative networking. Based on a software-defined radio (SDR), cognitive radios are fully programmable and can sense their environment and dynamically adapt their transmission frequencies, power levels, modulation schemes, and networking protocols for improving network and application performance. It is anticipated that cognitive radio technology will be the next wave of innovation in information and communications technologies. Although the recent years have seen major and remarkable developments in the field of cognitive networking technologies, the security aspects of cognitive radio networks have attracted less attention so far. Due to the particular characteristics of the CR system, entirely new classes of security threats and challenges are introduced, such as licensed user emulation, selfish misbehaviors and unauthorized use of spectrum bands. These new types of attacks take advantage of the inherent characteristics of CR, and could severely disrupt the basic functionalities of CR systems. Therefore, for achieving successful deployment of CR technologies in practice, there is a critical need for new security designs and implementations to make CR networks secure and robust against these new attacks.
Topics of interest include, but are not limited to:
- General security architecture for CR networks
- Cross-layer security design of CR networks
- Secure routing in multi-hop CR networks
- Physical layer security for CR networks
- Geo-location for security in CR networks
- Defending and mitigating jamming-based DoS attacks in CR networks
- Defending against energy depletion attacks in resource-constrained CR networks
- Attack modeling, prevention, mitigation, and defense in CR systems, including primary user emulation attacks, authentication methods of primary users, spectrum sensing data falsification, spectrum misusage and selfish misbehaviors and unauthorized use of spectrum bands
- Methods for detecting, isolating and expelling misbehaving cognitive nodes
- Security policies, standards and regulations for CR networks
- Implementation and testbed for security evaluation in CR systems
- Privacy protection in CR networks
- Security issues for database-based CR networks
- Security in CR networks for the smart grid
- Intrusion detection systems in CR networks
-------------------------------------------------------------------------
FC 2013
17th International Conference on Financial Cryptography and Data Security, Bankoku Shinryokan, Busena Terrace Beach Resort, Okinawa, Japan, April 1-5, 2013. (Submissions due 13 October 2012)
http://fc13.ifca.ai/cfp.html
Financial Cryptography and Data Security is a major international forum for research, advanced development, education, exploration, and debate regarding information assurance, with a specific focus on commercial contexts. The conference covers all aspects of securing transactions and systems. Original works focusing on both fundamental and applied real-world deployments on all aspects surrounding commerce security are solicited. Submissions need not be exclusively concerned with cryptography. Systems security and inter-disciplinary efforts are particularly encouraged.
Topics include:
- Anonymity and Privacy
- Auctions and Audits
- Authentication and Identification
- Biometrics
- Certification and Authorization
- Cloud Computing Security
- Commercial Cryptographic Applications
- Data Outsourcing Security
- Information Security
- Game Theoretic Security
- Securing Emerging Computational Paradigms
- Identity Theft
- Fraud Detection
- Phishing and Social Engineering
- Digital Rights Management
- Digital Cash and Payment Systems
- Digital Incentive and Loyalty Systems
- Microfinance and Micropayments
- Contactless Payment and Ticketing Systems
- Secure Banking and Financial Web Services
- Security and Privacy in Mobile Devices and Applications
- Security and Privacy in Automotive and Transport Systems and Applications
- Smartcards, Secure Tokens and Secure Hardware
- Privacy-enhancing Systems
- Reputation Systems
- Security and Privacy in Social Networks
- Security and Privacy in Sound and Secure Financial Systems Based on Social Networks
- Risk Assessment and Management
- Risk Perceptions and Judgments
- Legal and Regulatory Issues
- Security Economics
- Spam
- Transactions and Contracts
- Trust Management
- Underground-Market Economics
- Usable Security
- Virtual Economies
- Voting Systems
-------------------------------------------------------------------------
====================================================================
====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________
SUBSCRIPTIONS: Two options, each with two options:
1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".
   OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)
2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)
To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard
Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL
http://www.ieee-security.org/cipher.html
CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________
Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html
_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________
You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at
http://www.computer.org/TCsignup/index.htm
______________________________________________________________________
TC Publications for Sale
______________________________________________________________________
IEEE Security and Privacy Symposium
The 2010 hardcopy proceedings are available at $25 each. The DVD with all technical papers from all years of the SP Symposium and the CSF Symposium (through 2009) is $10, plus shipping and handling.
The 2009 hardcopy proceedings are not available. The DVD with all technical papers from all years of the SP Symposium and the CSF Symposium is $5, plus shipping and handling.
The 2008 hardcopy proceedings are $10 plus shipping and handling; the 29 year CD is $5.00, plus shipping and handling.
The 2007 proceedings are available in hardcopy for $10.00, the 28 year CD is $5.00, plus shipping and handling.
The 2006 Symposium proceedings and 11-year CD are sold out.
The 2005, 2004, and 2003 Symposium proceedings are available for $10 plus shipping and handling.
Shipping is $5.00/volume within the US, overseas surface mail is $8/volume, and overseas airmail is $14/volume, based on an order of 3 volumes or less. The shipping charge for a CD is $3 per CD (no charge if included with a hard copy order). Send a check made out to the IEEE Symposium on Security and Privacy to the 2011 treasurer (below) with the order description, including shipping method and shipping address.
Robin Sommer
Treasurer, IEEE Symposium Security and Privacy 2011
International Computer Science Institute
Center for Internet Research
1947 Center St., Suite 600
Berkeley, CA 94704 USA
oakland11-treasurer@ieee-security.org
IEEE CS Press
You may order some back issues from IEEE CS Press at
http://www.computer.org/cspress/catalog/proc9.htm
Computer Security Foundations Symposium
Copies of the proceedings of the Computer Security Foundations Workshop (now Symposium) are available for $10 each. Copies of proceedings are available starting with year 10 (1997). Photocopy versions of year 1 are also $10. Contact Jonathan Herzog if interested in purchase.
Jonathan Herzog
jherzog@alum.mit.edu
____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________
Chair:
Sven Dietrich
Department of Computer Science
Stevens Institute of Technology
+1 201 216 8078
spock AT cs.stevens.edu

Security and Privacy Symposium Chair Emeritus:
Deborah Frincke
debfrincke@gmail.com

Vice Chair:
Patrick McDaniel
Computer Science and Engineering
Pennsylvania State University
360 A IST Building
University Park, PA 16802
(814) 863-3599
mcdaniel@cse.psu.edu

Treasurer:
Terry Benzel
USC Information Sciences Intnl
4676 Admiralty Way, Suite 1001
Los Angeles, CA 90292
(310) 822-1511 (voice)
tbenzel @isi.edu

Newsletter Editor:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2012 Chair:
Robert Cunningham
MIT Lincoln Laboratories
http://www.ll.mit.edu/mission/communications/ist/biographies/cunningham-bio.html
________________________________________________________________________
BACK ISSUES:
Cipher is archived at: http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year