CIPHER
============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 109 July 23, 2012
Hilarie Orman, Editor: cipher-editor @ ieee-security.org
Sven Dietrich, Assoc. Editor: cipher-assoc-editor @ ieee-security.org
Richard Austin, Book Review Editor: cipher-bookrev @ ieee-security.org
Yong Guan, Calendar Editor: cipher-cfp @ ieee-security.org
============================================================================
The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year
Contents:
* Letter from the Editor
* Commentary and Opinion
o Richard Austin's review of Wireless Network Security: A Beginner's Guide
by Tyler Wrightson
o Grum Gone, Less Spam?
o Internet Name Malware Largely Quashed
o Book reviews, Conference Reports and Commentary and News items
from past Cipher issues are available at the Cipher website
* List of Computer Security Academic Positions, by Cynthia Irvine
* Conference and Workshop Announcements
o Calendar of events
o Upcoming calls-for-papers and events
* Staying in Touch
o Information for subscribers and contributors
o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
o Becoming a member of the TC
o TC Officers
o TC publications for sale
====================================================================
Letter from the Editor
====================================================================
Dear Readers:
If you are worried about your WiFi network, Richard Austin's book
review this month can guide you to some insights and helpful
strategies.
If you are worried about spam email, you might take some comfort in
knowing that there is a 17% reprieve due to a skillfully planned
takedown of a major botnet. If you are reading this, you do not have
to worry about the "DNSchanger" software that perverted the mapping
from names to Internet addresses.
It is interesting to note that both the botnet and DNS threats were
removed by large-scale coordinated efforts involving security
experts and Internet asset controllers. We have moved far beyond
end user solutions, and security is now a global effort.
If you want to learn more about the present and future of security
from the researchers who develop defenses and secure designs, try
attending one or more of the workshops or conferences as part of your
summer vacation.
Visit the Internet, a place where there is no there,
Hilarie Orman
cipher-editor @ ieee-security.org
====================================================================
News Briefs
====================================================================
News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html
====================================================================
Commentary and Opinion
====================================================================
Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports
are archived at http://www.ieee-security.org/Cipher/ConfReports.html
____________________________________________________________________
Book Review By Richard Austin
July 19, 2012
Wireless Network Security: A Beginner's Guide
by Tyler Wrightson
____________________________________________________________________
McGraw-Hill 2012.
ISBN 978-0-07-176094-2
amazon.com USD 27.99
Table of Contents: http://www.mcgraw-hill.com.au/html/9780071760942.html#
Your humble correspondent normally avoids anything security-related
with "a beginner's guide" in the title, expecting it to be a
superficial rehash of some checklist or another. But with my
familiarity with wireless being slightly beyond getting a laptop to
(finally) connect to a hotspot, I took a chance on this book and was
pleasantly surprised.
Wrightson opens the book with a general introduction to information
security in the context of wireless communications. Risk assessment
and mitigation and the other usual suspects are gently (and lightly)
introduced. He follows up with a discussion of the denizens of the
wireless world (access points, clients, etc.) and provides suggestions
on building a basic lab to support working through the examples in the
book.
After the introductory material, Wrightson devotes three chapters to
attacks on wireless networks and their users. He opens with "Theory
of Attacks on Wireless Networks" providing background for
understanding the next two chapters ("Attacking Wireless Networks" and
"Attacking Wireless Clients"). Common techniques such as
reconnaissance, SSID decloaking (a catchy term I will shamelessly
appropriate from now on), passive interception, etc., are clearly
presented with the aid of effective illustrations. He provides a
clear introduction to WEP and WPA and illustrates principles behind
common attacks on them.
"Attacking Wireless Networks" is an excellent introduction to the
common tools (Kismet, airodump-ng, etc.) and how they're used in
mounting attacks. Wrightson uses Back|Track 5 as the platform so the
reader can follow along by simply booting up a virtual machine without
having to navigate tool installations and their dependencies.
"Attacking Wireless Clients" focusses, as you might expect, on attacks
that target the wireless clients rather than the networks they connect
to. Techniques such as creating a bogus access point in preparation
for mounting a middle-person attack are described in detail and
clearly illustrated.
By this point the reader may be tempted to unplug the access point
and eschew wireless communications completely, so it's fortunate that
Wrightson devotes the next several chapters to defense of wireless
communications. The discussion opens with a theory chapter that
provides sage advice on how wireless deployments should be planned and
implemented. Defenses that can actually mitigate risks (firewalls,
IDS/IPS, etc.) are distinguished from security theater (MAC filtering,
SSID cloaking, and so on).
The next three chapters provide a detailed walkthrough of deploying
secure wireless networks (e.g., WPA2 Enterprise). Though I suspect it
was done to make the chapters independent, there is much duplicated
material that could have been pulled out into a common prologue.
Wrightson then turns to the challenging task of providing guest wireless
access. He reviews alternatives such as captive portals and
short-term credentials and provides pros and cons so that a defensible
choice can be made. Guest wireless access has been done wrong so many
times that I think this chapter alone justifies the price of the book.
The final chapter covers dealing with rogue access points and a bit on
the future of wireless security. Wrightson wisely notes that an "ounce of
prevention" in precluding use of an unauthorized access point (through
802.1X port-based access control for example) is much less resource
intensive than hunting one down after the fact.
An appendix provides a gentle introduction to Linux that will be quite
useful to readers unfamiliar with that platform (and are encountering
a specialized distribution such as Back|Track for the first time).
This is an excellent introduction to wireless technologies and their
security implications. The technologies and tools are clearly
presented with copious illustrations and the level of presentation
will accommodate the wireless security neophyte while not boring a
mid-level expert to tears. If the reader invests the time and
resources in building a lab to follow along with the text, s/he will
develop a solid, basic understanding of what "wireless security" is
and how it can be implemented in practice. This is definitely a
recommended read for its intended audience.
----------------------------
It has been said that "of making many books there is no end; and much
study is a weariness of the flesh" so Richard Austin
(http://cse.spsu.edu/raustin2) fearlessly samples the wares of the
publishing houses and shares his opinion as to which wares might best
occupy your time. He welcomes your thoughts and comments via raustin
at ieee dot org
====================================================================
News Items from the Media
====================================================================
Grum Gone
July 20, 2012
Wired
http://www.wired.co.uk/news/archive/2012-07/20/spam-botnet-taken-down
Ian Steadman
"The world's third-biggest botnet, responsible for 18 billion emails
every day and 17.4 percent of global spam traffic, has been shut down
by security researchers."
---------------------------------------------------------------------
Internet Name Malware Largely Quashed
July 9, 2012
AP via Fox News
http://www.foxnews.com/scitech/2012/07/08/users-need-to-to-check-computer-for-malware-or-risk-losing-internet/
Security experts collaborated to give the infamous "DNS changer"
malware a gradual exit from the Internet, and by the July 9
deadline, few users suffered loss of service.
====================================================================
Listing of academic positions available
by Cynthia Irvine
====================================================================
Full list: http://cisr.nps.edu/jobscipher.html
Recent listings:
Posted July 2012
Naval Postgraduate School
Monterey, California
CS Department Faculty Positions
Open until filled
http://www.nps.edu/Academics/Schools/GSOIS/Departments/CS/Faculty/Openings/CSFacultyOpenings.html
Posted July 2012
Imperial College London
London, UK
Lectureship
Closing Date 16 August 2012
http://www3.imperial.ac.uk/computing/vacancies#L
Posted June 2011 (still open as of July 2012)
University of Waterloo
Waterloo, ON, Canada
Postdoctoral Research Position
Open until filled
http://crysp.uwaterloo.ca/prospective/postdoc/
Posted May 2011 (still open as of July 2012)
University of Massachusetts Amherst
Amherst, MA, USA
Positions: Research Scientist, Postdoctoral Research Associate,
Undergraduate Researcher, Graduate Research Assistant
Open until filled
http://spqr.cs.umass.edu/jobs.php
--------------
This job listing is maintained as a service to the academic
community. If you have an academic position in computer security and
would like to have it included on this page, send the following
information:
Institution,
City, State,
Position title,
date position announcement closes, and
URL of position description
to: irvine@cs.nps.navy.mil
====================================================================
Conference and Workshop Announcements
====================================================================
====================================================================
Upcoming Calls-For-Papers and Events
====================================================================
The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html
The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html
Cipher calendar entries are announced on Twitter; follow ciphernews
____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________
Calendar of Security and Privacy Related Events
maintained by Hilarie Orman
Cipher calendar announcements are on Twitter; follow "ciphernews"
7/24/12- 7/27/12: SECRYPT, 9th International Conference on Security and
Cryptography,
Rome, Italy;
http://secrypt.icete.org
7/30/12- 8/ 2/12: SecIoT, Workshop on the Security of the Internet of Things,
Munich, Germany;
http://www.nics.uma.es/seciot12/
8/ 1/12: NDSS, 20th Annual Network and Distributed System Security Symposium,
Catamaran Resort Hotel and Spa San Diego, California, USA;
http://www.internetsociety.org/events/ndss-symposium-2013;
Submissions are due
8/ 3/12: eCrime-Summit, 7th IEEE eCrime Researchers Summit,
Held in conjunction with the 2012 APWG General Meeting,
Las Croabas, Puerto Rico;
http://ecrimeresearch.org; Submissions are due
8/ 6/12: CSET, 5th Workshop on Cyber Security Experimentation and Test,
Bellevue, WA, USA; http://www.usenix.org/events/cset12/
8/ 6/12- 8/ 7/12: HealthSec, 3rd USENIX Workshop on Health Security
and Privacy,
Bellevue, WA, USA; http://www.usenix.org/events/healthsec12/
8/ 8/12- 8/10/12: USENIX-Security, 21st USENIX Security Symposium,
Bellevue, WA, USA;
http://www.usenix.org/events/sec12/
8/20/12: INSCRYPT, 8th China International Conference on Information Security
and Cryptology, Beijing, China;
http://inscrypt2012.im.pwr.wroc.pl/2012/Inscrypt_2012.html;
Submissions are due
8/20/12- 8/24/12: SecSE, 6th International Workshop on Secure Software
Engineering,
Held in conjunction with ARES 2012, Prague, Czech Republic;
http://www.sintef.org/secse
8/20/12- 8/24/12: WSDF, 5th International Workshop on Digital Forensics,
Held in conjunction with ARES 2012, Prague, Czech Republic;
http://www.ares-conference.eu/conf/index.php?option=com_content&
view=article&id=49&Itemid=95
8/20/12- 8/24/12: MoCrySEn, 1st International Workshop on Modern Cryptography
and Security Engineering, Held in conjunction with ARES 2012,
Prague, Czech Republic;
http://www.ares-conference.eu/conf/index.php?option=com_content&
view=article&id=65&Itemid=120
8/31/12: CODASPY, 3rd ACM Conference on Data and Application Security and
Privacy, San Antonio, Texas, USA;
http://www.codaspy.org;
Submissions are due
9/ 3/12- 9/ 7/12: TrustBus, 9th International Conference on Trust, Privacy, and
Security in Digital Business,
Held in conjunction with DEXA 2012,
Vienna University of Technology, Austria;
http://www.ds.unipi.gr/trustbus12/
9/ 7/12: SPW (Call for Workshop proposals), 2nd IEEE CS Security and
Privacy Workshops,
Co-located with the IEEE Symposium on Security and Privacy (SP 2013),
Westin St. Francis Hotel, San Francisco, CA, USA;
http://www.codaspy.org;
Submissions are due
9/ 9/12- 9/12/12: CHES, IACR Workshop on Cryptographic Hardware and Embedded
Systems,
Leuven, Belgium;
http://www.iacr.org/workshops/ches/ches2012/start.php
9/10/12: SAEPOG, Secure Autonomous Electric Power Grids Workshop,
Co-located with the Sixth IEEE International Conference on
Self-Adaptive and Self-Organizing Systems (SASO 2012),
Lyon, France; https://sites.google.com/site/saepog/
9/12/12: CloudSec, 4th International Workshop on Security in Cloud Computing,
Held in conjunction with the 41st ICPP,
Pittsburgh, PA, USA;
http://bingweb.binghamton.edu/~ychen/CloudSec2012.htm
9/12/12- 9/13/12: DPM, 7th International Workshop on Data Privacy Management,
Co-located with ESORICS 2012,
Pisa, Italy; http://www-ma4.upc.edu/DPM2012/main.html
9/17/12- 9/18/12: CRITIS, 7th International Workshop on Critical Information
Infrastructures Security, Radisson Blu Lillehammer Hotel,
Turisthotellveien 6, 2609 Lillehammer, Norway;
http://critis12.hig.no
9/19/12- 9/21/12: NSPW, New Security Paradigms Workshop,
Bertinoro, Italy;
http://www.nspw.org
9/21/12- 9/23/12: ICDFI, 1st International Conference on Digital Forensics
and Investigation,
Beijing, China;
http://secmeeting.ihep.ac.cn
9/26/12- 9/28/12: ProvSec, 6th International Conference on Provable Security,
Chengdu, China;
http://www.ccse.uestc.edu.cn/provsec/callforpapers.html
9/30/12: ESSoS, 5th International Symposium on Engineering Secure Software
and Systems, Paris, France;
http://distrinet.cs.kuleuven.be/events/essos2013/;
Submissions are due
10/ 1/12: IEEE Network Magazine,
Special Issue on Security in Cognitive Radio Networks;
http://www.comsoc.org/files/Publications/Magazines/ni/cfp/cfpnetwork0513.htm;
Submissions are due
10/ 1/12-10/ 4/12: SSS, 14th International Symposium on Stabilization,
Safety, and Security of Distributed Systems,
Toronto, Canada; http://www.cs.uwaterloo.ca/sss2012/
10/ 8/12-10/11/12: SRDS, 31st International Symposium on Reliable Distributed
Systems,
Irvine, California, USA;
http://web.mst.edu/~cswebdb/srds2012/
10/13/12: FC, 17th International Conference on Financial Cryptography
and Data Security,
Bankoku Shinryokan, Busena Terrace Beach Resort, Okinawa, Japan;
http://fc13.ifca.ai/cfp.html;
Submissions are due
10/15/12: BADGERS, ACM Workshop on Building Analysis Datasets and Gathering
Experience Returns for Security,
Held in conjunction with ACM CCS 2012,
Sheraton Raleigh Hotel, Raleigh, NC, USA;
https://researcher.ibm.com/view_project.php?id=3360
10/16/12-10/18/12: ACM-CCS, 19th ACM Conference on Computer and Communications
Security,
Raleigh, North Carolina, USA;
http://www.sigsac.org/ccs/CCS2012/
10/19/12: CCSW, ACM Cloud Computing Security Workshop,
Held in conjunction with ACM CCS 2012,
Sheraton Raleigh Hotel, Raleigh, NC, USA;
http://crypto.cs.stonybrook.edu/ccsw12
10/19/12: STC, 7th ACM Workshop on Scalable Trusted Computing,
Held in conjunction with ACM CCS 2012,
Sheraton Raleigh Hotel, Raleigh, NC, USA;
http://www.cs.utsa.edu/~acmstc/stc2012/
10/19/12: AISec, 5th ACM Workshop on Artificial Intelligence and Security,
Held in conjunction with ACM CCS 2012,
Sheraton Raleigh Hotel, Raleigh, NC, USA;
http://research.microsoft.com/en-us/events/aisec2012/default.aspx
10/20/12-10/25/12: LCN-SICK, Workshop on Security in Communications Networks,
Held in Conjunction with IEEE LCN 2012, Clearwater, FL, USA;
http://www.sick-workshop.org/
10/23/12-10/24/12: eCrime-Summit, 7th IEEE eCrime Researchers Summit,
Held in conjunction with the 2012 APWG General Meeting,
Las Croabas, Puerto Rico;
http://ecrimeresearch.org
10/26/12: IDMAN, 3rd IFIP WG 11.6 Working Conference on Policies & Research
in Identity Management, London, UK;
http://www.idman2013.com;
Submissions are due
10/30/12: NPSec, 7th Workshop on Secure Network Protocols,
Austin, Texas, USA;
http://www.cse.msu.edu/~feichen/NPSec2012/
10/31/12-11/ 2/12: Nordsec, 17th Nordic Conference in Secure IT Systems,
Karlskrona, Sweden;
http://www.bth.se/com/nordsec2012.nsf/pages/nordsec2012
11/ 5/12-11/ 6/12: GameSec, 3rd Conference on Decision and Game Theory for
Security,
Budapest, Hungary;
http://www.gamesec-conf.org
11/ 8/12-11/ 9/12: RFIDsec-Asia, Workshop on RFID and IoT Security,
Taipei, Taiwan;
http://rfidsec2012.cs.ntust.edu.tw
11/10/12: Springer International Journal of Information Security journal,
Special Issue on Security in Cloud Computing;
http://www.springer.com/computer/security+and+cryptology/journal/10207;
Submissions are due
11/21/12-11/23/12: NSS, 6th International Conference on Network and System
Security,
Wu Yi Shan, Fujian, China;
http://anss.org.au/nss2012/index.html
11/28/12-12/ 1/12: INSCRYPT, 8th China International Conference on
Information Security and Cryptology, Beijing, China;
http://inscrypt2012.im.pwr.wroc.pl/2012/Inscrypt_2012.html
12/ 2/12-12/ 5/12: WIFS, IEEE International Workshop on Information Forensics
and Security, Tenerife, Spain;
http://www.wifs12.org/
12/ 3/12-12/ 7/12: ACSAC, 28th Annual Computer Security Applications Conference,
Buena Vista Palace Hotel & Spa in the Walt Disney World Resort,
Florida, USA;
http://www.acsac.org
12/ 3/12-12/ 7/12: MANSEC-CC, 1st International workshop on Management and
Security technologies for Cloud Computing,
Held in conjunction with the 2012 IEEE GLOBECOM,
Disneyland Hotel, Anaheim, California, USA;
http://www.icsd.aegean.gr/ccsl/mansec-cc/
12/ 9/12-12/14/12: LISA, 26th Large Installation System Administration
Conference,
San Diego, CA, USA;
http://www.usenix.org/lisa12/
12/15/12-12/19/12: ICISS, 8th International Conference on Information Systems
Security, Guwahati, India;
http://www.iitg.ernet.in/iciss2012/
1/ 7/13- 1/10/13: HICSS-CSS, 46th HAWAII International Conference on System
Sciences, Internet and the Digital Economy Track,
Cybercrime and Security Strategy Mini-track,
Grand Wailea, Maui, Hawaii, USA;
http://www.hicss.hawaii.edu/hicss_46/apahome46.htm
2/18/13- 2/20/13: CODASPY, 3rd ACM Conference on Data and Application Security
and Privacy,
San Antonio, Texas, USA; http://www.codaspy.org
2/24/13- 2/27/13: NDSS, 20th Annual Network and Distributed System Security
Symposium,
Catamaran Resort Hotel and Spa San Diego, California, USA;
http://www.internetsociety.org/events/ndss-symposium-2013
2/27/13- 3/ 1/13: ESSoS, 5th International Symposium on Engineering Secure
Software and Systems, Paris, France;
http://distrinet.cs.kuleuven.be/events/essos2013/
4/ 1/13- 4/ 5/13: FC, 17th International Conference on Financial Cryptography
and Data Security,
Bankoku Shinryokan, Busena Terrace Beach Resort, Okinawa, Japan;
http://fc13.ifca.ai/cfp.html
4/ 8/13- 4/ 9/13: IDMAN, 3rd IFIP WG 11.6 Working Conference on
Policies & Research in Identity Management,
London, UK; http://www.idman2013.com
5/23/13- 5/24/13: SPW (Call for Workshop proposals), 2nd IEEE CS Security and
Privacy Workshops,
Co-located with the IEEE Symposium on Security and Privacy (SP 2013),
Westin St. Francis Hotel, San Francisco, CA, USA;
http://www.codaspy.org
____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers
(new since Cipher E108)
___________________________________________________________________
NDSS 2013 20th Annual Network and Distributed System Security Symposium,
Catamaran Resort Hotel and Spa San Diego, California, USA, February 24-27, 2013.
(Submissions due 1 August 2012)
http://www.internetsociety.org/events/ndss-symposium-2013
The Network and Distributed System Security Symposium fosters information
exchange among researchers and practitioners of network and distributed
system security. The target audience includes those interested in practical
aspects of network and distributed system security, with a focus on actual
system design and implementation. A major goal is to encourage and enable
the Internet community to apply, deploy, and advance the state of available
network and distributed systems security technologies. Special emphasis
will be made to accept papers in the core theme of network and distributed
systems security. Consequently, papers that cover networking protocols and
distributed systems algorithms are especially invited to be submitted.
Moreover, practical papers in these areas are also very welcome. Submissions
are solicited in, but not limited to, the following areas:
- Anti-malware techniques: detection, analysis, and prevention
- Combating cyber-crime: anti-phishing, anti-spam, anti-fraud techniques
- Future Internet architecture and design
- High-availability wired and wireless networks
- Implementation, deployment and management of network security policies
- Integrating security in Internet protocols: routing, naming, network
management
- Intellectual property protection: protocols, implementations, metering,
watermarking, digital rights management
- Intrusion prevention, detection, and response
- Privacy and anonymity technologies
- Public key infrastructures, key management, certification, and revocation
- Special problems and case studies: e.g., tradeoffs between security and
efficiency, usability, reliability and cost
- Security for collaborative applications: teleconferencing and
video-conferencing
- Security for Cloud Computing
- Security for electronic commerce: e.g., payment, barter, EDI, notarization,
timestamping, endorsement, & licensing
- Security for emerging technologies: sensor networks, wireless/mobile
(and ad hoc) networks, and personal communication systems
- Security for future home networks, Internet of Things, body-area networks
- Security for large-scale systems and critical infrastructures (e.g.,
electronic voting, smart grid)
- Security for peer-to-peer and overlay network systems
- Security for Vehicular Ad-hoc Networks (VANETs)
- Security of Web-based applications and services
- Trustworthy Computing mechanisms to secure network protocols and
distributed systems
-------------------------------------------------------------------------
eCrime-Summit 2012 7th IEEE eCrime Researchers Summit,
Held in conjunction with the 2012 APWG General Meeting,
Las Croabas, Puerto Rico, October 23-24, 2012.
(Submissions due 3 August 2012)
http://ecrimeresearch.org
eCRS 2012 will bring together academic researchers, security practitioners,
and law enforcement to discuss all aspects of electronic crime and ways to
combat it. Topics of interest include (but are not limited to):
- Case studies of current attack methods, including phishing, malware,
rogue antivirus, pharming, crimeware, botnets, and emerging techniques
- Case studies of online advertising fraud, including click fraud,
malvertising, cookie stuffing, and affiliate fraud
- Case studies of large-scale take-downs, such as coordinated botnet disruption
- Technical, legal, political, social and psychological aspects of fraud and
fraud prevention
- Economics of online crime, including measurement studies of underground
economies and models of e-crime
- Uncovering and disrupting online criminal collaboration and gangs
- Financial infrastructure of e-crime, including payment processing and money
laundering
- Techniques to assess the risks and yields of attacks and the effectiveness of
countermeasures
- Delivery techniques, including spam, voice mail, social network and web search
manipulation; and countermeasures
- Techniques to avoid detection, tracking and take-down; and ways to block such
techniques
- Best practices for detecting and avoiding damages to critical internet
infrastructure, such as DNS and SCADA, from electronic crime activities
-------------------------------------------------------------------------
INSCRYPT 2012 8th China International Conference on Information Security
and Cryptology, Beijing, China, November 28 - December 1, 2012.
(Submissions due 20 August 2012)
http://inscrypt2012.im.pwr.wroc.pl/2012/Inscrypt_2012.html
Inscrypt 2012 seeks high-quality research contributions in the form of well
developed papers. Topics of interest encompass research advances in ALL areas
of information security, cryptology, and their applications:
- Access Control
- Authentication and Authorization
- Biometric security
- Block cipher modes of operation
- Cloud computing security
- Database security
- Digital asset security and protection
- Electronic Commerce Security
- Foundations of Cryptography
- Hash functions and MACs
- Information Hiding and Watermarking
- Intrusion Detection
- Key Management and Key Recovery
- Mobile network Security
- Network Security
- Operating system security
- Privacy protection
- Risk evaluation and security modeling
- Secret Key and Public Key Cryptography
- Security issues in Internet of Things
- Security and Cryptographic Protocols
- Software security and protection
- System security
-------------------------------------------------------------------------
CODASPY 2013 3rd ACM Conference on Data and Application Security and Privacy,
San Antonio, Texas, USA, February 18-20, 2013.
(Submissions due 31 August 2012)
http://www.codaspy.org
Data and applications security and privacy has rapidly expanded as a research
field with many important challenges to be addressed. The goal of the ACM
Conference on Data and Applications Security (CODASPY) is to discuss novel,
exciting research topics in data and application security and privacy and to
lay out directions for further research and development in this area. The
conference seeks paper and poster submissions from diverse communities,
including corporate and academic researchers, open-source projects,
standardization bodies, governments, system and security administrators,
software engineers and application domain experts. Topics of interest
include, but are not limited to:
- Application-layer security policies
- Access control for applications
- Access control for databases
- Data-dissemination controls
- Data forensics
- Enforcement-layer security policies
- Privacy-preserving techniques
- Private information retrieval
- Search on protected/encrypted data
- Secure auditing
- Secure collaboration
- Secure data provenance
- Secure electronic commerce
- Secure information sharing
- Secure knowledge management
- Secure multiparty computations
- Secure software development
- Securing data/apps on untrusted platforms
- Securing the semantic web
- Security and privacy in GIS/spatial data
- Security and privacy for mobile apps and devices
- Security and privacy in healthcare
- Security policies for databases
- Social computing security and privacy
- Social networking security and privacy
- Trust metrics for applications, data, and users
- Usable security and privacy
- Web application security
-------------------------------------------------------------------------
ESSoS 2013 5th International Symposium on Engineering Secure Software and
Systems, Paris, France, February 27 - March 1, 2013.
(Submissions due 30 September 2012)
http://distrinet.cs.kuleuven.be/events/essos2013/
Trustworthy, secure software is a core ingredient of the modern world. Hostile,
networked environments, like the Internet, can allow vulnerabilities in
software to be exploited from anywhere. To address this, high-quality
security building blocks (e.g., cryptographic components) are necessary,
but insufficient. Indeed, the construction of secure software is
challenging because of the complexity of modern applications, the growing
sophistication of security requirements, the multitude of available
software technologies and the progress of attack vectors. Clearly, a
strong need exists for engineering techniques that scale well and that
demonstrably improve the software's security properties. The goal of this
symposium is to bring together researchers and practitioners to advance the
states of the art and practice in secure software engineering. Being one of
the few conference-level events dedicated to this topic, it explicitly aims
to bridge the software engineering and security engineering communities,
and promote cross-fertilization. The Symposium seeks submissions on subjects
related to its goals. This includes a diversity of topics including (but not
limited to):
- scalable techniques for threat modeling and analysis of vulnerabilities
- specification and management of security requirements and policies
- security architecture and design for software and systems
- model checking for security
- specification formalisms for security artifacts
- verification techniques for security properties
- systematic support for security best practices
- security testing
- security assurance cases
- programming paradigms, models and DSLs for security
- program rewriting techniques
- processes for the development of secure software and systems
- security-oriented software reconfiguration and evolution
- security measurement
- automated development
- trade-off between security and other non-functional requirements
(in particular economic considerations)
- support for assurance, certification and accreditation
- empirical secure software engineering
-------------------------------------------------------------------------
IEEE Network Magazine,
Special Issue on Security in Cognitive Radio Networks,
May 2013,
(Submission Due 1 October 2012)
http://www.comsoc.org/files/Publications/Magazines/ni/cfp/cfpnetwork0513.htm
Editors: Kui Ren (Illinois Institute of Technology, USA),
Haojin Zhu (Shanghai Jiao Tong University, USA),
Zhu Han (University of Houston, USA),
and Radha Poovendran (University of Washington, USA)
Cognitive radio (CR) is an emerging advanced radio technology in
wireless access, with many promising benefits including dynamic
spectrum sharing, robust cross-layer adaptation, and collaborative
networking. Based on a software-defined radio (SDR), cognitive radios
are fully programmable and can sense their environment and dynamically
adapt their transmission frequencies, power levels, modulation
schemes, and networking protocols for improving network and
application performance. It is anticipated that cognitive radio
technology will be the next wave of innovation in information and
communications technologies. Although the recent years have seen major
and remarkable developments in the field of cognitive networking
technologies, the security aspects of cognitive radio networks have
attracted less attention so far. Due to the particular characteristics
of the CR system, entirely new classes of security threats and
challenges are introduced such as licensed user emulation, selfish
misbehaviors and unauthorized use of spectrum bands. These new types
of attacks take advantage of the inherent characteristics of CR, and
could severely disrupt the basic functionalities of CR
systems. Therefore, for achieving successful deployment of CR
technologies in practice, there is a critical need for new security
designs and implementations to make CR networks secure and robust
against these new attacks. Topics of interest include, but are not
limited to:
- General security architecture for CR networks
- Cross-layer security design of CR networks
- Secure routing in multi-hop CR networks
- Physical layer security for CR networks
- Geo-location for security in CR networks
- Defending and mitigating jamming-based DoS attacks in CR networks
- Defending against energy depletion attacks in resource-constrained CR networks
- Attack modeling, prevention, mitigation, and defense in CR systems,
including primary user emulation attacks, authentication methods of primary
users, spectrum sensing data falsification, spectrum misusage and selfish
misbehaviors and unauthorized use of spectrum bands
- Methods for detecting, isolating and expelling misbehaving cognitive nodes
- Security policies, standards and regulations for CR networks
- Implementation and testbed for security evaluation in CR systems
- Privacy protection in CR networks
- Security issues for database-based CR networks
- Security in CR networks for the smart grid
- Intrusion detection systems in CR networks
-------------------------------------------------------------------------
FC 2013 17th International Conference on Financial Cryptography and Data
Security,
Bankoku Shinryokan, Busena Terrace Beach Resort, Okinawa, Japan,
April 1-5, 2013.
(Submissions due 13 October 2012)
http://fc13.ifca.ai/cfp.html
Financial Cryptography and Data Security is a major international forum for
research, advanced development, education, exploration, and debate regarding
information assurance, with a specific focus on commercial contexts. The
conference covers all aspects of securing transactions and systems. Original
works focusing on both fundamental and applied real-world deployments on all
aspects surrounding commerce security are solicited. Submissions need not be
exclusively concerned with cryptography. Systems security and
inter-disciplinary efforts are particularly encouraged. Topics include:
- Anonymity and Privacy
- Auctions and Audits
- Authentication and Identification
- Biometrics
- Certification and Authorization
- Cloud Computing Security
- Commercial Cryptographic Applications
- Data Outsourcing Security
- Information Security
- Game Theoretic Security
- Securing Emerging Computational Paradigms
- Identity Theft
- Fraud Detection
- Phishing and Social Engineering
- Digital Rights Management
- Digital Cash and Payment Systems
- Digital Incentive and Loyalty Systems
- Microfinance and Micropayments
- Contactless Payment and Ticketing Systems
- Secure Banking and Financial Web Services
- Security and Privacy in Mobile Devices and Applications
- Security and Privacy in Automotive and Transport Systems and Applications
- Smartcards, Secure Tokens and Secure Hardware
- Privacy-enhancing Systems
- Reputation Systems
- Security and Privacy in Social Networks
- Security and Privacy in Sound and Secure Financial Systems Based on
Social Networks
- Risk Assessment and Management
- Risk Perceptions and Judgments
- Legal and Regulatory Issues
- Security Economics
- Spam
- Transactions and Contracts
- Trust Management
- Underground-Market Economics
- Usable Security
- Virtual Economies
- Voting Systems
-------------------------------------------------------------------------
IDMAN 2013 3rd IFIP WG 11.6 Working Conference on Policies & Research in
Identity Management, London, UK, April 8-9, 2013.
(Submissions due 26 October 2012)
http://www.idman2013.com
The IDMAN conference focuses on the theory, technologies and applications of
identity management. The world of the 21st century is, more than ever, global
and impersonal. As a result of increasing cyber fraud and cyber terrorism,
the demand for better technical methods of identification is growing, not
only in companies and organisations but also in the world at large. Moreover,
in our society digital identities increasingly play a role in the provision
of eGovernment and eCommerce services. For practical reasons, Identity
Management Systems are needed that are usable and interoperable. At the
same time, individuals increasingly leave trails of personal data when
using the Internet, which allows them to be profiled and which may be
stored for many years to come. Technical trends such as Cloud Computing
and pervasive computing make personal data processing non-transparent, and
make it increasingly difficult for users to control their personal spheres.
As part of this tendency, surveillance and monitoring are increasingly
present in society, both in the public and private domains. Whilst the
original intention is to contribute to security and safety, surveillance
and monitoring might, in some cases, have unintended or even contradictory
effects. Moreover, the omnipresence of surveillance and monitoring systems
might directly conflict with public and democratic liberties. These
developments raise substantial new challenges for privacy and identity
management at the technical, social, ethical, regulatory, and legal levels.
Identity management challenges the information security research community
to focus on interdisciplinary and holistic approaches, while retaining the
benefits of previous research efforts. Papers offering research
contributions to the area of identity management are solicited for
submission to the 3rd IFIP WG-11.6 IDMAN conference. Papers may present
theory, applications or practical experience in the field of identity
management, from a technical, legal or socio-economic perspective,
including, but not necessarily limited to:
- Novel identity management technologies and approaches
- Interoperable identity management solutions
- Privacy-enhancing technologies
- Identity management for mobile and ubiquitous computing
- Identity management solutions for eHealth, eGovernment and eCommerce
- Privacy and Identity (Management) in and for cloud computing
- Privacy and Identity in social networks
- Risk analysis techniques for privacy risk and privacy impact assessment
- Privacy management of identity management
- Identity theft prevention
- Attribute based authentication and access control
- User-centric identity management
- Legal, socio-economic, philosophical and ethical aspects
- Impact on society and politics
- Related developments in social tracking, tracing and sorting
- Quality of identity data, processes and applications
- User centered, usable and inclusive identity management
- Attacks on identity management infrastructures
- Methods of identification and authentication
- Identification and authentication procedures
- Applications of anonymous credentials
- (Privacy-preserving) identity profiling and fraud detection
- Government PKIs
- (Possible) role of pseudonymous and anonymous identity in identity
management
- Electronic IDs: European and worldwide policies and cooperation in the
field of identity management
- Surveillance and monitoring
- (Inter)national policies on unique identifiers / social security
numbers / personalisation IDs
- Vulnerabilities in electronic identification protocols
- Federative identity management and de-perimeterisation
- Biometric verification
- (Inter)national applications of biometrics
- Impersonation, identity fraud, identity forgery and identity theft
- Tracing, monitoring and forensics
- Proliferation/omnipresence of identification
- Threats to democracy and political control
-------------------------------------------------------------------------
Springer International Journal of Information Security journal,
Special Issue on Security in Cloud Computing, Fall 2013,
(Submission Due 10 November 2012)
http://www.springer.com/computer/security+and+cryptology/journal/10207
Editors: Stefanos Gritzalis (University of the Aegean, Greece),
Chris Mitchell (Royal Holloway, University of London, UK),
Bhavani Thuraisingham (University of Texas at Dallas, USA),
and Jianying Zhou (Institute for Infocomm Research, Singapore)
This special issue of the International Journal of Information Security aims
at providing researchers and professionals with insights on the
state-of-the-art in Security in Cloud Computing. It will publish original,
novel and high quality research contributions from industry, government,
business, and academia. Topics of interest may include (but are not limited to)
one or more of the following themes:
- Auditing in Cloud Computing
- Business and security risk models
- Cloud Infrastructure Security
- Cloud-centric security modeling and threats
- Copyright protection in the Cloud era
- Cryptography in the Cloud era
- Emerging threats in Cloud-based services
- Forensics in Cloud environments
- Legal and regulatory issues in the Cloud era
- Multi-tenancy related security/privacy issues
- Performance evaluation for security solutions
- Privacy in Cloud computing
- Secure identity management mechanisms
- Secure job deployment and scheduling
- Secure virtualization and resource allocation mechanisms
- Securing distributed data storage in the Cloud
- Security and privacy in big data management
- Security and privacy in mobile Cloud
- Security and privacy requirements engineering in the Cloud
- Security for emerging Cloud programming models
- Security management in the Cloud
- Security modelling and threats in Cloud computing
- Trust and policy management in the Cloud
- User authentication and access control in Cloud-aware services
____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________
SUBSCRIPTIONS:
Two subscription options, each available in two ways:
1. To receive the full ascii CIPHER issues as e-mail, send e-mail to
cipher-admin@ieee-security.org (which is NOT automated) with subject line
"subscribe".
OR
send a note to cipher-request@mailman.xmission.com with the
subject line "subscribe"
(this IS automated - thereafter you can manage your subscription
options, including unsubscribing, yourself)
2. To receive a short e-mail note announcing when a new issue of
CIPHER is available for Web browsing send e-mail to
cipher-admin@ieee-security.org (which is NOT automated) with subject line
"subscribe postcard".
OR
send a note to cipher-postcard-request@mailman.xmission.com with the
subject line "subscribe"
(this IS automated - thereafter you can manage your subscription
options, including unsubscribing, yourself)
To remove yourself from the subscription list, send e-mail to
cipher-admin@ieee-security.org with subject line "unsubscribe" or
"unsubscribe postcard" or, if you have subscribed directly to the
xmission.com mailing list, use your password (sent monthly) to
unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard
Those with access to hypertext browsers may prefer to read Cipher
that way. It can be found at URL http://www.ieee-security.org/cipher.html
CONTRIBUTIONS:
to cipher @ ieee-security.org are invited. Cipher is a NEWSletter,
not a bulletin board or forum. It has a fixed set of departments,
defined by the Table of Contents. Please indicate in the
subject line for which department your contribution is intended.
Calendar and Calls-for-Papers entries should be sent to
cipher-cfp @ ieee-security.org
and they will be automatically included in both departments. To
facilitate the semi-automated handling, please send either a text
version of the CFP or a URL from which a text version can be easily
obtained. For Calendar entries, please include a URL and/or e-mail
address for the point-of-contact. For Calls for Papers, please submit
a one paragraph summary. See this and past issues for examples. ALL
CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS
APPLY. All reuses of Cipher material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy,
publications using Cipher material should obtain permission from the
contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________
Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html
_____________________________________________________________________
How to become a member of the
IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________
You may easily join the TC on Security & Privacy by completing
the on-line form at IEEE at http://www.computer.org/TCsignup/index.htm
______________________________________________________________________
TC Publications for Sale
______________________________________________________________________
IEEE Security and Privacy Symposium
The 2010 hardcopy proceedings are available at $25 each. The DVD with all
technical papers from all years of the SP Symposium and the CSF
Symposium (through 2009) is $10, plus shipping and handling.
The 2009 hardcopy proceedings are not available. The DVD with all
technical papers from all years of the SP Symposium and the CSF
Symposium is $5, plus shipping and handling.
The 2008 hardcopy proceedings are $10 plus shipping and handling;
the 29 year CD is $5.00, plus shipping and handling.
The 2007 proceedings are available in hardcopy for $10.00, the
28 year CD is $5.00, plus shipping and handling.
The 2006 Symposium proceedings and 11-year CD are sold out.
The 2005, 2004, and 2003 Symposium proceedings are available for $10
plus shipping and handling.
Shipping is $5.00/volume within the US, overseas surface mail is
$8/volume, and overseas airmail is $14/volume, based on an order of 3
volumes or less. The shipping charge for a CD is $3 per CD (no charge
if included with a hard copy order). Send a check made out to the
IEEE Symposium on Security and Privacy to the 2011 treasurer (below)
with the order description, including shipping method and shipping
address.
Robin Sommer
Treasurer, IEEE Symposium Security and Privacy 2011
International Computer Science Institute
Center for Internet Research
1947 Center St., Suite 600
Berkeley, CA 94704
USA
oakland11-treasurer@ieee-security.org
IEEE CS Press
You may order some back issues from IEEE CS Press at
http://www.computer.org/cspress/catalog/proc9.htm
Computer Security Foundations Symposium
Copies of the proceedings of the Computer Security Foundations
Workshop (now Symposium) are available for $10 each. Copies of
proceedings are available starting with year 10 (1997). Photocopy
versions of year 1 are also $10.
Contact Jonathan Herzog if interested in purchase.
Jonathan Herzog
jherzog@alum.mit.edu
____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________
Chair:
Sven Dietrich
Department of Computer Science
Stevens Institute of Technology
+1 201 216 8078
spock AT cs.stevens.edu

Security and Privacy Symposium Chair Emeritus:
Robert Cunningham
MIT Lincoln Laboratories
http://www.ll.mit.edu/mission/communications/ist/biographies/cunningham-bio.html

Vice Chair:
Patrick McDaniel
Computer Science and Engineering
Pennsylvania State University
360 A IST Building
University Park, PA 16802
(814) 863-3599
mcdaniel@cse.psu.edu

Treasurer:
Terry Benzel
USC Information Sciences Intnl
4676 Admiralty Way, Suite 1001
Los Angeles, CA 90292
(310) 822-1511 (voice)
tbenzel @isi.edu

Newsletter Editor and TC Awards Chair:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2013 Chair:
Robin Sommer
http://www.icir.org/robin
________________________________________________________________________
BACK ISSUES:
Cipher is archived at: http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year