============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 111                                    November 19, 2012

Hilarie Orman, Editor                     Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org         cipher-assoc-editor @ ieee-security.org

Richard Austin                            Yong Guan
Book Review Editor                        Calendar Editor
cipher-bookrev @ ieee-security.org        cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * Commentary and Opinion
     o Richard Austin's review of "Advanced Penetration Testing for Highly
       Secured Environments: The Ultimate Security Guide" by Lee Allen
     o Book reviews, Conference Reports and Commentary and News items from
       past Cipher issues are available at the Cipher website
 * News Items
     o US Banks DoSed
     o Spyware vs. Dissidents
 * Conference and Workshop Announcements
     o Calendar of Events
     o Upcoming calls-for-papers and events
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Staying in Touch
     o Information for subscribers and contributors
     o Recent address changes - Kevin Fu
 * Links for the IEEE Computer Society TC on Security and Privacy
     o Becoming a member of the TC
     o TC Officers
     o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

For this 2012 winter issue of Cipher we have a book review from Richard
Austin covering the arcane subject of penetration testing. This is a white
hat activity that draws on black hat knowledge, and its elevation to a
profession makes it worthy of an interesting book.

In the popular press we have been reading about the odd attempt of the US
CIA head to achieve communications security through the obscurity of a
Gmail account's draft folder. This weak subterfuge proved to be his
professional undoing. The Internet seems alluringly opaque, but privacy
is largely an illusion. Information escapes confinement like tunneling
quanta.

Cybersecurity is a growing field, and this issue of Cipher lists several
academic institutions' openings for faculty members. The size and number
of conferences is ever increasing, and there are prestigious venues for
publication in every month of the year. Submit a paper, attend a
conference, keep up with a field that pervades our modern lives.

Be thankful for your servers that haven't been hacked,

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference
reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Richard Austin
November 12, 2012
Advanced Penetration Testing for Highly Secured Environments:
The Ultimate Security Guide
by Lee Allen
____________________________________________________________________

Packt Publishing 2012.
ISBN 978-1-84951-774-4
amazon.com USD 59.99
Table of Contents:
http://www.packtpub.com/advanced-penetration-testing-for-highly-secured-environments/book

Penetration testing is definitely one of the high profile "glory"
activities in information security today - the tests can seemingly create
intrusions out of thin air that wriggle their way through our carefully
designed defenses to remind us that we're really nowhere near as secure as
we thought. However, the practice has always been a guild-governed art
with limited information on operations beyond the shelves of books on
exploiting software and other technical accoutrements. Allen has taken
the dialog much further with an excellent overview of the penetration
testing process from the planning steps of the engagement through the
test itself and reporting results.

The book opens with a very insightful chapter on the planning process for
a penetration test that includes good advice on working with the client
to determine scope, test objectives and limitations. The need for
meticulous documentation is addressed early with introductions to
MagicTree and the Dradis framework (quite useful when a team is carrying
out the test). Back|Track is the toolbox used throughout the book and
Allen wastes no time in getting the reader started by installing it in a
virtual machine for use in the numerous exercises that occur in later
chapters.

The following two chapters follow the natural progression of
reconnaissance and target selection. With targets and their
vulnerabilities identified, the next three chapters delve into the
details of exploiting those vulnerabilities. Allen makes the solid point
that identifying a vulnerability is one thing but actually using it to,
for example, open a root-level shell provides solid verification to the
client that a serious weakness exists.

Chapter 7, "Post Exploitation", is unique in that it recognizes that our
adversaries' objective is not limited to just identifying and exploiting
vulnerabilities but rather to accomplish some objective (capture
credentials, access confidential information, etc.). He wisely observes
that the penetration tester, unlike an actual adversary, is limited by
the scope of her contract (e.g., is data modification allowed or can a
persistent backdoor be created) and she must have negotiated these limits
in advance during the planning process.

Chapter 8, "Bypassing Firewalls and Avoiding Detection", covers how to
negotiate the defensive lines of the target while remaining below the
detection threshold. This is an important chapter because many
organizations do have good defenses in place and a successful penetration
may involve negotiating multiple defensive layers to reach the actual
target.

Chapter 9 covers the critical task of documenting the test and reporting
the findings to the client. Too often the results of a well-performed
penetration test are ignored by the client due to poorly communicated
results that fail to convincingly convey the results of the test in such
a way as to motivate the client to take action.

The final two chapters cover setting up a virtual lab environment for
training and a walkthrough of an actual penetration test.

This is an applied book for the technical security professional and will
require significant time to set up and work through the many examples.
Allen does not sugar-coat the process and the reader will have
opportunities to experience and work through/around the quirks of the
tools that sometimes seem to be the larger part of performing the
technical portions of the test. The exercises do seem to be a bit
disjoint at times and would have benefited from a clearer progression
from one to the other. But looping back and starting over is something
the professional penetration tester has to do quite often, so Allen may
have written the book this way quite deliberately. Working through the
exercises also provides a solid introduction to the cornucopia of tools
available in Back|Track and how they fit together to accomplish the goals
of the penetration test.

Definitely a recommended read for the technical information security
professional who might also want to share some of the sage advice on how
to scope and plan for a penetration test with more managerially focused
professionals.

--------------------------------------------------------
It has been said "of making many books there is no end; and much study is
a weariness of the flesh" so Richard Austin (http://cse.spsu.edu/raustin2)
fearlessly samples the wares of the publishing houses and shares his
opinion as to which might profitably occupy your scarce reading time. He
welcomes your thoughts and comments via raustin at ieee dot org

====================================================================
News Briefs
====================================================================

Attacks on 6 Banks Frustrate Customers
New York Times, September 30, 2012
http://www.nytimes.com/2012/10/01/business/cyberattacks-on-6-american-banks-frustrate-customers.html?_r=2&
by Nicole Perlroth

Five major US banks were the targets of denial of service attacks from
sources that have not been identified. Frustrated users were shut off
from their online banking.

--------------------------------------
Ahead of Spyware Conference, More Evidence of Abuse
New York Times, October 10, 2012
http://bits.blogs.nytimes.com/2012/10/10/ahead-of-spyware-conference-more-evidence-of-abuse/?src=recg
By Nicole Perlroth

There is more evidence that spyware has been used by governments to keep
an eye on suspected dissidents. The commercially produced software was
not advertised for this purpose.
-------------------------------------
News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Listing of academic positions available by
Cynthia Irvine
====================================================================

Recent additions:

Posted Oct 2012
California State University Long Beach
Long Beach, California
Assistant Professor
Closing Date: Jan 15, 2013 open until filled
http://www.csulb.edu/divisions/aa/personnel/jobs/posting/1070/index.html

Posted Oct 2012
Dartmouth
Hanover, New Hampshire
Assistant Professor
Closing date: Jan 1, 2013
http://www.cs.dartmouth.edu/site-content/site/assistant-professor-position-2012-2013.php

Posted Oct 2012
Naval Postgraduate School, Cyber Academic Group
Linthicum, Maryland
Research Associate
Open until filled
http://www.nps.edu/Academics/Schools/GSOIS/Departments/CyberAcademicGroup.html

Posted Oct 2012
University of Helsinki, Department of Computer Science
Helsinki, Finland
Postdoctoral Researcher
Closing Date: Dec 1, 2012
http://www.helsinki.fi/recruitment/index.html?id=59816

Posted Oct 2012
U.S. Naval Academy
Annapolis, Maryland
Tenure-track faculty - all ranks
Open until filled
http://www.usna.edu/CS/jobs/jobAdCS_AY13_2.pdf

Posted Sep 2012
Naval Postgraduate School
Monterey, California
CS Department Faculty Positions
Open until filled
http://www.nps.edu/Academics/Schools/GSOIS/Departments/CS/Faculty/Openings/CSFacultyOpenings.html

Posted Sep 2012
Digital Security - Radboud University Nijmegen
Nijmegen, The Netherlands
Tenure track Assistant Professor
Closes October 15, 2012
"http://www.pz.science.ru.nl/WP/2011.12/Tenure Track to Assistent Professor at the Faculty of Science dec 2011.pdf"

--------------
Received by Cipher, not included on NPS website:

Virginia Tech
National Capital Region
Associate Professor
Screening begins Dec. 31, 2012
http://www.cs.vt.edu/FacultySearch

--------------
Full list: http://cisr.nps.edu/jobscipher.html

This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to
have it included on this page, send the following information:
Institution, City, State, Position title, date position announcement
closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events
maintained by Hilarie Orman

Date (Month/Day/Year), Event, Locations, web page for more info.
11/21/12-11/23/12: NSS, 6th International Conference on Network and System
    Security, Wu Yi Shan, Fujian, China;
    http://anss.org.au/nss2012/index.html
11/28/12-12/ 1/12: INSCRYPT, 8th China International Conference on
    Information Security and Cryptology, Beijing, China;
    http://inscrypt2012.im.pwr.wroc.pl/2012/Inscrypt_2012.html
12/ 2/12-12/ 5/12: WIFS, IEEE International Workshop on Information
    Forensics and Security, Tenerife, Spain; http://www.wifs12.org/
12/ 3/12: ASIACCS, 8th ACM Symposium on Information, Computer and
    Communications Security, Hangzhou, China;
    http://hise.hznu.edu.cn/asiaccs/index.html; Submissions are due
12/ 3/12: ISPEC, 9th Information Security Practice and Experience
    Conference, Lanzhou, China; http://icsd.i2r.a-star.edu.sg/ispec2013/;
    Submissions are due
12/ 3/12-12/ 7/12: ACSAC, 28th Annual Computer Security Applications
    Conference, Buena Vista Palace Hotel & Spa in the Walt Disney World
    Resort, Florida, USA; http://www.acsac.org
12/ 3/12-12/ 7/12: MANSEC-CC, 1st International workshop on Management and
    Security technologies for Cloud Computing, Held in conjunction with the
    2012 IEEE GLOBECOM, Disneyland Hotel, Anaheim, California, USA;
    http://www.icsd.aegean.gr/ccsl/mansec-cc/
12/ 9/12-12/14/12: LISA, 26th Large Installation System Administration
    Conference, San Diego, CA, USA; http://www.usenix.org/lisa12/
12/10/12: HOST, IEEE International Symposium on Hardware-oriented Security
    and Trust, Austin Convention Center, Austin, TX, USA;
    http://www.hostsymposium.org/; Submissions are due
12/15/12: NSS, 7th International Conference on Network and System Security,
    Madrid, Spain; http://anss.org.au/nss2013/index.htm; Submissions are due
12/15/12-12/19/12: ICISS, 8th International Conference on Information
    Systems Security, Guwahati, India; http://www.iitg.ernet.in/iciss2012/
12/31/12: IFIP1110-CIP, 7th Annual IFIP WG 11.10 International Conference
    on Critical Infrastructure Protection, Washington, DC, USA;
    http://www.ifip1110.org/Conferences/WG11-10CallForPapers2013.pdf;
    Submissions are due
 1/ 6/13: SACMAT, 18th ACM Symposium on Access Control Models and
    Technologies, Amsterdam, The Netherlands; http://www.sacmat.org/;
    Submissions are due
 1/ 7/13: SPW, 21st International Workshop on Security Protocols, Sidney
    Sussex College, Cambridge, England; http://spw.stca.herts.ac.uk/;
    Submissions are due
 1/ 7/13- 1/10/13: HICSS-CSS, 46th HAWAII International Conference on
    System Sciences, Internet and the Digital Economy Track, Cybercrime
    and Security Strategy Mini-track, Grand Wailea, Maui, Hawaii, USA;
    http://www.hicss.hawaii.edu/hicss_46/apahome46.htm
 1/25/13: IFIP-TM, 7th IFIP International Conference on Trust Management,
    Malaga, Spain; http://conf2013.ifiptm.org/; Submissions are due
 1/28/13- 1/30/13: IFIP119-DF, 9th Annual IFIP WG 11.9 International
    Conference on Digital Forensics, Orlando, Florida, USA;
    http://www.ifip119.org/Conferences/WG11-9-CFP-2013.pdf
 1/30/13: International Journal of Cloud Computing, Special Issue on
    Information Assurance and System Security in Cloud Computing;
    http://www.inderscience.com/info/ingeneral/cfp.php?id=1991;
    Submissions are due
 1/30/13: CSF, 26th IEEE Computer Security Foundations Symposium, Tulane
    University, New Orleans, Louisiana, USA; http://csf2013.seas.harvard.edu/;
    Submissions are due
 2/ 1/13: ACNS, 11th International Conference on Applied Cryptography and
    Network Security, Banff, Alberta, Canada;
    http://acns2013.cpsc.ucalgary.ca/; Submissions are due
 2/15/13: TRUST, 6th International Conference on Trust and Trustworthy
    Computing, London, UK; http://trust2013.sba-research.org;
    Submissions are due
 2/18/13- 2/20/13: CODASPY, 3rd ACM Conference on Data and Application
    Security and Privacy, San Antonio, Texas, USA; http://www.codaspy.org
 2/24/13- 2/27/13: NDSS, 20th Annual Network and Distributed System
    Security Symposium, Catamaran Resort Hotel and Spa, San Diego,
    California, USA; http://www.internetsociety.org/events/ndss-symposium-2013
 2/27/13- 3/ 1/13: ESSoS, 5th International Symposium on Engineering
    Secure Software and Systems, Paris, France;
    http://distrinet.cs.kuleuven.be/events/essos2013/
 3/ 1/13: CNS, 1st IEEE Conference on Communications and Network Security,
    Washington D.C., USA; http://www.ieee-cns.org; Submissions are due
 3/ 7/13: SOUPS, Symposium On Usable Privacy and Security, Northumbria
    University, Newcastle, UK; http://cups.cs.cmu.edu/soups/;
    Submissions are due
 3/18/13- 3/20/13: IFIP1110-CIP, 7th Annual IFIP WG 11.10 International
    Conference on Critical Infrastructure Protection, Washington, DC, USA;
    http://www.ifip1110.org/Conferences/WG11-10CallForPapers2013.pdf
 3/18/13- 3/20/13: SPW, 21st International Workshop on Security Protocols,
    Sidney Sussex College, Cambridge, England; http://spw.stca.herts.ac.uk/
 4/ 1/13- 4/ 5/13: FC, 17th International Conference on Financial
    Cryptography and Data Security, Bankoku Shinryokan, Busena Terrace
    Beach Resort, Okinawa, Japan; http://fc13.ifca.ai/cfp.html
 4/ 8/13- 4/ 9/13: IDMAN, 3rd IFIP WG 11.6 Working Conference on Policies
    & Research in Identity Management, London, UK; http://www.idman2013.com
 5/ 8/13- 5/10/13: ASIACCS, 8th ACM Symposium on Information, Computer and
    Communications Security, Hangzhou, China;
    http://hise.hznu.edu.cn/asiaccs/index.html
 5/12/13- 5/14/13: ISPEC, 9th Information Security Practice and Experience
    Conference, Lanzhou, China; http://icsd.i2r.a-star.edu.sg/ispec2013/
 5/19/13- 5/22/13: SP, 34th IEEE Symposium on Security and Privacy, San
    Francisco, California, USA; http://www.ieee-security.org/TC/SP2013/
 5/23/13- 5/24/13: SPW (Call for Workshop proposals), 2nd IEEE CS Security
    and Privacy Workshops, Co-located with the IEEE Symposium on Security
    and Privacy (SP 2013), Westin St. Francis Hotel, San Francisco, CA,
    USA; http://www.codaspy.org
 6/ 2/13- 6/ 3/13: HOST, IEEE International Symposium on Hardware-oriented
    Security and Trust, Austin Convention Center, Austin, TX, USA;
    http://www.hostsymposium.org/
 6/ 3/13- 6/ 4/13: NSS, 7th International Conference on Network and System
    Security, Madrid, Spain; http://anss.org.au/nss2013/index.htm
 6/ 3/13- 6/ 7/13: IFIP-TM, 7th IFIP International Conference on Trust
    Management, Malaga, Spain; http://conf2013.ifiptm.org/
 6/12/13- 6/14/13: SACMAT, 18th ACM Symposium on Access Control Models and
    Technologies, Amsterdam, The Netherlands; http://www.sacmat.org/
 6/17/13- 6/19/13: TRUST, 6th International Conference on Trust and
    Trustworthy Computing, London, UK; http://trust2013.sba-research.org
 6/25/13- 6/28/13: ACNS, 11th International Conference on Applied
    Cryptography and Network Security, Banff, Alberta, Canada;
    http://acns2013.cpsc.ucalgary.ca/
 6/26/13- 6/28/13: CSF, 26th IEEE Computer Security Foundations Symposium,
    Tulane University, New Orleans, Louisiana, USA;
    http://csf2013.seas.harvard.edu/
 7/24/13- 7/26/13: SOUPS, Symposium On Usable Privacy and Security,
    Northumbria University, Newcastle, UK; http://cups.cs.cmu.edu/soups/
10/14/13-10/16/13: CNS, 1st IEEE Conference on Communications and Network
    Security, Washington D.C., USA; http://www.ieee-cns.org

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers (new since Cipher E110)
Maintained by Yong Guan
___________________________________________________________________

ASIACCS 2013
8th ACM Symposium on Information, Computer and Communications Security,
Hangzhou, China, May 8-10, 2013.
(Submissions due 3 December 2012) http://hise.hznu.edu.cn/asiaccs/index.html ASIACCS is a major international forum for information security researchers, practitioners, developers, and users to explore and exchange the newest cyber security ideas, breakthroughs, findings, techniques, tools, and experiences. We invite submissions from academia, government, and industry presenting novel research on all theoretical and practical aspects of computer and network security. Areas of interest for ASIACCS 2013 include, but are not limited to: - access control - accounting and audit - applied cryptography - authentication - cloud computing security - data/system integrity - data and application security - digital rights management - formal methods for security - hardware-based security - identity management - inference control and disclosure - intrusion detection - key management - malware and botnets - mobile computing security - operating system security - phishing and countermeasures - privacy-enhancing technology - security architecture - security in ubiquitous computing - security management - security verification - smartcards - software security - trusted computing - usable security and privacy - wireless security - web security ------------------------------------------------------------------------- ISPEC 2013 9th Information Security Practice and Experience Conference, Lanzhou, China, May 12-14, 2013. (Submissions due 3 December 2012) http://icsd.i2r.a-star.edu.sg/ispec2013/ ISPEC is an annual conference that brings together researchers and practitioners to provide a confluence of new information security technologies, their applications and their integration with IT systems in various vertical sectors. Authors are invited to submit full papers presenting new research results related to information security technologies and applications. 
Areas of interest include, but are not limited to: - Access control - Applied cryptography - Availability, resilience, and usability - Cryptanalysis - Database Security - Digital rights management - Information security in vertical applications - Multimedia security - Network security - Privacy and anonymity - Risk evaluation and security certification - Security of smart cards and RFID systems - Security policies - Security protocols - Security systems - Trust model and management - Trusted computing ------------------------------------------------------------------------- HOST 2013 IEEE International Symposium on Hardware-oriented Security and Trust, Austin Convention Center, Austin, TX, USA, June 2-3, 2013. (Submissions due 10 December 2012) http://www.hostsymposium.org/ Pervasive computing is now penetrating a wider range of domains and applications, including many safety-critical cyber-physical systems that we increasingly depend on. Trusted hardware platforms make up the backbone for successful deployment and operation of these systems. However, recent advances in tampering and reverse engineering show that important challenges in guaranteeing the trust of these components await us. For example, malicious alterations inserted into electronic designs can allow for backdoors into the system. Furthermore, new forms of attacks that exploit side-channel signals are being developed. Third, intellectual-property protection is becoming a major concern in the globalized, horizontal semiconductor business model. HOST 2013 is a forum for novel solutions to address these challenges. Innovative test mechanisms may reveal Trojans in a design before they are able to do harm. Implementation attacks may be thwarted using side-channel resistant design or fault-tolerant designs. New security-aware design tools can assist a designer in implementing critical and trusted functionality, quickly and efficiently. 
The IEEE International Symposium on Hardware Oriented Security and Trust seeks original contributions in the area of hardware-oriented security. This includes tools, design methods, architectures, circuits, and novel applications of secure hardware. HOST 2013 seeks contributions based on, but not limited to, the following topics: - Counterfeit detection and avoidance - Cyber-physical security and trust - Trojan detection and isolation - Implementation attacks and countermeasures - Side channel analysis and fault analysis - Intellectual property protection and metering - Hardware architectures for cryptography - Hardware security primitives: PUFs and TRNGs - Reliability-security optimization and tradeoffs - Applications of secure hardware - Tools and methodologies for secure hardware design ------------------------------------------------------------------------- NSS 2013 7th International Conference on Network and System Security, Madrid, Spain, June 3-4, 2013. (Submissions due 15 December 2012) http://anss.org.au/nss2013/index.htm NSS is an annual international conference covering research in network and system security. The conference seeks submissions from academia, industry, and government presenting novel research on all theoretical and practical aspects of network security, privacy, applications security, and system security. Papers describing case studies, implementation experiences, and lessons learned are also encouraged. 
Topics of interest include but are not limited to: - Active Defense Systems - Adaptive Defense Systems - Analysis, Benchmark of Security Systems - Applied Cryptography - Authentication - Biometric Security - Complex Systems Security - Database and System Security - Data Protection - Data/System Integrity - Distributed Access Control - Distributed Attack Systems - Denial-of-Service - High Performance Network Virtualization - High Performance Security Systems - Hardware Security - Identity Management - Intelligent Defense Systems - Insider Threats - Intellectual Property Rights Protection - Internet and Network Forensics - Intrusion Detection and Prevention - Key Distribution and Management - Large-scale Attacks and Defense - Malware - Network Resiliency - Network Security - RFID Security and Privacy - Security Architectures - Security for Critical Infrastructures - Security in P2P systems - Security in Cloud and Grid Systems - Security in E-Commerce - Security in Pervasive/Ubiquitous Computing - Security and Privacy in Smart Grid - Security and Privacy in Wireless Networks - Secure Mobile Agents and Mobile Code - Security Policy - Security Protocols - Security Simulation and Tools - Security Theory and Tools - Standards and Assurance Methods - Trusted Computing - Trust Management - World Wide Web Security ------------------------------------------------------------------------- IFIP1110-CIP 2013 7th Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, Washington, DC, USA, March 18-20, 2013. (Submissions due 31 December 2012) http://www.ifip1110.org/Conferences/WG11-10CallForPapers2013.pdf The IFIP Working Group 11.10 on Critical Infrastructure Protection is an active international community of researchers, infrastructure operators and policy-makers dedicated to applying scientific principles, engineering techniques and public policy to address current and future problems in information infrastructure protection. 
Following the success of the first six conferences, the Seventh Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection will again provide a forum for presenting original, unpublished research results and innovative ideas related to all aspects of critical infrastructure protection. Papers and panel proposals are solicited. Submissions will be refereed by members of Working Group 11.10 and other internationally-recognized experts in critical infrastructure protection. Papers and panel submissions will be selected based on their technical merit and relevance to IFIP WG 11.10. The conference will be limited to seventy participants to facilitate interactions among researchers and intense discussions of research and implementation issues. A selection of papers from the conference will be published in an edited volume - the seventh in the series entitled Critical Infrastructure Protection (Springer) - in the fall of 2013. Revised and/or extended versions of outstanding papers from the conference will be published in the International Journal of Critical Infrastructure Protection (Elsevier). Papers are solicited in all areas of critical infrastructure protection. Areas of interest include, but are not limited to: - Infrastructure vulnerabilities, threats and risks - Security challenges, solutions and implementation issues - Infrastructure sector interdependencies and security implications - Risk analysis and risk assessment methodologies - Modeling and simulation of critical infrastructures - Legal, economic and policy issues related to critical infrastructure protection - Secure information sharing - Infrastructure protection case studies - Distributed control systems/SCADA security - Telecommunications network security ------------------------------------------------------------------------- SACMAT 2013 18th ACM Symposium on Access Control Models and Technologies, Amsterdam, The Netherlands, June 12-14, 2013. 
(Submissions due 6 January 2013) http://www.sacmat.org/ The ACM Symposium on Access Control Models and Technologies (SACMAT) continues the tradition, first established by the ACM Workshop on Role-Based Access Control, of being the premier forum for the presentation of research results and experience reports on leading edge issues of access control, including models, systems, applications, and theory. The missions of the symposium are to share novel access control solutions that fulfil the needs of heterogeneous applications and environments, and to identify new directions for future research and development. SACMAT provides researchers and practitioners with a unique opportunity to share their perspectives with others interested in the various aspects of access control. Papers offering novel research contributions in all aspects of access control are solicited for submission to the 18th ACM Symposium on Access Control Models and Technologies (SACMAT 2013). Topics of interest include but are not limited to: - Access control models and extensions - Access control requirements - Access control design methodology - Access control mechanisms, systems, and tools - Access control in distributed and mobile systems - Access control for innovative applications - Administration of access control policies - Economic models for access Control - Hardware enhanced access Control - Identity management - Policy/Role engineering - Safety analysis and enforcement - Standards for access control - Trust management - Trust and risk models in access control - Theoretical foundations for access control models - Usability in access control systems - Usage control ------------------------------------------------------------------------- SPW 2013 21st International Workshop on Security Protocols, Sidney Sussex College, Cambridge, England, March 18-20, 2013. 
(Submissions due 7 January 2013) http://spw.stca.herts.ac.uk/ The theme of this year's workshop is "What's Happening on the Other Channel?" Many protocols use a secondary channel, either explicitly (as in multichannel protocols) but more usually implicitly, for example to exchange master keys, or their hashes. The role of the Other Channel is fundamental, and often problematic, and yet protocol composers typically take them as a given. Sometimes the Other Channel really is completely covert, but sometimes it just has properties that are different. And it's not only security properties that are relevant here: bandwidth, latency and error rate are often important considerations too. Even a line-of-sight channel usually doesn't quite have the properties that we unthinkingly attributed to it. Moriarty has been subscribing to the Other Channel for years: perhaps it's time for Alice and Bob to tune in too. This theme is not intended to restrict the topic of your paper, but to help provide a particular perspective and to focus the discussions. Our intention is to stimulate discussion likely to lead to conceptual advances, or to promising new lines of investigation, rather than merely to consider finished work. ------------------------------------------------------------------------- IFIP-TM 2013 7th IFIP International Conference on Trust Management, Malaga, Spain, June 3-7, 2013. (Submissions due 25 January 2013) http://conf2013.ifiptm.org/ IFIPTM 2013 will be the 7th International Conference on Trust Management under the auspices of IFIP. The mission of the IFIPTM 2013 Conference is to share research solutions to problems of Trust and Trust management, and to identify new issues and directions for future research and development work. IFIPTM 2013 invites submissions presenting novel research on all topics related to Trust, Security and Privacy. 
-------------------------------------------------------------------------
International Journal of Cloud Computing, Special Issue on Information Assurance and System Security in Cloud Computing, Fall 2013.
(Submission Due 30 January 2013)
http://www.inderscience.com/info/ingeneral/cfp.php?id=1991
Editors: Yu Chen (Binghamton University, USA), Kai Hwang (University of Southern California, USA), Wei-Shinn Ku (Auburn University, USA), and Douglas Summerville (Binghamton University, USA)
Cloud computing, which has been recognized as the new paradigm of the IT industry, has attracted interest from both industry and academia since 2007. Cloud computing provides users with flexible services in a transparent manner. Services are allocated in a "cloud", which is a collection of devices and resources connected through the Internet. Before this paradigm can be widely accepted, the security, privacy and reliability provided by the services in the cloud must be well established. The special issue seeks original unpublished papers focusing on various aspects of security issues in cloud computing environments. Aiming at presenting and discussing the latest developments, this special issue welcomes papers addressing theoretical analysis, emerging applications, novel system architecture construction and design, experimental studies, and social impacts of cloud computing. Both review/survey papers and technical papers are encouraged.
The topics include but are not limited to:
- Emerging threats to Cloud-based services
- Security model for new services
- Security in Cloud-aware web service
- Information hiding/encryption in Cloud Computing
- Copyright protection in the Cloud
- Securing distributed data storage in cloud
- Privacy and security in Cloud Computing
- Forensics in Cloud environments
- Robust Cloud network architecture
- Cloud Infrastructure Security
- Intrusion detection/prevention
- Denial-of-Service (DoS) attacks and defense
- Robust job scheduling
- Secure resource allocation and indexing
- Secure payment for Cloud-aware services
- User authentication in Cloud-aware services
- Non-Repudiation solutions in the Cloud
- Security for emerging Cloud programming models
- Performance evaluation for security solutions
- Testbed/Simulators for Cloud security research
- Hardware-based Security solutions, e.g. hardware for encryption
- Detection and prevention of hardware Trojans
-------------------------------------------------------------------------
CSF 2013
26th IEEE Computer Security Foundations Symposium, Tulane University, New Orleans, Louisiana, USA, June 26-28, 2013.
(Submissions due 30 January 2013)
http://csf2013.seas.harvard.edu/
The Computer Security Foundations Symposium is an annual conference for researchers in computer security. CSF seeks papers on foundational aspects of computer security, e.g., formal security models, relationships between security properties and defenses, principled techniques and tools for design and analysis of security mechanisms as well as their application to practice. While CSF welcomes submissions beyond the topics listed below, the main focus of CSF is foundational security: submissions that lack foundational aspects risk rejection. New theoretical results in computer security are welcome.
Possible topics include, but are not limited to:
- Access control
- Accountability
- Anonymity and Privacy
- Authentication
- Cryptographic protocols
- Data and system integrity
- Database security
- Data provenance
- Decidability and complexity
- Distributed systems security
- Electronic voting
- Executable content
- Formal methods for security
- Game Theory and Decision Theory
- Hardware-based security
- Information flow
- Intrusion detection
- Language-based security
- Network security
- Resource usage control
- Security for mobile computing
- Security models
- Socio-technical security
- Trust and trust management
-------------------------------------------------------------------------
ACNS 2013
11th International Conference on Applied Cryptography and Network Security, Banff, Alberta, Canada, June 25-28, 2013.
(Submissions due 1 February 2013)
http://acns2013.cpsc.ucalgary.ca/
The 11th International Conference on Applied Cryptography and Network Security seeks submissions from academia, industry, and government presenting novel research on all aspects of applied cryptography as well as network security and privacy. Papers describing novel paradigms, original directions, or non-traditional perspectives are also encouraged. The conference has two tracks: a research track and an industry track.
Topics of interest include, but are not limited to:
- Access control
- Applied cryptography
- Automated protocols analysis
- Biometric security and privacy
- Complex systems security
- Critical infrastructure protection
- Cryptographic primitives and protocols
- Database and system security
- Data protection
- Digital rights management
- Email and web security
- Identity management
- Intellectual property protection
- Internet fraud
- Intrusion detection and prevention
- Key management
- Malware
- Network security protocols
- Privacy, anonymity, and untraceability
- Privacy-enhancing technology
- Protection for the future Internet
- Secure mobile agents and mobile code
- Security in e-commerce
- Security in P2P systems
- Security in pervasive/ubiquitous computing
- Security and privacy in cloud and grid systems
- Security and privacy in distributed systems
- Security and privacy in smart grids
- Security and privacy in wireless networks
- Security and privacy metrics
- Trust management
- Usability and security
-------------------------------------------------------------------------
TRUST 2013
6th International Conference on Trust and Trustworthy Computing, London, UK, June 17-19, 2013.
(Submissions due 15 February 2013)
http://trust2013.sba-research.org
TRUST 2013 is an international conference on the technical and socio-economic aspects of trustworthy infrastructures. It provides an excellent interdisciplinary forum for researchers, practitioners, and decision makers to explore new ideas and discuss experiences in building, designing, using and understanding trustworthy computing systems. The conference solicits original papers on any aspect (technical, social or socio-economic) of the design, application and usage of trusted and trustworthy computing.
Papers can address design, application and usage of trusted and trustworthy computing in a broad range of concepts including, but not limited to, trustworthy infrastructures, cloud computing, services, hardware, software and protocols.
-------------------------------------------------------------------------
CNS 2013
1st IEEE Conference on Communications and Network Security, Washington D.C., USA, October 14-16, 2013.
(Submissions due 1 March 2013)
http://www.ieee-cns.org
Cyber security has become an important research and development area for academia, government, and industry in recent years. As government and industry investment in cyber security research continues to grow, there will be a dramatic increase in the amount of new results generated by the research community. These results must be disseminated widely amongst the research community in order to provide the peer review feedback needed to ensure that high-quality solutions addressing important and emerging security issues are developed. As a leading professional society focusing on communications technologies, IEEE Communications Society (ComSoc) has identified the need for a high-quality security conference that would focus on communications-oriented aspects of security. IEEE ComSoc has thus decided to launch a new conference dedicated to Communications and Network Security. This new conference is positioned to be a core ComSoc conference (at a level comparable to IEEE INFOCOM) and will serve as a premier forum for cyber security researchers, practitioners, policy makers, and users to exchange ideas, techniques and tools, raise awareness, and share experience related to security and privacy. IEEE CNS seeks original high-quality technical papers from academia, government, and industry.
Topics of interest encompass all practical and theoretical aspects of communications and network security, all the way from the physical layer to the various network layers to the variety of applications reliant on a secure communication substrate. Submissions with main contribution in other areas, such as information security, software security, system security, or applied cryptography, will also be considered if a clear connection to secure communications/networking is demonstrated.
Particular topics of interest include, but are not limited to:
- Security and Privacy in the Internet, peer-to-peer networks, overlay networks
- Security and Privacy in Wi-Fi, Wi-Max, ad hoc, mesh, sensor, and RFID networks
- Security and Privacy in emerging technologies: social networks, cognitive radio networks, disruption/delay tolerant networks, vehicular networks, cloud computing, smart grid
- Cross-layer methods for enhancing security
- Information-theoretic security
- Anonymization and privacy in communication systems
- Traffic analysis, location privacy and obfuscation of mobile device information
- Physical layer security methods: confidentiality and authentication
- Secure routing, network management
- Intrusion detection
- Computer and network forensics
- Vulnerability, exploitation tools, Malware, Botnet, DDoS attacks
- Key management and PKI
- Security metrics and performance evaluation, traffic analysis techniques
- Web, e-commerce, m-commerce, and e-mail security
- Social, economic and policy issues of trust, security and privacy
- Ensuring the availability of communications, survivability of networks in the presence of denial of service
- Jamming and jamming-resistance
- Multipath routing around network holes
-------------------------------------------------------------------------
SOUPS 2013
Symposium On Usable Privacy and Security, Northumbria University, Newcastle, UK, July 24-26, 2013.
(Submissions due 7 March 2013)
http://cups.cs.cmu.edu/soups/
The 2013 Symposium on Usable Privacy and Security (SOUPS) will bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy. The program will feature technical papers, a poster session, panels and invited talks, lightning talks and demos, and workshops and tutorials. We invite authors to submit original papers describing research or experience in all areas of usable privacy and security.
Topics include, but are not limited to:
- innovative security or privacy functionality and design
- new applications of existing models or technology
- field studies of security or privacy technology
- usability evaluations of new or existing security or privacy features
- security testing of new or existing usability features
- longitudinal studies of deployed security or privacy features
- the impact of organizational policy or procurement decisions
- lessons learned from the deployment and use of usable privacy and security features
- reports of replicating previously published studies and experiments
- reports of failed usable security studies or experiments, with the focus on the lessons learned from such experience
-------------------------------------------------------------------------

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two subscription options, each available in two ways:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".
OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Kevin Fu
University of Michigan
Computer Science and Engineering
Beyster Building Room 4628
2260 Hayward Street
Ann Arbor, MI 48109-2121

Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at
https://www.ieee.org/membership-catalog/productdetail/showProductDetailPage.html?product=CMYSP728

______________________________________________________________________
TC Publications for Sale
______________________________________________________________________

IEEE Security and Privacy Symposium

The 2010 hardcopy proceedings are available at $25 each. The DVD with all technical papers from all years of the SP Symposium and the CSF Symposium (through 2009) is $10, plus shipping and handling.

The 2009 hardcopy proceedings are not available. The DVD with all technical papers from all years of the SP Symposium and the CSF Symposium is $5, plus shipping and handling.

The 2008 hardcopy proceedings are $10 plus shipping and handling; the 29 year CD is $5.00, plus shipping and handling.

The 2007 proceedings are available in hardcopy for $10.00, the 28 year CD is $5.00, plus shipping and handling.

The 2006 Symposium proceedings and 11-year CD are sold out.
The 2005, 2004, and 2003 Symposium proceedings are available for $10 plus shipping and handling.

Shipping is $5.00/volume within the US, overseas surface mail is $8/volume, and overseas airmail is $14/volume, based on an order of 3 volumes or less. The shipping charge for a CD is $3 per CD (no charge if included with a hard copy order).

Send a check made out to the IEEE Symposium on Security and Privacy to the 2011 treasurer (below) with the order description, including shipping method and shipping address.

Robin Sommer
Treasurer, IEEE Symposium Security and Privacy 2011
International Computer Science Institute
Center for Internet Research
1947 Center St., Suite 600
Berkeley, CA 94704 USA
oakland11-treasurer@ieee-security.org

IEEE CS Press

You may order some back issues from IEEE CS Press at http://www.computer.org/cspress/catalog/proc9.htm

Computer Security Foundations Symposium

Copies of the proceedings of the Computer Security Foundations Workshop (now Symposium) are available for $10 each. Copies of proceedings are available starting with year 10 (1997). Photocopy versions of year 1 are also $10. Contact Jonathan Herzog if interested in purchase.
Jonathan Herzog
jherzog@alum.mit.edu

____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________

Chair:
Sven Dietrich
Department of Computer Science
Stevens Institute of Technology
+1 201 216 8078
spock AT cs.stevens.edu

Security and Privacy Symposium Chair Emeritus:
Robert Cunningham
MIT Lincoln Laboratories
http://www.ll.mit.edu/mission/communications/ist/biographies/cunningham-bio.html

Vice Chair:
Patrick McDaniel
Computer Science and Engineering
Pennsylvania State University
360 A IST Building
University Park, PA 16802
(814) 863-3599
mcdaniel@cse.psu.edu

Treasurer:
Terry Benzel
USC Information Sciences Intnl
4676 Admiralty Way, Suite 1001
Los Angeles, CA 90292
(310) 822-1511 (voice)
tbenzel @isi.edu

Newsletter Editor and TC Awards Chair:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2013 Chair:
Robin Sommer
http://www.icir.org/robin

________________________________________________________________________
BACK ISSUES:
Cipher is archived at: http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year