                                 CIPHER
============================================================================
     Newsletter of the IEEE Computer Society's TC on Security and Privacy
     Electronic Issue 112                                  January 21, 2013

     Hilarie Orman, Editor                 Sven Dietrich, Assoc. Editor
     cipher-editor @ ieee-security.org     cipher-assoc-editor @ ieee-security.org

     Richard Austin                        Yong Guan
     Book Review Editor                    Calendar Editor
     cipher-bookrev @ ieee-security.org    cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:

* Letter from the Editor
* News
  o NSA Sponsors Best Paper Competition, Deadline is Very Soon
  o Xavier Leroy Winner of Microsoft Verified Software Award
  o Health-care Sector Cybersecurity Lacking
  o Banks DDoSed
  o NSA Aids DDoSed Banks
  o Rocra Malware Discovered: Stealthy and Thorough
* Commentary and Opinion
  o Richard Austin's review of "Critical Thinking for Strategic
    Intelligence" by K. H. Pherson and R. H. Pherson
  o Richard Austin's review of "All In One CISSP Exam Guide" by Shon Harris
  o Book reviews, Conference Reports and Commentary and News items from
    past Cipher issues are available at the Cipher website
* List of Computer Security Academic Positions, by Cynthia Irvine
* Conference and Workshop Announcements
  o Calendar of events
  o Upcoming calls-for-papers and events
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

Highlighting the importance of cybersecurity in national defense, the US
National Security Agency announced last month that it was sponsoring an
award for the best security paper of the past year. The nomination period
ends very soon, so please consider nominating your favorite stellar author
immediately.

Richard Austin reviews a book this month with a topic that would have
seemed out-of-scope 30 years ago, when hacking computer accounts was a form
of silly hubris. Today it is the stuff of international espionage, and
intelligence analysts need to carefully dissect and evaluate the actors and
threats to national security. Read all about it through this review and the
book itself.

Our news items this month underscore the global nature of cybersystem
attacks: their sophistication, targets, and stealth. Now that health care
is becoming just another cloud-based data application, can we expect
widespread attacks, data theft, or even alteration? Some researchers have
reason to expect the worst.

Sun Tzu, inventor of the honeypot: "Hold out baits to entice the enemy.
Feign disorder, and crush him."

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
News Briefs
====================================================================

NSA Announcement, November 30, 2012
Best Security Paper of 2012 Competition
http://www.nsa.gov/public_info/press_room/2012/cybersecurity_paper.shtml

NSA organized a "Science of Security" (SoS) Community meeting that was held
last week (Nov 29-30) at National Harbor (immediately following NSF's Secure
and Trustworthy Cyberspace PI meeting at the same place). At the conclusion
of the SoS meeting, NSA's Director of Research, Mike Wertheimer, announced a
new NSA-sponsored competition to identify the "best scientific cybersecurity
paper" published in the past fiscal year (i.e., October 2011 - September
2012). Nominations are invited immediately and will close on January 31,
2013.

A set of "Distinguished Experts" will provide NSA with their individual
assessments of nominated papers. The experts named so far are:

  Dr. Daniel Geer, In-Q-Tel
  Professor David Wagner, University of California at Berkeley
  Professor Ronald Rivest, MIT
  Mr. Phillip Venables, Goldman Sachs
  Professor Angela Sasse, University College London
  Professor Fred Schneider, Cornell University
  Dr. John McLean, Naval Research Laboratory

Assessment will be based on:
  - Scientific merit and significance of the work reported,
  - The degree to which the paper exemplifies how to perform and report
    scientific research in cybersecurity

Winners are expected to be announced June 1, 2013.

------------------------------------------------------------------------

10 Arrested in Theft of Web Data
By Brian X. Chen and John H. Cushman Jr.
New York Times
December 12, 2012
http://www.nytimes.com/2012/12/13/technology/10-arrested-in-social-network-hacking.html?src=recg&_r=0

Summary: The US Justice Department announced the arrest of 10 people
worldwide for allegedly operating the "Butterfly" botnet, which aided in the
theft of personal data and credit card data from millions of computers. In a
modern twist, the malware spread through links on Facebook pages,
infiltrating user accounts and posting links to infected sites, luring
"friends" into the botnet.

------------------------------------------------------------------------

Microsoft Research: 2012 Verified Software Milestone Award Winner
December 19, 2012
Press Release

We are delighted to announce that the recipient of the 2012 Microsoft
Research Verified Software Milestone Award is Xavier Leroy of the
Paris-Rocquencourt (http://www-rocq.inria.fr) research center of INRIA,
France, for the CompCert Project (http://compcert.inria.fr). Specifically,
the award is given in recognition for Xavier's role as architect of the
CompCert C Verified Compiler as well as his leadership of the development
team. The formal presentation of the Award will be made to Xavier at POPL
2013 (http://popl.mpi-sws.org/2013/), which takes place in Rome, January
23-25, 2013.

"Microsoft Research is delighted to celebrate the advances made by Dr Leroy
in the vital field of software verification. Compilers are the basis for all
the software we generate, and by ruling out compiler-introduced bugs, the
CompCert project has taken a huge leap in producing strengthening guarantees
for reliable critical embedded software across platforms. We congratulate Dr
Leroy on his significant achievement in winning this Award."
  Dr. Judith Bishop, Principal Research Director, Computer Science,
  Microsoft Research, Redmond

The full award citation is provided along with further details of the award
process at the VSI website, i.e. http://dream.inf.ed.ac.uk/vsi

Kind regards,
Andrew Ireland & Jim Woodcock (Chairs of the Award Committee)

------------------------------------------------------------------------

Health-care sector vulnerable to hackers, researchers say
By Robert O'Harrow Jr., Washington Post
Published: December 25, 2012
http://www.washingtonpost.com/investigations/health-care-sector-vulnerable-to-hackers-researchers-say/2012/12/25/72933598-3e50-11e2-ae43-cf491b837f7b_story.html

Summary: Various researchers, including Avi Rubin of Johns Hopkins
University, have found that computer systems used by the health care
industry have serious security flaws. Federal guidance on cybersecurity for
health data systems seems to be confusing and insufficient. Rubin recounts an
amusing story: a nurse had the job of typing in a physician's password
constantly so that the doctor would not have to do it. She walked around the
room logging the doctor into every machine, every hour.

------------------------------------------------------------------------

U.S. Banks Again Hit by Wave of Cyberattacks
By Nicole Perlroth
New York Times Bits Blog
January 4, 2013
http://bits.blogs.nytimes.com/2013/01/04/u-s-banks-again-hit-by-wave-of-cyberattacks/?src=recg

Summary: A large-scale DDoS attack directed at US banks is suspected to be
the work of Iranians. The attack has been traced to data centers. Security
researchers still do not know how the data centers used in the first wave of
attacks were infected in the first place, how widespread the infection rate
was, and, perhaps most troubling, whether the servers could be used to damage
other sensitive targets in the future.

------------------------------------------------------------------------

Banks seek NSA help amid attacks on their computer systems
Ellen Nakashima
The Washington Post
January 11, 2013
http://www.washingtonpost.com/world/national-security/banks-seek-nsa-help-amid-attacks-on-their-computer-systems/2013/01/10/4aebc1e2-5b31-11e2-beee-6e38f5215402_story.html

Summary: The DDoS attacks have caused US banks to ask for help from the
National Security Agency. Although this kind of cooperation is not
unprecedented, the article notes that "The ability to share information
between the FBI and the banks has been eased by the granting of more than
250 classified-level security clearances to bank officials in the past five
years, industry officials said."

------------------------------------------------------------------------

Computer malware targets Europe agencies
By Ellen Nakashima
Washington Post
Published: January 14, 2013
http://www.washingtonpost.com/world/national-security/computer-malware-targets-europe-agencies/2013/01/14/a8cf2d5c-5c09-11e2-beee-6e38f5215402_story.html

Summary: The malware known as "Red October" or "Rocra" has been carrying out
fairly thorough cyber-espionage tasks for five years, working quietly and
without notice. Kaspersky Labs has analyzed the software and believes that it
is targeting several specific industries. The number of targets is unknown.
News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports
are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Richard Austin
1/15/2013
____________________________________________________________________

Critical Thinking for Strategic Intelligence
by K. H. Pherson and R. H. Pherson
Sage 2012.
ISBN 978-1-4522-2667-5
amazon.com USD 35.00
Table of Contents: http://www.uk.sagepub.com/books/Book237757#tabview=toc

The information security threat environment is undergoing significant
change (or even evolution). Though "commodity threats" targeting any
vulnerability are still present, directed threats against specific
organizations or even specific information within an organization have
become much more frequent. Whether the threat agent is a community actor
pursuing a modern view of civil disobedience, a competitor or national
adversary pursuing economic espionage (either directly or through a thinly
veiled proxy) or even a non-state actor such as a criminal or terrorist
organization, these directed threats have the potential to inflict (and have
inflicted) serious damage to the targeted organization.

Might this evolution in the threat environment need to be matched by a
similar evolution in how we think about risk and its management? If one
believed change was needed, where would one look for ideas? The intelligence
community has a long history and much practice in the area of threat
analysis and assessment based on amorphous, incomplete and conflicting
information. This month's review takes a look at a book that describes how
intelligence analysts exercise their craft.

The book opens with six short chapters devoted to how an analyst gets
started and avoids common pitfalls such as producing a product that doesn't
fit the needs of its audience or, worse, answers the wrong questions.
Understanding the customer and their expectations/needs is a core necessity
in risk management, and lack of this understanding has doomed many otherwise
solid risk assessments in our field.

The next section is devoted to finding and evaluating relevant information.
Two chapters delve into assessing the weight that should be assigned to
information. In our field, we are inundated with threat assessments,
detailed analyses of intrusions, etc., which either may be based on fact or
designed to showcase the capabilities of a particular vendor's product.
Using the techniques from this section will help assign a probative weight
to these information sources as we use them in preparing our product.

The five chapters of the next section, "What is my argument?", are absolute
gems that justify the price of the book. Ranging from "Are my key
assumptions well-founded?" to "How might I be spectacularly wrong?", they
provide solid advice on how to avoid drawing conclusions that appear
perfectly logical but are actually based on bias, being wedded to a
particular theory, or failure to consider alternative explanations.

The final section covers the critical task of communicating your
conclusion. Too often, excellent analyses and appropriate conclusions are
ignored by decision makers because they are poorly communicated. Of
particular note is chapter 17, "How should I portray probability and levels
of confidence?", which introduces standard vocabulary for describing the fog
of uncertainty that surrounds any analytical conclusion (whether uncertainty
is measured qualitatively or quantitatively). Though it's titled "How do I
know when I am finished?", chapter 20 covers the often ignored final review
process that should be applied before a product is released. Having seen
many risk assessments that offer easy reasons for being ignored due to
spelling or grammar errors, not using the expected format, or even having
wandered from the core questions during presentation, the solid advice in
this chapter will be ignored at your peril.

The final section provides materials for five case studies that are used in
end-of-chapter exercises throughout the book. Textbook answers for the
exercises would have been helpful to the self-study reader but are not
provided.

This is not a book on conducting information security risk assessments; the
only material that is directly relevant to our field is in the first case
study dealing with STUXNET and its impact on Iran's nuclear program.
However, the book provides a wealth of material on how to produce a quality
analytic product that meets the needs of the decision makers that are its
consumer, and these skills are sorely needed in our profession.

It should be noted that many of the "Structured Analytic Techniques" or
SATs used in analysis are only broadly sketched in this book, and you will
need to refer to its companion volume, "Structured Analytic Techniques for
Intelligence Analysis" by R. Heuer and R. Pherson (CQ Press, 2011, ISBN
978-1-60871-018-8), for full details.

I highly recommend this book as a way to improve your ability to conduct
analyses and effectively present their results. I would very much
appreciate your thoughts on how you might use these techniques or even
other fields with relevant methodologies we might be able to use.

-------------------------------------------------
It has been said "Be careful, for writing books is endless, and much study
wears you out" so Richard Austin (http://cse.spsu.edu/raustin2) fearlessly
samples the wares of the publishing houses and opines on which might
profitably occupy your scarce reading time. He welcomes your thoughts and
comments via raustin at ieee dot org

____________________________________________________________________
Book Review By Richard Austin
1/15/2013
____________________________________________________________________

All In One CISSP Exam Guide
by Shon Harris
McGraw-Hill 2013.

In the New Year, many information security professionals will have made a
resolution to pursue some sort of industry certification. While there are
many worthwhile certifications available, the CISSP is a very common goal.
Shon Harris has been developing CISSP preparation materials for many years,
and the sixth edition of her "All In One CISSP Exam Guide" (McGraw-Hill,
2013) has just been released.

This is a mammoth book that provides (in its 1400+ pages) a substantial
introduction to the ISC(2) "Common Body of Knowledge". The companion CD-ROM
provides a video module on cryptography taken from the author's video
training as well as 1400 practice questions for the certification
examination. Though no one book is sufficient preparation for the CISSP
exam, this is a worthwhile and valuable resource to add to your preparation
library. After your exam, it will serve as an excellent desk reference on
security topics.

The CISSP exam itself is quite challenging and is in some ways quite
different from many other certification exams. As noted in the candidate
bulletin, the exam is made up of 250 multiple choice questions where the
candidate is tasked to identify the best answer out of the four possible
answers. This is quite different from many exams where the task is to
distinguish the correct answer from three incorrect ones. Often on the CISSP
exam, all four answers will be somewhat correct but one will be the best.
Practice in handling these types of questions will go a long way toward
successfully completing the exam, and Shon Harris has produced a new edition
of her "CISSP Practice Exam" (2ed, McGraw-Hill, 2013). This book includes
250+ simulated exam questions with detailed explanations of which out of the
4 answers is the best answer. Do be aware, this is not a "brain dump" and
the odds of your seeing any of these practice questions on the actual exam
are quite small. However, working through these practice questions will
introduce you to the thought processes involved in handling questions on the
real exam.

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

Recent announcements:

Posted Jan 2013
Max Planck Institute for Software Systems (MPI-SWS)
Kaiserslautern and Saarbruecken, Germany
Tenure-track and tenured faculty
Deadline: January 31, 2013
https://www.mpi-sws.org/index.php?n=careers/tenure-track

Posted Dec 2012
New York University, Abu Dhabi
Abu Dhabi, UAE
Assistant, Associate or Full Professor
Date position announcement closes: January 15, 2013
http://nyuad.nyu.edu/about/careers/faculty-positions.html
(Announced to Cipher on Dec 14 2012)

Department of Computer Science, Virginia Tech
National Capital Region
Associate Professor in Cybersecurity
Screening begins Dec. 31, 2012 and continues until position is filled
https://listings.jobs.vt.edu/postings/28397
(Announced to Cipher on Dec 19 2012)

Stony Brook University
Long Island, New York
Multiple tenure track positions
Review will begin immediately and continue until positions are filled
https://hiring.cs.stonybrook.edu

Posted Nov 2012
University of Texas at El Paso
El Paso, Texas
Assistant Professor
Applications encouraged by November 15, 2012
http://www.cs.utep.edu/DeptCS/hiring/open-position2013.html

--------------
Full list: http://cisr.nps.edu/jobscipher.html

This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to have in it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil ==================================================================== Conference and Workshop Announcements ==================================================================== ==================================================================== Upcoming Calls-For-Papers and Events ==================================================================== The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html Cipher calendar entries are announced on Twitter; follow ciphernews ____________________________________________________________________ Cipher Event Calendar ____________________________________________________________________ 1/25/13: IFIP-TM, 7th IFIP International Conference on Trust Management, Ma'laga, Spain; http://conf2013.ifiptm.org/; Submissions are due 1/28/13- 1/30/13: IFIP119-DF, 9th Annual IFIP WG 11.9 International Conference on Digital Forensics, Orlando, Florida, USA; http://www.ifip119.org/Conferences/WG11-9-CFP-2013.pdf 1/30/13: International Journal of Cloud Computing, Special Issue on Information Assurance and System Security in Cloud Computing; http://www.inderscience.com/info/ingeneral/cfp.php?id=1991; Submissions are due 1/30/13: CSF, 26th IEEE Computer Security Foundations Symposium, Tulane University, New Orleans Louisiana, USA; http://csf2013.seas.harvard.edu/; Submissions are due 1/31/13: IEEE Transactions on Network and Service Management, Special Issue on Management of Cloud Services; http://www.comsoc.org/tnsm/; Submissions are due 1/31/13: NFSP, 2nd International Workshop on Network Forensics, Security and Privacy, 
Held in conjunction with the 33rd International Conference on Distributed Computing Systems (ICDCS 2013), Philadelphia, PA, USA; http://www.faculty.umassd.edu/honggang.wang/nfsp2013/; Submissions are due 1/31/13: WISTP, 7th Workshop in Information Security Theory and Practice, Heraklion, Greece; http://www.wistp.org; Submissions are due 2/ 1/13: ACNS, 11th International Conference on Applied Cryptography and Network Security, Banff, Alberta, Canada; http://acns2013.cpsc.ucalgary.ca/; Submissions are due 2/ 1/13: AsiaPKC, ACM Asia Public-Key Cryptography Workshop, Held in conjunction with the the 8th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2013), Hangzhou, China; http://www.cs.utsa.edu/~shxu/acm-asiapkc13/; Submissions are due 2/ 1/13: SESP, 1st International Workshop on Security in Embedded Systems and Smartphones, Held in conjunction with the the 8th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2013), Hangzhou, China; http://doe.cs.northwestern.edu/SESP/; Submissions are due 2/ 1/13: SCC, International Workshop on Security in Cloud Computing, Held in conjunction with the the 8th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2013), Hangzhou, China; http://www.cs.cityu.edu.hk/~congwang/asiaccs-scc/; Submissions are due 2/10/13: Elsevier Computer Communications Journal, Special Issue on Opportunistic Networking; http://www.journals.elsevier.com/computer-communications/call-for-papers/ special-issue-on-opportunistic-networking/; Submissions are due 2/10/13: DIMVA, 10th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Berlin, Germany; http://www.dimva.org/dimva2013; Submissions are due 2/15/13: TRUST, 6th International Conference on Trust and Trustworthy Computing, London, UK; http://trust2013.sba-research.org; Submissions are due 2/15/13: DBSEC, 27th Annual IFIP WG 11.3 Working Conference on Data and Applications Security and 
Privacy, Rutgers University, Newark, NJ, USA; http://dbsec2013.business.rutgers.edu/; Submissions are due 2/18/13- 2/20/13: CODASPY, 3nd ACM Conference on Data and Application Security and Privacy, San Antonio, Texas, USA; http://www.codaspy.org 2/21/13: USENIX-Security, 22nd USENIX Security Symposium, Washington, DC. USA; https://www.usenix.org/conference/usenixsecurity13; Submissions are due 2/22/13: MoST, Mobile Security Technologies Workshop, Co-located with the 34th IEEE Symposium on Security and Privacy (IEEE S&P 2013) and an event of the IEEE Computer Society's Security and Privacy Workshops (SPW 2013), San Francisco, CA, USA; http://mostconf.org/2013/; Submissions are due 2/24/13- 2/27/13: NDSS, 20th Annual Network and Distributed System Security Symposium, Catamaran Resort Hotel and Spa San Diego, California, USA; http://www.internetsociety.org/events/ndss-symposium-2013 2/27/13- 3/ 1/13: ESSoS, 5th International Symposium on Engineering Secure Software and Systems, Paris, France; http://distrinet.cs.kuleuven.be/events/essos2013/ 2/28/13: D-SPAN, 4th IEEE Workshop on Data Security and Privacy in Wireless Networks, Co-located with the 14th International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM 2013), Madrid, Spain; http://www.ee.washington.edu/research/nsl/DSPAN_2013/; Submissions are due 3/ 1/13: CNS, 1st IEEE Conference on Communications and Network Security, Washington D.C., USA; http://www.ieee-cns.org; Submissions are due 3/ 1/13: W2SP, Web 2.0 Security & Privacy Workshop, Co-located with the 34th IEEE Symposium on Security and Privacy (IEEE S&P 2013) and an event of the IEEE Computer Society's Security and Privacy Workshops (SPW 2013), San Francisco, CA, USA; http://www.w2spconf.com/2013/; Submissions are due 3/ 1/13: CHES, Workshop on Cryptographic Hardware and Embedded Systems, Co-located with the 33rd Annual International Cryptology Conference (CRYPTO 2013), Santa Barbara, California, USA; 
http://www.chesworkshop.org/ches2013/; Submissions are due 3/ 4/13: PRISMS, International Conference on Privacy and Security in Mobile Systems, Atlantic City, NJ, USA; http://www.gws2013.org/prisms/; Submissions are due 3/ 7/13: SOUPS, Symposium On Usable Privacy and Security, Northumbria University, Newcastle, UK; http://cups.cs.cmu.edu/soups/; Submissions are due 3/11/13: VOTE-ID, 4th International Conference on E-voting and Identity, University of Surrey, Guildford, UK; http://www.voteid13.org/; Submissions are due 3/15/13: HST, 13th annual IEEE Conference on Technologies for Homeland Security, Waltham, Massachusetts, USA; http://www.ieee-hst.org; Submissions are due 3/17/13: PST, 11th International Conference on Privacy, Security and Trust, Tarragona, Catalonia; http://unescoprivacychair.urv.cat/pst2013/index.php?m=cfp; Submissions are due 3/18/13- 3/20/13: IFIP1110-CIP, 7th Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, Washington, DC, USA; http://www.ifip1110.org/Conferences/WG11-10CallForPapers2013.pdf 3/18/13- 3/20/13: SPW, 21st International Workshop on Security Protocols, Sidney Sussex College, Cambridge, England; http://spw.stca.herts.ac.uk/ 4/ 1/13- 4/ 5/13: FC, 17th International Conference on Financial Cryptography and Data Security, Bankoku Shinryokan, Busena Terrace Beach Resort, Okinawa, Japan; http://fc13.ifca.ai/cfp.html 4/ 2/13: RFIDSEC, 9th Workshop on RFID Security, Graz, Austria; http://rfidsec2013.iaik.tugraz.at/; Submissions are due 4/ 8/13- 4/ 9/13: IDMAN, 3rd IFIP WG 11.6 Working Conference on Policies & Research in Identity Management, London, UK; http://www.idman2013.com 5/ 7/13: AsiaPKC, ACM Asia Public-Key Cryptography Workshop, Held in conjunction with the the 8th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2013), Hangzhou, China; http://www.cs.utsa.edu/~shxu/acm-asiapkc13/ 5/ 7/13: SESP, 1st International Workshop on Security in Embedded Systems and Smartphones, 
Held in conjunction with the the 8th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2013), Hangzhou, China; http://doe.cs.northwestern.edu/SESP/ 5/ 7/13: SCC, International Workshop on Security in Cloud Computing, Held in conjunction with the the 8th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2013), Hangzhou, China; http://www.cs.cityu.edu.hk/~congwang/asiaccs-scc/ 5/ 8/13- 5/10/13: ASIACCS, 8th ACM Symposium on Information, Computer and Communications Security, Hangzhou, China; http://hise.hznu.edu.cn/asiaccs/index.html 5/12/13- 5/14/13: ISPEC, 9th Information Security Practice and Experience Conference, Lanzhou, China; http://icsd.i2r.a-star.edu.sg/ispec2013/ 5/19/13- 5/22/13: SP, 34th IEEE Symposium on Security and Privacy, San Francisco, California, USA; http://www.ieee-security.org/TC/SP2013/ 5/23/13- 5/24/13: SPW (Call for Workshop proposals), 2nd IEEE CS Security and Privacy Workshops, Co-located with the IEEE Symposium on Security and Privacy (SP 2013), Westin St. 
Francis Hotel, San Francisco, CA, USA; http://www.codaspy.org 5/23/13: MoST, Mobile Security Technologies Workshop, Co-located with the 34th IEEE Symposium on Security and Privacy (IEEE S&P 2013) and an event of the IEEE Computer Society's Security and Privacy Workshops (SPW 2013), San Francisco, CA, USA; http://mostconf.org/2013/ 5/24/13: W2SP, Web 2.0 Security & Privacy Workshop, Co-located with the 34th IEEE Symposium on Security and Privacy (IEEE S&P 2013) and an event of the IEEE Computer Society's Security and Privacy Workshops (SPW 2013), San Francisco, CA, USA; http://www.w2spconf.com/2013/ 5/28/13- 5/30/13: WISTP, 7th Workshop in Information Security Theory and Practice, Heraklion, Greece; http://www.wistp.org 6/ 2/13- 6/ 3/13: HOST, IEEE International Symposium on Hardware-oriented Security and Trust, Austin Convention Center, Austin, TX, USA; http://www.hostsymposium.org/ 6/ 3/13- 6/ 4/13: NSS, 7th International Conference on Network and System Security, Madrid, Spain; http://anss.org.au/nss2013/index.htm 6/ 3/13- 6/ 7/13: IFIP-TM, 7th IFIP International Conference on Trust Management, Ma'laga, Spain; http://conf2013.ifiptm.org/ 6/ 4/13: D-SPAN, 4th IEEE Workshop on Data Security and Privacy in Wireless Networks, Co-located with the 14th International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM 2013), Madrid, Spain; http://www.ee.washington.edu/research/nsl/DSPAN_2013/ 6/12/13- 6/14/13: SACMAT, 18th ACM Symposium on Access Control Models and Technologies, Amsterdam, The Netherlands; http://www.sacmat.org/ 6/17/13- 6/19/13: TRUST, 6th International Conference on Trust and Trustworthy Computing, London, UK; http://trust2013.sba-research.org 6/24/13- 6/27/13: PRISMS, International Conference on Privacy and Security in Mobile Systems, Atlantic City, NJ, USA; http://www.gws2013.org/prisms/ 6/25/13- 6/28/13: ACNS, 11th International Conference on Applied Cryptography and Network Security, Banff, Alberta, Canada; 
http://acns2013.cpsc.ucalgary.ca/ 6/26/13- 6/28/13: CSF, 26th IEEE Computer Security Foundations Symposium, Tulane University, New Orleans Louisiana, USA; http://csf2013.seas.harvard.edu/ 7/ 8/13: NFSP, 2nd International Workshop on Network Forensics, Security and Privacy, Held in conjunction with the 33rd International Conference on Distributed Computing Systems (ICDCS 2013), Philadelphia, PA, USA; http://www.faculty.umassd.edu/honggang.wang/nfsp2013/ 7/ 9/13- 7/11/13: RFIDSEC, 9th Workshop on RFID Security, Graz, Austria; http://rfidsec2013.iaik.tugraz.at/ 7/10/13- 7/12/13: PST, 11th International Conference on Privacy, Security and Trust, Tarragona, Catalonia; http://unescoprivacychair.urv.cat/pst2013/index.php?m=cfp 7/15/13- 7/17/13: DBSEC, 27th Annual IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy, Rutgers University, Newark, NJ, USA; http://dbsec2013.business.rutgers.edu/ 7/17/13- 7/19/13: VOTE-ID, 4th International Conference on E-voting and Identity, University of Surrey, Guildford, UK; http://www.voteid13.org/ 7/18/13- 7/19/13: DIMVA, 10th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Berlin, Germany; http://www.dimva.org/dimva2013 7/24/13- 7/26/13: SOUPS, Symposium On Usable Privacy and Security, Northumbria University, Newcastle, UK; http://cups.cs.cmu.edu/soups/ 8/14/13- 8/16/13: USENIX-Security, 22nd USENIX Security Symposium, Washington, DC. 
USA; https://www.usenix.org/conference/usenixsecurity13 8/20/13- 8/23/13: CHES, Workshop on Cryptographic Hardware and Embedded Systems, Co-located with the 33rd Annual International Cryptology Conference (CRYPTO 2013), Santa Barbara, California, USA; http://www.chesworkshop.org/ches2013/ 10/14/13-10/16/13: CNS, 1st IEEE Conference on Communications and Network Security, Washington D.C., USA; http://www.ieee-cns.org 11/12/13-11/14/13: HST, 13th annual IEEE Conference on Technologies for Homeland Security, Waltham, Massachusetts, USA; http://www.ieee-hst.org ____________________________________________________________________ Journal, Conference and Workshop Calls-for-Papers (new since Cipher E111) ___________________________________________________________________ IFIP-TM 2013 7th IFIP International Conference on Trust Management, Ma'laga, Spain, June 3-7, 2013. (Submissions due 25 January 2013) http://conf2013.ifiptm.org/ IFIPTM 2013 will be the 7th International Conference on Trust Management under the auspices of IFIP. The mission of the IFIPTM 2013 Conference is to share research solutions to problems of Trust and Trust management, and to identify new issues and directions for future research and development work. IFIPTM 2013 invites submissions presenting novel research on all topics related to Trust, Security and Privacy. ------------------------------------------------------------------------- International Journal of Cloud Computing, Special Issue on Information Assurance and System Security in Cloud Computing, Fall 2013, (Submission Due 30 January 2013) http://www.inderscience.com/info/ingeneral/cfp.php?id=1991 Editors: Yu Chen (Binghamton University, USA), Kai Hwang (University of Southern California, USA), Wei-Shinn Ku (Auburn University, USA), and Douglas Summerville (Binghamton University, USA) Cloud computing has attracted interest from both industry and academia since 2007, which has been recognized as the new paradigm of IT industry. 
Cloud computing provides users with flexible services in a transparent
manner. Services are allocated in a "cloud", which is a collection of devices
and resources connected through the Internet. Before this paradigm can be
widely accepted, the security, privacy and reliability provided by the
services in the cloud must be well established. The special issue seeks
original unpublished papers focusing on various aspects of security issues in
cloud computing environments. Aiming at presenting and discussing the latest
developments, this special issue welcomes papers addressing theoretical
analysis, emerging applications, novel system architecture construction and
design, experimental studies, and social impacts of cloud computing. Both
review/survey papers and technical papers are encouraged. The topics include
but are not limited to:
- Emerging threats to Cloud-based services
- Security model for new services
- Security in Cloud-aware web service
- Information hiding/encryption in Cloud Computing
- Copyright protection in the Cloud
- Securing distributed data storage in cloud
- Privacy and security in Cloud Computing
- Forensics in Cloud environments
- Robust Cloud network architecture
- Cloud Infrastructure Security
- Intrusion detection/prevention
- Denial-of-Service (DoS) attacks and defense
- Robust job scheduling
- Secure resource allocation and indexing
- Secure payment for Cloud-aware services
- User authentication in Cloud-aware services
- Non-Repudiation solutions in the Cloud
- Security for emerging Cloud programming models
- Performance evaluation for security solutions
- Testbed/Simulators for Cloud security research
- Hardware-based Security solutions, e.g. hardware for encryption
- Detection and prevention of hardware Trojans

-------------------------------------------------------------------------

CSF 2013 26th IEEE Computer Security Foundations Symposium, Tulane
University, New Orleans, Louisiana, USA, June 26-28, 2013.
(Submissions due 30 January 2013)
http://csf2013.seas.harvard.edu/
The Computer Security Foundations Symposium is an annual conference for
researchers in computer security. CSF seeks papers on foundational aspects
of computer security, e.g., formal security models, relationships between
security properties and defenses, principled techniques and tools for design
and analysis of security mechanisms, as well as their application to
practice. While CSF welcomes submissions beyond the topics listed below, the
main focus of CSF is foundational security: submissions that lack
foundational aspects risk rejection. New theoretical results in computer
security are welcome. Possible topics include, but are not limited to:
- Access control
- Accountability
- Anonymity and Privacy
- Authentication
- Cryptographic protocols
- Data and system integrity
- Database security
- Data provenance
- Decidability and complexity
- Distributed systems security
- Electronic voting
- Executable content
- Formal methods for security
- Game Theory and Decision Theory
- Hardware-based security
- Information flow
- Intrusion detection
- Language-based security
- Network security
- Resource usage control
- Security for mobile computing
- Security models
- Socio-technical security
- Trust and trust management

-------------------------------------------------------------------------

IEEE Transactions on Network and Service Management, Special Issue on
Management of Cloud Services, Fall 2013, (Submission Due 31 January 2013)
http://www.comsoc.org/tnsm/
Editors: Gregorio Martinez (University of Murcia, Spain), Roy Campbell
(University of Illinois, USA), and Jose M. Alcaraz Calero (Hewlett-Packard
Laboratories, UK)
Cloud computing is becoming recognized as a revolutionary new way to use
computing and storage services more efficiently. Revenues for public cloud
services for one company, Amazon Web Services, have reached almost $1 billion
a year. Yet cloud computing is challenging traditional management methods, as
it encompasses the business support, provisioning, configuration,
portability, and interoperability of cloud providers supporting cloud
consumers and brokers, as outlined in the NIST Cloud Computing Reference
Architecture. Business support includes the management of customers,
contracts, and inventory as well as accounting, billing, reporting, auditing,
pricing, and rating. Provisioning and configuration must consider rapid
provisioning, resource changing, monitoring, reporting, metering, and service
level agreements (SLA). Portability and interoperability concern both
efficient and inexpensive data and application migration across multiple
cloud environments. This can include data portability, data object
migration, and bulk data transfer; a unified management interface to support
service interoperability across multiple cloud providers; and the migration
of applications, services, machine images or virtual machine instances from
one cloud provider to another. Cloud provisions like multi-tenancy,
interoperability, scalability, reliability, efficiency, support of on-demand
service composition, privacy, security and advanced audit are posing a set of
challenges to the management field that remain largely to be addressed. This
special issue intends to serve as a work of reference compiling the major
achievements in the management of cloud services, with emphasis on the field
of network and service management. The final objective is to make cloud
services and technologies more mature, so as to boost and facilitate a wider
uptake of cloud systems in industry. Topics of interest include, but are not
limited to, the following:
- Cloud service orchestration, APIs and usage control
- Cloud service auditing, monitoring, and metering
- Design of components of a management as a service layer
- Management of cloud federations
- Mobility management in cloud scenarios
- Multi-cloud applications
- New models and paradigms for cloud service management
- Novel and emerging standards for interoperability between clouds
- QoS/QoE and SLA management in the cloud
- Secure and private management of cloud data

-------------------------------------------------------------------------

NFSP 2013 2nd International Workshop on Network Forensics, Security and
Privacy, Held in conjunction with the 33rd International Conference on
Distributed Computing Systems (ICDCS 2013), Philadelphia, PA, USA,
July 8, 2013. (Submissions due 31 January 2013)
http://www.faculty.umassd.edu/honggang.wang/nfsp2013/
Cyberspace has been reshaped as an integration of businesses, governments and
individuals, spanning e-business, communication and social life. At the same
time, it has also been providing convenient platforms for crimes, such as
financial fraud, information phishing, distributed denial of service attacks,
and fake message propagation. In particular, the emergence of social networks
has raised significant security and privacy issues for the public. We see
news of various network-related security attacks from time to time, and
defenders are often unable to detect, mitigate and trace back to the source
of attacks. Fighting criminals in cyberspace is a new research challenge. The
potential solutions involve various disciplines, such as networking,
watermarking, information theory, game theory, mathematical and statistical
modelling, data mining, artificial intelligence, multimedia processing,
neural networks, pattern recognition, cryptography and forensic criminology,
etc.
-------------------------------------------------------------------------

WISTP 2013 7th Workshop in Information Security Theory and Practice,
Heraklion, Greece, May 28-30, 2013. (Submissions due 31 January 2013)
http://www.wistp.org
Current developments in IT are characterized by an increasing use of personal
mobile devices and an increasing reliance on IT for supporting industrial
applications in the physical world. A new perspective on socio-technical and
cyber-physical systems is required that sees in IT more than just an
infrastructure and focuses on the ever closer integration between social and
technical processes as well. Application markets, such as Google Play and the
Apple App Store, drive a mobile ecosystem, offering new business models with
high turnovers and new opportunities, which, however, also attract
cybercriminals and raise new privacy concerns. In the area of cyber-physical
systems, research has to go beyond securing the IT infrastructure and
consider attacks launched by combining manipulations in physical space and
cyber space. The workshop seeks submissions from academia and industry
presenting novel research on all aspects of security and privacy of mobile
devices, such as the Android and iOS platforms, as well as studies on
securing cyber-physical systems.

-------------------------------------------------------------------------

ACNS 2013 11th International Conference on Applied Cryptography and Network
Security, Banff, Alberta, Canada, June 25-28, 2013.
(Submissions due 1 February 2013)
http://acns2013.cpsc.ucalgary.ca/
The 11th International Conference on Applied Cryptography and Network
Security seeks submissions from academia, industry, and government presenting
novel research on all aspects of applied cryptography as well as network
security and privacy. Papers describing novel paradigms, original directions,
or non-traditional perspectives are also encouraged. The conference has two
tracks: a research track and an industry track. Topics of interest include,
but are not limited to:
- Access control
- Applied cryptography
- Automated protocols analysis
- Biometric security and privacy
- Complex systems security
- Critical infrastructure protection
- Cryptographic primitives and protocols
- Database and system security
- Data protection
- Digital rights management
- Email and web security
- Identity management
- Intellectual property protection
- Internet fraud
- Intrusion detection and prevention
- Key management
- Malware
- Network security protocols
- Privacy, anonymity, and untraceability
- Privacy-enhancing technology
- Protection for the future Internet
- Secure mobile agents and mobile code
- Security in e-commerce
- Security in P2P systems
- Security in pervasive/ubiquitous computing
- Security and privacy in cloud and grid systems
- Security and privacy in distributed systems
- Security and privacy in smart grids
- Security and privacy in wireless networks
- Security and privacy metrics
- Trust management
- Usability and security

-------------------------------------------------------------------------

AsiaPKC 2013 ACM Asia Public-Key Cryptography Workshop, Held in conjunction
with the 8th ACM Symposium on Information, Computer and Communications
Security (ASIACCS 2013), Hangzhou, China, May 7, 2013.
(Submissions due 1 February 2013)
http://www.cs.utsa.edu/~shxu/acm-asiapkc13/
Public-key cryptography plays an essential role in processing various kinds
of data while assuring different flavors of cryptographic properties. The
theme of this workshop is novel public-key cryptosystems and techniques that
can be used to solve a wide range of real-life application problems. This
workshop solicits original contributions on both applied and theoretical
aspects of public-key cryptography. Topics of interest to the workshop
include, but are not limited to:
- Applied public-key cryptography for solving emerging application problems
- Provably-secure public-key primitives and protocols
- Key management for, and by, public-key cryptosystems
- Privacy-preserving cryptographic computations
- Two-party and multi-party computations
- Homomorphic public-key cryptosystems
- Attribute-based and functional public-key cryptography
- Digital signatures with special properties
- System security properties of public-key cryptography
- Post-quantum public-key cryptography
- Fast implementation of public-key cryptosystems

-------------------------------------------------------------------------

SESP 2013 1st International Workshop on Security in Embedded Systems and
Smartphones, Held in conjunction with the 8th ACM Symposium on Information,
Computer and Communications Security (ASIACCS 2013), Hangzhou, China,
May 7, 2013. (Submissions due 1 February 2013)
http://doe.cs.northwestern.edu/SESP/
Embedded computing has recently become more and more present in devices used
in everyday life. A wide variety of applications, from consumer electronics
to biomedical systems, require building powerful yet cheap embedded devices.
In this context, embedded software has become more and more complex, posing
new and challenging security issues. We broadly view smartphones as mobile
embedded systems. This workshop aims to bring together the research efforts
from both academia and industry in all security and privacy aspects related
to embedded systems and smartphones. We encourage submissions on all
theoretical and practical aspects, as well as experimental studies of
deployed systems. Topics of interest include (but are not limited to) the
following subject categories related to embedded systems and smartphones:
- Secure embedded system architecture
- System-level security design and simulation techniques for Embedded Systems
- Verification and validation of Embedded Systems
- Security and privacy for Cyber physical systems (Internet of Things) and
  networked sensor devices
- Security implications for multicore, SoC-based, and heterogeneous Embedded
  Systems and applications
- Secure data management in Embedded Systems
- Middleware and virtual machines security in Embedded Systems
- Secure management of virtualized resources
- Authenticating users to devices and services
- Mobile Web Browsers
- Usability
- Rogue application detection and recovery
- Vulnerability detection and remediation
- Secure application development
- Cloud support for mobile and embedded system security

-------------------------------------------------------------------------

SCC 2013 International Workshop on Security in Cloud Computing, Held in
conjunction with the 8th ACM Symposium on Information, Computer and
Communications Security (ASIACCS 2013), Hangzhou, China, May 7, 2013.
(Submissions due 1 February 2013)
http://www.cs.cityu.edu.hk/~congwang/asiaccs-scc/
Cloud computing has emerged as today's most exciting computing paradigm shift
in information technology. With the efficient sharing of abundant computing
resources in the cloud, users can economically enjoy on-demand, high-quality
cloud applications and services without committing large capital outlays
locally. While the cloud benefits are compelling, its unique attributes also
raise many security and privacy challenges in areas such as data security,
recovery, privacy, access control, and trusted computing, as well as legal
issues in areas such as regulatory compliance, auditing, and many others.
This workshop aims to bring together the research efforts from both academia
and industry in all security aspects related to cloud computing. We encourage
submissions on all theoretical and practical aspects, as well as experimental
studies of deployed systems. Topics of interest include (but are not limited
to) the following subject categories:
- Secure cloud architecture
- Cloud access control and key management
- Identification and privacy in cloud
- Integrity assurance for data outsourcing
- Integrity and verifiable computation
- Computation over encrypted data
- Software and data segregation security
- Secure management of virtualized resources
- Trusted computing technology
- Joint security and privacy aware protocol design
- Failure detection and prediction
- Secure data management within and across data centers
- Availability, recovery and auditing
- Secure computation outsourcing
- Secure mobile cloud

-------------------------------------------------------------------------

Elsevier Computer Communications Journal, Special Issue on Opportunistic
Networking, Fall 2013 (TBD), (Submission Due 10 February 2013)
http://www.journals.elsevier.com/computer-communications/call-for-papers/special-issue-on-opportunistic-networking/
Editors: Chiara Boldrini (IIT-CNR, Italy), Kyunghan Lee (Ulsan National
Institute of Science and Technology, Korea), Melek Onen (EURECOM, France),
Joerg Ott (Aalto University, Finland), and Elena Pagani (Università degli
Studi di Milano, Italy)
The widespread availability of mobile portable devices enriched with a
variety of sensing capabilities, coupled with the pressing need for
communication anytime and anywhere, has rapidly raised interest in new
approaches to communication between users. Opportunistic networks are an
instance of the delay tolerant paradigm applied to networks made up of users'
portable devices (such as smartphones and tablets). As such, they are able to
cope with challenged network conditions that are often present in real life,
such as high node mobility, variable connectivity, and disconnections, which
would impair communications in traditional Mobile Ad Hoc Networks. In this
scenario, user mobility becomes one of the main drivers enabling message
delivery. In fact, according to the store-carry-and-forward paradigm, user
devices store messages and carry them around while they move in the network,
exchanging them upon encounter with other nodes, and eventually delivering
them to their destination or to interested users. This new communication
paradigm enables legacy applications in challenged scenarios and paves the
way to innovative solutions. While opportunistic networks initially received
attention as a way to support communication where an infrastructure is not
available (for disaster recovery or in rural areas), nowadays a number of
applications can be envisaged, ranging from content sharing, through mobile
social networking, to participatory and urban sensing. All these applications
rely on data forwarding amongst devices. As a consequence, two aspects become
relevant: the need for mechanisms guaranteeing trusted and secure
communications while preserving users' privacy (in the absence of
infrastructure and sometimes even of end-to-end connectivity), and incentive
mechanisms able to boost participation in the network. This Special Issue of
Computer Communications seeks contributions pushing the state of the art in
Opportunistic Networking. Topics of interest include (but are not limited to)
the following:
- Mobility measurements and models, mobility trace analysis
- Measurements, models, and analysis for user behaviors on mobile devices
- Unicast and multicast routing
- Transport, congestion control, and reliability issues
- Content dissemination, content caching, service composition, opportunistic
  computing
- Trust, security & privacy in opportunistic forwarding, incentive
  mechanisms, reputation systems, and key management
- Application support and middleware for opportunistic networks
- New applications and services relying on opportunistic networking
- Systems and experience for real-world deployments

-------------------------------------------------------------------------

DIMVA 2013 10th International Conference on Detection of Intrusions and
Malware & Vulnerability Assessment, Berlin, Germany, July 18-19, 2013.
(Submissions due 10 February 2013)
http://www.dimva.org/dimva2013
The annual DIMVA conference serves as a premier forum for advancing the state
of the art in intrusion detection, malware detection, and vulnerability
assessment. Each year, DIMVA brings together international experts from
academia, industry, and government to present and discuss novel research in
these areas. DIMVA solicits submission of high-quality, original scientific
papers presenting novel research on malware analysis, intrusion detection,
and related systems security topics.

-------------------------------------------------------------------------

TRUST 2013 6th International Conference on Trust and Trustworthy Computing,
London, UK, June 17-19, 2013. (Submissions due 15 February 2013)
http://trust2013.sba-research.org
TRUST 2013 is an international conference on the technical and
socio-economic aspects of trustworthy infrastructures. It provides an
excellent interdisciplinary forum for researchers, practitioners, and
decision makers to explore new ideas and discuss experiences in building,
designing, using and understanding trustworthy computing systems. The
conference solicits original papers on any aspect (technical, social or
socio-economic) of the design, application and usage of trusted and
trustworthy computing. Papers can address design, application and usage of
trusted and trustworthy computing in a broad range of contexts including,
but not limited to, trustworthy infrastructures, cloud computing, services,
hardware, software and protocols.

-------------------------------------------------------------------------

DBSEC 2013 27th Annual IFIP WG 11.3 Working Conference on Data and
Applications Security and Privacy, Rutgers University, Newark, NJ, USA,
July 15-17, 2013. (Submissions due 15 February 2013)
http://dbsec2013.business.rutgers.edu/
The 27th Annual IFIP WG 11.3 Working Conference on Data and Applications
Security and Privacy provides a forum for presenting original unpublished
research results, practical experiences, and innovative ideas in data and
applications security. Both papers and panel proposals are solicited.
Papers may present theory, techniques, applications, or practical experience
on topics of relevance to IFIP WG 11.3:
- Access Control
- Applied cryptography in data security
- Identity theft and countermeasures
- Integrity maintenance
- Intrusion detection
- Knowledge discovery and privacy
- Logics for security and privacy
- Organizational security
- Privacy-preserving data management
- Secure transaction processing
- Secure information integration
- Secure Semantic Web
- Secure sensor monitoring
- Secure Web Services
- Threats, vulnerabilities, and risk management
- Trust management
Additional topics of interest include (but are not limited to): Critical
Infrastructure Protection, Cyber Terrorism, Information Warfare, Database
Forensics, Electronic Commerce Security, and Security in Digital Health Care.

-------------------------------------------------------------------------

USENIX-Security 2013 22nd USENIX Security Symposium, Washington, DC, USA,
August 14-16, 2013. (Submissions due 21 February 2013)
https://www.usenix.org/conference/usenixsecurity13
The USENIX Security Symposium brings together researchers, practitioners,
system administrators, system programmers, and others interested in the
latest advances in the security of computer systems and networks. The USENIX
Security Symposium is primarily a systems security conference. Papers whose
contributions are primarily new cryptographic algorithms or protocols,
cryptanalysis, electronic commerce primitives, etc., may not be appropriate
for this conference. Refereed paper submissions are solicited in all areas
relating to systems and network security, including:
- Analysis of network and security protocols
- Applications of cryptographic techniques
- Attacks with novel insights, techniques, or results
- Authentication and authorization of users, systems, and applications
- Automated tools for source code analysis
- Botnets
- Cryptographic implementation analysis and construction
- Denial-of-service attacks and countermeasures
- Embedded systems security
- File and filesystem security
- Forensics and diagnostics for security
- Hardware security
- Human-computer interaction, security, and privacy
- Intrusion and anomaly detection and prevention
- Malicious code analysis, anti-virus, anti-spyware
- Mobile system security
- Network infrastructure security
- Operating system security
- Privacy-enhancing technologies
- Security architectures
- Security education and training
- Security for critical infrastructures
- Security in heterogeneous and large-scale environments
- Security in ubiquitous computing environments
- Security policy
- Self-protecting and self-healing systems
- Techniques for developing secure systems
- Technologies for trustworthy computing
- Wireless security
- Web security, including client-side and server-side security

-------------------------------------------------------------------------

MoST 2013 Mobile Security Technologies Workshop, Co-located with the 34th
IEEE Symposium on Security and Privacy (IEEE S&P 2013) and an event of the
IEEE Computer Society's Security and Privacy Workshops (SPW 2013),
San Francisco, CA, USA, May 23, 2013. (Submissions due 22 February 2013)
http://mostconf.org/2013/
Mobile Security Technologies (MoST) brings together researchers,
practitioners, policy makers, and hardware and software developers of mobile
systems to explore the latest understanding and advances in security and
privacy for mobile devices, applications, and systems. We are seeking both
short position papers (2-4 pages) and longer papers (a maximum of 10 pages).
The scope of MoST 2013 includes, but is not limited to, security and privacy
specifically for mobile devices and services related to:
- Device hardware
- Operating systems
- Middleware
- Mobile web
- Secure and efficient communication
- Secure application development tools and practices
- Privacy
- Vulnerabilities and remediation techniques
- Usable security
- Identity and access control
- Risks in putting trust in the device vs. in the network/cloud
- Special applications, such as medical monitoring and records
- Mobile advertisement
- Secure applications and application markets
- Economic impact of security and privacy technologies

-------------------------------------------------------------------------

D-SPAN 2013 4th IEEE Workshop on Data Security and Privacy in Wireless
Networks, Co-located with the 14th International Symposium on a World of
Wireless, Mobile and Multimedia Networks (WoWMoM 2013), Madrid, Spain,
June 4, 2013. (Submissions due 28 February 2013)
http://www.ee.washington.edu/research/nsl/DSPAN_2013/
The workshop focuses on research developments related to data security and
privacy in wireless and mobile networks. This workshop solicits papers from
two main categories: (1) papers that consider the security and privacy of
data collection, transmission, storage, publishing, and sharing in wireless
networks broadly defined, e.g., MANET, cellular, vehicular, ad hoc,
cognitive, and sensor networks; and (2) papers that use data analytics to
address security and privacy problems in wireless networks. The workshop
provides a venue for researchers to present new ideas with impact on three
communities: wireless networks, databases, and security. Topics of interest
include, but are not limited to:
- Secure localization and location privacy
- Privacy and anonymity in wireless and mobile networks
- Secure query processing, data collection, and aggregation for wireless
  sensor networks
- Secure and private data streaming
- Key extraction, distribution, and management in wireless networks
- Secure data processing in mobile ad-hoc networks (MANET)
- Secure data collection in body-area networks
- Throughput-security tradeoffs in wireless networks
- Wireless and mobile security for health and smart grid applications

-------------------------------------------------------------------------

CNS 2013 1st IEEE Conference on Communications and Network Security,
Washington D.C., USA, October 14-16, 2013. (Submissions due 1 March 2013)
http://www.ieee-cns.org
Cyber security has become an important research and development area for
academia, government, and industry in recent years. As government and
industry investment in cyber security research continues to grow, there will
be a dramatic increase in the amount of new results generated by the research
community, which must be disseminated widely in order to provide the peer
review feedback needed to ensure that high-quality solutions addressing
important and emerging security issues are developed. As a leading
professional society focusing on communications technologies, the IEEE
Communications Society (ComSoc) has identified the need for a high-quality
security conference that focuses on communications-oriented aspects of
security. IEEE ComSoc has thus decided to launch a new conference dedicated
to Communications and Network Security.
This new conference is positioned to be a core ComSoc conference (at a level comparable to IEEE INFOCOM ) and will serve as a premier forum for cyber security researchers, practitioners, policy makers, and users to exchange ideas, techniques and tools, raise awareness, and share experience related to security and privacy. IEEE CNS seeks original high-quality technical papers from academia, government, and industry. Topics of interest encompass all practical and theoretical aspects of communications and network security, all the way from the physical layer to the various network layers to the variety of applications reliant on a secure communication substrate. Submissions with main contribution in other areas, such as information security, software security, system security, or applied cryptography, will also be considered if a clear connection to secure communications/networking is demonstrated. Particular topics of interest include, but are not limited to: - Security and Privacy in the Internet, peer-to-peer networks, overlay networks - Security and Privacy in Wi-Fi, Wi-Max, ad hoc, mesh, sensor, and RFID networks - Security and Privacy in emerging technologies: social networks, cognitive radio networks, disruption/delay tolerant networks, vehicular networks, cloud computing, smart grid - Cross-layer methods for enhancing security - Information-theoretic security - Anonymization and privacy in communication systems - Traffic analysis, location privacy and obfuscation of mobile device information - Physical layer security methods: confidentiality and authentication - Secure routing, network management - Intrusion detection - Computer and network forensics - Vulnerability, exploitation tools, Malware, Botnet, DDoS attacks - Key management and PKI - Security metrics and performance evaluation, traffic analysis techniques - Web, e-commerce, m-commerce, and e-mail security - Social, economic and policy issues of trust, security and privacy - Ensuring the availability 
of communications, survivability of networks in the presence of denial of service - Jamming and jamming-resistance - Multipath routing around network holes ------------------------------------------------------------------------- W2SP 2013 Web 2.0 Security & Privacy Workshop, Co-located with the 34th IEEE Symposium on Security and Privacy (IEEE S&P 2013) and an event of the IEEE Computer Society's Security and Privacy Workshops (SPW 2013), San Francisco, CA, USA, May 24, 2013. (Submissions due 1 March 2013) http://www.w2spconf.com/2013/ W2SP brings together researchers, practitioners, web programmers, policy makers, and others interested in the latest understanding and advances in the security and privacy of the web, browsers and their eco-system. We are seeking both short position papers (2-4 pages) and longer papers (a maximum of 10 pages). The scope of W2SP 2013 includes, but is not limited to: - Trustworthy cloud-based services - Privacy and reputation in social networks - Security and privacy as a service - Usable security and privacy - Security for the mobile web - Identity management and psuedonymity - Web services/feeds/mashups - Provenance and governance - Security and privacy policies for composible content - Next-generation browser technology - Secure extensions and plug-ins - Advertisement and affiliate fraud - Measurement study for understanding web security and privacy ------------------------------------------------------------------------- CHES 2013 Workshop on Cryptographic Hardware and Embedded Systems, Co-located with the 33rd Annual International Cryptology Conference (CRYPTO 2013), Santa Barbara, California, USA, August 20-23, 2013. (Submissions due 1 March 2013) http://www.chesworkshop.org/ches2013/ CHES covers new results on all aspects of the design and analysis of cryptographic hardware and software implementations. The workshop builds a bridge between the cryptographic research community and the cryptographic engineering community. 
With participants from industry, academia, and government organizations, the number of participants has grown to over 300 in recent years. CHES 2013 will be co-located with the 33rd Annual International Cryptology Conference, CRYPTO 2013, in Santa Barbara, California, USA. This will provide unique interaction opportunities for the communities of both conferences. In addition to a track of high-quality presentations, CHES 2013 will offer invited talks, tutorials, a poster session, and a rump session. The topics of CHES 2013 include but are not limited to:
- Cryptographic implementations
- Attacks against implementations and countermeasures against these attacks
- Tools and methodologies
- Interactions between cryptographic theory and implementation issues
- Applications

-------------------------------------------------------------------------

PRISMS 2013 International Conference on Privacy and Security in Mobile Systems, Atlantic City, NJ, USA, June 24-27, 2013. (Submissions due 4 March 2013)
http://www.gws2013.org/prisms/

PRISMS is the successor of MobiSec (International Conference on Security and Privacy in Mobile Information and Communication Systems). The conference under a new name (PRISMS) is organized this year with the co-sponsorship of IEEE. Its focus is the convergence of information and communication technology in mobile scenarios. This convergence is realised in intelligent mobile devices, accompanied by the advent of next-generation communication networks. Privacy and security aspects need to be covered at all layers of mobile networks, from mobile devices, to privacy respecting credentials and mobile identity management, up to machine-to-machine communications. In particular, mobile devices such as Smartphones and Internet Tablets have been very successful in commercialization. However, their security mechanisms are not always able to deal with the growing trend of information-stealing attacks. As mobile communication and information processing becomes a commodity, economy and society require protection of this precious resource. Mobility and trust in networking go hand in hand for future generations of users, who need privacy and security at all layers of technology. In addition, the introduction of new data collection practices and data-flows (e.g. sensing data) from the mobile device makes it more difficult to understand the new security and privacy threats introduced. PRISMS strives to bring together the leading-edge of academia and industry in mobile systems security, as well as practitioners, standards developers and policymakers. Contributions may range from architecture designs and implementations to cryptographic solutions for mobile and resource-constrained devices.

-------------------------------------------------------------------------

SOUPS 2013 Symposium On Usable Privacy and Security, Northumbria University, Newcastle, UK, July 24-26, 2013. (Submissions due 7 March 2013)
http://cups.cs.cmu.edu/soups/

The 2013 Symposium on Usable Privacy and Security (SOUPS) will bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy. The program will feature technical papers, a poster session, panels and invited talks, lightning talks and demos, and workshops and tutorials. We invite authors to submit original papers describing research or experience in all areas of usable privacy and security.
Topics include, but are not limited to:
- innovative security or privacy functionality and design
- new applications of existing models or technology
- field studies of security or privacy technology
- usability evaluations of new or existing security or privacy features
- security testing of new or existing usability features
- longitudinal studies of deployed security or privacy features
- the impact of organizational policy or procurement decisions
- lessons learned from the deployment and use of usable privacy and security features
- reports of replicating previously published studies and experiments
- reports of failed usable security studies or experiments, with the focus on the lessons learned from such experience

-------------------------------------------------------------------------

VOTE-ID 2013 4th International Conference on E-voting and Identity, University of Surrey, Guildford, UK, July 17-19, 2013. (Submissions due 11 March 2013)
http://www.voteid13.org/

Electronic voting is a very active research area covering a broad range of issues, from computer security and cryptographic issues to human psychology and legal issues. The aim of Vote-ID is to bring together researchers and practitioners from academia, industry and governmental institutions, all working on e-voting systems. The scope covers all aspects of electronic voting systems, including, but not limited to:
- Design and evaluation of e-voting systems
- Security requirements and formal analysis
- Voter authentication and identity management
- Cryptographic voting schemes
- Verifiable election technologies
- Methods for reconciling voter identification with vote privacy
- Usability and accessibility
- Deployment and lifecycle concerns
- Implementation issues and trade-offs
- Legal, political and other interdisciplinary issues

-------------------------------------------------------------------------

HST 2013 13th annual IEEE Conference on Technologies for Homeland Security, Waltham, Massachusetts, USA, November 12 - 14, 2013. (Submissions due 15 March 2013)
http://www.ieee-hst.org

The 13th annual IEEE Conference on Technologies for Homeland Security (HST '13), to be held 12 - 14 November, will bring together innovators from leading academic, industry, business, Homeland Security Centers of Excellence, and government programs to provide a forum to discuss ideas, concepts, and experimental results. Produced by IEEE with technical support from DHS S&T, IEEE Boston Section, and IEEE-USA and organizational support from MIT Lincoln Laboratory, Raytheon, Battelle, and MITRE, this year's event will once again showcase selected technical papers and posters highlighting emerging technologies in the areas of Cyber Security; Attack and Disaster Preparation, Recovery, and Response; Land and Maritime Border Security; and Biometrics & Forensics.

-------------------------------------------------------------------------

PST 2013 11th International Conference on Privacy, Security and Trust, Tarragona, Catalonia, July 10-12, 2013. (Submissions due 17 March 2013)
http://unescoprivacychair.urv.cat/pst2013/index.php?m=cfp

PST2013 provides a forum for researchers world-wide to unveil their latest work in privacy, security and trust and to show how this research can be used to enable innovation.
PST2013 will include one day of tutorials followed by two days of high-quality research papers whose topics include, but are NOT limited to, the following:
- Privacy Preserving / Enhancing Technologies
- Critical Infrastructure Protection
- Network and Wireless Security
- Operating Systems Security
- Intrusion Detection Technologies
- Secure Software Development and Architecture
- PST Challenges in e-Services, e.g. e-Health, e-Government, e-Commerce
- Network Enabled Operations
- Digital forensics
- Information Filtering, Data Mining and Knowledge from Data
- National Security and Public Safety
- Cryptographic techniques for privacy preservation
- Security Metrics
- Recommendation, Reputation and Delivery Technologies
- Continuous Authentication
- Trust Technologies, Technologies for Building Trust in e-Business Strategy
- Observations of PST in Practice, Society, Policy and Legislation
- Digital Rights Management
- Identity and Trust management
- PST and Cloud Computing
- Human Computer Interaction and PST
- Implications of, and Technologies for, Lawful Surveillance
- Biometrics, National ID Cards, Identity Theft
- PST and Web Services / SOA
- Privacy, Traceability, and Anonymity
- Trust and Reputation in Self-Organizing Environments
- Anonymity and Privacy vs. Accountability
- Access Control and Capability Delegation
- Representations and Formalizations of Trust in Electronic and Physical Social Systems

-------------------------------------------------------------------------

RFIDSEC 2013 9th Workshop on RFID Security, Graz, Austria, July 9-11, 2013. (Submissions due 2 April 2013)
http://rfidsec2013.iaik.tugraz.at/

RFIDsec is the premier workshop devoted to security and privacy in Radio Frequency Identification (RFID) with participants throughout the world. RFIDsec brings together researchers from academia and industry for topics of importance to improving the security and privacy of RFID, NFC, contactless technologies, and the Internet of Things. RFIDsec bridges the gap between cryptographic researchers and RFID developers through invited talks and contributed presentations. Topics of the workshop include but are not limited to:
- New applications for secure RFID, NFC, and other constrained systems
- Resource-efficient implementations of cryptography
  o Small-footprint hardware and/or software
  o Low-power and/or low energy implementations
- Attacks on RFID systems: Side-channel attacks, Fault attacks, Hardware tampering
- Data protection and privacy-enhancing techniques
- Cryptographic protocols: Authentication protocols, Key distribution, Scalability issues
- Integration of secure RFID systems: Infrastructures, Middleware and security, Data mining and other systemic approaches to RFID security
- RFID hardware security: Physical Unclonable Functions (PUFs), RFID Trojans
- Case studies

-------------------------------------------------------------------------

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".
   OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL
http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

John Pescatore is joining the SANS organization. His new email address will be pescatorej@sans.org

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at
https://www.ieee.org/membership-catalog/productdetail/showProductDetailPage.html?product=CMYSP728

______________________________________________________________________
TC Publications for Sale
______________________________________________________________________

IEEE Security and Privacy Symposium

The 2010 hardcopy proceedings are available at $25 each. The DVD with all technical papers from all years of the SP Symposium and the CSF Symposium (through 2009) is $10, plus shipping and handling.

The 2009 hardcopy proceedings are not available. The DVD with all technical papers from all years of the SP Symposium and the CSF Symposium is $5, plus shipping and handling.

The 2008 hardcopy proceedings are $10 plus shipping and handling; the 29 year CD is $5.00, plus shipping and handling.

The 2007 proceedings are available in hardcopy for $10.00, the 28 year CD is $5.00, plus shipping and handling.

The 2006 Symposium proceedings and 11-year CD are sold out.

The 2005, 2004, and 2003 Symposium proceedings are available for $10 plus shipping and handling.

Shipping is $5.00/volume within the US, overseas surface mail is $8/volume, and overseas airmail is $14/volume, based on an order of 3 volumes or less. The shipping charge for a CD is $3 per CD (no charge if included with a hard copy order).

Send a check made out to the IEEE Symposium on Security and Privacy to the 2011 treasurer (below) with the order description, including shipping method and shipping address.

Robin Sommer
Treasurer, IEEE Symposium Security and Privacy 2011
International Computer Science Institute
Center for Internet Research
1947 Center St., Suite 600
Berkeley, CA 94704 USA
oakland11-treasurer@ieee-security.org

IEEE CS Press

You may order some back issues from IEEE CS Press at
http://www.computer.org/cspress/catalog/proc9.htm

Computer Security Foundations Symposium

Copies of the proceedings of the Computer Security Foundations Workshop (now Symposium) are available for $10 each. Copies of proceedings are available starting with year 10 (1997). Photocopy versions of year 1 are also $10. Contact Jonathan Herzog if interested in purchase.

Jonathan Herzog
jherzog@alum.mit.edu

____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________

Chair:
Sven Dietrich
Department of Computer Science
Stevens Institute of Technology
+1 201 216 8078
spock AT cs.stevens.edu

Security and Privacy Symposium Chair Emeritus:
Robert Cunningham
MIT Lincoln Laboratories
http://www.ll.mit.edu/mission/communications/ist/biographies/cunningham-bio.html

Vice Chair:
Patrick McDaniel
Computer Science and Engineering
Pennsylvania State University
360 A IST Building
University Park, PA 16802
(814) 863-3599
mcdaniel@cse.psu.edu

Treasurer:
Terry Benzel
USC Information Sciences Institute
4676 Admiralty Way, Suite 1001
Los Angeles, CA 90292
(310) 822-1511 (voice)
tbenzel @isi.edu

Newsletter Editor and TC Awards Chair:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2013 Chair:
Robin Sommer
http://www.icir.org/robin

________________________________________________________________________

BACK ISSUES: Cipher is archived at:
http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year