============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 113 March 18, 2013
Hilarie Orman, Editor: cipher-editor @ ieee-security.org
Sven Dietrich, Assoc. Editor: cipher-assoc-editor @ ieee-security.org
Richard Austin, Book Review Editor: cipher-bookrev @ ieee-security.org
Yong Guan, Calendar Editor: cipher-cfp @ ieee-security.org
============================================================================
The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year
Contents:
* Letter from the Editor
* Commentary and Opinion and News
o Richard Austin's review of "Reverse Deception: Organized Cyber
Threat Counter-Exploitation"
by S. Bodmer, M. Kilger, G. Carpenter and J. Jones
o Security in the News:
- RC4 Encryption Demonstrably Breakable
- Evernote Cloud Storage, User Data Compromised
- Warrantless Surveillance Foes Win a Round
- Pentagon Announces Cyber Command Expansions
- Experts say Chinese are behind cyberbarrage
- Cyberespionage Campaign Directed at US
- Is All of China's Cyberwarfare Capability Housed in One Building?
- US Company Traces Cyberattacks to China
- US Weighs Rules for CyberCommand
- Military Honors for CyberWarriors?
- An Executive Order Gives US Agencies Ability to Share Cyberthreat
Information with Companies
- Companies Talk About CyberTroubles and Share Information
- US to China: Stop Hacking!
- US Considers Motives for Hack Attacks
- President Obama and US Corporate Chiefs Meet, Help Sought for Passing
Legislation
- US Cybercommand Chief Tells Congress About Defenses
- China Asks For International Rules on Hacking
- Australian central bank Lightly Hacked
- Social Media Editor and the Dark Side
o Book reviews, Conference Reports and Commentary and News items
from past Cipher issues are available at the Cipher website
* List of Computer Security Academic Positions, by Cynthia Irvine
* Conference and Workshop Announcements
o Calendar of Events
o Upcoming calls-for-papers and events
* Staying in Touch
o Information for subscribers and contributors
o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
o Becoming a member of the TC
o TC Officers
o TC publications for sale
====================================================================
Letter from the Editor
====================================================================
Dear Readers:
S&P, S&PW, and CSF are coming! Yes, the IEEE Computer Society's
Technical Committee on Security and Privacy's annual flagship
conferences are nearly upon us. The "Oakland" event moved to San
Francisco's St Francis Hotel last year, and it will be there again in
May. The Workshops of Security and Privacy are also at the
St. Francis, on the two days following. Registration is available
through the conference website (http://ieee-security.org). The list
of papers for S&P is available now, over 40 papers showing the best of
security research today.
In June, the Computer Security Foundations Symposium
(http://csf2013.seas.harvard.edu/) will be held in New Orleans. This
gathering has an orientation towards logic and design, and its
co-location with the "Logic in Computer Science" conference will
result in a logical concentration of some magnitude.
The US government's executive branch has embarked on a media blitz in
its efforts to get legislation giving it more power to combat
cyberattacks and cyberespionage. We count 14 major news articles
related to this subject alone. Privacy advocates do not support
the broader powers, and some, notably Bruce Schneier in an opinion
piece for CNN, feel that we are already living in an
"Internet surveillance state."
http://www.cnn.com/2013/03/16/opinion/schneier-internet-surveillance/index.html?hpt=hp_bn7
Richard Austin, our widely read book reviewer, recommends a book about
defense as deception in this issue.
Final note: You are walking around with a "phone" with two 1.2GHz
processors, GPS, WiFi, a camera, and 50 random apps, and you ask if
it is "secure"? There is probably a reality channel somewhere devoted
just to you!
Be circumspect in its presence.
Hilarie Orman
cipher-editor @ ieee-security.org
====================================================================
Commentary and Opinion
====================================================================
Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports
are archived at http://www.ieee-security.org/Cipher/ConfReports.html
____________________________________________________________________
Book Review By Richard Austin
3/14/2013
____________________________________________________________________
Reverse Deception: Organized Cyber Threat Counter-Exploitation
by S. Bodmer, M. Kilger, G. Carpenter and J. Jones
McGraw-Hill 2012.
ISBN 978-07-177249-5 amazon.com USD 26.40
Though deception in various forms (such as spoofing a network address,
posing as a trusted colleague, malware masquerading as a vendor
security update) plays a significant part in many successful
intrusions, security professionals have likely never considered how
deception could become a tool in defending their networks and assets.
Deceptions, whether conducted by an adversary or defender, are complex
tasks that rely on a good understanding of goals and tactics. This
understanding begins with knowledge of the adversary (capabilities,
motivations, and tactics). The authors introduce some useful
terminology in the introduction (and develop it fully in later
chapters) by distinguishing between advanced persistent threats,
persistent threats and opportunistic threats.
Most of us are familiar with the "opportunistic threats" (also called
"commodity threats"), such as common varieties of malware which target
any vulnerable host they happen to encounter. Persistent threats are
more targeted at specific types of information and include the
capability (persistence) to remain active for an extended period. The
dreaded "advanced persistent threat" is a qualitative enhancement of
the persistent threat and implies a better funded, technically
capable adversary willing to take multiple steps in achieving his
objective (for example, compromise the vendor of a common security
product used by the target organization in order to illicitly access
its sensitive intellectual property). The authors introduce 9
dimensions (e.g., objectives, resources, adversary risk tolerance,
etc.) for classifying a threat on the opportunistic-APT
continuum.
The deception process, as the authors are careful to note, is a
two-way street where both sides of the interaction may be actively
attempting to deceive the other at various times during the
engagement. This maddening situation is aptly called the "hall of
mirrors". To be successful in deceiving an adversary, the deception
must be carefully planned and supported - for example, a HoneyNet with
a trove of fascinating documents will quickly lose its attraction
unless the documents have appropriate creation dates and can be seen
to change and be updated over time. Readers are frequently reminded
that deception always has the purpose (guide the adversary into some
preferred action or inaction) of reaching some desirable conclusion,
and these purposes must be clearly identified before the deception is
undertaken.
When one uses a phrase like "engage an adversary", visions of lawsuits
spring to mind. The vision is possible if one does
not prepare appropriately before taking action even within the
confines of one's own perimeter. As the authors note, the key is to
work with competent legal counsel to assure that the contemplated
course of action is legally permissible. This "Duh!" advice is
followed by a solid discussion of how to actually talk to an attorney
so he understands what you are proposing to do and why it makes sense
to do it; then he can advise you appropriately. This attitude of
actively partnering with legal advisors would go a long way toward
ending the entrenched perception that one "shouldn't bother asking
legal because they will just say NO!".
Historical examples, relevant case studies (thoroughly sanitized),
good illustrations and many examples illustrate the concepts in
operation. Copious references are provided so readers can dig deeper
into topics of interest.
As with any book by multiple authors, there is some unevenness of
presentation that should have been addressed in the final editing
process. There are also some mystifying statements such as "When it
comes to cyber espionage, if your adversary can dive into all your
secrets without performing any type of kinetic warfare" (p. 148).
Since espionage is not generally considered an act of war, I suspect
the author was making the point that cyber espionage does not
necessarily require risky real-world actions such as recruiting and
operating agents, gaining physical access to an adversary's bases,
etc. Acronyms abound so readers are well advised to maintain a list
in order to avoid flipping back and forth to decode "SSCT" or "TTP".
This book is a masterful presentation of deception, how it works, how
to understand it and how it may be used as another tool in defending
your organization's assets. Given our constantly evolving threat
environment, contributions to increasing our understanding and
enhancing our defensive arsenal are sorely needed. Definitely a
recommended read.
____________________________________________________________________
It has been said "Be careful, for writing books is endless, and much
study wears you out" so Richard Austin (http://cse.spsu.edu/raustin2)
fearlessly samples the wares of the publishing houses and opines on
which might profitably occupy your scarce reading time. He welcomes
your thoughts and comments via raustin at ieee dot org
====================================================================
News Briefs
====================================================================
RC4 Encryption Demonstrably Breakable
Cryptographers show mathematically crackable flaws in common web encryption
Andy Greenberg, Forbes Staff, 3/13/2013
http://www.forbes.com/sites/andygreenberg/2013/03/13/cryptographers-show-mathematically-crackable-flaws-in-common-web-encryption
The RC4 encryption algorithm, widely used on the Internet because of
its simple design and speed, is less secure than previously believed.
----------------
Evernote User Data Compromised
CNN.com
Doug Gross
March 4, 2013
50 million compromised in Evernote hack
http://www.cnn.com/2013/03/04/tech/web/evernote-hacked/index.html?hpt=hp_t3
Data in the cloud may have pie-in-sky security. The firm Evernote
announced that its usernames and email addresses (but not passwords)
had been revealed to hackers. The passwords are encrypted, but we
hope that RC4 was not the algorithm (see earlier article in this list).
----------------
The Washington Post
By Ellen Nakashima
Mar 16, 2013
FBI survillance tool is ruled unconstitutional
http://www.washingtonpost.com/world/national-security/fbi-survillance-tool-is-ruled-unconstitutional/2013/03/15/d4796396-8db9-11e2-9f54-f3fdd70acad2_story.html
National security letters, a warrantless communication surveillance
method used by the FBI, have been ruled unconstitutional by a Federal
Appeals Court in California.
----------------
The Washington Post
By Ellen Nakashima
Jan 28, 2013
Pentagon to boost cybersecurity force
http://www.washingtonpost.com/world/national-security/pentagon-to-boost-cybersecurity-force/2013/01/19/d87d9dc2-5fec-11e2-b05a-605528f6b712_story.html
The Pentagon announced plans for a three-pronged "CyberCommand" to
utilize 5 times as many people as are currently involved in such
activities.
----------------
Chinese cyber attacks on West are widespread, experts say
CNN.com
By Kevin Voigt
Feb 1, 2013
http://www.cnn.com/2013/02/01/tech/china-cyber-attacks/index.html?iid=article_sidebar
Apparently successful "spear-phishing" attacks against major US
newspapers originate in China, according to unnamed experts.
----------------
U.S. said to be target of massive cyber-espionage campaign
The Washington Post
By Ellen Nakashima
Feb 10, 2013
http://www.washingtonpost.com/world/national-security/us-said-to-be-target-of-massive-cyber-espionage-campaign/2013/02/10/7b4687d8-6fc1-11e2-aa58-243de81040ba_story.html
According to a classified report called the "National Intelligence
Estimate", the US is the target of cyberespionage mounted by several
countries. "Cyber-espionage, which was once viewed as a concern
mainly by U.S. intelligence and the military, is increasingly seen as
a direct threat to the nation's economic interests."
----------------
China's Army Is Seen as Tied to Hacking Against U.S.
New York Times
By David E. Sanger, David Barboza and Nicole Perlroth
Feb 19, 2013
http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html
Is one building in China the source of concerted attacks against US cyberassets?
----------------
Report ties cyberattacks on U.S. computers to Chinese military
The Washington Post
By William Wan and Ellen Nakashima
Feb 19, 2013
http://www.washingtonpost.com/world/report-ties-100-plus-cyber-attacks-on-us-computers-to-chinese-military/2013/02/19/2700228e-7a6a-11e2-9a75-dab0201670da_story.html
A 60-page report by a US company, Mandiant, is the first
non-governmental assessment of the source of attacks on US computers
to lay the blame on the Chinese military.
----------------
Broad Powers Seen for Obama in Cyberstrikes
The New York Times
By David E. Sanger and Thom Shanker
Feb 4, 2013
http://www.nytimes.com/2013/02/04/us/broad-powers-seen-for-obama-in-cyberstrikes.html
The US executive branch has been considering rules governing actions
of its new "Cyber Command". "The implications of pre-emption in
cyberwar were specifically analyzed at length in writing the new
rules. One major issue involved in the administration’s review,
according to one official involved, was defining "what constitutes
reasonable and proportionate force" in halting or retaliating against
a cyberattack."
----------------
Pentagon creates new medal for extraordinary work by cyber and drone warriors.
The Washington Post
Feb 13, 2013
http://www.washingtonpost.com/politics/pentagon-creates-new-medal-to-for-extraordinary-work-by-cyber-drone-warriors/2013/02/13/a0e104e4-75fe-11e2-9889-60bfcbb02149_story.html
[Cipher Ed.: This story has been withdrawn from the Washington Post website].
----------------
Obama Order Gives Firms Cyberthreat Information
New York Times
By Michael S. Schmidt and Nicole Perlroth
February 12, 2013
http://www.nytimes.com/2013/02/13/us/executive-order-on-cybersecurity-is-issued.html
A stopgap measure aimed at bolstering US resistance to cyberattacks,
the President signed an executive order for sharing threat information
between the government and private companies.
----------------
Security tools reveal cyberintruders' trickery
USA Today
Byron Acohido
February 27, 2013
http://www.usatoday.com/story/tech/2013/02/27/proactive-intelligence-corporate-network-breaches/1949879/
The buzz at the annual RSA Conference was about how large
organizations are putting more effort into discovering how they were
hacked, and they are also starting to share that information.
----------------
U.S. Demands That China End Hacking and Set Cyber Rules
New York Times
By Mark Landler and David E. Sanger
March 11, 2013
http://www.nytimes.com/2013/03/12/world/asia/us-demands-that-china-end-hacking-and-set-cyber-rules.html
Tom Donilon, President Obama's national security advisor, said that
the White House wants China to crack down on hackers and enter into a
dialogue about standards.
----------------
U.S. Weighs Risks and Motives of Hacking by China or Iran
New York Times
By Nicole Perlroth, David E. Sanger and Michael S. Schmidt
Mar 4, 2013
http://www.nytimes.com/2013/03/04/us/us-weighs-risks-and-motives-of-hacking-by-china-or-iran.html?pagewanted=1
The US government expresses some confusion over the perpetrators of
large-scale hacking attacks. Although the countries of origin appear
to be China and Iran, the administration is unsure whether
individuals, the military, or both, are behind the majority of the
attacks.
----------------
Obama Discusses Computer Security With Corporate Chiefs
New York Times
By Michael D. Shear and Nicole Perlroth
Mar 14, 2013
http://bits.blogs.nytimes.com/2013/03/13/obama-discusses-computer-security-with-corporate-chiefs/?src=recg
The White House was the location for a meeting on March 13 for the
purpose of enlisting support for pending legislation giving the
executive branch powers and funds to combat cyberespionage and to
thwart or counter cyberwarfare. The legislation was proposed but not
passed in 2011. Last month, an executive order was signed, setting the
stage for information sharing with private companies, and this
meeting may have resulted as a consequence of that order.
----------------
Security Chief Says Computer Attacks Will Be Met
New York Times
By Mark Mazzetti and David E. Sanger
Mar 14, 2013
http://www.nytimes.com/2013/03/13/us/intelligence-official-warns-congress-that-cyberattacks-pose-threat-to-us.html?src=recg&_r=0
Gen. Keith Alexander, head of the US Cybercommand, talked to Congress
about the defensive part of his 3-part command structure.
----------------
China Calls for Global Hacking Rules
New York Times
By David Barboza
Mar 14, 2013
http://www.nytimes.com/2013/03/11/world/asia/china-calls-for-global-hacking-rules.html?src=recg
China joined the media blitz about cyberespionage by calling for new
dialogue on rules and cooperation while denying official involvement
in misdeeds.
----------------
Australian Central Bank Hit by Cyberattack
New York Times
Reuters
Mar 14, 2013
http://www.nytimes.com/2013/03/12/technology/australian-central-bank-hit-by-cyberattack.html?src=recg
The Australian central bank said that although news reports about it
being hacked were partially true, the bank believes that it was
successful in isolating the attacks and avoiding any information
disclosure.
----------------
Thomson Reuters Editor Is Charged in Hacking of News Site
New York Times
By Amy Chozick
Mar 15, 2013
http://mediadecoder.blogs.nytimes.com/2013/03/14/thomson-reuters-editor-indicted-on-charges-of-aiding-hackers-group/
An admitted Twitter addict, Thomson Reuters' deputy social media
editor Matthew Keys may also be a malicious hacker. He has been
charged with hacking the Los Angeles Times website and altering
headlines.
----------------
News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html
====================================================================
Listing of academic positions available
by Cynthia Irvine
====================================================================
New since Cipher E112:
Posted Mar 2013
University of Versailles-St-Quentin-en-Yvelines
PRiSM Laboratory - "Cryptology and Information Security" group
Versailles, France
Assistant Professor position
Deadline for applications: March 28, 2013
http://www.prism.uvsq.fr/~logo/MCF-0781944P-4071_en.htm
--------------
http://cisr.nps.edu/jobscipher.html
This job listing is maintained as a service to the academic
community. If you have an academic position in computer security and
would like to have it included on this page, send the following
information:
Institution,
City, State,
Position title,
date position announcement closes, and
URL of position description
to: irvine@cs.nps.navy.mil
====================================================================
Conference and Workshop Announcements
Upcoming Calls-For-Papers and Events
====================================================================
The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html
The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html
Cipher calendar entries are announced on Twitter; follow ciphernews
____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________
Calendar of Security and Privacy Related Events
maintained by Hilarie Orman
Date (Month/Day/Year), Event, Locations, web page for more info.
3/18/13: SECRYPT, 10th International Conference on Security and Cryptography,
Reykjavik, Iceland;
http://secrypt.icete.org;
Submissions are due
3/18/13- 3/20/13: IFIP1110-CIP, 7th Annual IFIP WG 11.10
International Conference on Critical Infrastructure
Protection
Washington, DC, USA;
http://www.ifip1110.org/Conferences/WG11-10CallForPapers2013.pdf
3/18/13- 3/20/13: SPW, 21st International Workshop on Security Protocols,
Sidney Sussex College, Cambridge, England;
http://spw.stca.herts.ac.uk/
3/22/13: MWSN, IEEE International Workshop on Security and Privacy of Mobile,
Wireless and Sensor Networks, New Orleans, LA, USA;
http://www2.cs.uh.edu/mwsn/;
Submissions are due
3/30/13: ECTCM, 1st International Workshop on Emerging Cyberthreats and
Countermeasures, Co-located with ARES 2013,
University Regensburg, Germany;
http://www.ectcm.net;
Submissions are due
4/ 1/13: International Journal of Distributed Sensor Networks,
Special Issue on Intrusion Detection and Security Mechanisms for
Wireless Sensor Networks;
http://www.hindawi.com/journals/ijdsn/si/430493/cfp/;
Submissions are due
4/ 1/13: CSAW, Cloud Security Auditing Workshop,
Held in conjunction with the IEEE 9th World Congress on Services,
Santa Clara, CA, USA;
http://www.csaw2013.org;
Submissions are due
4/ 1/13- 4/ 5/13: FC, 17th International Conference on Financial Cryptography
and Data Security,
Bankoku Shinryokan, Busena Terrace Beach Resort, Okinawa, Japan;
http://fc13.ifca.ai/cfp.html
4/ 2/13: RFIDSEC, 9th Workshop on RFID Security,
Graz, Austria;
http://rfidsec2013.iaik.tugraz.at/;
Submissions are due
4/ 8/13- 4/ 9/13: IDMAN, 3rd IFIP WG 11.6 Working Conference on
Policies & Research in Identity Management,
London, UK; http://www.idman2013.com
4/10/13: FCS, Workshop on Foundations of Computer Security,
Tulane University, New Orleans, Louisiana, USA;
http://prosecco.inria.fr/personal/bblanche/fcs13/;
Submissions are due
4/15/13: CMS, 14th Joint IFIP TC6 and TC11 Conference on Communications
and Multimedia Security
Magdeburg, Germany; http://www.cms2013.de;
Submissions are due
4/15/13: SeCIHD, 3rd IFIP International Workshop on Security and
Cognitive Informatics for Homeland Defense,
Held in conjunction with the 8th ARES Conference (ARES 2013),
Regensburg, Germany; http://isyou.info/conf/secihd13/;
Submissions are due
4/15/13: TGC, 8th International Symposium on Trustworthy Global Computing,
Buenos Aires, Argentina; http://sysma.lab.imtlucca.it/tgc2013/;
Submissions are due
4/29/13: PRISMS, International Conference on Privacy and Security in
Mobile Systems
Atlantic City, NJ, USA; http://www.gws2013.org/prisms/;
Submissions are due
5/ 6/13: ICICS, 15th International Conference on Information and
Communications Security
Beijing, China; http://icsd.i2r.a-star.edu.sg/icics2013/;
Submissions are due
5/ 6/13: SeTTIT, Workshop on Security Tools and Techniques for
Internet of Things,
Co-located with the BODYNETS 2013 conference,
Boston, Massachusetts, USA; http://settit.bodynets.org/2013/show/home
Submissions are due
5/ 7/13: AsiaPKC, ACM Asia Public-Key Cryptography Workshop,
Held in conjunction with the 8th ACM Symposium on Information,
Computer and Communications Security (ASIACCS 2013)
Hangzhou, China; http://www.cs.utsa.edu/~shxu/acm-asiapkc13/
5/ 7/13: SESP, 1st International Workshop on Security in Embedded
Systems and Smartphones,
Held in conjunction with the 8th ACM Symposium on Information,
Computer and Communications Security (ASIACCS 2013)
Hangzhou, China; http://doe.cs.northwestern.edu/SESP/
5/ 7/13: SCC, International Workshop on Security in Cloud Computing,
Held in conjunction with the 8th ACM Symposium on Information,
Computer and Communications Security (ASIACCS 2013), Hangzhou, China;
http://www.cs.cityu.edu.hk/~congwang/asiaccs-scc/
5/ 8/13: CCS, 20th ACM Conference on Computer and Communications Security,
Berlin, Germany; http://www.sigsac.org/ccs/CCS2013/;
Submissions are due
5/ 8/13- 5/10/13: ASIACCS, 8th ACM Symposium on Information, Computer and
Communications Security, Hangzhou, China;
http://hise.hznu.edu.cn/asiaccs/index.html
5/10/13: SECURECOMM, 9th International ICST Conference on Security
and Privacy in Communication Networks
Sydney, Australia; http://securecomm.org/2013/;
Submissions are due
5/12/13- 5/14/13: ISPEC, 9th Information Security Practice and
Experience Conference,
Lanzhou, China; http://icsd.i2r.a-star.edu.sg/ispec2013/
5/13/13: IWSEC, 8th International Workshop on Security,
Okinawaken Shichouson Jichikaikan, Japan;
http://www.iwsec.org/2013;
Submissions are due
5/19/13- 5/22/13: SP, 34th IEEE Symposium on Security and Privacy,
San Francisco, California, USA; http://www.ieee-security.org/TC/SP2013/
5/23/13- 5/24/13: SPW (Call for Workshop proposals), 2nd IEEE CS Security and
Privacy Workshops,
Co-located with the IEEE Symposium on Security and Privacy (SP 2013),
Westin St. Francis Hotel, San Francisco, CA, USA;
http://www.codaspy.org
5/23/13: MoST, Mobile Security Technologies Workshop,
Co-located with the 34th IEEE Symposium on Security and Privacy
(IEEE S&P 2013) and an event of the IEEE Computer Society's Security
and Privacy Workshops (SPW 2013), San Francisco, CA, USA;
http://mostconf.org/2013/
5/24/13: W2SP, Web 2.0 Security & Privacy Workshop,
Co-located with the 34th IEEE Symposium on Security and Privacy
(IEEE S&P 2013) and an event of the IEEE Computer Society's Security
and Privacy Workshops (SPW 2013), San Francisco, CA, USA;
http://www.w2spconf.com/2013/
5/28/13- 5/30/13: WISTP, 7th Workshop in Information Security Theory
and Practice,
Heraklion, Greece; http://www.wistp.org
5/30/13: SOUPS-RISK, Workshop on Risk Perception in IT Security and Privacy,
Newcastle, UK; http://cups.cs.cmu.edu/soups/2013/risk.html;
Submissions are due
6/ 2/13- 6/ 3/13: HOST, IEEE International Symposium on
Hardware-oriented Security and Trust,
Austin Convention Center, Austin, TX, USA;
http://www.hostsymposium.org/
6/ 3/13- 6/ 4/13: NSS, 7th International Conference on Network and
System Security,
Madrid, Spain; http://anss.org.au/nss2013/index.htm
6/ 3/13- 6/ 7/13: IFIP-TM, 7th IFIP International Conference on Trust
Management,
Málaga, Spain;
http://conf2013.ifiptm.org/
6/ 4/13: D-SPAN, 4th IEEE Workshop on Data Security and Privacy in
Wireless Networks,
Co-located with the 14th International Symposium on a
World of Wireless, Mobile and Multimedia Networks (WoWMoM 2013),
Madrid, Spain;
http://www.ee.washington.edu/research/nsl/DSPAN_2013/
6/12/13- 6/14/13: SACMAT, 18th ACM Symposium on Access Control Models
and Technologies,
Amsterdam, The Netherlands; http://www.sacmat.org/
6/17/13- 6/19/13: TRUST, 6th International Conference on Trust and Trustworthy
Computing,
London, UK; http://trust2013.sba-research.org
6/23/13: MWSN, IEEE International Workshop on Security and Privacy of Mobile,
Wireless and Sensor Networks
New Orleans, LA, USA; http://www2.cs.uh.edu/mwsn/
6/24/13- 6/27/13: PRISMS, International Conference on Privacy and Security in
Mobile Systems, Atlantic City, NJ, USA; http://www.gws2013.org/prisms/
6/25/13- 6/28/13: ACNS, 11th International Conference on Applied Cryptography
and Network Security, Banff, Alberta, Canada;
http://acns2013.cpsc.ucalgary.ca/
6/26/13- 6/28/13: CSF, 26th IEEE Computer Security Foundations Symposium,
Tulane University, New Orleans, Louisiana, USA;
http://csf2013.seas.harvard.edu/
6/27/13- 7/ 2/13: CSAW, Cloud Security Auditing Workshop,
Held in conjunction with the IEEE 9th World Congress on Services,
Santa Clara, CA, USA;
http://www.csaw2013.org
6/29/13: FCS, Workshop on Foundations of Computer Security,
Tulane University, New Orleans, Louisiana, USA;
http://prosecco.inria.fr/personal/bblanche/fcs13/
6/30/13: SIN, 6th International Conference on Security of Information
and Networks
Aksaray, Turkey; http://www.sinconf.org;
Submissions are due
7/ 1/13: RFIDsec-Asia, Workshop on RFID and IoT Security,
Guangzhou, China;
http://www.inscrypt.cn/2013/Inscrypt_2013/CFP-RFIDsecAsia.htm;
Submissions are due
7/ 8/13: VizSec, 10th International Symposium on Visualization for
Cyber Security, Atlanta GA, USA;
http://www.vizsec.org/;
Submissions are due
7/ 8/13: NFSP, 2nd International Workshop on Network Forensics, Security and
Privacy,
Held in conjunction with the 33rd International Conference on
Distributed Computing Systems (ICDCS 2013), Philadelphia, PA, USA;
http://www.faculty.umassd.edu/honggang.wang/nfsp2013/
7/ 9/13- 7/11/13: RFIDSEC, 9th Workshop on RFID Security,
Graz, Austria; http://rfidsec2013.iaik.tugraz.at/
7/10/13- 7/12/13: PST, 11th International Conference on Privacy,
Security and Trust,
Tarragona, Catalonia;
http://unescoprivacychair.urv.cat/pst2013/index.php?m=cfp
7/15/13- 7/17/13: DBSEC, 27th Annual IFIP WG 11.3 Working Conference
on Data and Applications Security and Privacy,
Rutgers University, Newark, NJ, USA;
http://dbsec2013.business.rutgers.edu/
7/17/13- 7/19/13: VOTE-ID, 4th International Conference on E-voting
and Identity,
University of Surrey, Guildford, UK; http://www.voteid13.org/
7/18/13- 7/19/13: DIMVA, 10th International Conference on Detection
of Intrusions and Malware & Vulnerability Assessment
Berlin, Germany; http://www.dimva.org/dimva2013
7/24/13- 7/26/13: SOUPS, Symposium On Usable Privacy and Security,
Northumbria University, Newcastle, UK; http://cups.cs.cmu.edu/soups/
7/24/13- 7/26/13: SOUPS-RISK, Workshop on Risk Perception in IT Security
and Privacy,
Newcastle, UK; http://cups.cs.cmu.edu/soups/2013/risk.html
7/29/13- 7/31/13: SECRYPT, 10th International Conference on Security and
Cryptography,
Reykjavik, Iceland; http://secrypt.icete.org
8/14/13- 8/16/13: USENIX-Security, 22nd USENIX Security Symposium,
Washington, DC, USA;
https://www.usenix.org/conference/usenixsecurity13
8/20/13- 8/23/13: CHES, Workshop on Cryptographic Hardware and Embedded Systems
Co-located with the 33rd Annual International Cryptology
Conference (CRYPTO 2013), Santa Barbara, California, USA;
http://www.chesworkshop.org/ches2013/
8/30/13- 8/31/13: TGC, 8th International Symposium on Trustworthy
Global Computing,
Buenos Aires, Argentina; http://sysma.lab.imtlucca.it/tgc2013/
9/ 2/13- 9/ 6/13: ECTCM, 1st International Workshop on Emerging
Cyberthreats and Countermeasures,
Co-located with ARES 2013, University Regensburg, Germany;
http://www.ectcm.net
9/ 2/13- 9/ 6/13: SeCIHD, 3rd IFIP International Workshop on Security and
Cognitive Informatics for Homeland Defense,
Held in conjunction with the 8th ARES Conference (ARES 2013),
Regensburg, Germany; http://isyou.info/conf/secihd13/
9/25/13- 9/26/13: CMS, 14th Joint IFIP TC6 and TC11 Conference on
Communications and Multimedia Security
Magdeburg, Germany;
http://www.cms2013.de
9/25/13- 9/27/13: SECURECOMM, 9th International ICST Conference on Security
and Privacy in Communication Networks
Sydney, Australia; http://securecomm.org/2013/
9/30/13-10/ 2/13: SeTTIT, Workshop on Security Tools and Techniques for
Internet of Things,
Co-located with the BODYNETS 2013 conference,
Boston, Massachusetts, USA;
http://settit.bodynets.org/2013/show/home
10/14/13: VizSec, 10th International Symposium on Visualization for
Cyber Security, Atlanta GA, USA;
http://www.vizsec.org/
10/14/13-10/16/13: CNS, 1st IEEE Conference on Communications and
Network Security,
Washington D.C., USA; http://www.ieee-cns.org
11/ 4/13-11/ 8/13: CCS, 20th ACM Conference on Computer and
Communications Security,
Berlin, Germany; http://www.sigsac.org/ccs/CCS2013/
11/12/13-11/14/13: HST, 13th annual IEEE Conference on Technologies for
Homeland Security
Waltham, Massachusetts, USA; http://www.ieee-hst.org
11/18/13-11/20/13: IWSEC, 8th International Workshop on Security,
Okinawaken Shichouson Jichikaikan, Japan;
http://www.iwsec.org/2013
11/20/13-11/22/13: ICICS, 15th International Conference on Information and
Communications Security
Beijing, China; http://icsd.i2r.a-star.edu.sg/icics2013/
11/26/13-11/28/13: SIN, 6th International Conference on Security of Information
and Networks
Aksaray, Turkey; http://www.sinconf.org
11/27/13: RFIDsec-Asia, Workshop on RFID and IoT Security,
Guangzhou, China;
http://www.inscrypt.cn/2013/Inscrypt_2013/CFP-RFIDsecAsia.htm
____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers
(new since Cipher E112)
___________________________________________________________________
SECRYPT 2013 10th International Conference on Security and Cryptography,
Reykjavik, Iceland, July 29-31, 2013.
(Submissions due 18 March 2013)
http://secrypt.icete.org
SECRYPT is an annual international conference covering research in information
and communication security. The 10th International Conference on Security
and Cryptography (SECRYPT 2013) will be held in Reykjavik, Iceland. The
conference seeks submissions from academia, industry, and government
presenting novel research on all theoretical and practical aspects of
data protection, privacy, security, and cryptography. Papers describing
the application of security technology, the implementation of systems,
and lessons learned are also encouraged. The conference topics include,
but are not limited to:
- Access Control
- Applied Cryptography
- Biometrics Security and Privacy
- Critical Infrastructure Protection
- Data Integrity
- Data Protection
- Database Security and Privacy
- Digital Forensics
- Digital Rights Management
- Ethical and Legal Implications of Security and Privacy
- Formal Methods for Security
- Human Factors and Human Behavior Recognition Techniques
- Identification, Authentication and Non-repudiation
- Identity Management
- Information Hiding
- Information Systems Auditing
- Insider Threats and Countermeasures
- Intellectual Property Protection
- Intrusion Detection & Prevention
- Management of Computing Security
- Network Security
- Organizational Security Policies
- Peer-to-Peer Security
- Personal Data Protection for Information Systems
- Privacy
- Privacy Enhancing Technologies
- Reliability and Dependability
- Risk Assessment
- Secure Software Development Methodologies
- Security and privacy in Complex Systems
- Security and Privacy in Crowdsourcing
- Security and Privacy in IT Outsourcing
- Security and Privacy in Location-based Services
- Security and Privacy in Mobile Systems
- Security and Privacy in Pervasive/Ubiquitous Computing
- Security and Privacy in Smart Grids
- Security and Privacy in Social Networks
- Security and Privacy in the Cloud
- Security and Privacy in Web Services
- Security and Privacy Policies
- Security Area Control
- Security Deployment
- Security Engineering
- Security in Distributed Systems
- Security Information Systems Architecture
- Security Management
- Security Metrics and Measurement
- Security Protocols
- Security requirements
- Security Verification and Validation
- Sensor and Mobile Ad Hoc Network Security
- Service and Systems Design and QoS Network Security
- Software Security
- Trust management and Reputation Systems
- Ubiquitous Computing Security
- Wireless Network Security
-------------------------------------------------------------------------
MWSN 2013 IEEE International Workshop on Security and Privacy of Mobile,
Wireless and Sensor Networks, New Orleans, LA, USA, June 23, 2013.
(Submissions due 22 March 2013)
http://www2.cs.uh.edu/mwsn/
To cope with the rapid increase in mobile users and the increasing
demand for mobile, wireless and sensor networks (MWSNs), it is becoming
imperative to provide the necessary security protocols and privacy
guarantees to users of MWSNs. In turn, these specific demands in
security and privacy require new methodologies that are specifically
designed to cope with the strict requirements of the networks. In
general, the real-world performance of MWSNs crucially depends on
the selected protocols, and their suitability and efficiency for the
layers of the implementation. A satisfactory security design and
protocol are therefore crucial for the performance of MWSNs. It is
a great challenge to achieve efficient and robust realizations of
such highly dynamic and secure MWSNs. Moreover, the study of security
and privacy in the context of MWSNs provides insights into problems
and solutions that are orthogonal to programming languages, programming
paradigms, computer hardware, and other aspects of the implementation.
The objective for this workshop is to address those topics, which we
believe will play an important role in current and future research on
and education of MWSNs.
-------------------------------------------------------------------------
ECTCM 2013 1st International Workshop on Emerging Cyberthreats and
Countermeasures,
Co-located with ARES 2013, University Regensburg, Germany, September 2-6, 2013.
(Submissions due 30 March 2013)
http://www.ectcm.net
The First International Workshop on Emerging Cyberthreats and Countermeasures
aims at bringing together researchers and practitioners working in different
areas related to cybersecurity. After organizing three informal workshops on
Early Warning Systems in IT in the past three years, we strongly believe
that the next step is to give the workshop a more formal structure in context
of an internationally acclaimed scientific conference. The focus of this
year's workshop is on IT Early Warning, Malware Detection and Analysis,
Targeted Attacks, Cryptanalysis, and Privacy Protection. Contributions
demonstrating both current weaknesses and threats as well as new
countermeasures are welcome.
-------------------------------------------------------------------------
International Journal of Distributed Sensor Networks,
Special Issue on Intrusion Detection and Security Mechanisms for Wireless
Sensor Networks, July 2013,
(Submission Due 1 April 2013)
http://www.hindawi.com/journals/ijdsn/si/430493/cfp/
Editors: S. Khan (Kohat University of Science and Technology, Pakistan),
Jaime Lloret (Polytechnic University of Valencia, Spain),
and Jonathan Loo (Middlesex University, UK)
Wireless sensor networks are gaining significant interest from academia
and industry. Wireless sensor networks are multihop, self-organizing,
self-healing, and distributed in nature. These characteristics also increase
vulnerability and expose sensor networks to various kinds of security attacks.
Advanced security mechanisms and intrusion detection systems (IDSs) can play an
important role in detecting and preventing security attacks. This special issue
aims to gather recent advances in the area of security for wireless sensor
networks. It welcomes research and review articles that focus on the challenges
and the state-of-the-art solutions. The papers will be peer reviewed and will be
selected on the basis of their quality and relevance to the topic of this
special issue. Potential topics include, but are not limited to:
- Intrusion detection systems
- Secure neighbor discovery, localization, and mobility
- Security architectures, deployments, and solutions
- Denial of service attacks and countermeasures
- Intrusion prevention techniques
- Adaptive defense systems
- Trust establishment and privacy
- Confidentiality, integrity, and availability assurance
- Authentication and access control
- Secure routing protocols
- Cryptography, encryption algorithms, and key management schemes
- Experimental validation and experiences with testbed and/or deployment
-------------------------------------------------------------------------
CSAW 2013 Cloud Security Auditing Workshop,
Held in conjunction with the IEEE 9th World Congress on Services,
Santa Clara, CA, USA, June 27 - July 2, 2013.
(Submissions due 1 April 2013)
http://www.csaw2013.org
Security concerns are a major impediment to the widespread adoption of
cloud services. Cloud services often deal with sensitive information and
operations. Thus, cloud service providers must provision services to rapidly
identify security threats for increased information assurance. In addition,
when a threat is identified or an attack is detected, incident reporting
should be timely and precise to allow cloud tenants and users to respond
appropriately. Detection and reporting require meta-information to be
captured across the cloud in order to audit and monitor it for potential
threats that may lead to attacks and to discern when and where an attack
has already occurred. Capturing security relevant information and auditing
the results to determine the existence of security threats in the cloud is
challenging for multiple reasons. Cloud tenants rely on the cloud for
diverse tasks and have services and data that may require isolation or
be provisioned for composition with other services in cloud applications.
Organizations may not have the logging capabilities in place for their
services or may not be predisposed to share the information. Cloud management
services are needed to log relevant events at their endpoints, including
user interactions and interactions within the cloud federation. Consistent
formats for capturing events and generating logs to be hosted within the cloud
are not specified as part of current service level agreements (SLAs). Near
real-time analysis is needed for prediction of potential threats in order
to respond quickly to prevent an attack. Centralized analysis of information
captured may present too much overhead for timely alerts and incident
reporting. But distributed analysis must guarantee that the partial
information it uses is sufficient to determine a threat. All analyses
must consider the configuration of the cloud and its tenant services and
resources. The goal of this one day workshop is to bring together researchers
and practitioners to explore and assess varied and viable technologies for
capturing security relevant events throughout the cloud and performing
monitoring and analyses on the captured information to detect, prevent,
and mitigate security threats. List of topics include:
- Languages and protocols for specifying, composing, and analyzing
security-relevant, distributed logs of audit data from a cloud-wide
perspective
- Cloud security, threat modeling, and analysis, including
centralized/distributed attack detection and prediction/prevention
algorithms based on audited information, and automated tools for
capturing, integrating, and analyzing cloud audit data
- Algorithms and protocols for audit data stream delivery, manipulation,
and analysis for big cloud audit data
- Access control and information flow control models for disclosure and
modification of sensitive cloud audit data
- Methods for expressing and representing the cloud infrastructure and
configuration to influence logging and monitoring processes
- Information assurance (authenticity, integrity, confidentiality and
availability) of cloud audit data, including security and privacy policies
and compliance with security controls such as NIST SP 800-53 and Cloud
Security Alliance Guidance 3.0
- Service-level agreements that formalize and guarantee logging and
analysis capabilities
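The CFP above asks for consistent event formats and for integrity and authenticity of audit data that may be collected at many endpoints and analyzed elsewhere. The following is an added illustration, not code from the workshop or from any cloud provider: a keyed hash chain over canonically serialized audit events, so that a verifier holding the key (assumed here to be a separate collector or auditor, not the tenant host that emits the events) can detect modification, reordering and, when the last tag is anchored out-of-band, truncation of a log. Event contents, field names and the key are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed demonstration key. In a real deployment the key lives with the
# collector/auditor, not on the host that emits events, so a compromised host
# cannot recompute tags after editing its own log.
AUDIT_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample events in one consistent format (timestamp, tenant,
# service, action, plus action-specific fields).
SAMPLE_EVENTS = [
    {"ts": "2013-03-18T10:00:00Z", "tenant": "acme", "service": "iam",
     "action": "login", "user": "alice", "result": "ok"},
    {"ts": "2013-03-18T10:00:07Z", "tenant": "acme", "service": "storage",
     "action": "get", "user": "alice", "object": "bucket1/report.pdf"},
    {"ts": "2013-03-18T10:01:30Z", "tenant": "acme", "service": "iam",
     "action": "login", "user": "bob", "result": "fail"},
]

GENESIS = "0" * 64  # tag of the (nonexistent) record before the first one


def canonical(event):
    """Serialize an event deterministically so every node hashes the same bytes."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def append_record(chain, event, key=AUDIT_KEY):
    """Append event to chain; the tag covers the previous tag and the event body."""
    prev = chain[-1]["tag"] if chain else GENESIS
    tag = hmac.new(key, prev.encode() + canonical(event), hashlib.sha256).hexdigest()
    chain.append({"seq": len(chain), "prev": prev, "event": event, "tag": tag})
    return tag


def build_chain(events, key=AUDIT_KEY):
    """Build a fresh chain from an iterable of events."""
    chain = []
    for event in events:
        append_record(chain, event, key)
    return chain


def verify_chain(chain, key=AUDIT_KEY, expected_head=None):
    """Return (ok, index) where index is the first bad record, or -1 if ok.

    Modification or reordering of any record breaks the chain at that record.
    Dropping trailing records leaves a valid shorter chain, so truncation is
    only caught when expected_head (the last tag, published out-of-band) is
    supplied; a mismatch there is reported at index len(chain).
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, i
        tag = hmac.new(key, prev.encode() + canonical(rec["event"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, rec["tag"]):
            return False, i
        prev = rec["tag"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(chain)
    return True, -1


if __name__ == "__main__":
    log = build_chain(SAMPLE_EVENTS)
    head = log[-1]["tag"]
    print("intact:", verify_chain(log, expected_head=head))
    log[1]["event"]["user"] = "mallory"          # tamper with one record
    print("tampered:", verify_chain(log, expected_head=head))
```

The truncation caveat is the point a practitioner should take away: a per-record MAC alone does not prove completeness, so the current head tag has to be anchored somewhere the log writer cannot rewrite (a separate collector, a signed checkpoint, or a tenant-visible SLA report).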
-------------------------------------------------------------------------
RFIDSEC 2013 9th Workshop on RFID Security,
Graz, Austria, July 9-11, 2013.
(Submissions due 2 April 2013)
http://rfidsec2013.iaik.tugraz.at/
RFIDsec is the premier workshop devoted to security and privacy in
Radio Frequency Identification (RFID) with participants throughout the
world. RFIDsec brings together researchers from academia and industry for
topics of importance to improving the security and privacy of RFID, NFC,
contactless technologies, and the Internet of Things. RFIDsec bridges the
gap between cryptographic researchers and RFID developers through invited
talks and contributed presentations. Topics of the workshop include but
are not limited to:
- New applications for secure RFID, NFC, and other constrained systems
- Resource-efficient implementations of cryptography:
  - Small-footprint hardware and/or software
  - Low-power and/or low energy implementations
- Attacks on RFID systems: Side-channel attacks, Fault attacks, Hardware
tampering
- Data protection and privacy-enhancing techniques
- Cryptographic protocols: Authentication protocols, Key distribution,
Scalability issues
- Integration of secure RFID systems: Infrastructures, Middleware and
security, Data mining and other systemic approaches to RFID security
- RFID hardware security: Physical Unclonable Functions (PUFs), RFID
Trojans
- Case studies
-------------------------------------------------------------------------
FCS 2013 Workshop on Foundations of Computer Security,
Tulane University, New Orleans, Louisiana, USA, June 29, 2013.
(Submissions due 10 April 2013)
http://prosecco.inria.fr/personal/bblanche/fcs13/
The aim of the workshop FCS'13 is to provide a forum for continued
activity in different areas of computer security, bringing computer
security researchers in closer contact with the LICS community and
giving LICS attendees an opportunity to talk to experts in computer
security, on the one hand, and contribute to bridging the gap between
logical methods and computer security foundations, on the other. We
are interested both in new results in theories of computer security
and also in more exploratory presentations that examine open questions
and raise fundamental concerns about existing theories, as well as in
new results on developing and applying automated reasoning techniques
and tools for the formal specification and analysis of security protocols.
We thus solicit submissions of papers both on mature work and on work in
progress. Possible topics include, but are not limited to:
- Automated reasoning techniques
- Composition issues
- Formal specification
- Foundations of verification
- Information flow analysis
- Language-based security
- Logic-based design
- Program transformation
- Security models
- Static analysis
- Statistical methods
- Tools
- Trust management
-------------------------------------------------------------------------
CMS 2013 14th Joint IFIP TC6 and TC11 Conference on Communications and
Multimedia Security, Magdeburg, Germany, September 25-26, 2013.
(Submissions due 15 April 2013)
http://www.cms2013.de
The conference provides a forum for engineers and scientists in
information security. Both state-of-the-art issues and practical
experiences as well as new trends in these areas will be once more the
focus of interest just like at preceding conferences. The conference
will address in particular security and privacy issues in mobile
contexts, web services (including social networking) and ubiquitous
environments. We solicit papers describing original ideas and research
results on topics that include, but are not limited to: applied
cryptography, biometrics, forensics, secure documents and archives,
multimedia systems security, digital watermarking, distributed DRM
policies, attack-resistant rendering engines, adaptive anomaly
detection, censorship resistance, risk management, mobility and
security/privacy, mobile identities, privacy enhanced identity
management, security/privacy policies and preferences, social networks
security/privacy, security/privacy in geo-localized applications,
security/privacy in VoIP, security policies (including usage
control), web services security, economics of network and information
security (NIS), SOA security, ubiquitous and ambient computing
security, cloud computing security/privacy, wireless and ad hoc
network security, RFID tags and (multimedia) sensor nodes security,
security technology effectiveness, incentivizing security.
-------------------------------------------------------------------------
SeCIHD 2013 3rd IFIP International Workshop on Security and Cognitive
Informatics for Homeland Defense,
Held in conjunction with the 8th ARES Conference (ARES 2013),
Regensburg, Germany, September 2-6, 2013.
(Submissions due 15 April 2013)
http://isyou.info/conf/secihd13/
In the last years significant work has been undertaken by Governments
and local agencies with respect to the protection of critical infrastructures
and public-private sector coordination in the event of a cyber-attack.
Threats to cities and their social infrastructures, e.g. from crime, and
terrorism, endanger human life directly and indirectly. Resilience of
critical infrastructures is gaining importance as a core concept to cope
with such threats. In general, this means strengthening social
infrastructures to prevent or mitigate such threats and to consistently
deliver the intended services in a trustworthy and "normal" way even in
changing situations. Information and communication infrastructure (ICT)
is a primary part of the social infrastructure and therefore one of the
central objects of these attacks. As a consequence, effective response
capabilities must be properly organized and closely coordinated because,
at the time of a cyber-attack, it is not possible to immediately determine
whether the attacker is a script kiddie, an insider, a rogue actor
(organized crime, terrorist organization, or radical), or a nation state.
Unlike traditional Defense categories (i.e., land, air, and sea), the
capabilities required to respond to an attack on critical infrastructures
will necessarily involve infrastructure owned and operated by both the public
and the private sector. Exercising effective digital systems security thus
becomes a crucial task in order to strengthen the resilience of IT systems
against arising threats. Advanced information technologies that are able to
analyze and interpret complex patterns or situations and take the proper
decisions in terms of countermeasures are the basic building blocks of such
solutions. In this context, it is worth noting research that combines security
and defense aspects with achievements in designing advanced systems for the
acquisition and sophisticated semantic analysis of complex image patterns and
group behaviors. Such systems use cognitive models of semantic interpretation
and can be applied to develop e.g., algorithms and protocols used for the
security of computer systems themselves, but also to ensure the confidentiality
and security of communication networks. Thus, the aim of this workshop is
collecting and discussing new ideas and solutions that can be used to develop
globally understood safe solutions connected with activities to strengthen
national defense capability. The workshop topics include (but are not
limited to):
- Homeland Security and Information Processing
- Investigative and Computer System Related Forensic Techniques, Trends and
Methods
- Network Forensics, Wireless and Mobile Forensics
- Cyber-Defense Threat Analysis
- Emergency Management, Including Prevention, Planning, Response, and Recovery
- Secure Communications, Cyber-Attack Countermeasures
- Vulnerability Analysis and Countermeasures
- Anomaly Detection
- Information Sharing and Secrecy
- Cryptographic Models for Homeland Defense
- Personal Security and Biometric
- Intelligent Robots and Unmanned Vehicles
- Target and Pattern Recognition
- Sensor and Data Analysis
- Semantic Image and Data Processing
- Information Fusion
- Emerging Threats in Intelligent Energy Systems
- Advanced Vision Algorithms
- Security and Privacy in Ambient Intelligence
- Context and Location-aware Computing
- Embedded Systems in Security
- Knowledge-based Systems for Internet Security
- Security Issues and Protocols for Internet Services
- Privacy and Trust for Internet Services
- Artificial Intelligence and Computational Intelligence
- Cognitive Informatics
- Security and Privacy in Power-Grid Systems
- Cognitive Models of the Brain
- Mathematical Foundations of Computing and Cryptography
- Biologically Inspired Information Systems and Secret Data Management
- Cognitive Image and Scene Understanding
- Intelligent Health Technologies
-------------------------------------------------------------------------
TGC 2013 8th International Symposium on Trustworthy Global Computing,
Buenos Aires, Argentina, August 30-31, 2013.
(Submissions due 15 April 2013)
http://sysma.lab.imtlucca.it/tgc2013/
The Symposium on Trustworthy Global Computing is an international annual
venue dedicated to safe and reliable computation in the so-called global
computers, i.e., those computational abstractions emerging in large-scale
infrastructures such as service-oriented architectures, autonomic systems
and cloud computing. The TGC series focuses on providing frameworks, tools,
algorithms and protocols for designing open-ended, large-scaled applications
and for reasoning about their behaviour and properties in a rigorous way.
The related models of computation incorporate code and data mobility over
distributed networks that connect heterogeneous devices and have dynamically
changing topologies. We solicit papers in all areas of global computing,
including (but not limited to):
- theories, languages, models and algorithms
- language concepts and abstraction mechanisms
- security, trust, privacy and reliability
- resource usage and information flow policies
- software development and software principles
- model checkers, theorem provers and static analyzers
-------------------------------------------------------------------------
PRISMS 2013 International Conference on Privacy and Security in Mobile Systems,
Atlantic City, NJ, USA, June 24-27, 2013.
(Submissions due 29 April 2013)
http://www.gws2013.org/prisms/
PRISMS is the successor of MobiSec (International Conference on Security
and Privacy in Mobile Information and Communication Systems). The conference
under a new name (PRISMS) is organized this year with the co-sponsorship of
IEEE. Its focus is the convergence of information and communication technology
in mobile scenarios. This convergence is realised in intelligent mobile
devices, accompanied by the advent of next-generation communication networks.
Privacy and security aspects need to be covered at all layers of mobile
networks, from mobile devices, to privacy respecting credentials and mobile
identity management, up to machine-to-machine communications. In particular,
mobile devices such as Smartphones and Internet Tablets have been very
successful in commercialization. However, their security mechanisms are not
always able to deal with the growing trend of information-stealing attacks.
As mobile communication and information processing becomes a commodity,
economy and society require protection of this precious resource. Mobility
and trust in networking go hand in hand for future generations of users,
who need privacy and security at all layers of technology. In addition, the
introduction of new data collection practices and data-flows (e.g. sensing data)
from the mobile device makes it more difficult to understand the new security
and privacy threats introduced. PRISMS strives to bring together the
leading-edge of academia and industry in mobile systems security, as well
as practitioners, standards developers and policymakers. Contributions
may range from architecture designs and implementations to cryptographic
solutions for mobile and resource-constrained devices.
-------------------------------------------------------------------------
ICICS 2013 15th International Conference on Information and Communications
Security, Beijing, China, November 20-22, 2013.
(Submissions due 6 May 2013)
http://icsd.i2r.a-star.edu.sg/icics2013/
The 2013 International Conference on Information and Communications
Security will be the 15th event in the ICICS conference series, started
in 1997, that brings together individuals involved in multiple disciplines
of Information and Communications Security in order to foster exchange of
ideas. Original papers on all aspects of Information and Communications
Security are solicited for submission to ICICS 2013. Areas of interest
include, but are not limited to:
- Access control
- Anonymity
- Anti-Virus and Anti-Worms
- Authentication and Authorization
- Biometric Security
- Cloud Security
- Computer / Digital Forensics
- Data and System Integrity
- Database Security
- Distributed Systems Security
- Electronic Commerce Security
- Engineering issues of Crypto/Security Systems
- Fraud Control
- Grid Security
- Information Hiding and Watermarking
- Intellectual Property Protection
- Intrusion Detection
- Key Management and Key Recovery
- Language-based Security
- Network Security
- Operating System Security
- Privacy Protection
- Risk Evaluation and Security Certification
- Security for Mobile Computing
- Security Models
- Security Protocols
- Smartphone Security
- Trusted and Trustworthy Computing
-------------------------------------------------------------------------
SeTTIT 2013 Workshop on Security Tools and Techniques for Internet of Things,
Co-located with the BODYNETS 2013 conference,
Boston, Massachusetts, USA, September 30 - October 2, 2013.
(Submissions due 6 May 2013)
http://settit.bodynets.org/2013/show/home
E-health systems have the objective to continuously monitor the state of
patients in order to increase knowledge and understanding of their physical
status. Being a system of systems, the Internet of Things (IoT) has to master
the challenge of integrating heterogeneous systems across technology boundaries.
Timely delivery of observation data is a key aspect of identifying potential
diseases and anomalies. IoT systems are vulnerable to attacks since
communication is mostly wireless and thus vulnerable to eavesdropping,
things are usually unattended and thus vulnerable to physical attacks,
and most IoT elements are short on both the energy and computing resources
necessary for the implementation of complex security-supporting schemes.
Among the plethora of applications that can benefit from the IoT, the
workshop will have a particular focus on security aspects in eHealth and
in the broad-sense of well-being. Security aspects in other application
domains of the IoT are also of interest. The workshop will address security
issues that are particular to the context of using IoT for eHealth including
threat modeling, risk assessment, privacy, access control, and fault-tolerance.
Theoretical, modeling, implementation, and experimentation issues will be
discussed to build an accurate general view on the security of medical BANs.
One of the major challenges that will be underlined by the workshop
participants is the combination of different security models needed for the
sub-networks of the IoT (e.g., BAN, PAN, LAN, MANET) with consideration of
the severe computational, storage, and energy limitations of the elementary
smart nodes. We encourage contributions describing innovative work addressing
the use of information and communication technologies in medical applications.
Topics of interest include, but are not limited to:
- Definition of accurate metrics to assess the threats and the risks
associated to IoT for eHealth
- Identification and description of new attack scenarios that are specific
to IoT architectures
- Context-awareness for IoT security in eHealth
- Soft trust management in IoT
- Risk-based adaptive security for IoT
- Analytics and predictive models for adaptive security in IoT
- Adaptive security decision-making models for IoT
- Evaluation and validation models for adaptive security in IoT
- Lightweight cryptographic protocols for IoT
- Investigation of the security properties that should be fulfilled by the
transmission of patient data across body area networks
- Designing secure heterogeneous BAN architectures for eHealth applications
- Implementing practical testbeds that allow the analysis of the security
performance of BANs
- Monitoring the security level of the eHealth applications relying on IoT
- Analyzing the results of experiments conducted using real patient data and
studying the security performance of the associated architectures
-------------------------------------------------------------------------
CCS 2013 20th ACM Conference on Computer and Communications Security,
Berlin, Germany, November 4-8, 2013.
(Submissions due 8 May 2013)
http://www.sigsac.org/ccs/CCS2013/
The ACM Conference on Computer and Communications Security
(CCS) is the flagship annual conference of the Special Interest Group on
Security, Audit and Control (SIGSAC) of the Association for Computing
Machinery (ACM). The conference brings together information security
researchers, practitioners, developers, and users from all over the
world to explore cutting-edge ideas and results. It provides an environment
to conduct intellectual discussions. From its inception, CCS has
established itself as a high standard research conference in its area.
-------------------------------------------------------------------------
SECURECOMM 2013 9th International ICST Conference on Security and
Privacy in Communication Networks, Sydney, Australia, September 25-27, 2013.
(Submissions due 10 May 2013)
http://securecomm.org/2013/
Securecomm seeks high-quality research contributions in the form of
well-developed papers. Topics of interest encompass research advances in
ALL areas of secure communications and networking. Topics in other areas
(e.g., formal methods, database security, secure software, theoretical
cryptography) will be considered only if a clear connection to private or
secure communication/networking is demonstrated. Topics of interest include,
but are not limited to, the following:
- Security & Privacy in Wired, Wireless, Mobile, Hybrid, Sensor, Ad Hoc networks
- Network Intrusion Detection and Prevention, Firewalls, Packet Filters
- Malware, botnets and Distributed Denial of Service
- Communication Privacy and Anonymity
- Network and Internet Forensics Techniques
- Public Key Infrastructures, Key Management, Credential Management
- Secure Routing, Naming/Addressing, Network Management
- Security & Privacy in Pervasive and Ubiquitous Computing, e.g., RFIDs
- Security & Privacy for emerging technologies: VoIP, peer-to-peer and
overlay network systems
-------------------------------------------------------------------------
IWSEC 2013 8th International Workshop on Security,
Okinawaken Shichouson Jichikaikan, Japan, November 18-20, 2013.
(Submissions due 13 May 2013)
http://www.iwsec.org/2013/
Original papers on the research and development of various security
topics, as well as case studies and implementation experiences, are
solicited for submission to IWSEC 2013. Topics of interest for
IWSEC 2013 include but are not limited to:
- Anonymity
- Application Security
- Authentication, Authorization and Access Control
- Biometrics
- Block/Stream Ciphers
- Cloud Computing Security
- Cryptographic Implementations and their Analysis
- Cryptographic Protocols
- Cryptanalysis
- Data and System Integrity
- Database Security
- Digital Forensics
- Digital Signatures
- E-business/e-commerce/e-government Security
- Hash Functions
- Information Hiding
- Information Law and Ethics
- Intellectual Property Protection
- Intrusion Prevention and Detection
- Malware Prevention and Detection
- Mobile System Security
- Network Security
- Privacy Preserving Systems
- Public Key Cryptosystems
- Quantum Security
- Risk Analysis and Risk Management
- Security Architectures
- Security for Consumer Electronics
- Security for Critical Infrastructures
- Security Management
- Secure Multiparty Computation
- Security for Ubiquitous/Pervasive Computing
- Smart Card and RFID Security
- Software Security
- System Security
- Web Security
-------------------------------------------------------------------------
SOUPS-RISK 2013 Workshop on Risk Perception in IT Security and Privacy,
Newcastle, UK, July 24-26, 2013.
(Submissions due 30 May 2013)
http://cups.cs.cmu.edu/soups/2013/risk.html
This workshop is an opportunity to bring together researchers and
practitioners to share experiences, concerns and ideas about how to address
the gap between user perception of IT risks and security / organizational
requirements for security and privacy. Willingness to perform actions for
security purposes is strongly determined by the costs and perceived benefit
to the individual. When end-users' perceptions of risk are not aligned with
those of the organization or system, there is a mismatch in perceived benefit,
leading to poor user acceptance of the technology. For example, organizations face
complex decisions when pushing valuable information across the network to
mobile devices, web clients, automobiles and other embedded systems. This
may impose burdensome security decisions on employees and clients due to
the risks of devices being lost or stolen, shoulder surfing, eavesdropping,
etc. Effective risk communication can provide a shared understanding of
the need for, and benefits of secure approaches and practices. While risk
perception has been studied in non-IT contexts, how well people perceive
and react to IT risk is less well understood. How systems measure IT risk,
how it is best communicated to users, and how to best align these often
misaligned perspectives is poorly understood. Risk-taking decisions (policies)
are increasingly being pushed out to users who are frequently ill prepared
to make complex technical security decisions based on limited information
about the consequences of their actions. In other risk domains we know that
non-experts think and respond to risk very differently than experts.
Non-experts often rely on affect, and may be unduly influenced by the
perceived degree of damage that will be caused. Experts, and risk evaluation
systems, use statistical reasoning to assess risk. The purpose of this
workshop is to bring together researchers and practitioners to share
experiences, concerns and ideas about how to address the gap between user
perception of IT risks and security / organizational requirements for
security and privacy. Topics of interest include:
- Human decision and different attack types: Malware, eavesdropping,
inadvertent loss / disclosure of information, phishing, browser attacks, etc.
- Research methods and metrics for assessing perception of risk
- Assessing value of assets and resources at risk
- Communication and portrayal of risk - security indicators, status
indicators, etc.
- Organizational versus personal risk
- The psychology of risk perception
- Behavioral aspects of risk perception
- Real versus perceived risk
- Other topics related to measuring IT risk and/or user perception of IT risk
-------------------------------------------------------------------------
SIN 2013 6th International Conference on Security of Information and Networks,
Aksaray, Turkey, November 26-28, 2013.
(Submissions due 30 June 2013)
please see http://www.sinconf.org
The 6th International Conference on Security of Information and
Networks (SIN 2013) provides an international forum for presentation of
research and applications of security in information and networks. Papers
addressing all aspects of security in information and networks are being
sought. Researchers and industrial practitioners working on the following
and related subjects are especially encouraged: Development and
realization of cryptographic solutions, security schemes, new algorithms;
critical analysis of existing approaches; secure information systems,
especially distributed control and processing applications, and security
in networks; interoperability, service levels and quality issues in such
systems; information assurance, security, and public policy; detection and
prevention of cybercrimes such as fraud and phishing; next generation network
architectures, protocols, systems and applications; industrial experiences
and challenges of the above.
-------------------------------------------------------------------------
RFIDsec-Asia 2013 Workshop on RFID and IoT Security,
Guangzhou, China, November 27, 2013.
(Submissions due 1 July 2013)
http://www.inscrypt.cn/2013/Inscrypt_2013/CFP-RFIDsecAsia.htm
The workshop series of RFIDsec Asia, the Asia branch of RFIDsec, aims
to provide researchers, enterprises and governments a platform to investigate,
discuss and propose new solutions on security and privacy issues of RFID/IoT
(Internet of Things) technologies and applications. Papers with original
research in theory and practical system design concerning RFID/IoT security
are solicited. Topics of interest include, but are not limited to,
the following:
- New applications for secure RFID/IoT systems
- Data integrity and privacy protection techniques for RFID/IoT
- Attacks and countermeasures on RFID/IoT systems
- Design and analysis on secure RFID/IoT hardware
- Risk assessment and management on RFID/IoT applications
- Trust model, data aggregation and information sharing for EPCglobal network
- Resource efficient implementation of cryptography
- Integration of secure RFID/IoT systems
-------------------------------------------------------------------------
VizSec 2013 10th International Symposium on Visualization for Cyber Security,
Atlanta GA, USA, October 14, 2013.
(Submissions due 8 July 2013)
http://www.vizsec.org/
The 10th International Symposium on Visualization for Cyber Security (VizSec)
is a forum that brings together researchers and practitioners from academia,
government, and industry to address the needs of the cyber security community
through new and insightful visualization and analysis techniques. VizSec will
provide an excellent venue for fostering greater exchange and new
collaborations on a broad range of security- and privacy-related topics.
Important research problems often lie at the intersection of disparate
domains. Our focus is to explore effective, scalable visual interfaces for
security domains, where visualization may provide a distinct benefit,
including computer forensics, reverse engineering, insider threat detection,
cryptography, privacy, preventing 'user assisted' attacks, compliance
management, wireless security, secure coding, and penetration testing in
addition to traditional network security. Human time and attention are
precious resources. We are particularly interested in visualization and
interaction techniques that effectively capture human analyst insights
so that further processing may be handled by machines, freeing the analyst
for other tasks. For example, a malware analyst might use a visualization
system to analyze a new piece of malicious software and then facilitate
generating a signature for future machine processing. When appropriate,
research that incorporates multiple data sources, such as network packet
captures, firewall rule sets and logs, DNS logs, web server logs, and/or
intrusion detection system logs, is particularly desirable.
====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________
SUBSCRIPTIONS:
Two subscription options, each with two ways to sign up:
1. To receive the full ASCII CIPHER issues as e-mail, send e-mail to
cipher-admin@ieee-security.org (which is NOT automated) with subject line
"subscribe".
OR
send a note to cipher-request@mailman.xmission.com with the
subject line "subscribe"
(this IS automated - thereafter you can manage your subscription
options, including unsubscribing, yourself)
2. To receive a short e-mail note announcing when a new issue of
CIPHER is available for Web browsing send e-mail to
cipher-admin@ieee-security.org (which is NOT automated) with subject line
"subscribe postcard".
OR
send a note to cipher-postcard-request@mailman.xmission.com with the
subject line "subscribe"
(this IS automated - thereafter you can manage your subscription
options, including unsubscribing, yourself)
To remove yourself from the subscription list, send e-mail to
cipher-admin@ieee-security.org with subject line "unsubscribe" or
"unsubscribe postcard" or, if you have subscribed directly to the
xmission.com mailing list, use your password (sent monthly) to
unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard
Those with access to hypertext browsers may prefer to read Cipher
that way. It can be found at URL http://www.ieee-security.org/cipher.html
CONTRIBUTIONS:
to cipher @ ieee-security.org are invited. Cipher is a NEWSletter,
not a bulletin board or forum. It has a fixed set of departments,
defined by the Table of Contents. Please indicate in the
subject line for which department your contribution is intended.
Calendar and Calls-for-Papers entries should be sent to
cipher-cfp @ ieee-security.org
and they will be automatically included in both departments. To
facilitate the semi-automated handling, please send either a text
version of the CFP or a URL from which a text version can be easily
obtained. For Calendar entries, please include a URL and/or e-mail
address for the point-of-contact. For Calls for Papers, please submit
a one paragraph summary. See this and past issues for examples. ALL
CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS
APPLY. All reuses of Cipher material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy,
publications using Cipher material should obtain permission from the
contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________
Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html
_____________________________________________________________________
How to become a member of the
IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________
You may easily join the TC on Security & Privacy by completing
the on-line form at IEEE at
https://www.ieee.org/membership-catalog/productdetail/showProductDetailPage.html?product=CMYSP728
______________________________________________________________________
TC Publications for Sale
______________________________________________________________________
IEEE Security and Privacy Symposium
The 2010 hardcopy proceedings are available at $25 each. The DVD with all
technical papers from all years of the SP Symposium and the CSF
Symposium (through 2009) is $10, plus shipping and handling.
The 2009 hardcopy proceedings are not available. The DVD with all
technical papers from all years of the SP Symposium and the CSF
Symposium is $5, plus shipping and handling.
The 2008 hardcopy proceedings are $10 plus shipping and handling;
the 29 year CD is $5.00, plus shipping and handling.
The 2007 proceedings are available in hardcopy for $10.00, the
28 year CD is $5.00, plus shipping and handling.
The 2006 Symposium proceedings and 11-year CD are sold out.
The 2005, 2004, and 2003 Symposium proceedings are available for $10
plus shipping and handling.
Shipping is $5.00/volume within the US, overseas surface mail is
$8/volume, and overseas airmail is $14/volume, based on an order of 3
volumes or less. The shipping charge for a CD is $3 per CD (no charge
if included with a hard copy order). Send a check made out to the
IEEE Symposium on Security and Privacy to the 2011 treasurer (below)
with the order description, including shipping method and shipping
address.
Robin Sommer
Treasurer, IEEE Symposium Security and Privacy 2011
International Computer Science Institute
Center for Internet Research
1947 Center St., Suite 600
Berkeley, CA 94704
USA
oakland11-treasurer@ieee-security.org
IEEE CS Press
You may order some back issues from IEEE CS Press at
http://www.computer.org/cspress/catalog/proc9.htm
Computer Security Foundations Symposium
Copies of the proceedings of the Computer Security Foundations
Workshop (now Symposium) are available for $10 each. Copies of
proceedings are available starting with year 10 (1997). Photocopy
versions of year 1 are also $10.
Contact Jonathan Herzog if interested in purchase.
Jonathan Herzog
jherzog@alum.mit.edu
____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________
Chair:
Sven Dietrich
Department of Computer Science
Stevens Institute of Technology
+1 201 216 8078
spock AT cs.stevens.edu

Security and Privacy Symposium Chair Emeritus:
Robert Cunningham
MIT Lincoln Laboratories
http://www.ll.mit.edu/mission/communications/ist/biographies/cunningham-bio.html

Vice Chair:
Patrick McDaniel
Computer Science and Engineering
Pennsylvania State University
360 A IST Building
University Park, PA 16802
(814) 863-3599
mcdaniel@cse.psu.edu

Treasurer:
Terry Benzel
USC Information Sciences Intnl
4676 Admiralty Way, Suite 1001
Los Angeles, CA 90292
(310) 822-1511 (voice)
tbenzel @isi.edu

Newsletter Editor and TC Awards Chair:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2013 Chair:
Robin Sommer
http://www.icir.org/robin
________________________________________________________________________
BACK ISSUES:
Cipher is archived at: http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year