============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 114                                    May 28, 2013

Hilarie Orman, Editor                 Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org     cipher-assoc-editor @ ieee-security.org

Richard Austin                        Yong Guan
Book Review Editor                    Calendar Editor
cipher-bookrev @ ieee-security.org    cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * Commentary and Opinion
    o Richard Austin's review of "The CERT Guide to Insider Threats"
      by Dawn Cappelli, Andrew Moore and Randall Trzeciak
    o Book reviews, Conference Reports and Commentary and News items
      from past Cipher issues are available at the Cipher website
 * News
    o Opinion: Cyber arms control? Forget about it
    o Hackers empty $900K bank account
    o Malware that detects sandboxing
    o School's Out for Hackers
    o Spain arrests suspect in massive cyberattack
    o As cyberthreats mount, hacker's conviction fuels critics' claims
      of government overreach
    o Proposal seeks to fine tech companies for noncompliance with
      wiretap orders
    o Silicon Valley uses growing clout to kill a digital privacy bill
    o Confidential report lists U.S.
      weapons system designs compromised by Chinese cyberspies
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Conference and Workshop Announcements
    o Calendar of events
    o Upcoming calls-for-papers and events
 * Staying in Touch
    o Information for subscribers and contributors
    o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
    o Becoming a member of the TC
    o TC Officers
    o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

Last week I was at the Security and Privacy Symposium in San Francisco. This annual event has grown to well over 400 attendees, and the two days of workshops following it now bring in a crowd of their own. The events had unprecedented corporate donations, showing the importance of cybersecurity to our economy. The spectrum of research areas is amazing, and the program has grown to accommodate more papers and more time.

Next month the Computer Security Foundations Symposium will be held in New Orleans, and it too will have an excellent program. "Foundations" tends more toward theory and formalism than the mean of "Security and Privacy" (which features a "Best Practical Paper" award).

The team of people who make these events possible is superlative, and every year they take on more daunting tasks. Ulf Lindqvist, a former S&P general chair and the new Technical Committee Vice Chair Elect, described it as "being a CEO for a year." S&P will take on a new procedure for selecting Program Chairs. The description of that and more can be found at http://ieee-security.org/TC/Reports/tcagenda2013.html .

This month's issue has a book review from Richard Austin, and he has chosen a book covering "insider threats". That, combined with a windfall of news articles, should raise the hackles of us all. "Eternal vigilance" has never been more apt.
Please take note of the imminent deadline for abstracts of articles for "Security and Privacy Magazine" for "moving target defenses". Techniques like address space layout randomization (the subject of a paper at the S&P Symposium) can defeat some common attacks. The magazine will devote an issue to these techniques and their effectiveness.

I hope you all have a good summer traveling from one security conference to another, keeping all your mobile devices safe and secure.

In closing, I take note of this adage:
"The desire for safety stands against every great and noble enterprise." (Publius Cornelius Tacitus)

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

--------------------------------------------------------------------
Opinion: Cyber arms control? Forget about it
CNN.com
By Christopher Bronk and Dan Wallach
Special to CNN
Tue March 26, 2013
http://www.cnn.com/2013/03/26/opinion/bronk-wallach-cyberwar/index.html?iid=article_sidebar

Cyberattack and cyberdefense are here to stay because the offensive tools are small, cheap, and ubiquitous.

---------------------------------
Hackers empty $900K bank account
Bankrate, Inc., Mar 30, 2013
http://www.bankrate.com/financing/banking/hackers-empty-900k-bank-account/?ec_id=m1078093

Denial-of-service can be a cover for thieves draining bank accounts. Almost a million dollars disappeared from a California bank on Christmas Eve.
---------------------------------
Malware that detects sandboxing
Apr 7, 2013
Lucian Constantin, IDG News Service
Apr 6, 2013
http://www.pcworld.com/article/2033374/sneaky-malware-hides-behind-mouse-movement-experts-say.html?tk=out

Malware can watch you watching malware, and that awareness helps it evade detection, according to researchers from the FireEye company.

---------------------------------
School's Out for Hackers, Apr 17, 2013
TMCnet.com
By Nicole Spector, Contributing Writer
http://www.tmcnet.com/topics/articles/2013/04/15/334211-schools-out-hackers.htm

NYU-Poly uses pizza and "Hack Night" to teach cybersecurity expertise.

---------------------------------
Spain arrests suspect in massive cyberattack
CNN.com
Apr 28, 2013
http://www.cnn.com/2013/04/28/tech/spain-internet-attack-arrest/index.html?hpt=hp_t3

While living in a van near Barcelona, a Dutch citizen was allegedly able to direct a massive DDoS attack on The Spamhaus Project.

---------------------------------
As cyberthreats mount, hacker's conviction fuels critics' claims of government overreach
The Washington Post
Apr 29, 2013
By Jerry Markon
http://www.washingtonpost.com/politics/as-cyberthreats-mount-hackers-conviction-fuels-critics-claims-of-government-overreach/2013/04/29/d9430e3c-a1f4-11e2-9c03-6952ff305f35_story.html

Read from a website, go to jail? Or has the FBI shut down a notorious hacking group that sought to breach privacy and bring fear to Internet users?

---------------------------------
FBI proposal seeks to fine tech companies for noncompliance with wiretap orders
The Washington Post, Apr 29, 2013
By Ellen Nakashima
http://www.washingtonpost.com/world/national-security/proposal-seeks-to-fine-tech-companies-for-noncompliance-with-wiretap-orders/2013/04/28/29e7d9d8-a83c-11e2-b029-8fb7e977ef71_story.html

The FBI is seeking to make US companies invest in wiretapping technology for their Internet services whether they want to or not.
---------------------------------
Silicon Valley uses growing clout to kill a digital privacy bill
Los Angeles Times, latimes.com, May 4, 2013
http://www.latimes.com/business/la-fi-digital-privacy-20130503,0,7322818.story

Silicon Valley businesses, including Facebook and Google, rallied to stop a bill that would have protected the privacy of California citizens from data mining by commercial interests.

---------------------------------
Confidential report lists U.S. weapons system designs compromised by Chinese cyberspies
Washington Post
By Ellen Nakashima
May 27, 2013
http://www.washingtonpost.com/world/national-security/confidential-report-lists-us-weapons-system-designs-compromised-by-chinese-cyberspies/2013/05/27/a42c3e1c-c2dd-11e2-8c3b-0b5e9247e8ca_story.html

The Defense Science Board notes that confidential information about US weapons programs has been accessed by Chinese cyberspies.

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at
http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Richard Austin
May 23, 2013
____________________________________________________________________

"The CERT Guide to Insider Threats"
by Dawn Cappelli, Andrew Moore and Randall Trzeciak

Addison-Wesley 2012.
ISBN 978-0-321-81257-5
amazon.com USD 35.88,
Table of Contents: http://www.pearsonhighered.com/educator/product/CERT-Guide-Insider-Threats-How-Prevent-Detect-and-Respond-Information-Technology-Crimes-Theft-Sabotage-Fraud/9780321812575.page#table-of-contents

This was a hard book to review - it is intended to be introductory and targeted at a non-technical reader, a decision which led to a glacial pace of presentation and frustratingly shallow detail in many areas. However, it also has the huge plus of being based on analysis of 700+ cases of insider abuse collected by CERT over a ten-year period. For that reason alone, I respectfully recommend it to your attention.

The term "insider threat" can have many meanings so the authors clearly set their scope as "a current or former employee, contractor or business partner who has or has had authorized access to an organization's network, system or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity or availability of information or information systems" (p. xx). That definition earns the authors bonus credit for including both contractors and business partners.

Based on their analysis, the authors identify three profiles for insider threats:

   IT sabotage
   Theft of intellectual property
   Fraud

As security professionals, our goals for insider threats are to identify the factors that make the threat likely to occur (the authors call these "predispositions"), to recognize that the threat has been instantiated, and to mitigate the threat or its effects. The authors address those goals by abstracting the results of their analysis of insider threat into the MERIT model ("Management and Education of the Risk of Insider Threat"). MERIT is a system dynamics model and some readers may benefit from a more substantial introduction to the topic (e.g., Meadows, D. H. [2008]. "Thinking in Systems: A Primer". Chelsea Green Publishing).

Each threat profile is described in its own chapter where the model for that threat is presented. For example, the authors found that cases involving theft of intellectual property (IP) fit two general patterns: "entitled independent" and "ambitious leader". The "entitled independent" is, for example, the engineer who feels a proprietary ownership in the new product she developed and feels "entitled" to take the design with her when her position is eliminated during an economic downturn. The "ambitious leader" recruits a group of insiders to pilfer intellectual property for a share in the financial reward.

The MERIT model for these patterns portrays the factors and relationships that give rise to the threat and shows where organizational responses can be most effectively applied. For example, the desire to steal for an "entitled independent" arises from the interplay between their contribution to the IP and feelings of ownership and precipitating events such as dissatisfaction or a job offer from a competitor. There's obviously a tension here where even though the feeling of entitlement predisposes the engineer to potentially steal the product, the organization benefits from the engineer's substantial contributions to the product and feelings of ownership. The models recognize this tension by suggesting that organizations include recognition of precipitating events as triggers for defensive measures such as increased behavioral monitoring.

After working through the threat models, the authors turn their attention to detection and prevention. Chapter 6 reviews 16 best practices (ranging from consistently enforcing policies to effective monitoring). The best practices are each presented in a "how to" followed by a "what happens if you don't" case study. The list of best practices contains no surprises but a reexamination of "the usual suspects" from an insider-threat perspective is useful.

Chapter 7, "Technical Insider Threat Controls", provides managerially-focused readers with a brief introduction to how intrusion detection systems (IDS), network flow data, security information and event management (SIEM), etc., can be effectively used in detecting instantiation of insider threats.

For technical professionals, the takeaways from this book revolve around the MERIT model and its way of looking at insider threats. The authors provide footnote references to the papers that back up the book chapters, and many of the lamented missing details are found in those papers. For managerial professionals, this is an excellent introductory book for understanding the scope of the insider threat and what organizations can do to predict, recognize and mitigate the threat.

---------------

It has been said "Be careful, for writing books is endless, and much study wears you out" so Richard Austin (http://cse.spsu.edu/raustin2) fearlessly samples the wares of the publishing houses and opines as to which might most profitably occupy your scarce reading time. He welcomes your thoughts and comments via raustin at ieee dot org

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

Posted Apr 2013
Department of Computer Science, TU, Darmstadt
Darmstadt, Germany
Multiple Ph.D. and PostDoc positions in Software Security
Application deadline for all positions: 20 May 2013. However, applications will be considered until the positions are filled.
http://www.mais.informatik.tu-darmstadt.de/Positions.html

Posted Apr 2013
Mondragon University (Telematics Group)
Mondragon, Spain
Research Professors and Research Fellows
Deadline for Research Professors applications: July 15, 2013 at 12:00 AM, CET
Deadline for Research Fellows applications: June 30, 2013 at 12:00 AM, CET
http://www.ikerbasque.net
http://www.mondragon.edu/en/phs/research/research-lines/computer-security

Posted Mar 2013
University of Versailles-St-Quentin-en-Yvelines
PRiSM Laboratory - "Cryptology and Information Security" group
Versailles, France
Assistant Professor position
Deadline for applications: March 28, 2013
http://www.prism.uvsq.fr/~logo/MCF-0781944P-4071_en.htm

--------------
Full list: http://cisr.nps.edu/jobscipher.html

This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
====================================================================

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

5/28/13- 5/30/13: WISTP, 7th Workshop in Information Security Theory and Practice, Heraklion, Greece;
    http://www.wistp.org
5/30/13: SOUPS-RISK, Workshop on Risk Perception in IT Security and Privacy, Newcastle, UK; http://cups.cs.cmu.edu/soups/2013/risk.html; Submissions are due
5/31/13: WISA, 14th International Workshop on Information Security Applications, Jeju Island, Korea; http://www.wisa.or.kr/; Submissions are due
6/ 1/13: Security and Privacy Magazine, Issue on Moving Target Defenses info: mailto:Luanne.Goldrich@jhuapl.edu Guide Web page: http://www.computer.org/portal/web/peerreviewmagazines/acsecurity abstracts are due
6/ 2/13: DPM, 8th International Workshop on Data Privacy Management, Held in conjunction with ESORICS 2013, Egham, U.K; http://research.icbnet.ntua.gr/DPM2013/; Submissions are due
6/ 2/13- 6/ 3/13: HOST, IEEE International Symposium on Hardware-oriented Security and Trust, Austin Convention Center, Austin, TX, USA; http://www.hostsymposium.org/
6/ 3/13: CRiSIS, 8th International Conference on Risks and Security of Internet and Systems, La Rochelle, France; http://secinfo.msi.unilim.fr/crisis2013/; Submissions are due
6/ 3/13- 6/ 4/13: NSS, 7th International Conference on Network and System Security, Madrid, Spain; http://anss.org.au/nss2013/index.htm
6/ 3/13- 6/ 7/13: IFIP-TM, 7th IFIP International Conference on Trust Management, Málaga, Spain; http://conf2013.ifiptm.org/
6/ 4/13: D-SPAN, 4th IEEE Workshop on Data Security and Privacy in Wireless Networks, Co-located with the 14th International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM 2013), Madrid, Spain; http://www.ee.washington.edu/research/nsl/DSPAN_2013/
6/ 5/13: QASA, 2nd International Workshop in Quantitative Aspects in Security Assurance, Held in conjunction with ESORICS 2013, Egham, U.K; http://www.iit.cnr.it/qasa2013; Submissions are due
6/10/13: BigSecurity, 1st International Workshop on Security and Privacy in Big Data, Held in conjunction with Globecom 2013, Atlanta, Georgia, USA; http://www.nsp.org.au/CFP/BigSecurity/; Submissions are due
6/12/13- 6/14/13: SACMAT, 18th ACM Symposium on Access Control Models and Technologies, Amsterdam, The Netherlands; http://www.sacmat.org/
6/17/13- 6/19/13: TRUST, 6th International Conference on Trust and Trustworthy Computing, London, UK; http://trust2013.sba-research.org
6/23/13: MWSN, IEEE International Workshop on Security and Privacy of Mobile, Wireless and Sensor Networks, New Orleans, LA, USA; http://www2.cs.uh.edu/mwsn/
6/24/13- 6/27/13: PRISMS, International Conference on Privacy and Security in Mobile Systems, Atlantic City, NJ, USA; http://www.gws2013.org/prisms/
6/25/13: SafeConfig, 6th Symposium on Security Analytics and Automation, Washington, D.C., USA; http://www.safeconfig.org; Submissions are due
6/25/13- 6/28/13: ACNS, 11th International Conference on Applied Cryptography and Network Security, Banff, Alberta, Canada; http://acns2013.cpsc.ucalgary.ca/
6/26/13- 6/28/13: CSF, 26th IEEE Computer Security Foundations Symposium, Tulane University, New Orleans Louisiana, USA; http://csf2013.seas.harvard.edu/
6/27/13- 7/ 2/13: CSAW, Cloud Security Auditing Workshop, Held in conjunction with the IEEE 9th World Congress on Services, Santa Clara, CA, USA; http://www.csaw2013.org
6/29/13: FCS, Workshop on Foundations of Computer Security, Tulane University, New Orleans, Louisiana, USA; http://prosecco.inria.fr/personal/bblanche/fcs13/
6/30/13: SIN, 6th International Conference on Security of Information and Networks, Aksaray, Turkey; http://www.sinconf.org; Submissions are due
7/ 1/13: RFIDsec-Asia, Workshop on RFID and IoT Security, Guangzhou, China; http://www.inscrypt.cn/2013/Inscrypt_2013/CFP-RFIDsecAsia.htm; Submissions are due
7/ 5/13: eCrime, 8th IEEE eCrime Researchers Summit, San Francisco, California, USA; http://ecrimeresearch.org/events/eCrime2013/cfp; Submissions are due
7/ 8/13: VizSec, 10th International Symposium on Visualization for Cyber Security, Atlanta GA, USA; http://www.vizsec.org/; Submissions are due
7/ 8/13: NFSP, 2nd International
    Workshop on Network Forensics, Security and Privacy, Held in conjunction with the 33rd International Conference on Distributed Computing Systems (ICDCS 2013), Philadelphia, PA, USA; http://www.faculty.umassd.edu/honggang.wang/nfsp2013/
7/ 9/13- 7/11/13: RFIDSEC, 9th Workshop on RFID Security, Graz, Austria; http://rfidsec2013.iaik.tugraz.at/
7/10/13- 7/12/13: PST, 11th International Conference on Privacy, Security and Trust, Tarragona, Catalonia; http://unescoprivacychair.urv.cat/pst2013/index.php?m=cfp
7/15/13- 7/17/13: DBSEC, 27th Annual IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy, Rutgers University, Newark, NJ, USA; http://dbsec2013.business.rutgers.edu/
7/17/13- 7/19/13: VOTE-ID, 4th International Conference on E-voting and Identity, University of Surrey, Guildford, UK; http://www.voteid13.org/
7/18/13- 7/19/13: DIMVA, 10th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Berlin, Germany; http://www.dimva.org/dimva2013
7/22/13: SPSM, 3rd Workshop on Security and Privacy in Smartphones and Mobile Devices, Held in conjunction with the ACM CCS 2013, Berlin, Germany; http://www.spsm-workshop.org/2013/; Submissions are due
7/24/13- 7/26/13: SOUPS, Symposium On Usable Privacy and Security, Northumbria University, Newcastle, UK; http://cups.cs.cmu.edu/soups/
7/24/13- 7/26/13: SOUPS-RISK, Workshop on Risk Perception in IT Security and Privacy, Newcastle, UK; http://cups.cs.cmu.edu/soups/2013/risk.html
7/29/13- 7/31/13: SECRYPT, 10th International Conference on Security and Cryptography, Reykjavik, Iceland; http://secrypt.icete.org
8/14/13- 8/16/13: USENIX-Security, 22nd USENIX Security Symposium, Washington, DC,
    USA; https://www.usenix.org/conference/usenixsecurity13
8/19/13- 8/21/13: WISA, 14th International Workshop on Information Security Applications, Jeju Island, Korea; http://www.wisa.or.kr/
8/20/13- 8/23/13: CHES, Workshop on Cryptographic Hardware and Embedded Systems, Co-located with the 33rd Annual International Cryptology Conference (CRYPTO 2013), Santa Barbara, California, USA; http://www.chesworkshop.org/ches2013/
8/30/13- 8/31/13: TGC, 8th International Symposium on Trustworthy Global Computing, Buenos Aires, Argentina; http://sysma.lab.imtlucca.it/tgc2013/
9/ 2/13- 9/ 6/13: ECTCM, 1st International Workshop on Emerging Cyberthreats and Countermeasures, Co-located with ARES 2013, University Regensburg, Germany; http://www.ectcm.net
9/ 2/13- 9/ 6/13: SeCIHD, 3rd IFIP International Workshop on Security and Cognitive Informatics for Homeland Defense, Held in conjunction with the 8th ARES Conference (ARES 2013), Regensburg, Germany; http://isyou.info/conf/secihd13/
9/12/13- 9/13/13: DPM, 8th International Workshop on Data Privacy Management, Held in conjunction with ESORICS 2013, Egham, U.K; http://research.icbnet.ntua.gr/DPM2013/
9/12/13- 9/13/13: QASA, 2nd International Workshop in Quantitative Aspects in Security Assurance, Held in conjunction with ESORICS 2013, Egham, U.K; http://www.iit.cnr.it/qasa2013
9/15/13: IFIP119-DF, 10th Annual IFIP WG 11.9 International Conference on Digital Forensics, Vienna University of Technology, Vienna, Austria; http://www.ifip119.org; Submissions are due
9/17/13- 9/18/13: eCrime, 8th IEEE eCrime Researchers Summit, San Francisco, California, USA; http://ecrimeresearch.org/events/eCrime2013/cfp
9/25/13- 9/26/13: CMS, 14th Joint IFIP TC6 and TC11 Conference on Communications and Multimedia Security, Magdeburg, Germany; http://www.cms2013.de
9/25/13- 9/27/13: SECURECOMM, 9th International ICST Conference on Security and Privacy in Communication Networks, Sydney, Australia; http://securecomm.org/2013/
9/30/13-10/ 2/13: SeTTIT,
    Workshop on Security Tools and Techniques for Internet of Things, Co-located with the BODYNETS 2013 conference, Boston, Massachusetts, USA; http://settit.bodynets.org/2013/show/home
10/ 4/13: POST, 3rd Conference on Principles of Security and Trust, Grenoble, France; http://www.etaps.org/2014/post-2014; Submissions are due
10/14/13: VizSec, 10th International Symposium on Visualization for Cyber Security, Atlanta GA, USA; http://www.vizsec.org/
10/14/13: SafeConfig, 6th Symposium on Security Analytics and Automation, Washington, D.C., USA; http://www.safeconfig.org
10/14/13-10/16/13: CNS, 1st IEEE Conference on Communications and Network Security, Washington D.C., USA; http://www.ieee-cns.org
10/23/13-10/25/13: CRiSIS, 8th International Conference on Risks and Security of Internet and Systems, La Rochelle, France; http://secinfo.msi.unilim.fr/crisis2013/
11/ 1/13: IEEE Transactions on Reliability, Special Section on Trustworthy Computing; http://rs.ieee.org/images/files/newsletters/2013/1_2013/CFP3.htm; Submissions are due
11/ 4/13-11/ 8/13: CCS, 20th ACM Conference on Computer and Communications Security, http://www.sigsac.org/ccs/CCS2013/
11/ 8/13: SPSM, 3rd Workshop on Security and Privacy in Smartphones and Mobile Devices, Held in conjunction with the ACM CCS 2013, Berlin, Germany; http://www.spsm-workshop.org/2013/
11/12/13-11/14/13: HST, 13th annual IEEE Conference on Technologies for Homeland Security, Waltham, Massachusetts, USA; http://www.ieee-hst.org
11/18/13-11/20/13: IWSEC, 8th International Workshop on Security, Okinawaken Shichouson Jichikaikan, Japan; http://www.iwsec.org/2013
11/20/13-11/22/13: ICICS, 15th International Conference on Information and Communications Security, Beijing, China; http://icsd.i2r.a-star.edu.sg/icics2013/
11/26/13-11/28/13: SIN, 6th International Conference on Security of Information and Networks, Aksaray, Turkey; http://www.sinconf.org
11/27/13: RFIDsec-Asia, Workshop on RFID and IoT Security, Guangzhou, China;
    http://www.inscrypt.cn/2013/Inscrypt_2013/CFP-RFIDsecAsia.htm
12/ 9/13-12/13/13: BigSecurity, 1st International Workshop on Security and Privacy in Big Data, Held in conjunction with Globecom 2013, Atlanta, Georgia, USA; http://www.nsp.org.au/CFP/BigSecurity/
1/ 8/14- 1/10/14: IFIP119-DF, 10th Annual IFIP WG 11.9 International Conference on Digital Forensics, Vienna University of Technology, Vienna, Austria; http://www.ifip119.org
4/ 7/14- 4/11/14: POST, 3rd Conference on Principles of Security and Trust, Grenoble, France; http://www.etaps.org/2014/post-2014

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers (new since Cipher E113)
____________________________________________________________________

IEEE Security & Privacy Magazine
Special Issue on Moving-Target Defense
(Optional) Abstract submissions due to the guest editors: 1 June 2013
Articles due to ScholarOne: 1 July 2013
Publication date: March/April 2014
Guidelines: http://www.computer.org/portal/web/peerreviewmagazines/acsecurity

Hitting a moving target is usually more difficult than hitting a stationary one. In World War II, naval ships zigzagged through the water to make it harder for submarines to torpedo them, and Hedy Lamarr and George Antheil's invention of frequency-hopping eventually made radio communications harder to jam. But some defensive techniques -- like zigzagging -- are soon negated by effective countermeasures. So how can we embrace a moving-target defense that has promise for long-term effectiveness? We welcome case studies, experience reports, practices, research results, and standards reports. Our readers are eager to hear about industry experiences, especially resulting from empirical studies that help us learn how past successes and failures should inform the next generation.

-------------------------------------------------------------------------
SOUPS-RISK 2013 Workshop on Risk Perception in IT Security and Privacy, Newcastle, UK, July 24-26, 2013. (Submissions due 30 May 2013)
http://cups.cs.cmu.edu/soups/2013/risk.html

This workshop is an opportunity to bring together researchers and practitioners to share experiences, concerns and ideas about how to address the gap between user perception of IT risks and security / organizational requirements for security and privacy.

Willingness to perform actions for security purposes is strongly determined by the costs and perceived benefit to the individual. When end-users' perceptions of risk are not aligned with organization or system, there is a mismatch in perceived benefit, leading to poor user acceptance of the technology. For example, organizations face complex decisions when pushing valuable information across the network to mobile devices, web clients, automobiles and other embedded systems. This may impose burdensome security decisions on employees and clients due to the risks of devices being lost or stolen, shoulder surfing, eavesdropping, etc. Effective risk communication can provide a shared understanding of the need for, and benefits of secure approaches and practices.

While risk perception has been studied in non-IT contexts, how well people perceive and react to IT risk is less well understood. How systems measure IT risk, how it is best communicated to users, and how to best align these often misaligned perspectives is poorly understood. Risk taking decisions (policies) are increasingly being pushed out to users who are frequently ill prepared to make complex technical security decisions based on limited information about the consequences of their actions. In other risk domains we know that non-experts think and respond to risk very differently than experts. Non-experts often rely on affect, and may be unduly influenced by the perceived degree of damage that will be caused.
Experts, and risk evaluation systems, use statistical reasoning to assess risk.

The purpose of this workshop is to bring together researchers and practitioners to share experiences, concerns and ideas about how to address the gap between user perception of IT risks and security / organizational requirements for security and privacy. Topics of interest include:
- Human decision and different attack types: Malware, eavesdropping, inadvertent loss / disclosure of information, phishing, browser attacks, etc.
- Research methods and metrics for assessing perception of risk
- Assessing value of assets and resources at risk
- Communicating and portrayal of risk - security indicators, status indicators, etc.
- Organizational versus personal risk
- The psychology of risk perception
- Behavioral aspects of risk perception
- Real versus perceived risk
- Other topics related to measuring IT risk and/or user perception of IT risk

-------------------------------------------------------------------------
WISA 2013 14th International Workshop on Information Security Applications, Jeju Island, Korea, August 19-21, 2013. (Submissions due 31 May 2013)
http://www.wisa.or.kr/

This year's program committee chairs decide to convert WISA to be a venue for discussing system security and offensive technology issues among researchers in Asia. More specifically, it will resemble two well-known conferences: USENIX Security and WOOT. The primary focus of WISA 2013, therefore, is on systems and network security, and the secondary focus is on offensive technology. Accordingly, the workshop will be composed of two tracks: regular and OT (Offensive Technology).
Regular paper submissions are solicited in all areas relating to systems and network security, including:
- Analysis of network and security protocols
- Anonymity and censorship-resistant technologies
- Applications of cryptographic techniques
- Authentication and authorization of users, systems, and applications
- Automated tools for source code/binary analysis
- Botnet defense
- Critical infrastructure security
- Cryptographic implementation analysis and construction
- Denial-of-service attack countermeasures
- Embedded systems security
- Forensics
- Hardware and physical security
- Human-computer interaction, security, and privacy
- Intrusion/anomaly detection and prevention
- Malware analysis
- Mobile/wireless/cellular system security
- Network infrastructure security
- Operating system security
- Physical security
- Security architectures
- Security in heterogeneous and large-scale environments
- Security in ubiquitous computing environments
- Security policy
- Storage and file system security
- Techniques for developing secure systems
- Trustworthy computing
- Web security, including client-side and server-side security

-------------------------------------------------------------------------
DPM 2013 8th International Workshop on Data Privacy Management, Held in conjunction with ESORICS 2013, Egham, U.K., September 12-13, 2013. (Submissions due 2 June 2013)
http://research.icbnet.ntua.gr/DPM2013/

The aim of this workshop is to discuss and exchange the ideas related to privacy data management. We invite papers from researchers and practitioners working in privacy, security, trustworthy data systems and related areas to submit their original papers in this workshop.
Topics of interest include, but are not limited to, the following: - Privacy Information Management - Privacy Policy-based Infrastructures and Architectures - Privacy-oriented Access Control Languages and Models - Privacy in Trust Management - Privacy Data Integration - Privacy Risk Assessment and Assurance - Privacy Services - Privacy Policy Analysis - Lightweight cryptography & Cryptanalysis - Query Execution over Privacy Sensitive Data - Privacy Preserving Data Mining - Hippocratic and Water-marking Databases - Privacy for Integrity-based Computing - Privacy Monitoring and Auditing - Privacy in Social Networks - Privacy in Ambient Intelligence (AmI) Applications - Individual Privacy vs. Corporate/National Security - Code-based Cryptology - Privacy in computer networks - Privacy and RFIDs - Privacy and Big Data - Privacy in sensor networks ------------------------------------------------------------------------- CRiSIS 2013 8th International Conference on Risks and Security of Internet and Systems, La Rochelle, France, October 23-25, 2013. (Submissions due 3 June 2013) http://secinfo.msi.unilim.fr/crisis2013/ The topics addressed by CRiSIS range from the analysis of risks, attacks on networks and system survivability to security models, security mechanisms and privacy enhancing technologies. Prospective authors are invited to submit research results as well as practical experiment or deployment reports. Industrial papers about applications and case studies, such as telemedicine, banking, e-government and critical infrastructure, are also welcome.
The list of topics includes but is not limited to: - Analysis and management of risk - Attacks and defenses - Attack data acquisition and network monitoring - Cryptography, Biometrics, Watermarking - Dependability and fault tolerance of Internet applications - Distributed systems security - Embedded system security - Empirical methods for security and risk evaluation - Hardware-based security and Physical security - Intrusion detection and Prevention systems - Organizational, ethical and legal issues - Privacy protection and anonymization - Risk-aware access and usage control - Security and risk assessment - Security and risk metrics - Security and dependability of operating systems - Security and safety of critical infrastructures - Security and privacy of peer-to-peer systems - Security and privacy of wireless networks - Security models and security policies - Security of new generation networks, security of VoIP and multimedia - Security of e-commerce, electronic voting and database systems - Security of social networks - Smartphone security and privacy - Traceability, metrology and forensics - Trust management - Use of smart cards and personal devices for Internet applications - Web and cloud security ------------------------------------------------------------------------- QASA 2013 2nd International Workshop in Quantitative Aspects in Security Assurance, Held in conjunction with ESORICS 2013, Egham, U.K., September 12-13, 2013. (Submissions due 5 June 2013) http://www.iit.cnr.it/qasa2013 There is an increasing demand for techniques to deal with quantitative aspects of security assurance at several levels of the development life-cycle of systems & services, e.g., from requirements elicitation to run-time operation and maintenance. The aim of this workshop is to bring together researchers and practitioners interested in these research topics with a particular emphasis on techniques for service oriented architectures.
The scope of the workshop is intended to be broad, including aspects such as dependability, privacy, risk and trust. The list of topics includes, but is not limited to: - Probabilistic/stochastic model checking - Quantitative information flow analysis - Quantitative issues in access and usage control - Security testing techniques - Static/dynamic code analysis techniques - Metrics for security, trust and privacy - Incremental/modular security assurance analysis - Process compliance assurance techniques - Tool support for quantitative security assurance - Simulation techniques - Model-driven techniques for security, trust, risk and privacy - Assurance cases modelling and analysis ------------------------------------------------------------------------- BigSecurity 2013 1st International Workshop on Security and Privacy in Big Data, Held in conjunction with Globecom 2013, Atlanta, Georgia, USA, December 9-13, 2013. (Submissions due 10 June 2013) http://www.nsp.org.au/CFP/BigSecurity/ As we are deep into the Information Age, we witness the explosive growth of data available on the Internet. For example, human beings created about 2.5 quintillion bytes of data every day in 2012, which came from sensors, individual archives, social networks, Internet of Things, enterprise and Internet in all scales and formats. We face one of the most challenging issues, i.e., how to effectively manage such a large amount of data and identify new ways to analyze large amounts of data and unlock information. The issue is also known as Big Data, which has been emerging as a hot topic in Information and Communication Technologies (ICT) research. Security and privacy are critical for Big Data. Many works have focused on the business, application and information processing levels of Big Data, such as data mining and analysis. However, security and privacy issues in Big Data are seldom mentioned to date.
Due to its extraordinary scale, security and privacy in Big Data face many challenges, such as efficient encryption and decryption algorithms, encrypted information retrieval, attribute based encryption, attacks on availability, reliability and integrity of Big Data. This workshop offers a timely venue for researchers and industry partners to present and discuss their latest results in security and privacy related work of Big Data. ------------------------------------------------------------------------- SafeConfig 2013 6th Symposium on Security Analytics and Automation, Washington, D.C., USA, October 14, 2013. (Submissions due 25 June 2013) http://www.safeconfig.org The new sophisticated cyber security threats demand new security management approaches that offer holistic security analytics based on the system data including configurations, logs and network traffic. Security analytics must be able to handle large volumes of data in order to model, integrate, analyze and respond to threats in real time. The system configuration/policy is a key component that determines the security and resiliency of networked information systems and services. However, a typical enterprise networked environment contains thousands of network and security devices and millions of inter-dependent configuration variables (e.g., rules) that orchestrate the end-to-end system behavior globally. As the current technology moves toward "smart" cyber infrastructure and open networking platforms (e.g. OpenFlow and virtual computing), the need for security analytics and automation significantly increases. The coupled integration of network sensor data and configuration in a unified framework will enable intelligent response, automated defense, and network resiliency/agility.
This symposium offers a unique opportunity by bringing together researchers from academia, industry as well as government agencies to discuss these challenges, exchange experiences, and propose joint plans for promoting research and development in this area. SafeConfig Symposium is a one day program that will include invited talks, technical presentations of peer-reviewed papers, poster/demo sessions, and joint panels on research collaboration. SafeConfig Symposium solicits the submission of original unpublished ideas in 8-page long papers, 4-page short papers, or 2-page posters. Security analytics and automation for new emerging application domains such as clouds and data centers, cyber-physical systems, software defined networking and Internet of things are of particular interest to the SafeConfig community. ------------------------------------------------------------------------- SIN 2013 6th International Conference on Security of Information and Networks, Aksaray, Turkey, November 26-28, 2013. (Submissions due 30 June 2013) please see http://www.sinconf.org The 6th International Conference on Security of Information and Networks (SIN 2013) provides an international forum for presentation of research and applications of security in information and networks. Papers addressing all aspects of security in information and networks are being sought.
Researchers and industrial practitioners working on the following and related subjects are especially encouraged: Development and realization of cryptographic solutions, security schemes, new algorithms; critical analysis of existing approaches; secure information systems, especially distributed control and processing applications, and security in networks; interoperability, service levels and quality issues in such systems; information assurance, security, and public policy; detection and prevention of cybercrimes such as fraud and phishing; next generation network architectures, protocols, systems and applications; industrial experiences and challenges of the above. ------------------------------------------------------------------------- RFIDsec-Asia 2013 Workshop on RFID and IoT Security, Guangzhou, China, November 27, 2013. (Submissions due 1 July 2013) http://www.inscrypt.cn/2013/Inscrypt_2013/CFP-RFIDsecAsia.htm The workshop series of RFIDsec Asia, the Asia branch of RFIDsec, aims to provide researchers, enterprises and governments a platform to investigate, discuss and propose new solutions on security and privacy issues of RFID/IoT (Internet of Things) technologies and applications. Papers with original research in theory and practical system design concerning RFID/IoT security are solicited. 
Topics of interest include, but are not limited to, the following: - New applications for secure RFID/IoT systems - Data integrity and privacy protection techniques for RFID/IoT - Attacks and countermeasures on RFID/IoT systems - Design and analysis on secure RFID/IoT hardware - Risk assessment and management on RFID/IoT applications - Trust model, data aggregation and information sharing for EPCglobal network - Resource efficient implementation of cryptography - Integration of secure RFID/IoT systems ------------------------------------------------------------------------- eCrime 2013 8th IEEE eCrime Researchers Summit, San Francisco, California, USA, September 17-18, 2013. (Submissions due 5 July 2013) http://ecrimeresearch.org/events/eCrime2013/cfp eCRS 2013 consists of two full days which bring together academic researchers, security practitioners, and law enforcement to discuss all aspects of electronic crime and ways to combat it. Topics of interest include (but are not limited to): - Case studies of current attack methods, including phishing, malware, rogue antivirus, pharming, crimeware, botnets, and emerging techniques - Case studies of online advertising fraud, including click fraud, malvertising, cookie stuffing, and affiliate fraud - Case studies of large-scale take-downs, such as coordinated botnet disruption - Technical, legal, political, social and psychological aspects of fraud and fraud prevention - Economics of online crime, including measurement studies of underground economies and models of e-crime - Uncovering and disrupting online criminal collaboration and gangs - Financial infrastructure of e-crime, including payment processing and money laundering - Techniques to assess the risks and yields of attacks and the effectiveness of countermeasures - Delivery techniques, including spam, voice mail, social network and web search manipulation; and countermeasures - Techniques to avoid detection, tracking and take-down; and ways to block such 
techniques - Best practices for detecting and avoiding damages to critical internet infrastructure, such as DNS and SCADA, from electronic crime activities ------------------------------------------------------------------------- VizSec 2013 10th International Symposium on Visualization for Cyber Security, Atlanta GA, USA, October 14, 2013. (Submissions due 8 July 2013) http://www.vizsec.org/ The 10th International Symposium on Visualization for Cyber Security (VizSec) is a forum that brings together researchers and practitioners from academia, government, and industry to address the needs of the cyber security community through new and insightful visualization and analysis techniques. VizSec will provide an excellent venue for fostering greater exchange and new collaborations on a broad range of security- and privacy-related topics. Important research problems often lie at the intersection of disparate domains. Our focus is to explore effective, scalable visual interfaces for security domains, where visualization may provide a distinct benefit, including computer forensics, reverse engineering, insider threat detection, cryptography, privacy, preventing 'user assisted' attacks, compliance management, wireless security, secure coding, and penetration testing in addition to traditional network security. Human time and attention are precious resources. We are particularly interested in visualization and interaction techniques that effectively capture human analyst insights so that further processing may be handled by machines, freeing the analyst for other tasks. For example, a malware analyst might use a visualization system to analyze a new piece of malicious software and then facilitate generating a signature for future machine processing. When appropriate, research that incorporates multiple data sources, such as network packet captures, firewall rule sets and logs, DNS logs, web server logs, and/or intrusion detection system logs, is particularly desirable. 
------------------------------------------------------------------------- SPSM 2013 3rd Workshop on Security and Privacy in Smartphones and Mobile Devices, Held in conjunction with the ACM CCS 2013, Berlin, Germany, November 8, 2013. (Submissions due 22 July 2013) http://www.spsm-workshop.org/2013/ The SPSM workshop intends to provide a venue for interested researchers and practitioners to get together and exchange ideas. The workshop will deepen our understanding of various security and privacy issues on smartphones. As with the two very well received previous editions, the topics of interest to SPSM 2013 include (but are not limited to) the following subject categories: - Device/hardware security - OS/Middleware security - Application security - Authenticating users to devices and services - Mobile Web Browsers - Usability - Privacy - Rogue application detection and recovery - Vulnerability detection and remediation - Secure application development - Cloud support for mobile security ------------------------------------------------------------------------- IFIP119-DF 2014 10th Annual IFIP WG 11.9 International Conference on Digital Forensics, Vienna University of Technology, Vienna, Austria, January 8-10, 2014. (Submissions due 15 September 2013) http://www.ifip119.org The IFIP Working Group 11.9 on Digital Forensics (www.ifip119.org) is an active international community of scientists, engineers and practitioners dedicated to advancing the state of the art of research and practice in digital forensics. The Tenth Annual IFIP WG 11.9 International Conference on Digital Forensics will provide a forum for presenting original, unpublished research results and innovative ideas related to the extraction, analysis and preservation of all forms of electronic evidence. Papers and panel proposals are solicited. All submissions will be refereed by a program committee comprising members of the Working Group. 
Papers and panel submissions will be selected based on their technical merit and relevance to IFIP WG 11.9. The conference will be limited to approximately sixty participants to facilitate interactions between researchers and intense discussions of critical research issues. Technical papers are solicited in all areas related to the theory and practice of digital forensics. Areas of special interest include, but are not limited to: - Theories, techniques and tools for extracting, analyzing and preserving digital evidence - Network and cloud forensics - Embedded device forensics - Digital forensic processes and workflow models - Digital forensic case studies - Legal, ethical and policy issues related to digital forensics ------------------------------------------------------------------------- POST 2014 3rd Conference on Principles of Security and Trust, Grenoble, France, April 7–11, 2014. (Submissions due 4 October 2013) http://www.etaps.org/2014/post-2014 Principles of Security and Trust is a broad forum related to the theoretical and foundational aspects of security and trust. Papers of many kinds are welcome: new theoretical results, practical applications of existing foundational ideas, and innovative theoretical approaches stimulated by pressing practical problems. We seek submissions proposing theories to clarify security and trust within computer science; submissions establishing new results in existing theories; and also submissions raising fundamental concerns about existing theories. We welcome new techniques and tools to automate reasoning within such theories, or to solve security and trust problems. Case studies that reflect the strengths and limitations of foundational approaches are also welcome, as are more exploratory presentations on open questions. 
Areas of interest include: - Access control - Anonymity - Authentication - Availability - Cloud security - Confidentiality - Covert channels - Crypto foundations - Economic issues - Information flow - Integrity - Languages for security - Malicious code - Mobile code - Models and policies - Privacy - Provenance - Reputation and trust - Resource usage - Risk assessment - Security architectures - Security protocols - Trust management - Web service security ------------------------------------------------------------------------- IEEE Transactions on Reliability, Special Section on Trustworthy Computing, 2014, (Submission Due 1 November 2013) http://rs.ieee.org/images/files/newsletters/2013/1_2013/CFP3.htm Editors: Shiuhpyng Winston Shieh (National Chiao Tung University, Taiwan) Trustworthy Computing (TC) has been applied to software-enabled computing systems and networks that are inherently secure, private, available, and reliable. As fast-growing mobile cloud computing emerges to cover smart phones, tablets, smart TV, and cloud computing platforms, these ubiquitous computing devices pose new challenges to trustworthy computing. Cloud computing offers organizations of all sizes the ability to embrace and implement new applications at far less cost than traditional approaches. Organizations that move workloads to the cloud take advantage of the capabilities of their cloud providers to ensure continuous availability of services. However, the ever-growing complexity of such systems and the software that controls them not only makes it much more difficult to guarantee their quality, but also introduces more vulnerability to malicious attacks, intrusion, and data loss. To address these needs, this special section calls for novel applications of emerging techniques for trustworthy computing of information, software, systems, and networks. Reviews and case studies which address state-of-art research and state-of-practice industry experiences are also welcomed.
The topics of interest include, but are not limited to: - Security, reliability, privacy, and availability issues in computing systems and networks - Trustworthy computing in small or large systems, such as mobile devices, embedded systems, cloud computing platforms, and internet of things - Information, system, and software assurance - Auditing, verification, validation - Security testing, evaluation, and measurement - Data protection, maintenance, recovery, and risk assessment - Authentication, authorization, access control, and accounting - Penetration analysis, intrusion detection and prevention - Malware behavior analysis, and software vulnerability discovery - Hardware techniques facilitating trustworthy computing, such as Trusted Platform Module (TPM) - Trustworthy operating systems and applications - Cloud Computing - Mobile Computing - Software defined networking (SDN) - Cryptographic techniques ==================================================================== Information on the Technical Committee on Security and Privacy ==================================================================== ____________________________________________________________________ Information for Subscribers and Contributors ____________________________________________________________________ SUBSCRIPTIONS: Two options, each with two options: 1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe". OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself) 2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard". 
OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself) To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors. 
____________________________________________________________________ Recent Address Changes ____________________________________________________________________ Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html _____________________________________________________________________ How to become a member of the IEEE Computer Society's TC on Security and Privacy _____________________________________________________________________ You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at https://www.ieee.org/membership-catalog/productdetail/showProductDetailPage.html?product=CMYSP728 ______________________________________________________________________ TC Publications for Sale ______________________________________________________________________ IEEE Security and Privacy Symposium The 2010 hardcopy proceedings are available at $25 each. The DVD with all technical papers from all years of the SP Symposium and the CSF Symposium (through 2009) is $10, plus shipping and handling. The 2009 hardcopy proceedings are not available. The DVD with all technical papers from all years of the SP Symposium and the CSF Symposium is $5, plus shipping and handling. The 2008 hardcopy proceedings are $10 plus shipping and handling; the 29 year CD is $5.00, plus shipping and handling. The 2007 proceedings are available in hardcopy for $10.00, the 28 year CD is $5.00, plus shipping and handling. The 2006 Symposium proceedings and 11-year CD are sold out. The 2005, 2004, and 2003 Symposium proceedings are available for $10 plus shipping and handling. Shipping is $5.00/volume within the US, overseas surface mail is $8/volume, and overseas airmail is $14/volume, based on an order of 3 volumes or less. The shipping charge for a CD is $3 per CD (no charge if included with a hard copy order).
Send a check made out to the IEEE Symposium on Security and Privacy to the 2011 treasurer (below) with the order description, including shipping method and shipping address. Robin Sommer Treasurer, IEEE Symposium Security and Privacy 2011 International Computer Science Institute Center for Internet Research 1947 Center St., Suite 600 Berkeley, CA 94704 USA oakland11-treasurer@ieee-security.org IEEE CS Press You may order some back issues from IEEE CS Press at http://www.computer.org/cspress/catalog/proc9.htm Computer Security Foundations Symposium Copies of the proceedings of the Computer Security Foundations Workshop (now Symposium) are available for $10 each. Copies of proceedings are available starting with year 10 (1997). Photocopy versions of year 1 are also $10. Contact Jonathan Herzog if interested in purchase. Jonathan Herzog jherzog@alum.mit.edu
____________________________________________________________________________ TC Officers and SP Steering Committee ____________________________________________________________________________
Chair: Sven Dietrich, Department of Computer Science, Stevens Institute of Technology, +1 201 216 8078, spock AT cs.stevens.edu
Security and Privacy Symposium Chair Emeritus: Robert Cunningham, MIT Lincoln Laboratories, http://www.ll.mit.edu/mission/communications/ist/biographies/cunningham-bio.html
Vice Chair: Patrick McDaniel, Computer Science and Engineering, Pennsylvania State University, 360 A IST Building, University Park, PA 16802, (814) 863-3599, mcdaniel@cse.psu.edu
Treasurer: Terry Benzel, USC Information Sciences Intnl, 4676 Admiralty Way, Suite 1001, Los Angeles, CA 90292, (310) 822-1511 (voice), tbenzel @isi.edu
Newsletter Editor and TC Awards Chair: Hilarie Orman, Purple Streak, Inc., 500 S. Maple Dr., Woodland Hills, UT 84653, cipher-editor@ieee-security.org
Security and Privacy Symposium, 2013 Chair: Robin Sommer, http://www.icir.org/robin
________________________________________________________________________ BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html Cipher is published 6 times per year