Electronic CIPHER, Issue 115, July 17, 2013

============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 115
July 17, 2013

Hilarie Orman, Editor: cipher-editor @ ieee-security.org
Sven Dietrich, Assoc. Editor: cipher-assoc-editor @ ieee-security.org
Richard Austin, Book Review Editor: cipher-bookrev @ ieee-security.org
Yong Guan, Calendar Editor: cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * Commentary and Opinion
    o Richard Austin's review of "Linux Malware Incident Response: A Practitioner's Guide to Forensic Collection and Examination of Volatile Data" by Cameron Malin, Eoghan Casey and James Aquilina
    o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
 * News Items
    o Fallout from the NSA surveillance revelations, Apple security limitation, cyberespionage, and more.
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Conference and Workshop Announcements
    o Calendar of security events
    o Upcoming calls-for-papers and events
 * Staying in Touch
    o Information for subscribers and contributors
    o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
    o Becoming a member of the TC
    o TC Officers
    o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

The news: Snowden, NSA. The end of privacy. The question is, did we ever have privacy? We have known for a long time that the technology for surveillance was ready, that the capability existed, and post 9/11 the US government told us that it would use all means possible to thwart enemies. We have secret courts. Against that backdrop, how could we expect anything other than what Snowden has revealed? The debate about this will continue for a long time, but this genie is not going back in the bottle anytime soon.

We also note that surveillance is a double-edged sword, and Susan Landau's book, "Surveillance or Security?" (reviewed here in 2011) points out many of them. The risk of network technicians blowing the whole operation wide open seems to be the one the public has seen in recent cases, but one wonders about undetected misuses.

Switching to more local news, we note that the Computer Society is moving towards publication policies that are in keeping with open access concepts, and we expect to see the proceedings of the 2012 Security and Privacy Symposium online at the Society's Digital Library by summer's end. Less pleasant are new IEEE policies affecting events that seek "in cooperation with" or "technical co-sponsorship" status. This is now a more complicated application procedure, and events that do not choose to publish their proceedings through IEEE must now pay a $500 fee.

This month we have a book review about Linux malware and incident response. The Unix/Linux lineage is a long and distinguished one, but it has not been used as widely as Microsoft's Windows or Apple's MACOS. Apparently Linux is now going mainstream, and it is time to learn about the log files and other artifacts that help track the path of malware.

What if they had arrested Paul Revere and his horse for revealing state secrets?
Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

-------------------------------
Nations Buying as Hackers Sell Flaws in Computer Code
Nicole Perlroth and David E. Sanger
The New York Times
Jul 12, 2013
http://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html

The price for zero day exploits is sky-rocketing, and hackers world-wide pore over every detail of commonly used software, seeking the small wedge to drive through corporate and government defenses.

-------------------------------
Report Indicates More Extensive Cooperation by Microsoft on Surveillance
James Risen
The New York Times
Jul 11, 2013
http://www.nytimes.com/2013/07/12/us/report-indicates-more-extensive-cooperation-by-microsoft-on-surveillance.html

Users who rely on encryption built into Microsoft products may be surprised to learn that Microsoft is alleged to provide "pre-encryption" data to NSA, thus bypassing the expected communication privacy.

-------------------------------
Tiny Utah-based ISP makes a name for itself by rebuffing government snoops
Rory Carroll in Salt Lake City
The Guardian
Jul 9, 2013
http://www.guardian.co.uk/world/2013/jul/09/xmission-isp-customers-privacy-nsa

XMission is located only about 15 miles from the new NSA data center in Utah, but its CEO is determined to keep his customers' data out of the facility, and away from state and local governments, unless due process is followed, consistent with the US Constitution. Cipher subscribers may be interested to know that this newsletter is emailed to them through XMission servers.

-------------------------------
Report: Web monitoring devices made by U.S. firm Blue Coat detected in Iran, Sudan
Ellen Nakashima
The Washington Post
Jul 8, 2013
http://www.washingtonpost.com/world/national-security/report-web-monitoring-devices-made-by-us-firm-blue-coat-detected-in-iran-sudan/2013/07/08/09877ad6-e7cf-11e2-a301-ea5a8116d211_story.html

The US restricts commerce with some countries, and they must restrict resellers from moving products to the banned nations. Yet Internet security technology for monitoring networks seems to be used in two of those places.

-------------------------------
NSA in Utah: Mining a mountain of data
Tony Semerad
The Salt Lake Tribune
June 29, 2013
http://www.sltrib.com/sltrib/news/56515678-78/data-nsa-http-www.html.csp

"Leaks shed light on how spy agency may use supercomputers, gigantic hard drives." Are there exabytes, zettabytes, or yottabytes behind the new walls? (Cipher readers may be interested in the several articles published in the SL Tribune about the new data center).

-------------------------------
Secret-court judges upset at portrayal of 'collaboration' with government
Carol D. Leonnig, Ellen Nakashima and Barton Gellman
The Washington Post
Jun 30, 2013
http://www.washingtonpost.com/politics/secret-court-judges-upset-at-portrayal-of-collaboration-with-government/2013/06/29/ed73fb68-e01b-11e2-b94a-452948b95ca8_story.html

Many people are upset about the revelations of NSA surveillance, but lost in the attention are the judges of the secret courts who feel that they are reviled without opportunity to explain themselves.
-------------------------------
Bipartisan group of senators urges transparency on phone record surveillance
Ellen Nakashima, The Washington Post, Jun 29, 2013
http://www.washingtonpost.com/world/national-security/bipartisan-group-of-senators-urges-transparency-on-phone-record-surveillance/2013/06/28/c7bfc3c2-e014-11e2-b94a-452948b95ca8_story.html

US Senators of both political parties are asking for disclosure of more information about government communications surveillance.

-------------------------------
Report: Verizon providing all call records to U.S. under court order
Ellen Nakashima, Washington Post, Jun 6, 2013
http://www.washingtonpost.com/world/national-security/verizon-providing-all-call-records-to-us-under-court-order/2013/06/05/98656606-ce47-11e2-8845-d970ccb04497_story.html?tid=ts_carousel

Much of the US population was surprised to learn that information about their phone calls goes directly from their phone provider to government databases.

-------------------------------
Hagel chides China for cyber-espionage
Ernesto Londono
The Washington Post
Jun 1, 2013
http://www.washingtonpost.com/world/hagel-rebukes-china-for-cyber-espionage/2013/06/01/da9c1c6c-ca6f-11e2-9cd9-3b9a22a4000a_story.html

The US Defense Secretary complained about China's attempts to learn US secrets. The complaints preceded Snowden's information about US cyberespionage in Europe.

-------------------------------
U.S. and China to Hold Talks on Hacking
David E. Sanger and Mark Landler
The New York Times, Jun 2, 2013
http://www.nytimes.com/2013/06/02/world/asia/us-and-china-to-hold-talks-on-hacking.html

The talks about cyberattacks were motivated by their economic impact on the US, which Gen. Keith B. Alexander of NSA described as "the greatest transfer of wealth in history." Alexander is a proponent of offensive cyberwarfare.
-------------------------------
Apple's new two factor security system has holes
Julianne Pepitone
CNN Money
May 30, 2013
http://money.cnn.com/2013/05/30/technology/security/apple-security/index.html?source=cnn_bin

Apple's new security system, using passwords and verification codes, provides security for some user interactions with the company, but not the iCloud storage system.

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Richard Austin
7/13/2013
____________________________________________________________________

Linux Malware Incident Response: A Practitioner's Guide to Forensic Collection and Examination of Volatile Data
by Cameron Malin, Eoghan Casey and James Aquilina

Syngress 2013.
ISBN 978-0-12-409507-6
amazon.com USD18.74

As the market profile of Linux systems has continued to grow and as more and more critical applications and valuable data are present on Linux systems, their profile as targets for adversaries has correspondingly increased. And though traditional mass-market malware has not reached the level on Linux systems that it has on other platforms, where there is valuable data, malicious code (e.g., targeted threats) will be sure to follow.

First off, this short book is an excerpt from the forthcoming "Malware Forensics Field Guide for Linux Systems" and only contains the introduction, first chapter and four appendices. Thus, it deals only with the initial stages of malware response: identifying and acquiring potential digital evidence (to use terminology from ISO 27037). However, even this brief (112 pages) glimpse of the final book provides much useful information for the forensic practitioner.

As noted in the introduction, this is a field guide meant to be referenced by the practitioner in the field while performing malware incident response. Theory, background, etc., are only sketched in (though references to other chapters indicate that deeper coverage will be present in the full book). With this terse level of presentation as a goal, the authors ran the real risk of having the text degenerate into yet another tool catalog but avoided it by contextualizing the tools with their function in the overall process and providing criteria for deciding when to choose one tool over another.

Responding to a malware incident commonly involves many tasks that are outside usual forensic practice: acquiring data from running systems, running trusted tools on a live system, etc. This novelty can create challenges when communicating the results of a malware investigation to members of the legal profession. It is not unusual to be told "Good luck on getting that into court!" even by experienced forensic practitioners. This leaves us in rather a "Catch-22" situation as much of the useful information regarding malware is only present on the running system (i.e., it will not be present in, for example, a disk image collected from a halted system). The authors emphasize that good process, solid documentation and trusted tools are key in assuring that the results may be usable in legal proceedings. Appendices 2 and 3 provide great sample forms that help assure that the investigator produces the proper documentation.

Chapter 1 provides a whirlwind overview of the malware incident response process with illustration of the role particular tools (some proprietary and others Open Source) fulfill in acquiring relevant information to support later forensic analysis. To see how things fit together, I found it helpful to diagram the phases of the overall process based on the chapter headings and list the tool choices beneath the relevant phase.

Appendix 4, "Pitfalls to Avoid", provides a concise list of gotchas that have marred many an incident response and will repay careful (and repeated) study.

Even though it is a brief excerpt and contains a frustrating number of "this is explained in chapter x", this is an excellent place to start when preparing a malware incident response process for Linux systems. Readers are assumed to have some familiarity with Linux systems and a good command of the technical aspects of incident response and digital forensics. Definitely a recommended resource to have on your shelf (and in your traveling kit).

--------------------------------------------------
It has been said "Be careful, for writing books is endless, and much study wears you out" so Richard Austin (http://cse.spsu.edu/raustin2) fearlessly samples the wares of the publishing houses and opines as to which might most profitably occupy your scarce reading time. He welcomes your thoughts and comments via raustin at ieee dot org

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

New since Cipher 114:

Department of Computer Science, KU Leuven
Leuven, Belgium
Multiple PhD positions in Secure Software
Announcement closes August 31, 2013
https://distrinet.cs.kuleuven.be/jobs

Full list: http://cisr.nps.edu/jobscipher.html

--------------
This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
====================================================================

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events maintained by Hilarie Orman

Date (Month/Day/Year), Event, Locations, web page for more info.
7/15/13- 7/17/13: DBSEC, 27th Annual IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy, Rutgers University, Newark, NJ, USA; http://dbsec2013.business.rutgers.edu/ 7/16/13: SADFE, 8th International Workshop on Systematic Approaches to Digital Forensics Engineering, Hong Kong; http://conf.ncku.edu.tw/sadfe/sadfe13/; Submissions are due 7/17/13- 7/19/13: VOTE-ID, 4th International Conference on E-voting and Identity, University of Surrey, Guildford, UK; http://www.voteid13.org/ 7/18/13- 7/19/13: DIMVA, 10th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Berlin, Germany, http://www.dimva.org/dimva2013 7/20/13: PROOFS, 2nd International Workshop on Security Proofs for Embedded Systems, Santa Barbara, California, USA; http://www.proofs-workshop.org/; Submissions are due 7/21/13: TClouds 2013 Workshop on Trustworthy Clouds, Co-located with ESORICS 2013, Egham, U.K; http://workshop13.tclouds-project.eu/; Submissions are due 7/22/13: VizSec, 10th International Symposium on Visualization for Cyber Security, Atlanta, GA, USA; http://www.vizsec.org/; Submissions are due 7/22/13: SPSM, 3rd Workshop on Security and Privacy in Smartphones and Mobile Devices, Held in conjunction with the ACM CCS 2013, Berlin, Germany; http://www.spsm-workshop.org/2013/; Submissions are due 7/22/13: TrustED, 3rd International Workshop on Trustworthy Embedded Devices, Collocated with the ACM CCS, 2013, Berlin, Germany; http://trusted.trust.cased.de/; Submissions are due 7/24/13- 7/26/13: SOUPS, Symposium On Usable Privacy and Security, Northumbria University, Newcastle, UK; http://cups.cs.cmu.edu/soups/ 7/24/13- 7/26/13: SOUPS-RISK, Workshop on Risk Perception in IT Security and Privacy, Newcastle, UK; http://cups.cs.cmu.edu/soups/2013/risk.html 7/29/13- 7/31/13: SECRYPT, 10th International Conference on Security and Cryptography, Reykjavik, Iceland; http://secrypt.icete.org 8/ 5/13: NDSS, 21st Annual Network and Distributed 
System Security Symposium, San Diego, California, USA; http://www.internetsociety.org/events/ndss-symposium-2014; Submissions are due 8/14/13- 8/16/13: USENIX-Security, 22nd USENIX Security Symposium, Washington, DC. USA; https://www.usenix.org/conference/usenixsecurity13 8/15/13: ATC, 10th IEEE International Conference on Autonomic and Trusted Computing, Sorrento Peninsula, Italy; http://cse.stfx.ca/~atc2013/; Submissions are due 8/19/13- 8/21/13: WISA, 14th International Workshop on Information Security Applications, Jeju Island, Korea; http://www.wisa.or.kr/ 8/20/13- 8/23/13: CHES, Workshop on Cryptographic Hardware and Embedded Systems, Co-located with the 33rd Annual International Cryptology Conference (CRYPTO 2013), Santa Barbara, California, USA; http://www.chesworkshop.org/ches2013/ 8/24/13: PROOFS, 2nd International Workshop on Security Proofs for Embedded Systems, Santa Barbara, California, USA; http://www.proofs-workshop.org/ 8/30/13- 8/31/13: TGC, 8th International Symposium on Trustworthy Global Computing, Buenos Aires, Argentina; http://sysma.lab.imtlucca.it/tgc2013/ 9/ 2/13- 9/ 6/13: ECTCM, 1st International Workshop on Emerging Cyberthreats and Countermeasures, Co-located with ARES 2013, University Regensburg, Germany; http://www.ectcm.net 9/ 2/13- 9/ 6/13: SeCIHD, 3rd IFIP International Workshop on Security and Cognitive Informatics for Homeland Defense, Held in conjunction with the 8th ARES Conference (ARES 2013), Regensburg, Germany; http://isyou.info/conf/secihd13/ 9/ 6/13: ESSOS, 6th International Symposium on Engineering Secure Software and Systems, Munich, Germany; http://distrinet.cs.kuleuven.be/events/essos/2014/; Submissions are due 9/12/13- 9/13/13: DPM, 8th International Workshop on Data Privacy Management, Held in conjunction with ESORICS 2013, Egham, U.K; http://research.icbnet.ntua.gr/DPM2013/ 9/12/13- 9/13/13: QASA, 2nd International Workshop in Quantitative Aspects in Security Assurance, Held in conjunction with ESORICS 2013, Egham, 
U.K; http://www.iit.cnr.it/qasa2013 9/12/13- 9/13/13: TClouds 2013 Workshop on Trustworthy Clouds, Co-located with ESORICS 2013, Egham, U.K; http://workshop13.tclouds-project.eu/ 9/13/13: SAC-SEC, 29th ACM Symposium on Applied Computing, Computer Security track, Gyeongju, Korea; http://www.dmi.unict.it/~giamp/sac/cfp2014.php; Submissions are due 9/15/13: IFIP119-DF, 10th Annual IFIP WG 11.9 International Conference on Digital Forensics, Vienna University of Technology, Vienna, Austria; http://www.ifip119.org; Submissions are due 9/17/13- 9/18/13: eCrime, 8th IEEE eCrime Researchers Summit, San Francisco, California, USA; http://ecrimeresearch.org/events/eCrime2013/cfp 9/25/13- 9/26/13: CMS, 14th Joint IFIP TC6 and TC11 Conference on Communications and Multimedia Security, Magdeburg, Germany; http://www.cms2013.de 9/25/13- 9/27/13: SECURECOMM, 9th International ICST Conference on Security and Privacy in Communication Networks, Sydney, Australia; http://securecomm.org/2013/ 9/30/13-10/ 2/13: SeTTIT, Workshop on Security Tools and Techniques for Internet of Things, Co-located with the BODYNETS 2013 conference, Boston, Massachusetts, USA; http://settit.bodynets.org/2013/show/home 10/ 4/13: POST, 3rd Conference on Principles of Security and Trust, Grenoble, France; http://www.etaps.org/2014/post-2014; Submissions are due 10/14/13: VizSec, 10th International Symposium on Visualization for Cyber Security, Atlanta, GA, USA; http://www.vizsec.org/ 10/14/13: SafeConfig, 6th Symposium on Security Analytics and Automation, Washington, D.C., USA; http://www.safeconfig.org 10/14/13-10/16/13: CNS, 1st IEEE Conference on Communications and Network Security, Washington D.C., USA; http://www.ieee-cns.org 10/23/13-10/25/13: CRiSIS, 8th International Conference on Risks and Security of Internet and Systems, La Rochelle, France; http://secinfo.msi.unilim.fr/crisis2013/ 11/ 1/13: IEEE Transactions on Reliability, Special Section on Trustworthy Computing; 
http://rs.ieee.org/images/files/newsletters/2013/1_2013/CFP3.htm; Submissions are due 11/ 4/13: TrustED, 3rd International Workshop on Trustworthy Embedded Devices, Collocated with the ACM CCS, 2013, Berlin, Germany; http://trusted.trust.cased.de/ 11/ 4/13-11/ 8/13: CCS, 20th ACM Conference on Computer and Communications Security, Berlin, Germany; http://www.sigsac.org/ccs/CCS2013/ 11/ 8/13: SPSM, 3rd Workshop on Security and Privacy in Smartphones and Mobile Devices, Held in conjunction with the ACM CCS 2013, Berlin, Germany; http://www.spsm-workshop.org/2013/ 11/12/13-11/14/13: HST, 13th annual IEEE Conference on Technologies for Homeland Security, Waltham, Massachusetts, USA; http://www.ieee-hst.org 11/18/13-11/20/13: IWSEC, 8th International Workshop on Security, Okinawaken Shichouson Jichikaikan, Japan; http://www.iwsec.org/2013 11/20/13-11/22/13: ICICS, 15th International Conference on Information and Communications Security, Beijing, China; http://icsd.i2r.a-star.edu.sg/icics2013/ 11/21/13-11/22/13: SADFE, 8th International Workshop on Systematic Approaches to Digital Forensics Engineering, Hong Kong; http://conf.ncku.edu.tw/sadfe/sadfe13/ 11/26/13-11/28/13: SIN, 6th International Conference on Security of Information and Networks, Aksaray, Turkey; http://www.sinconf.org 11/27/13: RFIDsec-Asia, Workshop on RFID and IoT Security, Guangzhou, China; http://www.inscrypt.cn/2013/Inscrypt_2013/CFP-RFIDsecAsia.htm 12/ 9/13-12/13/13: BigSecurity, 1st International Workshop on Security and Privacy in Big Data, Held in conjunction with Globecom 2013, Atlanta, Georgia, USA; http://www.nsp.org.au/CFP/BigSecurity/ 12/18/13-12/21/13: ATC, 10th IEEE International Conference on Autonomic and Trusted Computing, Sorrento Peninsula, Italy; http://cse.stfx.ca/~atc2013/ 1/ 8/14- 1/10/14: IFIP119-DF, 10th Annual IFIP WG 11.9 International Conference on Digital Forensics, Vienna University of Technology, Vienna, Austria; http://www.ifip119.org 2/23/14- 2/26/14: NDSS, 21st Annual 
Network and Distributed System Security Symposium, San Diego, California, USA; http://www.internetsociety.org/events/ndss-symposium-2014 2/26/14- 2/28/14: ESSOS, 6th International Symposium on Engineering Secure Software and Systems, Munich, Germany; http://distrinet.cs.kuleuven.be/events/essos/2014/ 3/24/14- 3/28/14: SAC-SEC, 29th ACM Symposium on Applied Computing, Computer Security track, Gyeongju, Korea; http://www.dmi.unict.it/~giamp/sac/cfp2014.php 4/ 7/14- 4/11/14: POST, 3rd Conference on Principles of Security and Trust, Grenoble, France; http://www.etaps.org/2014/post-2014 ____________________________________________________________________ Journal, Conference and Workshop Calls-for-Papers (new since Cipher E114) ___________________________________________________________________ ------------------------------------------------------------------------- SADFE 2013 8th International Workshop on Systematic Approaches to Digital Forensics Engineering, Hong Kong, November 21-22, 2013. (Submissions due 16 July 2013) http://conf.ncku.edu.tw/sadfe/sadfe13/ We invite you to SADFE-2013, the eighth international conference on Systematic Approaches to Digital Forensic Engineering to be held in Hong Kong, China, November 21-22, 2013. SADFE-2013 investigates the application of digital forensic engineering expertise to advance a variety of goals, including criminal and corporate investigations, as well as documentation of individual and organizational activities. We believe digital forensic engineering is vital to security, the administration of justice and the evolution of culture. We welcome previously unpublished papers on digital forensics, security and preservation as to civil, criminal and national security investigations for use within a court of law, the execution of national policy or to aid in understanding the past and digital knowledge in general. 
Potential topics to be addressed by submissions include, but are not limited to:
 - Digital Data and Evidence Management: advanced digital evidence discovery, collection, management, storage and preservation
 - Digital Evidence, Data Integrity and Analytics: advanced digital evidence and digitized data analysis, correlation, and presentation
 - Forensics of embedded or non-traditional devices (e.g. digicams, cell phones, SCADA, obsolete storage media)
 - Forensic and digital data integrity issues for digital preservation and recovery
 - Scientific Principle-Based Digital Forensic Processes: systematic engineering processes supporting digital evidence management which are sound on scientific, technical and legal grounds
 - Legal, Ethical and Technical Challenges

-------------------------------------------------------------------------
PROOFS 2013 2nd International Workshop on Security Proofs for Embedded Systems, Santa Barbara, California, USA, August 24, 2013. (Submissions due 20 July 2013)
http://www.proofs-workshop.org/

Formal methods are used to increase the confidence level in system designs. They are customarily used for safety and dependability testing. The focus of the PROOFS workshop is the study of formal methods applied at the design stage with a view to preventing implementation-level attacks. As analog devices (random number generation, physically unclonable functions, etc.) are involved in some protection schemes, their experimental security proofs are also emerging as a hot topic.
Thus the workshop welcomes contributions in the following fields: - modelization of the threat - model verification and analysis with mathematical methods - protections, with their formal proof (at algorithmic or at code-level) - cyber-security patterns against viruses and malicious intrusions - resilience approaches to side-channel attacks - resilience approaches to perturbation attacks - resilience approaches to invasive attacks - formal verification of embedded software, at source code or assembly level - formal verification of VLSI designs, at RTL or netlist-level - formal verification of hardware designs of crypto algorithms - formal techniques for malicious circuits detection in embedded system - return on experiment about common criteria certification at EAL6 or EAL7 ------------------------------------------------------------------------- TClouds 2013 Workshop on Trustworthy Clouds, Co-located with ESORICS 2013, Egham, U.K, September 12-13, 2013. (Submissions due 21 July 2013) http://workshop13.tclouds-project.eu/ The workshop aims at bringing together researchers and practitioners working in cryptography, security, and distributed systems, from academia and industry, who are interested in the security and resilience of cloud computing. Security and resilience are widely regarded as a key concern for cloud-service providers, who want to protect their platforms and isolate tenants, as well as for cloud-customers, who want to minimize exposure of their data and computations. The goal is to create a dialogue about common goals and to discuss solutions for security problems in cloud computing, relying on operating system techniques, secure distributed protocols, cryptographic methods, and the trusted computing paradigm. Topics include cryptographic protocols, secure virtualization mechanisms, resilient distributed protocols, privacy and integrity for outsourced data, trusted computing etc. 
------------------------------------------------------------------------- VizSec 2013 10th International Symposium on Visualization for Cyber Security, Atlanta GA, USA, October 14, 2013. (Submissions due 22 July 2013) http://www.vizsec.org/ The 10th International Symposium on Visualization for Cyber Security (VizSec) is a forum that brings together researchers and practitioners from academia, government, and industry to address the needs of the cyber security community through new and insightful visualization and analysis techniques. VizSec will provide an excellent venue for fostering greater exchange and new collaborations on a broad range of security- and privacy-related topics. Important research problems often lie at the intersection of disparate domains. Our focus is to explore effective, scalable visual interfaces for security domains, where visualization may provide a distinct benefit, including computer forensics, reverse engineering, insider threat detection, cryptography, privacy, preventing 'user assisted' attacks, compliance management, wireless security, secure coding, and penetration testing in addition to traditional network security. Human time and attention are precious resources. We are particularly interested in visualization and interaction techniques that effectively capture human analyst insights so that further processing may be handled by machines, freeing the analyst for other tasks. For example, a malware analyst might use a visualization system to analyze a new piece of malicious software and then facilitate generating a signature for future machine processing. When appropriate, research that incorporates multiple data sources, such as network packet captures, firewall rule sets and logs, DNS logs, web server logs, and/or intrusion detection system logs, is particularly desirable. 
------------------------------------------------------------------------- SPSM 2013 3rd Workshop on Security and Privacy in Smartphones and Mobile Devices, Held in conjunction with the ACM CCS 2013, Berlin, Germany, November 8, 2013. (Submissions due 22 July 2013) http://www.spsm-workshop.org/2013/ The SPSM workshop intends to provide a venue for interested researchers and practitioners to get together and exchange ideas. The workshop will deepen our understanding of various security and privacy issues on smartphones. As with the two very well received previous editions, the topics of interest to SPSM 2013 include (but are not limited to) the following subject categories: - Device/hardware security - OS/Middleware security - Application security - Authenticating users to devices and services - Mobile Web Browsers - Usability - Privacy - Rogue application detection and recovery - Vulnerability detection and remediation - Secure application development - Cloud support for mobile security ------------------------------------------------------------------------- TrustED 2013 3rd International Workshop on Trustworthy Embedded Devices, Collocated with the ACM CCS 2013, Berlin, Germany, November 4, 2013. (Submissions due 22 July 2013) http://trusted.trust.cased.de/ In this workshop we consider selected aspects of cyber physical systems and their environments. We aim to bring together experts from academia, research institutions, industry, and government to discuss problems, challenges, and some recent scientific and technological developments in this field. In particular, we are keenly interested in the participation of industry representatives. 
The workshop topics include, but are not limited to: - embedded system security - privacy aspects of embedded systems (e.g., medical devices, electronic IDs) - physical and logical convergence (e.g., secure and privacy-preserving facility management) - hardware entangled cryptography - foundation, development, and applications of physical security primitives (e.g., physical unclonable functions - PUFs) - remote attestation - IP protection for embedded systems - reverse engineering - secure execution environments (e.g., TrustZone, TPMs) on mobile devices - new protection paradigms for trustworthy embedded systems ------------------------------------------------------------------------- NDSS 2014 21st Annual Network and Distributed System Security Symposium, San Diego, California, USA, February 23-26, 2014. (Submissions due 5 August 2013) http://www.internetsociety.org/events/ndss-symposium-2014 The Network and Distributed System Security Symposium fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available network and distributed systems security technologies. 
Submissions are solicited in, but not limited to, the following areas: - Anti-malware techniques: detection, analysis, and prevention - Combating cyber-crime: anti-phishing, anti-spam, anti-fraud techniques - Future Internet architecture and design - High-availability wired and wireless networks - Implementation, deployment and management of network security policies - Integrating security in Internet protocols: routing, naming, network management - Intellectual property protection: protocols, implementations, metering, watermarking, digital rights management - Intrusion prevention, detection, and response - Privacy and anonymity technologies - Public key infrastructures, key management, certification, and revocation - Special problems and case studies: e.g., tradeoffs between security and efficiency, usability, reliability and cost - Security for collaborative applications: teleconferencing and video-conferencing - Security for cloud computing - Security for emerging technologies: sensor/wireless/mobile/personal networks and systems - Security for future home networks, Internet of Things, body-area networks - Security for large-scale systems and critical infrastructures (e.g., electronic voting, smart grid) - Security for peer-to-peer and overlay network systems - Security for Vehicular Ad-hoc Networks (VANETs) - Security of Web-based applications and services - Trustworthy Computing mechanisms to secure network protocols and distributed systems - Usable security and privacy ------------------------------------------------------------------------- ATC 2013 10th IEEE International Conference on Autonomic and Trusted Computing, Sorrento Peninsula, Italy, December 18-21, 2013. (Submissions due 15 August 2013) http://cse.stfx.ca/~atc2013/ Computing systems including hardware, software, communication, and networks are growing towards an ever-increasing scale and heterogeneity, becoming overly complex. 
Such complexity is getting even more critical with the ubiquitous permeation of embedded devices and other pervasive systems. To cope with the growing and ubiquitous complexity, Autonomic Computing (AC) focuses on self-manageable computing and communication systems that exhibit self-awareness, self-configuration, self-optimization, self-healing, self-protection and other self-x operations to the maximum extent possible without human intervention or guidance. Organic Computing (OC) additionally addresses adaptivity, robustness, and controlled emergence as well as nature-inspired concepts for self-organization. Any autonomic or organic system must be trustworthy to avoid the risk of losing control and retain confidence that the system will not fail. Trust and/or distrust relationships in the Internet and in pervasive infrastructures are key factors to enable dynamic interaction and cooperation of various users, systems, and services. Trusted/Trustworthy Computing (TC) aims at making computing and communication systems as well as services available, predictable, traceable, controllable, assessable, sustainable, dependable, persistent, security/privacy protectable, etc. ATC 2013 will offer a forum for researchers to exchange ideas and experiences in the most innovative research and development in these challenging areas and includes all technical aspects related to autonomic/organic computing (AC/OC) and trusted computing (TC). ------------------------------------------------------------------------- ESSOS 2014 6th International Symposium on Engineering Secure Software and Systems, Munich, Germany, February 26-28, 2014. (Submissions due 6 September 2013) http://distrinet.cs.kuleuven.be/events/essos/2014/ Trustworthy, secure software is a core ingredient of the modern world. So is the Internet. Hostile, networked environments, like the Internet, can allow vulnerabilities in software to be exploited from anywhere. 
To address this, high-quality security building blocks (e.g., cryptographic components) are necessary, but insufficient. Indeed, the construction of secure software is challenging because of the complexity of modern applications, the growing sophistication of security requirements, the multitude of available software technologies and the progress of attack vectors. Clearly, a strong need exists for engineering techniques that scale well and that demonstrably improve the software's security properties. The Symposium seeks submissions on subjects related to its goals. This includes a diversity of topics including (but not limited to): - scalable techniques for threat modeling and analysis of vulnerabilities - specification and management of security requirements and policies - security architecture and design for software and systems - model checking for security - specification formalisms for security artifacts - verification techniques for security properties - systematic support for security best practices - security testing - security assurance cases - programming paradigms, models and DSL's for security - program rewriting techniques - processes for the development of secure software and systems - security-oriented software reconfiguration and evolution - security measurement - automated development - trade-off between security and other non-functional requirements (in particular economic considerations) - support for assurance, certification and accreditation - empirical secure software engineering - security by design ------------------------------------------------------------------------- SAC-SEC 2014 29th ACM Symposium on Applied Computing, Computer Security track, Gyeongju, Korea, March 24-28, 2014. 
(Submissions due 13 September 2013) http://www.dmi.unict.it/~giamp/sac/cfp2014.php For the past twenty-eight years, the ACM Symposium on Applied Computing has been a primary gathering forum for applied computer scientists, computer engineers, software engineers, and application developers from around the world. The Security Track reaches its thirteenth edition this year, thus appearing among the most established tracks in the Symposium. The list of issues remains vast, ranging from protocols to work-flows. Topics of interest include but are not limited to: - software security (protocols, operating systems, etc.) - hardware security (smartcards, biometric technologies, etc.) - mobile security (properties for/from mobile agents, etc.) - network security (anti-DoS tools, firewalls, real-time monitoring, mobile networks, sensor networks, etc.) - alternatives to cryptography (steganography, etc.) - security-specific software development practices (vulnerability testing, fault-injection resilience, etc.) - privacy and anonymity (trust management, pseudonymity, identity management, electronic voting, etc.) - safety and dependability issues (reliability, survivability, etc.) - cyberlaw and cybercrime (copyrights, trademarks, defamation, intellectual property, etc.) - security management and usability issues (security configuration, policy management, usability trials etc.) - workflow and service security (business processes, web services, etc.) - security in cloud computing and virtualised environments ------------------------------------------------------------------------- IFIP119-DF 2014 10th Annual IFIP WG 11.9 International Conference on Digital Forensics, Vienna University of Technology, Vienna, Austria, January 8-10, 2014. 
(Submissions due 15 September 2013) http://www.ifip119.org The IFIP Working Group 11.9 on Digital Forensics (www.ifip119.org) is an active international community of scientists, engineers and practitioners dedicated to advancing the state of the art of research and practice in digital forensics. The Tenth Annual IFIP WG 11.9 International Conference on Digital Forensics will provide a forum for presenting original, unpublished research results and innovative ideas related to the extraction, analysis and preservation of all forms of electronic evidence. Papers and panel proposals are solicited. All submissions will be refereed by a program committee comprising members of the Working Group. Papers and panel submissions will be selected based on their technical merit and relevance to IFIP WG 11.9. The conference will be limited to approximately sixty participants to facilitate interactions between researchers and intense discussions of critical research issues. Technical papers are solicited in all areas related to the theory and practice of digital forensics. Areas of special interest include, but are not limited to: - Theories, techniques and tools for extracting, analyzing and preserving digital evidence - Network and cloud forensics - Embedded device forensics - Digital forensic processes and workflow models - Digital forensic case studies - Legal, ethical and policy issues related to digital forensics ------------------------------------------------------------------------- POST 2014 3rd Conference on Principles of Security and Trust, Grenoble, France, April 7-11, 2014. (Submissions due 4 October 2013) http://www.etaps.org/2014/post-2014 Principles of Security and Trust is a broad forum related to the theoretical and foundational aspects of security and trust. Papers of many kinds are welcome: new theoretical results, practical applications of existing foundational ideas, and innovative theoretical approaches stimulated by pressing practical problems. 
We seek submissions proposing theories to clarify security and trust within computer science; submissions establishing new results in existing theories; and also submissions raising fundamental concerns about existing theories. We welcome new techniques and tools to automate reasoning within such theories, or to solve security and trust problems. Case studies that reflect the strengths and limitations of foundational approaches are also welcome, as are more exploratory presentations on open questions. Areas of interest include: - Access control - Anonymity - Authentication - Availability - Cloud security - Confidentiality - Covert channels - Crypto foundations - Economic issues - Information flow - Integrity - Languages for security - Malicious code - Mobile code - Models and policies - Privacy - Provenance - Reputation and trust - Resource usage - Risk assessment - Security architectures - Security protocols - Trust management - Web service security ------------------------------------------------------------------------- IEEE Transactions on Reliability, Special Section on Trustworthy Computing, 2014, (Submission Due 1 November 2013) http://rs.ieee.org/images/files/newsletters/2013/1_2013/CFP3.htm Editors: Shiuhpyng Winston Shieh (National Chiao Tung University, Taiwan) Trustworthy Computing (TC) has been applied to software-enabled computing systems and networks that are inherently secure, private, available, and reliable. As the fast growing mobile cloud computing emerges to cover smart phones, tablets, smart TV, and cloud computing platforms, these ubiquitous computing devices pose new challenges to trustworthy computing. Cloud computing offers organizations of all sizes the ability to embrace and implement new applications at far less cost than traditional approaches. Organizations that move workloads to the cloud take advantage of the capabilities of their cloud providers to ensure continuous availability of services.
However, the ever-growing complexity of such systems and the software that controls them not only makes it much more difficult to guarantee their quality, but also introduces more vulnerability for malicious attacks, intrusion, and data loss. To address these needs, this special section calls for novel applications of emerging techniques for trustworthy computing of information, software, systems, networks. Reviews and case studies which address state-of-art research and state-of-practice industry experiences are also welcomed. The topics of interest include, but are not limited to: - Security, reliability, privacy, and availability issues in computing systems and networks - Trustworthy computing in small or large systems, such as mobile devices, embedded systems, cloud computing platforms, and internet of things - Information, system, and software assurance - Auditing, verification, validation - Security testing, evaluation, and measurement - Data protection, maintenance, recovery, and risk assessment - Authentication, authorization, access control, and accounting - Penetration analysis, intrusion detection and prevention - Malware behavior analysis, and software vulnerability discovery - Hardware techniques facilitating trustworthy computing, such as Trusted Platform Module (TPM) - Trustworthy operating systems and applications - Cloud Computing - Mobile Computing - Software defined networking (SDN) - Cryptographic techniques ------------------------------------------------------------------------- ==================================================================== Information on the Technical Committee on Security and Privacy ==================================================================== ____________________________________________________________________ Information for Subscribers and Contributors ____________________________________________________________________ SUBSCRIPTIONS: Two options, each with two options: 1. 
To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe". OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself) 2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard". OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself) To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. 
For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors. ____________________________________________________________________ Recent Address Changes ____________________________________________________________________ Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html _____________________________________________________________________ How to become a member of the IEEE Computer Society's TC on Security and Privacy _____________________________________________________________________ You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at https://www.ieee.org/membership-catalog/productdetail/showProductDetailPage.html?product=CMYSP728 ______________________________________________________________________ TC Publications for Sale ______________________________________________________________________ IEEE Security and Privacy Symposium The 2010 hardcopy proceedings are available at $25 each. The DVD with all technical papers from all years of the SP Symposium and the CSF Symposium (through 2009) is $10, plus shipping and handling. The 2009 hardcopy proceedings are not available. The DVD with all technical papers from all years of the SP Symposium and the CSF Symposium is $5, plus shipping and handling. The 2008 hardcopy proceedings are $10 plus shipping and handling; the 29 year CD is $5.00, plus shipping and handling. The 2007 proceedings are available in hardcopy for $10.00, the 28 year CD is $5.00, plus shipping and handling. The 2006 Symposium proceedings and 11-year CD are sold out.
The 2005, 2004, and 2003 Symposium proceedings are available for $10 plus shipping and handling. Shipping is $5.00/volume within the US, overseas surface mail is $8/volume, and overseas airmail is $14/volume, based on an order of 3 volumes or less. The shipping charge for a CD is $3 per CD (no charge if included with a hard copy order). Send a check made out to the IEEE Symposium on Security and Privacy to the 2011 treasurer (below) with the order description, including shipping method and shipping address. Robin Sommer Treasurer, IEEE Symposium Security and Privacy 2011 International Computer Science Institute Center for Internet Research 1947 Center St., Suite 600 Berkeley, CA 94704 USA oakland11-treasurer@ieee-security.org IEEE CS Press You may order some back issues from IEEE CS Press at http://www.computer.org/cspress/catalog/proc9.htm Computer Security Foundations Symposium Copies of the proceedings of the Computer Security Foundations Workshop (now Symposium) are available for $10 each. Copies of proceedings are available starting with year 10 (1997). Photocopy versions of year 1 are also $10. Contact Jonathan Herzog if interested in purchase. 
Jonathan Herzog jherzog@alum.mit.edu
____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________

Chair:
Sven Dietrich
Department of Computer Science
Stevens Institute of Technology
+1 201 216 8078
spock AT cs.stevens.edu

Security and Privacy Symposium Chair Emeritus:
Robin Sommer
http://www.icir.org/robin

Vice Chair:
Patrick McDaniel
Computer Science and Engineering
Pennsylvania State University
360 A IST Building
University Park, PA 16802
(814) 863-3599
mcdaniel@cse.psu.edu

Treasurer:
Yong Guan
3219 Coover Hall
Department of Electrical and Computer Engineering
Iowa State University, Ames, IA 50011
(515) 294-8378
yguan (at) iastate.edu

Newsletter Editor and TC Awards Chair:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2014 Chair:
Greg Shannon
CERT

________________________________________________________________________
BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year