Electronic CIPHER, Issue 116, September 22, 2013

============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 116                                     September 22, 2013

Hilarie Orman, Editor                        Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org            cipher-assoc-editor @ ieee-security.org

Richard Austin                               Yong Guan
Book Review Editor                           Calendar Editor
cipher-bookrev @ ieee-security.org           cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:

* Letter from the Editor
* News
  o Noted Security Pioneers Honored
  o The NSA Is Building the Country's Biggest Spy Center (Watch What You Say)
  o Revealed: how US and UK spy agencies defeat internet privacy and security
  o RSA Security tells customers to drop NSA-related encryption algorithm
  o The US Launched 231 Cyberattacks in 2011
  o Tens of thousands of Yahoo accounts accessed by US government this year
  o Google races to encrypt data
* Commentary and Opinion
  o Richard Austin's review of "The Practice of Network Security Monitoring:
    Understanding Incident Detection and Response" by Richard Bejtlich
* List of Computer Security Academic Positions, by Cynthia Irvine
* Conference and Workshop Announcements
  o Calendar
  o Upcoming calls-for-papers and events
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

This is the time of year when security researchers around the world
choose which of their stellar projects will be submitted for
consideration for the Security and Privacy Symposium. The deadline for
papers is in November (see the Calendar for details). The number of
papers submitted to the program committee keeps increasing, and the
symposium has responded by accepting a few more papers each year. The
program now stands at 3 full days. The program chairs have emphasized
that the program has room for "risky" papers, as well as the solid,
deeply researched, and well-accepted research that is the hallmark of
the event.

The first round of workshop proposals for SPW, the workshops of
Security and Privacy, are now in hand, and the program committee is
considering them. Next year the workshop program will probably expand
yet again, and it will move to a new timeslot on the weekend preceding
the research symposium. The new venue for both events will be San
Jose, California.

The revelations from Edward Snowden continue to dominate security
news, and the fallout just keeps going wider. We have several news items
related to this, and we also note that much of the information was
revealed over a year ago in the magazine Wired in an article by James
Bamford.

This month we have a book review from Richard Austin on the subject of
network security monitoring, something that is of crucial importance
in a world in which so many cybersecurity measures are weak or
undermined.

For Halloween, I'm dressing as an NSA encryption suite,

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
News Briefs
====================================================================

Noted Security Pioneers Honored
http://www.cybersecurityhalloffame.com/

The Cyber Security Hall of Fame recently announced its "Hall of Fame
Class of 2013".
The honorees are David E. Bell, Jim Bidzos, Eugene Spafford, James
Anderson, and Willis Ware.

------------------------------------------------------------------------

The NSA Is Building the Country's Biggest Spy Center (Watch What You Say)
http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter
Wired Magazine
by James Bamford
March 15, 2012

As previously noted in Cipher, NSA is building a huge data center in
Bluffdale, Utah. This article, published over a year ago, seems to
foreshadow the revelations of Snowden's disclosures, as well as other
developments at Oak Ridge. Bamford states: "According to another top
official also involved with the program, the NSA made an enormous
breakthrough several years ago in its ability to cryptanalyze, or
break, unfathomably complex encryption systems employed by not only
governments around the world but also many average computer users in
the US."

------------------------------------------------------------------------

Revealed: how US and UK spy agencies defeat internet privacy and security
http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security
The Guardian Weekly
by James Ball, Julian Borger and Glenn Greenwald
5 September 2013

The NSA's efforts to intercept and read Internet traffic on a massive
scale are further detailed in this article. Cooperating technology
providers insert weaknesses into products and security standards for
protected communications. Ordinary customers are described in NSA
documents as "adversaries".

------------------------------------------------------------------------

Deliberately flawed? RSA Security tells customers to drop NSA-related
encryption algorithm
http://rt.com/usa/nsa-weak-cryptography-rsa-110
RT.com
September 20, 2013

The company RSA, a long-time supplier of cryptographic software, issued
an advisory to its customers to stop using the default pseudo-random
number generator.
The algorithm in question is based on elliptic curves over finite
fields, and it is unclear why RSA used it as its default algorithm.
There is speculation that the NSA promoted use of the method because
they knew that its weaknesses would make it easier to decrypt data used
by RSA customers.

------------------------------------------------------------------------

Google races to encrypt data
http://www.washingtonpost.com/business/technology/google-encrypts-data-amid-backlash-against-nsa-spying/2013/09/06/9acc3c20-1722-11e3-a2ec-b47e45e6f8ef_story.html
The Washington Post
by Craig Timberg
September 6, 2013

Google accelerated the pace of its project to encrypt its
infrastructure communication in the light of the US surveillance of
Internet traffic and its use of Google data to investigate activities
of US citizens. While acknowledging that the measures would not
eliminate the surveillance, Google seeks to make mass dragnets more
difficult.

------------------------------------------------------------------------

U.S. spy agencies mounted 231 offensive cyber-operations in 2011,
documents show
http://www.washingtonpost.com/world/national-security/us-spy-agencies-mounted-231-offensive-cyber-operations-in-2011-documents-show/2013/08/30/d090a6ae-119e-11e3-b4cb-fd7ce041d814_story.html
The Washington Post
by Barton Gellman and Ellen Nakashima
August 30, 2013

According to the recently revealed "Black Budget" of the US government
spy agencies, nearly three-quarters of the 231 offensive operations
conducted in 2011 were against top-priority targets (e.g., China and
North Korea) and activities such as nuclear proliferation.

------------------------------------------------------------------------

Yahoo says U.S. sought data on 40,332 user accounts in 2013
http://www.washingtonpost.com/business/technology/yahoo-says-us-sought-data-on-40332-user-accounts-in-2013/2013/09/06/be304008-1718-11e3-804b-d3a1a3a18f2c_story.html
The Washington Post
Sep 6, 2013
by Hayley Tsukayama

The Internet company Yahoo released some information about the number
of requests for data about its users that it received from the US
government thus far in 2013. Of the 12,444 requests covering 40,322
users, only 2 per cent were rejected by the company.

------------------------------------------------------------------------

News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference
reports are archived at
http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Richard Austin
9/16/2013

The Practice of Network Security Monitoring: Understanding Incident
Detection and Response
by Richard Bejtlich
____________________________________________________________________
No Starch Press 2013.
ISBN 978-1-59237-509-9
amazon.com USD 29.97
Table of Contents: http://nostarch.com/nsm#toc

Have you ever thought that there has to be a way to harvest the
information present in network traffic (both patterns and content) to
defend computer-based assets?
Richard Bejtlich has previously written two books that introduced
"network security monitoring" (or NSM), showing the value of paying
just as much attention to traffic leaving a network as to the traffic
entering it:

  The Tao of Network Security Monitoring
  http://www.ieee-security.org/Cipher/BookReviews/2004/Bejtlich_by_bruen.html

  Extrusion Detection
  http://www.ieee-security.org/Cipher/BookReviews/2006/Bejtlich2_by_austin.html

His third and latest book takes the practice of NSM ("the collection,
analysis and escalation of indications and warnings to detect and
respond to intrusions", p. 1) to a new level through an open source
toolset that you can easily run on your network and put through its
paces.

Bejtlich bases his presentation on the Open Source SecurityOnion Linux
distribution (http://securityonion.blogspot.com/), which has the Open
Source NSM tools already installed, with canned configuration scripts
to get the tools running on your network with a minimum of fuss and
bother. As your humble correspondent can attest, by following the
detailed instructions in Parts I and II of the book, you can set up a
functioning NSM platform that will allow you to follow along with the
rest of the book and also provide useful information about what is
happening on your networks.

With your SecurityOnion installation up and running, Part III of the
book walks through the tools (both command line and GUI) with detailed
instructions and copious annotated illustrations. While many tools
will be familiar, presenting them in an overall NSM-centric context
provides a sense of how the puzzle pieces and their capabilities work
together to provide visibility into happenings within your networks.

Part IV examines "NSM in Action", beginning with a solid overview of
how a well-functioning CIRT operates. I particularly recommend his
taxonomy of "Intrusion Categories" (Figure 9-5) to your consideration.
Bejtlich then examines in detail how the tools work together by taking
a detailed look at both a server-side and a client-side compromise.
This is where the rubber meets the road, and it demonstrates the
author's deep knowledge and experience of how intruders operate and
the traces their actions leave in the network data. I would almost
recommend that you skim this section before reading the entire book to
get a sense of the power and insight that NSM can bring to your
organization's efforts to monitor and defend its networks.

Bejtlich is a master of his craft and also possesses the rare gift of
being able to share his knowledge in a comprehensible way. This book
demonstrates how NSM can be implemented using freely available Open
Source tools and should inspire even wider adoption of the Tao.

This book is focused on tools and targeted at technical professionals.
Managerially focused readers should definitely read Chapter 9, "NSM
Operations", for a masterful overview of the processes governing
security incident response operations. As Bejtlich makes only too
clear, gathering relevant data and transforming it into actionable
information is a meaningless activity unless there is an
organizational process to make use of it.

My sincere hope is that you will: buy this book; read this book; do as
this book recommends.

----------------------------------

It has been said "Be careful, for writing books is endless, and much
study wears you out" so Richard Austin (http://cse.spsu.edu/raustin2)
fearlessly samples the wares of the publishing houses and opines as to
which might most profitably occupy your scarce reading time.
He welcomes your thoughts and comments via raustin at ieee dot org

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html

--------------

This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like
to have it included on this page, send the following information:
Institution, City, State, Position title, date position announcement
closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
====================================================================

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Date (Month/Day/Year), Event, Locations, web page for more info.
 9/25/13- 9/26/13: CMS, 14th Joint IFIP TC6 and TC11 Conference on
        Communications and Multimedia Security, Magdeburg, Germany;
        http://www.cms2013.de
 9/25/13- 9/27/13: SECURECOMM, 9th International ICST Conference on
        Security and Privacy in Communication Networks, Sydney, Australia;
        http://securecomm.org/2013/
 9/30/13: IFIP119-DF, 10th Annual IFIP WG 11.9 International Conference
        on Digital Forensics, Vienna University of Technology, Vienna,
        Austria; http://www.ifip119.org; Submissions are due
 9/30/13: Elsevier Journal of Information Security and Applications,
        Special Issue on Threat Detection, Analysis and Defense;
        http://www.journals.elsevier.com/journal-of-information-security-and-applications/call-for-papers/special-issue-on-threat-detection-analysis-and-defense/;
        Submissions are due
 9/30/13-10/ 2/13: SeTTIT, Workshop on Security Tools and Techniques for
        Internet of Things, Co-located with the BODYNETS 2013 conference,
        Boston, Massachusetts, USA; http://settit.bodynets.org/2013/show/home
10/ 4/13: POST, 3rd Conference on Principles of Security and Trust,
        Grenoble, France; http://www.etaps.org/2014/post-2014;
        Submissions are due
10/14/13: VizSec, 10th International Symposium on Visualization for Cyber
        Security, Atlanta, GA, USA; http://www.vizsec.org/
10/14/13: SafeConfig, 6th Symposium on Security Analytics and Automation,
        Washington, D.C., USA; http://www.safeconfig.org
10/14/13-10/16/13: CNS, 1st IEEE Conference on Communications and Network
        Security, Washington D.C., USA; http://www.ieee-cns.org
10/23/13-10/25/13: CRiSIS, 8th International Conference on Risks and
        Security of Internet and Systems, La Rochelle, France;
        http://secinfo.msi.unilim.fr/crisis2013/
11/ 1/13: IEEE Transactions on Reliability, Special Section on Trustworthy
        Computing; http://rs.ieee.org/images/files/newsletters/2013/1_2013/CFP3.htm;
        Submissions are due
11/ 4/13: TrustED, 3rd International Workshop on Trustworthy Embedded
        Devices, Collocated with the ACM CCS, 2013, Berlin, Germany;
        http://trusted.trust.cased.de/
11/ 4/13: SESOC, 6th International Workshop on Security and Social
        Networking, Held in conjunction with PerCom 2014, Budapest,
        Hungary; http://www.sesoc.org; Submissions are due
11/ 4/13-11/ 8/13: CCS, 20th ACM Conference on Computer and Communications
        Security, Berlin, Germany; http://www.sigsac.org/ccs/CCS2013/
11/ 8/13: HotSoS, Symposium and Bootcamp on the Science of Security,
        Raleigh, North Carolina, USA;
        http://www.csc2.ncsu.edu/conferences/hotsos; Submissions are due
11/ 8/13: SPSM, 3rd Workshop on Security and Privacy in Smartphones and
        Mobile Devices, Held in conjunction with the ACM CCS 2013, Berlin,
        Germany; http://www.spsm-workshop.org/2013/
11/12/13-11/14/13: HST, 13th annual IEEE Conference on Technologies for
        Homeland Security, Waltham, Massachusetts, USA;
        http://www.ieee-hst.org
11/13/13: SP, 35th IEEE Symposium on Security and Privacy, San Jose, CA,
        USA; http://www.ieee-security.org/TC/SP2014/cfp.html;
        Submissions are due
11/15/13: Elsevier Computers & Electrical Engineering, Special Issue on
        Recent Advances in Security and Privacy in Distributed
        Communications;
        http://www.journals.elsevier.com/computers-and-electrical-engineering/call-for-papers/security-and-privacy-in-distributed-communications/;
        Submissions are due
11/18/13-11/20/13: IWSEC, 8th International Workshop on Security,
        Okinawaken Shichouson Jichikaikan, Japan; http://www.iwsec.org/2013
11/20/13-11/22/13: ICICS, 15th International Conference on Information
        and Communications Security, Beijing, China;
        http://icsd.i2r.a-star.edu.sg/icics2013/
11/21/13-11/22/13: SADFE, 8th International Workshop on Systematic
        Approaches to Digital Forensics Engineering, Hong Kong;
        http://conf.ncku.edu.tw/sadfe/sadfe13/
11/26/13-11/28/13: SIN, 6th International Conference on Security of
        Information and Networks, Aksaray, Turkey; http://www.sinconf.org
11/27/13: RFIDsec-Asia, Workshop on RFID and IoT Security, Guangzhou,
        China; http://www.inscrypt.cn/2013/Inscrypt_2013/CFP-RFIDsecAsia.htm
12/ 9/13-12/13/13: BigSecurity, 1st International Workshop on Security
        and Privacy in Big Data, Held in conjunction with Globecom 2013,
        Atlanta, Georgia, USA; http://www.nsp.org.au/CFP/BigSecurity/
12/15/13: IEEE Computers, Special Issue on Methodologies and Solutions for
        Mobile Application Security;
        http://www.computer.org/portal/web/computingnow/cocfp6;
        Submissions are due
12/15/13: Journal of Cyber Security and Mobility, Special issue on Next
        generation mobility network security;
        http://www.ee.columbia.edu/~roger/call.pdf; Submissions are due
12/18/13-12/21/13: ATC, 10th IEEE International Conference on Autonomic
        and Trusted Computing, Sorrento Peninsula, Italy;
        http://cse.stfx.ca/~atc2013/
 1/ 8/14- 1/10/14: IFIP119-DF, 10th Annual IFIP WG 11.9 International
        Conference on Digital Forensics, Vienna University of Technology,
        Vienna, Austria; http://www.ifip119.org
 2/23/14- 2/26/14: NDSS, 21st Annual Network and Distributed System
        Security Symposium, San Diego, California, USA;
        http://www.internetsociety.org/events/ndss-symposium-2014
 2/26/14- 2/28/14: ESSOS, 6th International Symposium on Engineering
        Secure Software and Systems, Munich, Germany;
        http://distrinet.cs.kuleuven.be/events/essos/2014/
 3/24/14: SESOC, 6th International Workshop on Security and Social
        Networking, Held in conjunction with PerCom 2014, Budapest,
        Hungary; http://www.sesoc.org
 3/24/14- 3/28/14: SAC-SEC, 29th ACM Symposium on Applied Computing,
        Computer Security track, Gyeongju, Korea;
        http://www.dmi.unict.it/~giamp/sac/cfp2014.php
 4/ 7/14- 4/11/14: POST, 3rd Conference on Principles of Security and
        Trust, Grenoble, France; http://www.etaps.org/2014/post-2014
 4/ 8/14- 4/ 9/14: HotSoS, Symposium and Bootcamp on the Science of
        Security, Raleigh, North Carolina, USA;
        http://www.csc2.ncsu.edu/conferences/hotsos
 5/18/14- 5/21/14: SP, 35th IEEE Symposium on Security and Privacy, San
        Jose, CA, USA; http://www.ieee-security.org/TC/SP2014/cfp.html

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers (new since Cipher E115)
___________________________________________________________________

IFIP119-DF 2014
10th Annual IFIP WG 11.9 International Conference on Digital Forensics,
Vienna University of Technology, Vienna, Austria, January 8-10, 2014.
(Submissions due 30 September 2013)
http://www.ifip119.org

The IFIP Working Group 11.9 on Digital Forensics (www.ifip119.org) is
an active international community of scientists, engineers and
practitioners dedicated to advancing the state of the art of research
and practice in digital forensics. The Tenth Annual IFIP WG 11.9
International Conference on Digital Forensics will provide a forum for
presenting original, unpublished research results and innovative ideas
related to the extraction, analysis and preservation of all forms of
electronic evidence. Papers and panel proposals are solicited. All
submissions will be refereed by a program committee comprising members
of the Working Group. Papers and panel submissions will be selected
based on their technical merit and relevance to IFIP WG 11.9. The
conference will be limited to approximately sixty participants to
facilitate interactions between researchers and intense discussions of
critical research issues. Technical papers are solicited in all areas
related to the theory and practice of digital forensics.
Areas of special interest include, but are not limited to:
- Theories, techniques and tools for extracting, analyzing and
  preserving digital evidence
- Network and cloud forensics
- Embedded device forensics
- Digital forensic processes and workflow models
- Digital forensic case studies
- Legal, ethical and policy issues related to digital forensics

-------------------------------------------------------------------------

Elsevier Journal of Information Security and Applications, Special Issue
on Threat Detection, Analysis and Defense, July 2014,
(Submission Due 30 September 2013)
http://www.journals.elsevier.com/journal-of-information-security-and-applications/call-for-papers/special-issue-on-threat-detection-analysis-and-defense/
Editors: Alan Woodward (Charteris plc, United Kingdom), Konrad Rieck
(University of Gottingen, Germany), Andrew Rogoyski (Roke Manor
Research Ltd, United Kingdom), and Shujun Li (University of Surrey,
United Kingdom)

The majority of organizations in the commercial and government sectors
now use digital Information Technology (IT) to store and process data
that is sensitive in some way. Sensitive data ranges from individuals'
confidential details to valuable intellectual property to market
sensitive information or even state secrets. At the same time, the
commercialization of the Internet in the mid-1990s has resulted in the
Internet becoming the de facto electronic channel over which
organizations now interact with each other. Even where systems are not
directly connected to the Internet, there are often indirect channels
being inadvertently created to reach apparently disconnected systems.
The increase in connectivity has brought about new threats, and that
threat continues to evolve as connectivity evolves with developments
such as mobile devices.
This special issue is intended to bring forth the recent advancements
in the detection, modeling, monitoring, analysis and defense of various
threats posed to sensitive data and security systems from unauthorized
or other inappropriate access. Areas to be covered include but are not
limited to:
- Monitoring - Novel tools and techniques for monitoring mounting
  threats including monitoring of ongoing attacks
- Detection solutions - Innovations in the detection of intrusion,
  malware and its activity, including post-attack forensics on secure
  devices
- Infrastructure - Improvements in network traffic security analysis
  for identification of threats
- Threat modelling - Advances in the tools, technologies and processes
  used in anticipating attacks and understanding what assets it is most
  important to protect
- Emergent problems - New threats resulting from new business models
  for transfer of value, from gold-farming to Paypal, or new forms of
  payment such as Bitcoin
- Security designs - Innovations in security architectures, approaches
  and systems responding to specific emerging threats

-------------------------------------------------------------------------

POST 2014
3rd Conference on Principles of Security and Trust, Grenoble, France,
April 7-11, 2014. (Submissions due 4 October 2013)
http://www.etaps.org/2014/post-2014

Principles of Security and Trust is a broad forum related to the
theoretical and foundational aspects of security and trust. Papers of
many kinds are welcome: new theoretical results, practical applications
of existing foundational ideas, and innovative theoretical approaches
stimulated by pressing practical problems. We seek submissions
proposing theories to clarify security and trust within computer
science; submissions establishing new results in existing theories; and
also submissions raising fundamental concerns about existing theories.
We welcome new techniques and tools to automate reasoning within such
theories, or to solve security and trust problems. Case studies that
reflect the strengths and limitations of foundational approaches are
also welcome, as are more exploratory presentations on open questions.
Areas of interest include:
- Access control
- Anonymity
- Authentication
- Availability
- Cloud security
- Confidentiality
- Covert channels
- Crypto foundations
- Economic issues
- Information flow
- Integrity
- Languages for security
- Malicious code
- Mobile code
- Models and policies
- Privacy
- Provenance
- Reputation and trust
- Resource usage
- Risk assessment
- Security architectures
- Security protocols
- Trust management
- Web service security

-------------------------------------------------------------------------

IEEE Transactions on Reliability, Special Section on Trustworthy
Computing, 2014, (Submission Due 1 November 2013)
http://rs.ieee.org/images/files/newsletters/2013/1_2013/CFP3.htm
Editors: Shiuhpyng Winston Shieh (National Chiao Tung University, Taiwan)

Trustworthy Computing (TC) has been applied to software-enabled
computing systems and networks that are inherently secure, private,
available, and reliable. As the fast growing mobile cloud computing
emerges to cover smart phones, tablets, smart TV, and cloud computing
platforms, these ubiquitous computing devices pose new challenges to
trustworthy computing. Cloud computing offers organizations of all
sizes the ability to embrace and implement new applications at far less
cost than traditional approaches. Organizations that move workloads to
the cloud take advantage of the capabilities of their cloud providers
to ensure continuous availability of services. However, the
ever-growing complexity of such systems and the software that controls
them not only makes it much more difficult to guarantee their quality,
but also introduces more vulnerability to malicious attacks, intrusion,
and data loss.
To address these needs, this special section calls for novel
applications of emerging techniques for trustworthy computing of
information, software, systems, and networks. Reviews and case studies
which address state-of-art research and state-of-practice industry
experiences are also welcomed. The topics of interest include, but are
not limited to:
- Security, reliability, privacy, and availability issues in computing
  systems and networks
- Trustworthy computing in small or large systems, such as mobile
  devices, embedded systems, cloud computing platforms, and internet of
  things
- Information, system, and software assurance
- Auditing, verification, validation
- Security testing, evaluation, and measurement
- Data protection, maintenance, recovery, and risk assessment
- Authentication, authorization, access control, and accounting
- Penetration analysis, intrusion detection and prevention
- Malware behavior analysis, and software vulnerability discovery
- Hardware techniques facilitating trustworthy computing, such as
  Trusted Platform Module (TPM)
- Trustworthy operating systems and applications
- Cloud Computing
- Mobile Computing
- Software defined networking (SDN)
- Cryptographic techniques

-------------------------------------------------------------------------

SESOC 2014
6th International Workshop on Security and Social Networking, Held in
conjunction with PerCom 2014, Budapest, Hungary, March 24, 2014.
(Submissions due 4 November 2013)
http://www.sesoc.org

The number of profiles on Social Networking Services, like Facebook,
Google-Plus, Snapchat, or Twitter, has grown to account for a third of
the world's population. Acting as convenient link collections and
(group) communication media, they have evolved into central hubs for Web
browsing and Internet use.
Encouraging their subscribers to publish self-descriptive and
user-generated content, usually covering topics, events, and opinions
corresponding to their personal environment, these services have become
collections of highly detailed profiles of their users. A paramount
paradigm change is a near to perfect identifiability of their
subscribers, who are forced to register using their clear names,
instead of the pseudonyms or throwaway accounts of previous forums. The
extent of information gathered about their subscribers additionally
allows the providers to check the credibility of the chosen handles and
even re-identify users who have chosen pseudonyms. While SNS previously
have largely been walled gardens, the current development sees an
extending integration with the conventional Web. This both opens their
content and interaction functions to become a social layer, and allows
the providers to even better track their users' behavior and activities
on the Web. The subscribers additionally increasingly use their mobile
applications, thus exposing even their whereabouts and communication
patterns beyond their activities on the Web. These services, while
offering extensive chances for enhanced communication between their
subscribers, raise entirely new privacy concerns. They hence require
new reflections on security goals and services, and a revisiting of
previously seemingly well understood solutions for confidentiality,
trust establishment, key management, or cooperation enforcement. The
aim of SESOC 2014 hence is to encompass research advances in all areas
of security, trust and privacy in pervasive communication systems with
a special focus on the social aspects of the services.

-------------------------------------------------------------------------

HotSoS 2014
Symposium and Bootcamp on the Science of Security, Raleigh, North
Carolina, USA, April 8-9, 2014. (Submissions due 8 November 2013)
http://www.csc2.ncsu.edu/conferences/hotsos

Security has been intensively studied; however, previous research has
often emphasized the engineering of specific solutions and attacks
without developing the scientific understanding of the problem domain.
All too often, security research focuses on responding to specific
threats in an apparently ad hoc manner. The motivation behind the
nascent Science of Security is to understand how computing systems are
architected, built, used, and maintained with a view to understanding
and addressing security challenges systematically across their life
cycle. In particular, two features distinguish the Science of Security
from other research programs on security: scope and approach.
- Scope: The Science of Security considers not just computational
  artifacts, but incorporates the human, social, and organizational
  aspects of computing within its purview.
- Approach: The Science of Security takes a decidedly scientific
  approach, based on the understanding of empirical evaluation and
  theoretical foundations as developed in the natural and social
  sciences, but adapted as appropriate for the artificial science (in
  Herb Simon's term) that is computing.

-------------------------------------------------------------------------

SP 2014
35th IEEE Symposium on Security and Privacy, San Jose, CA, USA,
May 18-21, 2014. (Submissions due 13 November 2013)
http://www.ieee-security.org/TC/SP2014/cfp.html

Since 1980, the IEEE Symposium on Security and Privacy has been the
premier forum for computer security research, presenting the latest
developments and bringing together researchers and practitioners. We
solicit previously unpublished papers offering novel research
contributions in any aspect of security or privacy. Papers may present
advances in the theory, design, implementation, analysis, verification,
or empirical evaluation and measurement of secure systems.
Topics of interest include:
- Access control
- Accountability
- Anonymity
- Application security
- Attacks and defenses
- Authentication
- Censorship and censorship-resistance
- Distributed systems security
- Embedded systems security
- Forensics
- Hardware security
- Intrusion detection
- Malware
- Metrics
- Mobile security and privacy
- Language-based security
- Network security
- Privacy-preserving systems
- Protocol security
- Secure information flow
- Security and privacy policies
- Security architectures
- System security
- Usable security and privacy
- Web security and privacy

This topic list is not meant to be exhaustive; S&P is interested in all aspects of computer security and privacy. Papers without a clear application to security or privacy, however, will be considered out of scope and may be rejected without full review. Given the rapidly expanding and maturing security and privacy community, we hope to increase the acceptance rate of papers that are more "far-reaching" and "risky," as long as those papers also show sufficient promise for creating interesting discussions and questioning widely-held beliefs.

Systematization of Knowledge Papers: Following the success of the previous year's conferences, we are also soliciting papers focused on systematization of knowledge (SoK). The goal of this call is to encourage work that evaluates, systematizes, and contextualizes existing knowledge. These papers can provide a high value to our community but may not be accepted because of a lack of novel research contributions. Suitable papers include survey papers that provide useful perspectives on major research areas, papers that support or challenge long-held beliefs with compelling evidence, or papers that provide an extensive and realistic evaluation of competing approaches to solving specific problems.
Submissions are encouraged to analyze the current research landscape: identify areas that have enjoyed much research attention, point out open areas with unsolved challenges, and present a prioritization that can guide researchers to make progress on solving important challenges. Submissions will be distinguished by the prefix "SoK:" in the title and a checkbox on the submission form. They will be reviewed by the full PC and held to the same standards as traditional research papers, except that instead of emphasizing novel research contributions the emphasis will be on value to the community. Accepted papers will be presented at the symposium and included in the proceedings.

-------------------------------------------------------------------------
Elsevier Computers & Electrical Engineering, Special Issue on Recent Advances in Security and Privacy in Distributed Communications, June 2014.
(Submission Due 15 November 2013)
http://www.journals.elsevier.com/computers-and-electrical-engineering/call-for-papers/security-and-privacy-in-distributed-communications/
Editors: Felix Gomez Marmol (NEC Laboratories Europe, Germany), Jose M. Alcaraz Calero (University of the West of Scotland, United Kingdom), and Gregorio Martinez Perez (University of Murcia, Spain)

Security services need to be considered as part of most communication proposals being discussed nowadays in distributed communication environments. Additionally, in the last few years, privacy has been gaining interest from both the designers and the customers of security solutions, and is now considered a key aspect for them. For a good security and/or privacy design, one needs to be informed of the latest advances in this field, which is the main objective of this special issue.
This special issue is intended to report the most recent research works on distributed communications related to security and privacy, particularly in the following fields:
- Anonymity
- Authentication
- Authorization and access control
- Critical Infrastructure Protection (CIP)
- Cybersecurity and cyberwarfare
- Data integrity and protection
- Data security and data privacy
- Dependability of cloud systems
- Identity management
- Intrusion detection and prevention
- End-to-end security solutions
- Privacy enhancing technologies
- Risk analysis and management
- Secure and private data storage and processing in the cloud
- Security policies
- Threats and vulnerabilities
- Trust and reputation management in distributed scenarios

-------------------------------------------------------------------------
IEEE Computers, Special Issue on Methodologies and Solutions for Mobile Application Security, June 2014.
(Submission Due 15 December 2013)
http://www.computer.org/portal/web/computingnow/cocfp6
Editors: Ying-Dar Lin (National Chiao Tung University, Hsinchu, Taiwan), Chun-Ying Huang (National Taiwan Ocean University, Taiwan), Matthew Wright (University of Texas at Arlington), and Georgios Kambourakis (University of the Aegean, Greece)

With the ubiquitous use of mobile devices, mobile application security has become an important research topic. Compared with personal computers or servers, mobile devices store much more sensitive personal information and are thus attractive targets for attackers seeking financial gain. Because these devices are always online and have a restricted user interface, it is easier for attackers to hide their malicious activities. This special issue aims to present high-quality articles describing security algorithms, protocols, policies, and frameworks for applications running on modern mobile platforms such as Android, iOS, and Windows Mobile.
Only submissions describing previously unpublished, original, state-of-the-art research that are not currently under review by a conference or journal will be considered. Appropriate topics include, but are not limited to, the following:
- app and app store security and privacy
- benchmarking and evaluation of mobile security solutions
- bots on mobile devices
- cloud security and privacy, as related to mobile devices
- mobile device forensics
- security and privacy in mobile device operating systems and middleware
- mobile malware collection, statistics, and analysis
- mobile services and social networking security
- reverse engineering and automated analysis of mobile malware
- security for smart payment applications, including near-field communication
- standardization efforts related to developing and vetting mobile apps
- testbeds and case studies for mobile platforms
- traffic monitoring and detection algorithms for mobile platforms
- usability of approaches for mobile security and privacy
- virtualization solutions for mobile security
- Web browser security on mobile devices

-------------------------------------------------------------------------
Journal of Cyber Security and Mobility, Special Issue on Next Generation Mobility Network Security, July 2014.
(Submission Due 15 December 2013)
http://www.ee.columbia.edu/~roger/call.pdf
Editor: Roger Piqueras Jover (AT&T Security Research Center)

Long Term Evolution (LTE) is the newly adopted standard technology to offer enhanced capacity and coverage for mobility networks, providing advanced multimedia services beyond traditional voice and short messaging traffic for billions of users. This new cellular communication system introduces a substantial redesign of the network architecture, resulting in the new eUTRAN (Enhanced Universal Terrestrial Radio Access Network) and the EPC (Enhanced Packet Core).
In this context, the LTE Radio Access Network (RAN) is built upon a redesigned physical layer based on Orthogonal Frequency Division Multiple Access (OFDMA) modulation; it features robust performance in challenging multipath environments and substantially improves capacity. Moreover, a new all-IP core architecture is designed to be more flexible and flatter. In parallel, the cyber-security landscape has changed drastically over the last few years. It is now characterized by large-scale security threats such as massive Distributed Denial of Service (DDoS) attacks, the advent of the Advanced Persistent Threat (APT), and the surge of mobile malware and fraud. These new threats illustrate the importance of strengthening the resiliency of mobility networks against security attacks, thereby ensuring full mobility network availability. In this context, however, the scale of the threat is no longer the key element, and traditionally overlooked low-range threats, such as radio jamming, should also be included in security studies. This special issue of the Journal of Cyber Security and Mobility addresses research advances in mobility threats and new security applications/architectures for next generation mobility networks.
The main topics of interest of this issue include, but are not limited to, the following:
- LTE RAN security
- OFDM/OFDMA radio jamming
- Secure wireless communications under malicious interference/jamming
- Mobility security threats based on interoperability with legacy networks
- LTE EPC security
- Mobile malware/botnet impact on RAN/EPC
- Femtocell security threats
- Detection of attacks against mobility networks
- Self Organizing Network (SON) security applications
- WiFi-cellular interoperability threats and security
- Mobile device baseband security

-------------------------------------------------------------------------

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".

   OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL
http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at
https://www.ieee.org/membership-catalog/productdetail/showProductDetailPage.html?product=CMYSP728

______________________________________________________________________
TC Publications for Sale
______________________________________________________________________

The proceedings of previous conferences are available from the Computer Society's Digital Library.

IEEE Security and Privacy Symposium
IEEE CS Press

____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________

Chair:
Sven Dietrich
Department of Computer Science
Stevens Institute of Technology
+1 201 216 8078
spock AT cs.stevens.edu

Security and Privacy Symposium Chair Emeritus:
Robin Sommer
http://www.icir.org/robin

Vice Chair:
Patrick McDaniel
Computer Science and Engineering
Pennsylvania State University
360 A IST Building
University Park, PA 16802
(814) 863-3599
mcdaniel@cse.psu.edu

Treasurer:
Yong Guan
3219 Coover Hall
Department of Electrical and Computer Engineering
Iowa State University, Ames, IA 50011
(515) 294-8378
yguan (at) iastate.edu

Newsletter Editor and TC Awards Chair:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2014 Chair:
Greg Shannon
CERT
oakland14-chair@ieee-security.org

________________________________________________________________________
BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year