============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 117                                    November 19, 2013

Hilarie Orman, Editor                      Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org          cipher-assoc-editor @ ieee-security.org

Richard Austin                             Yong Guan
Book Review Editor                         Calendar Editor
cipher-bookrev @ ieee-security.org         cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:

* Letter from the Editor
* Commentary and Opinion
  o Richard Austin's review of "Cyber War Will Not Take Place" by Thomas Rid
  o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
* From the News
  o CIA Buys Call Data from AT&T
  o Yahoo to encrypt data center traffic
  o Microsoft considering data center traffic encryption
  o UK diverts Internet traffic
  o Lavabit founder explains what he's learned
  o Computer scientists not totally clueless on passwords
  o US documents authorizing email surveillance released
  o No early end to US phone surveillance
* List of Computer Security Academic Positions, by Cynthia Irvine
* Conference and Workshop Announcements
  o Calendar of events
  o Upcoming calls-for-papers
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

Awaiting the onset
of winter, I am sending this year-end issue of Cipher as the deadline for papers for the 2014 Security and Privacy Symposium recedes into the past. This means that the program committee can warm themselves by feasting on the technical content of the finest security research on the planet, readying a stellar program for next May in San Jose, California.

Our book reviewer Richard Austin takes us further afield than is his usual wont by tackling a book about the fundamental notions of war and how they do or do not apply to the cyber realm. This may seem esoteric, but at some future time we may well have to decide when a cyber attack warrants a physical response. Will the public be educated enough to understand the issues amidst rhetoric?

As for the news, there seems no end to the Snowden revelations, and the technology underlying government surveillance seems as interesting and varied as the Internet itself. What hath NSA wrought?

People who transmit on glass fibers shouldn't get stoned, and have Happy Feasts and Festivals,

Hilarie Orman

====================================================================
Commentary and Opinion
====================================================================

____________________________________________________________________
Book Review By Richard Austin
November 16, 2013
____________________________________________________________________

Cyber War Will Not Take Place
by Thomas Rid
Oxford 2013.
ISBN 978-0-19-933063-8
amazon.com USD 18.38
Table of Contents: http://global.oup.com/academic/product/cyber-war-will-not-take-place-9780199330638?cc=us&lang=en&tab=toc

It is difficult to find a media outlet these days that doesn't contain multiple assurances that cyber warfare is a widespread phenomenon on the Internet, with consequences ranging from loss of intellectual property to interference with critical industries.
Nations are racing each other to develop cyber warfare capabilities to inflict/counter these phenomena, and private organizations are wondering how they can deal effectively with their becoming targets in this global "cyber war". Rid takes a step back and asserts that a cyber-war is not in progress and may even be impossible.

Before getting into Rid's argument, one might wonder why it even matters. War is a terrible phenomenon where the usual rules of civil conduct are thrown out the figurative window and behaviors that are normally reprehensible become commonplace and even admirable. A visit to any commemorative cemetery or historical battlefield will graphically remind one that war is a horrible thing that must be avoided until the last extremity of national need. Applying the label of "war" inappropriately may be the first step onto a slippery slope leading to an awful (and perhaps unintended) destination.

But at the same time, "war" is an amorphous concept, even though humanity has routinely practiced its arts throughout history. Consider, for example, where one would draw the lines between crime, acts of terror and an overtly aggressive act by a nation state? Even the US military acknowledges this notional swamp in its term "operations other than war (OOTW)". Factor in the cyber world and the confusion grows exponentially. Malware aims at a panoply of effects ranging from ransomware to credential stealing to exfiltration of intellectual property to real-world effects (e.g., StuxNet). Where does one draw the line between crimeware and cyber-weapon? Which malware effects would trigger a nation state's right of self-defense? Are there times when destructive real-world effects would constitute a crime rather than an act of war?

Rid tackles these issues head-on by opening the book with a discussion of "What is Cyber War?" He proposes Clausewitz's tripartite definition of war: violence, instrumentality, and political nature.
To constitute an act of war, the act must be violent - "potentially or actually lethal, at least for some participants on at least one side" (p. 1). Notice that people don't necessarily have to suffer harm; the threat of harm is sufficient to qualify as violence. Instrumentality implies that there is a purpose or means to an end. This turns the well-known attribution problem on its head (at least as far as war is concerned). If Agrivona* and Eurya* have a national dispute over issue X, and Eurya launches a violent cyber-attack against its adversary, Agrivona must in no uncertain terms know that Eurya is behind the attack or it will not understand that if it accedes to Eurya's position, no further attacks will occur. Finally, there must be a political purpose (political in the sense of serving national policy on an issue). While one could certainly quarrel about the specifics of Rid's definition, it does clearly define the criteria that distinguish an act of war from espionage or random violence.

Rid then explores the critical concept of "violence" (specifically, "instrumental violence, violence administered (or threatened) in the service of a political purpose", p. 21). If an attack is not "violent" then it cannot be an act of war. Violence in the cyber realm is rather distinct from violence in the physical realm. For example, a hand-grenade is in and of itself "violent" (its detonation creates both direct physical effects and scatters shrapnel over a wide area). However, a cyber-weapon cannot be physically destructive in the same way - it can only create violence indirectly (or parasitically) by exploiting the violence already potential in a system (p. 13f). Thus, cyber-weapons can only affect systems controlled by other systems (e.g., a cyber-weapon could destabilize a control process to cause a machine to exceed its safe operating parameters and "self-destruct" in some way).
Any violence done to people as the result of the cyber-attack is actually caused by the targeted system, not the weapon itself. This indirect nature of cyber-violence gives rise to the second difference - cyber-violence has less of an emotional impact (p. 17). Continuing with the earlier analogy, hurling a hand grenade into a crowd produces a greater emotional impact (think news headlines) than a cyber-mediated explosion at a chemical plant even though the latter likely produced more human casualties. Lastly, instruments of cyber-violence have little symbolic value - compare the symbolic impact of an aircraft carrier battle group to the possibility that a StuxNet-II exists somewhere (p. 19f). These limitations impose significant challenges for cyber-weapons' ability to produce sufficient violence to qualify as weapons-of-war.

Rid then explores another concept lacking in precise definition: weapon. For example, a hammer is both a useful tool (for driving nails or accidentally smashing one's finger while driving nails) and a potential weapon (perhaps specialized as a mace). To distinguish these different use cases, he defines "weapon" as "a tool that is used, or designed to be used, with the aim of threatening or causing physical, functional or mental harm to structures, systems or living things" (p. 37). Note the essential requirement of potential violence in this definition. This definition is immediately useful in distinguishing attacks that might trigger a nation's right of self-defense from activities such as espionage (e.g., exfiltration of valuable intellectual property) that do not.

With the definitions firmly established, Rid then explores the use cases of sabotage (undermining the intended function of a system) and espionage (clandestine pilfering of information). He notes that while sabotage might potentially qualify in terms of violence, instrumentality and political intent as "war", espionage does not.
Rid then turns his attention to an area where cyber techniques have clear advantages: subversion. When the intent is to effect "regime change", a critical task is to undermine confidence in the sitting government. This is an area where cyber techniques' stealthy nature and ability to interfere with information infrastructure are clear advantages. If a government cannot protect its official websites, assure critical services (electricity, water), etc., in the face of a subversive movement's cyber actions, the populace may well begin to consider the movement's call for change in a much more positive light.

As Rid draws his discussion to a close, he reviews the "attribution problem" or how actions in the cyber realm are tied to the actor responsible for them. As noted earlier, with acts of war, it is in the actor's best political (or policy) interest that their responsibility for the action be clearly known without doubt. However, when dealing with acts of espionage, the actor's benefit lies in their responsibility being concealed in a fog of plausible deniability.

The final chapter, aptly titled "Beyond Cyber War", is a call to move the discussion beyond graphic, one-size-fits-all analogies such as "Cyber Pearl Harbor" or "Cyber Hiroshima" to a more nuanced discussion that recognizes the spectrum of potential actions in cyberspace and tailors policy and technical responses appropriately.

This is a disturbing book about an uncomfortable subject, but it is an important topic for the practicing security professional. Applying the label of "war" inappropriately produces bad policy decisions - on the one hand, it absolves the private sector of responsibility (contracts commonly include indemnity for "acts of war") while on the other, it encourages inappropriate responses. Many will find Rid's definitions and arguments controversial but his definitions and well-referenced reasoning bring clarity to what has been a fractious and murky debate.
Highly recommended for your consideration.

*Note: Agrivona and Eurya are fictional country names generated by http://nine.frenchboys.net/country.php

_______________________________________________________________________
It has been said "Be careful, for writing books is endless, and much study wears you out" so Richard Austin (http://cse.spsu.edu/raustin2) fearlessly samples the wares of the publishing houses and opines as to which might most profitably occupy your scarce reading time. He welcomes your thoughts and comments via raustin at ieee dot org
_______________________________________________________________________

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

====================================================================
News Briefs
====================================================================

-------------------------------------------------------------------
C.I.A. Is Said to Pay AT&T for Call Data
http://www.nytimes.com/2013/11/07/us/cia-is-said-to-pay-att-for-call-data.html?hp&_r=0
By Charlie Savage
November 7, 2013

The CIA, which has no authority to spy on US citizens, purchases data about their international calls from AT&T. The company has declined to comment on the program.

-------------------------------------------------------------------
Yahoo to encrypt internal data
http://arstechnica.com/information-technology/2013/11/yahoo-will-encrypt-between-data-centers-use-ssl-for-all-sites/
Ars Technica
by Sean Gallagher
Nov 18, 2013

"Yahoo will encrypt between data centers, use SSL for all sites. CEO Marissa Mayer promises Yahoo will be locked down by March 2014." This claim follows on the heels of revelations by Edward Snowden that Yahoo is a large information source for the NSA.
-------------------------------------------------------------------
Microsoft late to the data center encryption party
http://arstechnica.com/security/2013/11/we-still-dont-encrypt-server-to-server-data-admits-microsoft/
Ars Technica
by Chris Baraniuk, wired.co.uk
Nov 14, 2013

'We still don't encrypt server-to-server data,' admits Microsoft. "This is why we are currently reviewing our security system." These remarks came in testimony to a European parliamentary committee. In the same meeting, a Google representative noted that Google has not completed encrypting all of its communication lines.

-------------------------------------------------------------------
UK diverts Internet traffic to government servers
http://arstechnica.com/tech-policy/2013/11/uk-spies-continue-quantum-insert-attack-via-linkedin-slashdot-pages/
Ars Technica
by Cyrus Farivar
Nov 10, 2013

The German newspaper "Der Spiegel" reports "UK spies continue 'quantum insert' attack via LinkedIn and Slashdot pages. Targets included engineers at Global Roaming Exchange providers and OPEC." The attack relies on having government-controlled servers that can respond more quickly than the real servers. The attack seems to depend on known vulnerabilities in name lookups (DNS) [Ed. "Secure" DNS, which took nearly 20 years to get traction, was meant to prevent these attacks].

-------------------------------------------------------------------
Op-ed: Lavabit's founder responds to cryptographer's criticism
http://arstechnica.com/security/2013/11/op-ed-lavabits-founder-responds-to-cryptographers-criticism/
Ars Technica
by Ladar Levison
Nov 7, 2013

"Ladar Levison, who shut down his secure email service under US government pressure, has learned a lot." His vision was protection for email "at rest" in a way that would make government search warrants useless. Instead, he got hit with a demand for the system's "data in transit" keys, implying a network surveillance capability that caught him unawares.
-------------------------------------------------------------------
Computer Scientists Not Totally Clueless About Passwords
http://arstechnica.com/security/2013/11/its-official-computer-scientists-pick-stronger-passwords/
Ars Technica
by Dan Goodin
Nov 8, 2013

"It's official: Computer scientists pick stronger passwords. Landmark study says people in business school choose weakest passwords." While it seems unsurprising that computer scientists, on the average, choose slightly better passwords than their peers in the arts, it is surprising that those in the arts surpass those in business school. Apparently the profit motive is insufficient.

-------------------------------------------------------------------
Latest Release of Documents on N.S.A. Includes 2004 Ruling on Email Surveillance
http://www.nytimes.com/2013/11/19/us/latest-release-of-documents-on-nsa-includes-2004-ruling-on-email-surveillance.html?hp&_r=0
NYTimes.com
By Charlie Savage and James Risen
November 18, 2013

A response to a Freedom of Information Act lawsuit, filed by the ACLU and the EFF, reveals that the secret Foreign Intelligence Surveillance Court approved the massive collection of Americans' email contents during the Bush administration. The Obama administration has declassified nearly 2000 pages of information about surveillance operations.

-------------------------------------------------------------------
Supreme Court allows NSA to continue looking at telephone records for now
http://www.cnn.com/2013/11/18/politics/supreme-court-nsa-phone-records/index.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+rss%2Fcnn_allpolitics+%28RSS%3A+Politics%29
CNN.Com
By Bill Mears, CNN Supreme Court Producer
November 18, 2013

A move by the Electronic Privacy Information Center (EPIC) to have the US Supreme Court intervene to stop surveillance of US phone communications records was denied on Monday. The petition claimed that the surveillance was illegal.
The case may still be heard, but the program will not stop while awaiting that hearing.

-------------------------------------------------------------------
News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html

New: Posted Oct 2013
Department of Computer Science, TU Darmstadt
Darmstadt, Germany
Multiple Ph.D. and PostDoc positions in Mobile Software Security and Security Engineering
Application deadline for all positions: 08 Nov 2013. However, applications will be considered until the positions are filled.
http://www.mais.informatik.tu-darmstadt.de/Positions.html

--------------
This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

11/18/13-11/20/13: IWSEC, 8th International Workshop on Security, Okinawaken Shichouson Jichikaikan, Japan; http://www.iwsec.org/2013
11/20/13-11/22/13: ICICS, 15th International Conference on Information and Communications Security, Beijing, China; http://icsd.i2r.a-star.edu.sg/icics2013/
11/21/13-11/22/13: SADFE, 8th International Workshop on Systematic Approaches to Digital Forensics Engineering, Hong Kong; http://conf.ncku.edu.tw/sadfe/sadfe13/
11/26/13-11/28/13: SIN, 6th International Conference on Security of Information and Networks, Aksaray, Turkey; http://www.sinconf.org
11/27/13: RFIDsec-Asia, Workshop on RFID and IoT Security, Guangzhou, China; http://www.inscrypt.cn/2013/Inscrypt_2013/CFP-RFIDsecAsia.htm
12/ 9/13-12/13/13: BigSecurity, 1st International Workshop on Security and Privacy in Big Data, Held in conjunction with Globecom 2013, Atlanta, Georgia, USA; http://www.nsp.org.au/CFP/BigSecurity/
12/15/13: IEEE Computers, Special Issue on Methodologies and Solutions for Mobile Application Security; http://www.computer.org/portal/web/computingnow/cocfp6; Submissions are due
12/15/13: Journal of Cyber Security and Mobility, Special issue on Next generation mobility network security; http://www.ee.columbia.edu/~roger/call.pdf; Submissions are due
12/15/13: COSADE, 5th International Workshop on Constructive Side-Channel Analysis and Secure Design, Paris, France; http://www.cosade.org; Submissions are due
12/18/13-12/21/13: ATC, 10th IEEE International Conference on Autonomic and Trusted Computing, Sorrento Peninsula, Italy; http://cse.stfx.ca/~atc2013/
 1/ 1/14: IEEE Security and Privacy Magazine, Special Issue on Security for Energy Sector Control Systems; http://www.computer.org/portal/web/computingnow/spcfp6; Submissions are due
 1/ 8/14- 1/10/14: IFIP119-DF, 10th Annual IFIP WG 11.9 International Conference on Digital Forensics, Vienna University of Technology, Vienna, Austria; http://www.ifip119.org
 1/20/14: IFIP-SEC, 29th IFIP TC-11 SEC 2014 International Conference ICT Systems Security and Privacy Protection, Marrakech, Morocco; http://www.ensa.ac.ma/sec2014/; Submissions are due
 2/ 8/14: DIMVA, 11th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Royal Holloway London, Egham, UK; http://www.dimva.org/dimva2014; Submissions are due
 2/23/14- 2/26/14: NDSS, 21st Annual Network and Distributed System Security Symposium, San Diego, California, USA; http://www.internetsociety.org/events/ndss-symposium-2014
 2/26/14- 2/28/14: ESSOS, 6th International Symposium on Engineering Secure Software and Systems, Munich, Germany; http://distrinet.cs.kuleuven.be/events/essos/2014/
 3/ 1/14: RFIDSec, 10th Workshop on RFID Security, Co-located with ACM WiSec 2014, Oxford, United Kingdom; http://rfidsec2014.cis.uab.edu/; Submissions are due
 3/ 3/14: WiSec, 7th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Oxford, United Kingdom; http://www.sigsac.org/wisec/WiSec2014/; Submissions are due
 3/ 7/14: WISTP, 8th Workshop in Information Security Theory and Practice, Heraklion, Greece; http://www.wistp.org/; Submissions are due
 3/24/14: SESOC, 6th International Workshop on Security and Social Networking, Held in conjunction with PerCom 2014, Budapest, Hungary; http://www.sesoc.org
 3/24/14- 3/28/14: SAC-SEC, 29th ACM Symposium on Applied Computing, Computer Security track, Gyeongju, Korea; http://www.dmi.unict.it/~giamp/sac/cfp2014.php
 4/ 7/14- 4/11/14: POST, 3rd Conference on Principles of Security and Trust, Grenoble, France; http://www.etaps.org/2014/post-2014
 4/ 8/14- 4/ 9/14: HotSoS, Symposium and Bootcamp on the Science of Security, Raleigh, North Carolina, USA; http://www.csc2.ncsu.edu/conferences/hotsos
 4/14/14- 4/15/14: COSADE, 5th International Workshop on Constructive Side-Channel Analysis and Secure Design, Paris, France; http://www.cosade.org
 5/18/14- 5/21/14: SP, 35th IEEE Symposium on Security and Privacy, San Jose, CA, USA; http://www.ieee-security.org/TC/SP2014/cfp.html
 6/ 2/14- 6/ 4/14: IFIP-SEC, 29th IFIP TC-11 SEC 2014 International Conference ICT Systems Security and Privacy
Protection, Marrakech, Morocco; http://www.ensa.ac.ma/sec2014/
 6/23/14- 6/25/14: WISTP, 8th Workshop in Information Security Theory and Practice, Heraklion, Greece; http://www.wistp.org/
 7/10/14- 7/11/14: DIMVA, 11th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Royal Holloway London, Egham, UK; http://www.dimva.org/dimva2014
 7/21/14- 7/23/14: RFIDSec, 10th Workshop on RFID Security, Co-located with ACM WiSec 2014, Oxford, United Kingdom; http://rfidsec2014.cis.uab.edu/
 7/21/14- 7/25/14: WiSec, 7th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Oxford, United Kingdom; http://www.sigsac.org/wisec/WiSec2014/

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers (new since Cipher E116)
___________________________________________________________________

------------------------------------------------------------------------
IEEE Computers, Special Issue on Methodologies and Solutions for Mobile Application Security, June 2014, (Submission Due 15 December 2013)
http://www.computer.org/portal/web/computingnow/cocfp6
Editors: Ying-Dar Lin (National Chiao Tung University, Hsinchu, Taiwan), Chun-Ying Huang (National Taiwan Ocean University, Taiwan), Matthew Wright (University of Texas at Arlington), and Georgios Kambourakis (University of the Aegean, Greece)

With the ubiquitous use of mobile devices, mobile application security has become an important research topic. Compared with personal computers or servers, mobile devices store much more sensitive personal information and are thus attractive targets for attackers seeking financial gain. Because these devices are always online and have a restricted user interface, it is easier for attackers to hide their malicious activities.
This special issue aims to present high-quality articles describing security algorithms, protocols, policies, and frameworks for applications running on modern mobile platforms such as Android, iOS, and Windows Mobile. Only submissions describing previously unpublished, original, state-of-the-art research that are not currently under review by a conference or journal will be considered. Appropriate topics include, but are not limited to, the following:

- app and app store security and privacy
- benchmarking and evaluation of mobile security solutions
- bots on mobile devices
- cloud security and privacy, as related to mobile devices
- mobile device forensics
- security and privacy in mobile device operating systems and middleware
- mobile malware collection, statistics, and analysis
- mobile services and social networking security
- reverse engineering and automated analysis of mobile malware
- security for smart payment applications, including near-field communication
- standardization efforts related to developing and vetting mobile apps
- testbeds and case studies for mobile platforms
- traffic monitoring and detection algorithms for mobile platforms
- usability of approaches for mobile security and privacy
- virtualization solutions for mobile security
- Web browser security on mobile devices

-------------------------------------------------------------------------
Journal of Cyber Security and Mobility, Special issue on Next generation mobility network security, July 2014, (Submission Due 15 December 2013)
http://www.ee.columbia.edu/~roger/call.pdf
Editor: Roger Piqueras Jover (AT&T Security Research Center)

The Long Term Evolution (LTE) is the newly adopted standard technology to offer enhanced capacity and coverage for mobility networks, providing advanced multimedia services beyond traditional voice and short messaging traffic for billions of users.
This new cellular communication system introduces a substantial redesign of the network architecture resulting in the new eUTRAN (Enhanced Universal Terrestrial Radio Access Network) and the EPC (Enhanced Packet Core). In this context, the LTE Radio Access Network (RAN), built upon a redesigned physical layer and based on Orthogonal Frequency Division Multiple Access (OFDMA) modulation, features robust performance in challenging multipath environments and substantially improves capacity. Moreover, a new all-IP core architecture is designed to be more flexible and flatter.

In parallel, the cyber-security landscape has changed drastically over the last few years. It is now characterized by large scale security threats such as massive Distributed Denial of Service Attacks (DDoS), the advent of the Advanced Persistent Threat (APT) and the surge of mobile malware and fraud. These new threats illustrate the importance of strengthening the resiliency of mobility networks against security attacks, ensuring in this way full mobility network availability. In this context, however, the scale of the threat is not the key element anymore, and traditionally overlooked low range threats, such as radio jamming, should also be included in security studies.

This special issue of the Journal of Cyber Security and Mobility addresses research advances in mobility threats and new security applications/architectures for next generation mobility networks.
The main topics of interest of this issue include, but are not limited to, the following:

- LTE RAN security
- OFDM/OFDMA radio jamming
- Secure wireless communications under malicious interference/jamming
- Mobility security threats based on interoperability with legacy networks
- LTE EPC security
- Mobile malware/botnet impact on RAN/EPC
- Femtocell security threats
- Detection of attacks against mobility networks
- Self Organizing Network (SON) security applications
- WiFi-cellular interoperability threats and security
- Mobile device baseband security

-------------------------------------------------------------------------
COSADE 2014
5th International Workshop on Constructive Side-Channel Analysis and Secure Design, Paris, France, April 14-15, 2014. (Submission Due 15 December 2013)
http://www.cosade.org

Side-channel analysis (SCA) and implementation attacks have become an important field of research at universities and in the industry. In order to enhance the resistance of cryptographic and security critical implementations within the design phase, constructive attacks and analyzing techniques may serve as a quality metric to optimize the design and development process. Since 2010, COSADE has provided an international platform for researchers, academics, and industry participants to present their work and their current research topics. It is an excellent opportunity to exchange on new results with international experts and to initiate new collaborations and information exchange at a professional level. The workshop will feature both invited presentations and contributed talks.
The topics of COSADE 2014 include, but are not limited to:

- Constructive side-channel analysis and implementation attacks
- Semi-invasive, invasive and fault attacks
- Leakage models and security models for side-channel analysis
- Cache-attacks and micro-architectural analysis
- Decapsulation and preparation techniques
- Side-channel based reverse engineering
- Leakage Resilient Implementations
- Evaluation methodologies for side-channel resistant designs
- Secure designs and countermeasures
- Evaluation platforms and tools for testing side-channel characteristics

-------------------------------------------------------------------------
IEEE Security and Privacy Magazine, Special Issue on Security for Energy Sector Control Systems, November/December 2014, (Submission Due 1 January 2014)
http://www.computer.org/portal/web/computingnow/spcfp6
Editors: Sean Peisert (Lawrence Berkeley National Laboratory and University of California, Davis, USA) and Jonathan Margulies (National Institute of Standards and Technology, USA)

Control systems used in the energy sector present unusual security and reliability challenges: The installed base is often decades old, systems are commonly installed in adverse physical conditions, bandwidth and communication reliability can be very low, with tight performance timelines, and, most important, failure can result in destruction of critical physical systems or loss of life. This special issue seeks articles that can help lead to solutions that can be shown to improve the security and reliability of power systems, including control systems related to generation, transmission, distribution, and consumption or use, such as in industrial plant operations, commercial buildings, or homes. Such solutions might be purely technical, or could be social, policy-related, or some combination.
Articles should address questions such as:
- Very few techniques from "traditional" computer security and information technology (IT) can be shown to demonstrably improve security and reliability of the systems they seek to protect.
  --- Are there techniques that exist for control systems that make the problem more tractable?
  --- Are there challenges that make the problem even worse? How can those be surmounted?
- How can safety engineering traditionally used with control systems be married with computer security techniques traditionally used in IT?
- How do current policies, laws, and regulations help or hinder security for power-related control systems? What policy changes might be useful for improving control system security & reliability?
- What privacy problems or solutions exist in relation to electric power control systems?

We welcome case studies, experience reports, practices, research results, and standards reports. Our readers are eager to hear about industry experiences, especially resulting from empirical studies that help us learn how past successes and failures should inform new technology or practices. We are also interested in failures, either in research, development, or operations, that can convey a valuable learning experience.

-------------------------------------------------------------------------
IFIP-SEC 2014
29th IFIP TC-11 SEC 2014 International Conference, ICT Systems Security and Privacy Protection, Marrakech, Morocco, June 2-4, 2014.
(Submission Due 20 January 2014)
http://www.ensa.ac.ma/sec2014/

This conference is the flagship event of the International Federation for Information Processing (IFIP) Technical Committee 11 on Security and Privacy Protection in Information Processing Systems (TC-11, www.ifiptc11.org). We seek submissions from academia, industry, and government presenting novel research on all theoretical and practical aspects of security and privacy protection in ICT Systems.
Topics of interest include, but are not limited to:
- Access control and authentication
- Applied cryptography
- Cloud and big data security
- Critical Infrastructure Protection
- Data and Applications Security
- Digital Forensics
- Human Aspects of Information Security and Assurance
- Identity Management
- Information Security Education
- Information Security Management
- Information Technology Mis-Use and the Law
- Managing information security functions
- Mobile security
- Multilateral Security
- Network & Distributed Systems Security
- Pervasive Systems Security
- Privacy protection
- Trust Management
- Audit and risk analysis

-------------------------------------------------------------------------
DIMVA 2014
11th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Royal Holloway London, Egham, UK, July 10-11, 2014.
(Submission Due 8 February 2014)
http://www.dimva.org/dimva2014

The annual DIMVA conference serves as a premier forum for advancing the state of the art in intrusion detection, malware detection, and vulnerability assessment. Each year, DIMVA brings together international experts from academia, industry, and government to present and discuss novel research in these areas. DIMVA is organized by the special interest group "Security - Intrusion Detection and Response" (SIDAR) of the German Informatics Society (GI). The conference proceedings will appear as a volume in the Springer Lecture Notes in Computer Science (LNCS) series (approval pending).
DIMVA encourages submissions from the following broad areas:

Intrusion Detection
- Novel approaches and domains
- Insider detection
- Prevention and response
- Data leakage and exfiltration
- Result correlation and cooperation
- Evasion and other attacks
- Potentials and limitations
- Operational experiences

Malware Detection
- Automated analyses
- Behavioral models
- Prevention and containment
- Infiltration
- Acquisition and monitoring
- Forensics and recovery
- Underground economy

Vulnerability Assessment
- Vulnerability detection
- Vulnerability prevention
- Fuzzing techniques
- Classification and evaluation
- Situational awareness

-------------------------------------------------------------------------
RFIDSec 2014
10th Workshop on RFID Security, Co-located with ACM WiSec 2014, Oxford, United Kingdom, July 21-23, 2014.
(Submission Due 1 March 2013)
http://rfidsec2014.cis.uab.edu/

RFIDsec is the premier workshop devoted to security and privacy in Radio Frequency Identification (RFID) with participants throughout the world. RFIDsec brings together researchers from academia and industry for topics of importance to improving the security and privacy of RFID, NFC, contactless technologies, and the Internet of Things. RFIDsec bridges the gap between cryptographic researchers and RFID developers through invited talks and contributed presentations.

Topics of interest include:
- New applications for secure RFID, NFC and other constrained systems
- Resource-efficient implementations of cryptography
- Attacks on RFID systems (e.g. side-channel attacks, fault attacks, hardware tampering)
- Data protection and privacy-enhancing techniques
- Cryptographic protocols (e.g. authentication, key distribution, scalability issues)
- Integration of secure RFID systems (e.g. infrastructures, middleware and security)
- Data mining and other systemic approaches to RFID security
- RFID hardware security (e.g. Physical Unclonable Functions (PUFs), RFID Trojans)
- Case studies

-------------------------------------------------------------------------
WiSec 2014
7th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Oxford, United Kingdom, July 21-25, 2014.
(Submission Due 3 March 2013)
http://www.sigsac.org/wisec/WiSec2014/

ACM WiSec has been broadening its scope and seeks to present high quality research papers exploring security and privacy aspects of wireless communications, mobile networks, and their applications. In addition to the traditional ACM WiSec topics of physical, link, and network layer security, we welcome papers focusing on the security and privacy of mobile software platforms, usable security and privacy, biometrics and the increasingly diverse range of mobile or wireless applications. The conference welcomes both theoretical as well as systems contributions.

Topics of interest include, but are not limited to:
- Mobile malware and platform security
- Security & Privacy for Smart Devices (e.g., Smartphones)
- Wireless and mobile privacy and anonymity
- Secure localization and location privacy
- Cellular network fraud and security
- Jamming attacks and defenses
- Key extraction, agreement, or distribution
- Theoretical foundations, cryptographic primitives, and formal methods
- NFC and smart payment applications
- Security and privacy for mobile sensing systems
- Wireless or mobile security and privacy in health, automotive, avionics, or smart grid applications
- Self-tracking/Quantified Self Security and Privacy
- Physical Tracking Security and Privacy
- Usable Mobile Security and Privacy
- Economics of Mobile Security and Privacy
- Bring Your Own Device (BYOD) Security

-------------------------------------------------------------------------
WISTP 2014
8th Workshop in Information Security Theory and Practice, Heraklion, Greece, June 23-25, 2014.
(Submission Due 7 March 2014)
http://www.wistp.org/

Future ICT technologies, such as the concepts of Ambient Intelligence, Cyber-physical Systems and the Internet of Things, provide a vision of the Information Society in which: a) people and physical systems are surrounded with intelligent interactive interfaces and objects, and b) environments are capable of recognising and reacting to the presence of different individuals or events in a seamless, unobtrusive and invisible manner. The success of future ICT technologies will depend on how secure these systems may be, to what extent they will protect the privacy of individuals and how individuals will come to trust them. WISTP 2014 aims to address security and privacy issues of smart devices, networks, architectures, protocols, policies, systems, and applications related to the Internet of Things, along with evaluating their impact on business, individuals, and society. The workshop seeks original submissions from academia and industry presenting novel research on all theoretical and practical aspects of security and privacy of the Internet of Things, as well as experimental studies of fielded systems, the application of security technology, the implementation of systems, and lessons learned. We encourage submissions from other communities such as law, business, and policy that present these communities' perspectives on technological issues.
Topics of interest include, but are not limited to:

Security and Privacy in Smart Devices
- Biometrics, National ID cards
- Embedded Systems Security and TPMs
- Interplay of TPMs and Smart Cards
- Mobile Codes Security
- Mobile Devices Security
- Mobile Malware
- Mobile OSes Security Analysis
- New Applications for Secure RFID Systems
- RFID Systems
- Smart Card
- Smart Devices Applications
- Wireless Sensor Node

Security and Privacy in Networks
- Ad Hoc Networks
- Delay-Tolerant Network
- Domestic Network
- GSM/GPRS/UMTS Systems
- Peer-to-Peer Networks
- Security Issues in Mobile and Ubiquitous Networks
- Sensor Networks: Campus Area, Body Area, Sensor and Metropolitan Area Networks
- Vehicular Network
- Wireless Communication: Bluetooth, NFC, WiFi, WiMAX, others

Security and Privacy in Architectures, Protocols, Policies, Systems and Applications
- BYOD Contexts
- Cloud-enhanced Mobile Security
- Critical Infrastructure (e.g. for Medical or Military Applications)
- Cyber-Physical Systems
- Digital Rights Management (DRM)
- Distributed Systems and Grid Computing
- Information Assurance and Trust Management
- Intrusion Detection and Information Filtering
- Lightweight cryptography
- Localization Systems (Tracking of People and Goods)
- M2M (Machine to Machine), H2M (Human to Machine) and M2H (Machine to Human)
- Mobile Commerce
- Multimedia Applications
- Public Administration and Governmental Services
- Pervasive Systems
- Privacy Enhancing Technologies
- Secure self-organization and self-configuration
- Security Models, Architecture and Protocol: for Identification and Authentication, Access Control, Data Protection
- Security Policies (Human-Computer Interaction and Human Behavior Impact)
- Security Measurements
- Smart Cities
- Systems Controlling Industrial Processes

-------------------------------------------------------------------------

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two ways to subscribe:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".
   OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself).

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself).

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL
http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended.
Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

Ted Lee announces with regret the demise of his decades-old email address and asks that correspondents use tmplee@gmail.com

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at
https://www.ieee.org/membership-catalog/productdetail/showProductDetailPage.html?product=CMYSP728

______________________________________________________________________
TC Publications for Sale
______________________________________________________________________

The proceedings of previous conferences are available from the Computer Society's Digital Library.
IEEE Security and Privacy Symposium
IEEE CS Press

____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________

Chair:
Sven Dietrich
Department of Computer Science
Stevens Institute of Technology
+1 201 216 8078
spock AT cs.stevens.edu

Security and Privacy Symposium Chair Emeritus:
Robin Sommer
http://www.icir.org/robin

Vice Chair:
Patrick McDaniel
Computer Science and Engineering
Pennsylvania State University
360 A IST Building
University Park, PA 16802
(814) 863-3599
mcdaniel@cse.psu.edu

Treasurer:
Yong Guan
3219 Coover Hall
Department of Electrical and Computer Engineering
Iowa State University, Ames, IA 50011
(515) 294-8378
yguan (at) iastate.edu

Security and Privacy Symposium, 2014 Chair:
Greg Shannon
CERT
oakland14-chair@ieee-security.org

Newsletter Editor and TC Awards Chair:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

________________________________________________________________________
BACK ISSUES:
Cipher is archived at: http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year