Electronic CIPHER, Issue 121, July 22, 2014

============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 121, July 22, 2014

Hilarie Orman, Editor: cipher-editor @ ieee-security.org
Sven Dietrich, Assoc. Editor: cipher-assoc-editor @ ieee-security.org
Richard Austin, Book Review Editor: cipher-bookrev @ ieee-security.org
Yong Guan, Calendar Editor: cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * Commentary and Opinion and News
    o Richard Austin's review of "Threat Modeling: Designing for Security" by Adam Shostack
    o News: Beware of cute cat photos; Forgotten in the EU
    o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Conference and Workshop Announcements
    o Upcoming calls-for-papers and events
 * Staying in Touch
    o Information for subscribers and contributors
    o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
    o Becoming a member of the TC
    o TC Officers
    o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

Retail data breaches and certificate authority compromises were the excitement of winter, but the summer doldrums bring privacy concerns.
Internet search engine companies are trying to navigate the new thicket of privacy rights guaranteed to EU members, but a tangle of jurisdictional regulations makes this a daunting task. In the research world, a paper about how users of the anonymous network Tor can be identified was withdrawn from the Black Hat conference by the authors, perhaps because their research constitutes privacy violations. Is the notion of privacy itself an artifact of faulty technology --- the poor memory of human beings and the inconvenience of paper? Should we all move to the cloud and share ourselves in toto? I don't know the answers to these questions; all I know is that I bought a new car and it immediately asked for access to my contact lists and text messages. Such a busybody.

Richard Austin, our constant reader and faithful reviewer, comments on a new book about threat modeling and how to think about security design. Read this book and trudge onward and upward with the everlasting battle to get ourselves secure.

Don't hide your Wifi under a bushel, hide it under a password,

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
News Briefs
====================================================================

 o Is nothing sacred? Even cat photos compromise your privacy.
   (New York Times, July 22, 2014)
   http://www.nytimes.com/2014/07/23/upshot/what-the-internet-can-see-from-your-cat-pictures.html

 o Microsoft follows Google in establishing EU's "right to be forgotten", but it's not so simple
   (Reuters, July 16, 2014)
   http://www.reuters.com/article/2014/07/16/us-eu-privacy-microsoft-idUSKBN0FL2NX20140716

No news is good news? Unlikely. If you see security related news that's interesting, pass it on to Cipher.
News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Richard Austin
July 17, 2014
____________________________________________________________________

Threat Modeling: Designing for Security
by Adam Shostack

Wiley 2014
ISBN 978-1-118-80999-0 Amazon.com USD 49.56
Table of Contents: http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118809998.html

As you've probably noticed, we seem to have a slight problem with software security, and though great strides have been made, vulnerabilities continue to appear on a disturbingly regular basis. A perennial problem is that the people who write software are largely not information security professionals, and when one is in thrall to the tyranny of schedule and functionality, security concerns may seem remote and almost irrelevant. Shostack envisions the process of threat modeling as a way of integrating security principles into the development process and making developers active participants in identifying and fixing vulnerabilities before the product reaches the door.

Shostack's threat modeling framework involves answering four basic questions: "What are you building?", "What can go wrong with it once it's built?", "What should you do about those things that can go wrong?", "Did you do a decent job of analysis?". The more jaded of us will immediately zoom in on the second question and archly opine that "most developers couldn't spot a security problem if they stepped in it".
While there is no "silver bullet" to make a seasoned defect-spotter out of a developer overnight, Shostack does describe a charming technique for helping groups think about security-relevant defects in a structured way: The "Elevation of Privilege" card game. It is, in fact, a real card game (the cards are available as a PDF download from Microsoft and professionally printed cards are available, like most other things, on eBay) based on Microsoft's STRIDE threat framework (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege). And to save you the trouble of looking, there is really not supposed to be a "2-of-Tampering", or a 2, 3 and 4 of "Elevation of Privilege". Players are dealt hands and play a card by trying to find its threat in their software. I have not used the game with professional developers, but students in a secure programming class very quickly picked up the rules and identified many more threats in a sample application than with the previous checklists, etc. While this was in no way a scientific study, it did pique my interest.

The entire book might be thought of as a handbook on how to play "Elevation of Privilege". It opens with an introduction to threat modeling and progresses through threat identification and how to address the identified threats. Shostack then branches out to examine threat modeling in the "tricky areas" such as the cloud and cryptosystems. The final section, "Taking it to the next level", offers guidance on how to introduce threat modeling into your organization (and deal with the objections of why it can't be done and is a waste of scarce developer time) and examines cutting edge techniques such as "kill chains" and machine learning.

Shostack's presentation style is lively and well-illustrated. Seasoned security professionals may find the pace a bit labored but the book is also targeted at audiences (such as developers) lacking much, if any, background in information security.
Several chapters are especially noteworthy:

Chapter 6, "Privacy Tools". This brief chapter's introduction to ways of thinking about privacy is both an excellent summary and a guide for further exploration.

Chapter 9, "Trade-Offs When Addressing Threats", is a gentle introduction to risk management and underlines the important fact that risk-elimination is an impossible goal (there will always be residual risk).

Chapter 15, "Human Factors and Usability", is a gem. Our profession is plagued with great ideas that are routinely bypassed or ignored because they are just too painful for people to use. Thinking about how users will interact with a security-relevant function is a core success factor in actually making things work and achieve their intended purpose.

Chapter 16, "Threats to Cryptosystems", makes the important point that cryptography is not magic pixie dust that you can sprinkle on something to make it "secure". In less than 20 pages, Shostack provides a solid review of what you have to get right in order for cryptography to make a meaningful contribution to a system's security posture (cryptographic implementations of known pedigree, solid key management, etc.).

Shostack's book provides a readable, comprehensive guide on how to make threat modeling a useful component of the software development process. Definitely a recommended read.

-----------------------------------

It has been said "Be careful, for writing books is endless, and much study wears you out" so Richard Austin (http://cse.spsu.edu/raustin2) fearlessly samples the wares of the publishing houses and opines as to which might most profitably occupy your scarce reading time.
He welcomes your thoughts and comments via raustin at ieee dot org

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html

Posted June 2014
University of Surrey, UK
Guildford, Surrey, UK
Lecturer/Senior Lecturer (equivalent to Assistant/Associate Professor) in Cyber Security
Deadline for applications: 30 June, 2014
https://jobs.surrey.ac.uk/Vacancy.aspx?ref=037614

--------------

This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

7/19/14- 7/22/14: CSF, 27th IEEE Computer Security Foundations Symposium, Vienna University of Technology, Vienna, Austria; http://csf2014.di.univr.it/
7/21/14- 7/23/14: RFIDSec, 10th Workshop on RFID Security, Co-located with ACM WiSec 2014, Oxford, United Kingdom; http://rfidsec2014.cis.uab.edu/
7/21/14- 7/25/14: WiSec, 7th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Oxford, United Kingdom; http://www.sigsac.org/wisec/WiSec2014/
7/21/14- 7/25/14: SHPCS, 9th Workshop on Security and High Performance Computing Systems, Held in conjunction with the International Conference on High Performance Computing & Simulation (HPCS 2014), Bologna, Italy; http://hpcs2014.cisedu.info/
7/22/14: MTD, 1st ACM Workshop on Moving Target Defense, Held in conjunction with the 21st ACM Conference on Computer and Communications Security (ACM-CCS 2014), Scottsdale, Arizona, USA; http://csis.gmu.edu/MTD2014; Submissions are due
7/23/14- 7/24/14: PST, 12th Annual Conference on Privacy, Security and Trust, Toronto, Canada; http://pst2014.ryerson.ca
7/25/14: WISCS, 1st ACM Workshop on Information Sharing and Collaborative Security, Held in conjunction with the 21st ACM Conference on Computer and Communications Security (ACM-CCS 2014), Scottsdale, Arizona, USA; https://sites.google.com/site/wiscs2014/; Submissions are due
7/29/14: PLAS, 9th ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, Uppsala, Sweden; http://researcher.ibm.com/researcher/view_project.php?id=5237
7/30/14: CCSW, ACM Cloud Computing Security Workshop (CCSW), Held in conjunction with the 21st ACM Conference on Computer and Communications Security (CCS 2014), Scottsdale, Arizona, USA; http://digitalpiglet.org/nsac/ccsw14/; Submissions are due
8/ 1/14: VizSec, 11th Visualization for Cyber Security, Paris, France; http://www.vizsec.org; Submissions are due
8/ 4/14: SafeConfig, Workshop on Cyber Security Analytics and Automation, Held in conjunction with the 21st ACM Conference on Computer and Communications Security (CCS 2014), Scottsdale, Arizona, USA; http://www.cyberdna.uncc.edu/safeconfig/2014/; Submissions are due
8/10/14: TrustCol, 9th IEEE International Workshop on Trusted Collaboration, Held in conjunction with IEEE CollaborateCom 2014, Miami, Florida, USA; http://honeynet.asu.edu/trustcol2014; Submissions are due
8/14/14- 8/15/14: SAC, Conference on Selected Areas in Cryptography, Concordia University, Montreal, Quebec, Canada; http://users.encs.concordia.ca/~youssef/SAC2014-WebSite/
8/18/14: ACSW-AISC, Australasian Information Security Conference, Held as part of Australasian Computer Science Week, Sydney, Australia; http://homepages.ecs.vuw.ac.nz/Users/Ian/ACSW_AISC2015; Submissions are due
8/30/14: BDSP, 1st IEEE International Workshop on Big Data Security and Privacy, Washington DC, USA; http://www.bigdatasecurityprivacyworkshop.com; Submissions are due
9/ 1/14: IEEE Transactions on Emerging Topics in Computing, Emerging topics in Cyber Security; http://www.computer.org/cms/Computer.org/transactions/cfps/cfp_tetcsi_cbs.pdf; Submissions are due
9/ 1/14- 9/ 2/14: LightSEC, 3rd International Workshop on Lightweight Cryptography for Security & Privacy, Istanbul, Turkey; http://www.light-sec.org
9/ 6/14- 9/ 6/14: TGC, 9th Symposium on Trustworthy Global Computing, Co-located with Concur 2014, Rome, Italy; http://www.cs.le.ac.uk/events/tgc2014/
9/ 7/14- 9/11/14: ESORICS, 19th European Symposium on Research in Computer Security, Wroclaw, Poland; http://esorics2014.pwr.wroc.pl/index.html
9/ 8/14: ESSoS, 6th International Symposium on Engineering Secure Software and Systems, Milan, Italy; https://distrinet.cs.kuleuven.be/events/essos/2015/calls-papers.html; Submissions are due
9/ 8/14: ACC, IEEE International Workshop on Autonomic Cloud Cybersecurity, Held in conjunction with the IEEE International Conference on Cloud and Autonomic Computing (CAC 2014), London, UK; http://sesar.dti.unimi.it/ACC2014
9/ 8/14- 9/12/14: ECTCM, 2nd International Workshop on Emerging Cyberthreats and Countermeasures, Co-located with International Conference on Availability, Reliability and Security (ARES 2014), Fribourg, Switzerland; http://www.ectcm.net/
9/ 9/14: ICISSP, 1st International Conference on Information Systems Security and Privacy, ESEO, Angers, Loire Valley, France; http://www.icissp.org/; Submissions are due
9/ 9/14- 9/11/14: SIN, 7th International Conference on the Security of Information and Networks, Glasgow, UK; http://www.sinconf.org/sin2014/
9/ 9/14- 9/12/14: SecATM, International Workshop on Security in Air Traffic Management and other Critical Infrastructures, Held in conjunction with ARES 2014, University of Fribourg, Switzerland; http://www.secatm.org
9/10/14- 9/11/14: STM, 10th International Workshop on Security and Trust Management, Held in conjunction with ESORICS 2014, Wroclaw, Poland; http://stm14.uni.lu/
9/15/14: Journal of Computer Security, Special Issue on Security and High Performance Computing Systems; http://www.gii.it/news/call-for-papers/137-jcs-special-issue.html; Submissions are due
9/15/14: CODASPY, 5th ACM Conference on Data and Application Security and Privacy, San Antonio, Texas, USA; http://www.codaspy.org/; Submissions are due
9/15/14- 9/18/14: NSPW, New Security Paradigms Workshop, Victoria, British Columbia, Canada; http://www.nspw.org/2014/cfp
9/23/14: SLSS, International Workshop on System Level Security of Smartphones, Held in conjunction with SecureComm 2014, Beijing, China; http://www.dacas.cn/slss2014
9/23/14- 9/25/14: eCrime, 9th Symposium on Electronic Crime Research, Held in conjunction with the 2014 APWG General Meeting, Birmingham, Alabama, USA; http://ecrimeresearch.org/events/ecrime2014
9/24/14- 9/26/14: RAID, 17th International Symposium on Research in Attacks, Intrusions and Defenses, Gothenburg, Sweden; http://www.raid2014.eu/cfp.html
10/ 1/14: IEEE Transactions on Dependable and Secure Computing, Special Issue on Cyber Crime; http://www.computer.org/cms/Computer.org/transactions/cfps/cfp_tdscsi_cc.pdf; Submissions are due
10/ 6/14-10/ 8/14: OSDI, 11th USENIX Symposium on Operating Systems Design and Implementation, Broomfield, CO, USA; https://www.usenix.org/conference/osdi14/call-for-papers
10/ 9/14-10/10/14: ProvSec, 8th International Conference on Provable Security, Hong Kong; http://home.ie.cuhk.edu.hk/~provsec14
10/10/14: IFIP119-DF, 11th Annual IFIP WG 11.9 International Conference on Digital Forensics, Orlando, Florida, USA; http://www.ifip119.org; Submissions are due
10/12/14-10/14/14: ISC, 17th Information Security Conference, Hong Kong; http://home.ie.cuhk.edu.hk/~provsec14
10/15/14-10/16/14: LASER, Workshop on Learning from Authoritative Security Experiment Results, Arlington, Virginia, USA; http://www.laser-workshop.org
10/15/14-10/17/14: NordSec, 19th Nordic Conference on Secure IT Systems, Tromsø, Norway; http://site.uit.no/nordsec2014/
10/22/14: TrustCol, 9th IEEE International Workshop on Trusted Collaboration, Held in conjunction with IEEE CollaborateCom 2014, Miami, Florida, USA; http://honeynet.asu.edu/trustcol2014
10/22/14-10/24/14: CANS, 13th International Conference on Cryptology and Network Security, Aldemar Royal Mare Resort, Heraklion Crete, Greece; http://www.ics.forth.gr/cans2014
10/26/14: ASIACCS, 10th ACM Symposium on Information, Computer and Communications Security, Singapore; http://icsd.i2r.a-star.edu.sg/asiaccs15; Submissions are due
10/27/14-10/30/14: BDSP, 1st IEEE International Workshop on Big Data Security and Privacy, Washington DC, USA; http://www.bigdatasecurityprivacyworkshop.com
10/29/14-10/31/14: CNS, 2nd IEEE Conference on Communications and Network Security, San Francisco, CA, USA; http://ieee-cns.org
10/29/14: M2MSec, International Workshop on Security and Privacy in Machine-to-Machine Communications, Held in conjunction with IEEE Conference on Communications and Network Security (CNS 2014), San Francisco, CA, USA; http://www.m2m-sec.org/
10/31/14: Elsevier Computer Communications Journal, Special Issue on Security and Privacy in Unified Communications: Challenges and Solutions; http://www.journals.elsevier.com/computer-communications/call-for-papers/special-issue-on-security-and-privacy-in-unified-communicati/; Submissions are due
11/ 3/14: TrustED, 4th International Workshop on Trustworthy Embedded Devices, Co-located with the ACM Conference on Computer & Communications Security (CCS 2014), Scottsdale, Arizona, USA; http://www.trusted-workshop.de
11/ 3/14: MTD, 1st ACM Workshop on Moving Target Defense, Held in conjunction with the 21st ACM Conference on Computer and Communications Security (ACM-CCS 2014), Scottsdale, Arizona, USA; http://csis.gmu.edu/MTD2014
11/ 3/14: WISCS, 1st ACM Workshop on Information Sharing and Collaborative Security, Held in conjunction with the 21st ACM Conference on Computer and Communications Security (ACM-CCS 2014), Scottsdale, Arizona, USA; https://sites.google.com/site/wiscs2014/
11/ 3/14: SafeConfig, Workshop on Cyber Security Analytics and Automation, Held in conjunction with the 21st ACM Conference on Computer and Communications Security (CCS 2014), Scottsdale, Arizona, USA; http://www.cyberdna.uncc.edu/safeconfig/2014/
11/ 3/14-11/ 7/14: ACM-CCS, 21st ACM Conference on Computer and Communications Security, The Scottsdale Plaza Resort, Scottsdale, Arizona, USA; http://www.sigsac.org/ccs/CCS2014/
11/ 7/14: CCSW, ACM Cloud Computing Security Workshop (CCSW), Held in conjunction with the 21st ACM Conference on Computer and Communications Security (CCS 2014), Scottsdale, Arizona, USA; http://digitalpiglet.org/nsac/ccsw14/
11/ 9/14-11/14/14: LISA, 28th Large Installation System Administration Conference, Seattle, WA, USA; https://www.usenix.org/sites/default/files/lisa14cfp_102813.pdf
11/10/14: VizSec, 11th Visualization for Cyber Security, Paris, France; http://www.vizsec.org
12/ 8/14-12/ 9/14: SKM, International Conference on Secure Knowledge Management, BITS Pilani, Dubai; http://www.bits-dubai.ac.ae/skm2014/index.html
1/26/15- 1/28/15: IFIP119-DF, 11th Annual IFIP WG 11.9 International Conference on Digital Forensics, Orlando, Florida, USA; http://www.ifip119.org
1/27/15- 1/30/15: ACSW-AISC, Australasian Information Security Conference, Held as part of Australasian Computer Science Week, Sydney, Australia; http://homepages.ecs.vuw.ac.nz/Users/Ian/ACSW_AISC2015
2/ 9/15- 2/11/15: ICISSP, 1st International Conference on Information Systems Security and Privacy, ESEO, Angers, Loire Valley, France; http://www.icissp.org/
3/ 2/15- 3/ 4/15: CODASPY, 5th ACM Conference on Data and Application Security and Privacy, San Antonio, Texas, USA; http://www.codaspy.org/
3/ 4/15- 3/ 6/15: ESSoS, 6th International Symposium on Engineering Secure Software and Systems, Milan, Italy; https://distrinet.cs.kuleuven.be/events/essos/2015/calls-papers.html
4/14/15- 4/16/15: HST, 14th annual IEEE Symposium on Technologies for Homeland Security, Boston, Massachusetts, USA; http://ieee-hst.org/
4/14/15- 4/17/15: ASIACCS, 10th ACM Symposium on Information, Computer and Communications Security, Singapore; http://icsd.i2r.a-star.edu.sg/asiaccs15

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers (new since Cipher E87)
____________________________________________________________________

-------------------------------------------------------------------------
MTD 2014 1st ACM Workshop on Moving Target Defense, Held in conjunction with the 21st ACM Conference on Computer and Communications Security (ACM-CCS 2014), Scottsdale, Arizona, USA, November 3, 2014.
(Submission Due 22 July 2014)
http://csis.gmu.edu/MTD2014

The static nature of current computing systems has made them easy to attack and harder to defend. Adversaries have an asymmetric advantage in that they have the time to study a system, identify its vulnerabilities, and choose the time and place of attack to gain the maximum benefit. The idea of moving-target defense (MTD) is to impose the same asymmetric disadvantage on the attacker by making systems dynamic and harder to predict. With a constantly changing system and its ever adapting attack surface, the attacker will have to deal with a great deal of uncertainty just like defenders do today. The ultimate goal is to level the cybersecurity playing field for defenders versus attackers.
This workshop seeks to bring together researchers from academia, government, and industry to report on the latest research efforts on moving-target defense, and to have productive discussion and constructive debate on this topic. We solicit submissions on original research in the broad area of MTD, with possible topics such as those listed below. Since this is still a research area in a nascent stage, the list should only be used as a reference. We welcome all works that fall under the broad scope of moving target defense, including research that shows negative results. Topics include:
 - System randomization
 - Artificial diversity
 - Cyber maneuver
 - Bio-inspired defenses
 - Dynamic network configuration
 - Moving target in the cloud
 - System diversification techniques
 - Dynamic compilation techniques
 - Adaptive defenses
 - Analytical models for MTD
 - Large-scale MTD (using multiple techniques)

-------------------------------------------------------------------------
WISCS 2014 1st ACM Workshop on Information Sharing and Collaborative Security, Held in conjunction with the 21st ACM Conference on Computer and Communications Security (ACM-CCS 2014), Scottsdale, Arizona, USA, November 3, 2014.
(Submission Due 25 July 2014)
https://sites.google.com/site/wiscs2014/

Sharing of security related information is believed to greatly enhance the ability of organizations to defend themselves against sophisticated attacks. If one organization detects a breach, the automated sharing of observed security indicators (such as IP addresses, domain names etc.) provides valuable, actionable information to others. Through analyzing shared data it seems possible to get much better insights into emerging attacks. Sharing higher level intelligence about campaigns, threat actors and mitigations is also of great interest. Both in the US and the EU there are major efforts underway to strengthen information sharing. Yet there are a number of technical and policy challenges to realizing this vision.
Which information exactly should be shared? How can privacy and confidentiality be protected? How can we create high-fidelity intelligence from shared data without getting overwhelmed by false positives? The first Workshop on Information Sharing and Collaborative Security (WISCS 2014) aims to bring together experts and practitioners from academia, industry and government to present innovative research, case studies, and legal and policy issues. Topics of interest for the workshop include, but are not limited to:
 - Collaborative intrusion detection
 - Case studies for information sharing
 - Domain name and IP address blacklisting
 - Collaborative approaches to spear-phishing and DDoS attacks
 - Data deidentification
 - Privacy and confidentiality
 - Cryptographic protocols for collaborative security
 - Scalability of security analysis on shared data
 - Ontologies and standards for sharing security data
 - Human factors in collaboration
 - Policy and legal issues
 - Surveillance issues
 - Trust models
 - Attacks on information sharing
 - Economics of security collaboration

-------------------------------------------------------------------------
CCSW 2014 ACM Cloud Computing Security Workshop (CCSW), Held in conjunction with the 21st ACM Conference on Computer and Communications Security (CCS 2014), Scottsdale, Arizona, USA, November 7, 2014.
(Submission Due 30 July 2014)
http://digitalpiglet.org/nsac/ccsw14/

Notwithstanding the latest buzzword (grid, cloud, utility computing, SaaS, etc.), large-scale computing and cloud-like infrastructures are here to stay. The exact form they take is still for the markets to decide, yet one thing is certain: clouds bring with them new deployment models and hence new adversarial threats and vulnerabilities.
CCSW brings together researchers and practitioners in all security aspects of outsourced computing, including:
 - practical cloud security solutions
 - practical cryptography for cloud security
 - secure cloud resource virtualization
 - network virtualization
 - secure data management outsourcing
 - practical privacy & integrity for outsourcing
 - foundations of cloud-centric threat models
 - secure & verifiable computation outsourcing
 - remote attestation mechanisms in clouds
 - sandboxing and VM-based enforcements
 - trust and policy management in clouds
 - secure identity management mechanisms
 - cloud-aware web service security paradigms
 - cloud-centric regulatory compliance
 - business & security risk models in the cloud
 - cost & usability models and their interaction with security
 - scalability of security in global-size clouds
 - trusted computing technology and clouds
 - binary analysis for remote attestation and cloud protection
 - cloud network security (DoS defense, IDS)
 - security for cloud programming models
 - energy/costs/efficiency of security in clouds

-------------------------------------------------------------------------
VizSec 2014 11th Visualization for Cyber Security, Paris, France, November 10, 2014.
(Submission Due 1 August 2014)
http://www.vizsec.org

The 11th Visualization for Cyber Security (VizSec) is a forum that brings together researchers and practitioners from academia, government, and industry to address the needs of the cyber security community through new and insightful visualization and analysis techniques. VizSec provides an excellent venue for fostering greater exchange and new collaborations on a broad range of security- and privacy-related topics. Full papers describing novel contributions in security visualization are solicited. Papers may present techniques, applications, practical experience, theory, analysis, or experiments and evaluations.
We encourage the submission of papers on technologies and methods that promise to improve cyber security practices, including, but not limited to:
 - Situation awareness and/or understanding
 - Incident handling including triage, exploration, correlation, and response
 - Computer forensics
 - Recording and reporting results of investigations
 - Reverse engineering and malware analysis
 - Multiple data source analysis
 - Analyzing information requirements for computer network defense
 - Evaluation and/or user testing of VizSec systems
 - Criteria for assessing the effectiveness of cyber security visualizations (whether from a security goal perspective or a human factors perspective)
 - Modeling system and network behavior
 - Modeling attacker and defender behavior
 - Studying risk and impact of cyber attacks
 - Predicting future attacks or targets
 - Security metrics and education
 - Software security
 - Mobile application security
 - Social networking privacy and security

-------------------------------------------------------------------------
SafeConfig 2014 Workshop on Cyber Security Analytics and Automation, Held in conjunction with the 21st ACM Conference on Computer and Communications Security (CCS 2014), Scottsdale, Arizona, USA, November 3, 2014.
(Submission Due 4 August 2014)
http://www.cyberdna.uncc.edu/safeconfig/2014/

Ensuring correctness and integrity of system configurations and associated policies is key to proper functioning, accessibility, security, privacy and resilience of modern information systems and services. However, this is a daunting task in large enterprise systems that may contain millions of physical and/or virtual components that must be properly configured and secured from unauthorized access. Furthermore, the configuration variables often have explicit or hidden interdependencies that must be understood in order to ensure proper end to end behavior.
The new sophisticated cyber security threats demand new security techniques and approaches that offer proactive, intelligent and holistic security analytics based on analyzing the system artifacts including system traces, configurations, logs, incident reports, alarms and network traffic. Scalable analytics techniques are essential to handle large volumes of data and to normalize, model, integrate, analyze and respond to threats in real time. As the current technology moves toward "smart" cyber infrastructure and open networking platforms (e.g. OpenFlow and virtual computing) and integration of a large variety of sensors, the need for large-scale security analytics and automation becomes essential to enable intelligent response, automated defense, and network resilience and agility.

This workshop offers a unique opportunity by bringing together researchers from academia, industry as well as government agencies to discuss the challenges listed above, to exchange experiences, and to propose joint plans for promoting research and development in this area. SafeConfig is a one day forum that includes invited talks, technical presentations of peer-reviewed papers, poster/demo sessions, and joint panels on research collaboration. SafeConfig was started in 2009 and has been continuously running since then. It provides a unique forum to explore theoretical foundations, algorithmic advances, modeling, and evaluation of configuration related challenges for large scale cyber and cyberphysical systems.

-------------------------------------------------------------------------
TrustCol 2014 9th IEEE International Workshop on Trusted Collaboration, Held in conjunction with IEEE CollaborateCom 2014, Miami, Florida, USA, October 22, 2014.
(Submission Due 10 August 2014)
http://honeynet.asu.edu/trustcol2014

The key goal of this workshop is to foster active interactions among diverse researchers and practitioners, and generate added momentum towards research in finding viable solutions to the security and privacy challenges faced by the current and future collaborative systems and infrastructures. We solicit unpublished research papers, both regular (8 pages max) and short (4 pages max) papers, that address theoretical issues and practical implementations/experiences related to security and privacy solutions for collaborative systems. Topics of interest include, but are not limited to:
- Secure dynamic coalition environments
- Privacy control in collaborative environments
- Secure workflows for collaborative computing
- Policy-based management of collaborative workspace
- Secure middleware for large scale collaborative infrastructures
- Security and privacy issues in mobile collaborative applications
- Identity management for large scale collaborative infrastructures
- Semantic web technologies for secure collaborative infrastructure
- Trust models, trust negotiation/management for collaborative systems
- Access control models and mechanisms for collaboration environments
- Protection models and mechanisms for peer-to-peer collaborative environments
- Delegation, accountability, and information flow control in collaborative applications
- Intrusion detection, recovery and survivability of collaborative systems/infrastructures
- Security of web services and grid technologies for supporting multidomain collaborative applications
- Security and privacy challenges in cloud-based collaborative applications
- Insider threats in collaborative systems/applications

-------------------------------------------------------------------------
ACSW-AISC 2015 Australasian Information Security Conference, Held as part of Australasian Computer Science Week, Sydney, Australia, January 27-30, 2015.
(Submission Due 18 August 2014)
http://homepages.ecs.vuw.ac.nz/Users/Ian/ACSW_AISC2015

AISC aims at promoting research on all aspects of information security and increasing communication between academic and industrial researchers working in this area. We seek submissions from academic and industrial researchers on all theoretical and practical aspects of information security. Suggested topics include, but are not restricted to: access control; anonymity and pseudonymity; cryptography and cryptographic protocols; database security; identity management and identity theft; intrusion detection and prevention; malicious software; network security; privacy enhancing technologies; and trust and risk.

-------------------------------------------------------------------------
BDSP 2014 1st IEEE International Workshop on Big Data Security and Privacy, Washington DC, USA, October 27-30, 2014.
(Submission Due 30 August 2014)
http://www.bigdatasecurityprivacyworkshop.com

Big Data is characterized by the integration of a significant amount of data, of varying modalities or types, at a pace that cannot be handled by traditional data management systems. This has sparked innovation in the collection, processing and storage of this data. The analytic systems built to leverage Big Data have yielded (and hold even greater promise to uncover) remarkable insights that enable a host of new applications that were not thought possible prior to the era of Big Data. However, with this capacity to contribute to and benefit the greater good comes the responsibility to protect the subjects referenced in the data sets. In this context, the old adage is correct - "With great power, comes great responsibility". Ultimately, the data subjects own the data and they stand to suffer most significantly from the data's compromise.
Thus, there need to be advances in techniques for 1) ingesting Big Data in a secure and privacy-preserving manner, 2) performing Big Data analysis in a secure environment and in a privacy-preserving manner, and 3) storing and enforcing retention policy securely (and in private modes) for Big Data systems. If these solutions are not in place, then the willingness of people to contribute their data to be included in a Big Data system decreases. Additionally, Big Data professionals need to perform risk analyses, as they relate to security and privacy, to get a realistic view of the safety of the landscape. There is a lot of work to be done in this emerging field. This workshop is a venue for researchers and practitioners to come together and tackle them in a supportive and stimulating environment.

-------------------------------------------------------------------------
IEEE Transactions on Emerging Topics in Computing, Emerging topics in Cyber Security, 2015,
(Submission Due 1 September 2014)
http://www.computer.org/cms/Computer.org/transactions/cfps/cfp_tetcsi_cbs.pdf
Editor: Giorgio Di Natale (LIRMM, France) and Stefano Zanero (Politecnico di Milano, Italy)

Cyber Security is a topic which is getting a very high level of attention from researchers, decision makers, policy makers and from the general public. The value of digital information is growing dramatically. Physical systems coupled with computing devices (so-called cyber-physical systems) carry out functions that are fundamental for our society. Protecting these emerging critical digital infrastructures is an increasingly relevant objective from a military and political point of view. For this reason, the IEEE Transactions on Emerging Topics in Computing (TETC) seeks original manuscripts for a Special Issue on Emerging Topics in Cyber Security, scheduled to appear in the first issue of 2015. TETC is the newest Transactions of the IEEE Computer Society, and it uses an Open Access model exclusively.
Papers may present advances in the theory, design, implementation, analysis, verification, or empirical evaluation and measurement of cyber security systems, to deal with emerging computing technologies and applications. Given the peculiar nature of TETC, we are seeking in particular papers that are more "far-reaching" than is usual for journal submissions, as long as they show promise for opening up new areas of study, or questioning long-held beliefs and tenets of the cybersecurity field.

-------------------------------------------------------------------------
ESSoS 2015 6th International Symposium on Engineering Secure Software and Systems, Milan, Italy, March 4-6, 2015.
(Submission Due 8 September 2014)
https://distrinet.cs.kuleuven.be/events/essos/2015/calls-papers.html

Trustworthy, secure software is a core ingredient of the modern world. So is the Internet. Hostile, networked environments, like the Internet, can allow vulnerabilities in software to be exploited from anywhere. To address this, high-quality security building blocks (e.g., cryptographic components) are necessary, but insufficient. Indeed, the construction of secure software is challenging because of the complexity of modern applications, the growing sophistication of security requirements, the multitude of available software technologies and the progress of attack vectors. Clearly, a strong need exists for engineering techniques that scale well and that demonstrably improve the software's security properties. The goal of this symposium, which will be the sixth in the series, is to bring together researchers and practitioners to advance the states of the art and practice in secure software engineering. Being one of the few conference-level events dedicated to this topic, it explicitly aims to bridge the software engineering and security engineering communities, and promote cross-fertilization. The symposium will feature two days of technical program.
In addition to academic papers, the symposium encourages submission of high-quality, informative industrial experience papers about successes and failures in security software engineering and the lessons learned. Furthermore, the symposium also accepts short idea papers that crisply describe a promising direction, approach, or insight. Paper submissions are solicited in all areas relating to secure software and secure systems research, including but not limited to:
- Cloud security, virtualization for security
- Mobile devices security
- Automated techniques for vulnerability discovery and analysis
- Model checking for security
- Binary code analysis, reverse-engineering
- Programming paradigms, models, and domain-specific languages for security
- Operating system security
- Verification techniques for security properties
- Malware: detection, analysis, mitigation
- Security in critical infrastructures
- Security economics
- Security by design
- Static and dynamic code analysis for security
- Web applications security
- Program rewriting techniques for security
- Security measurements
- Empirical secure software engineering
- Security-oriented software reconfiguration and evolution
- Computer forensics
- Processes for the development of secure software and systems
- Human-computer interaction for security
- Security testing
- Embedded software security

-------------------------------------------------------------------------
ICISSP 2015 1st International Conference on Information Systems Security and Privacy, ESEO, Angers, Loire Valley, France, February 9-11, 2015.
(Submission Due 9 September 2014)
http://www.icissp.org/

The International Conference on Information Systems Security and Privacy aims at creating a meeting point of researchers and practitioners that address security and privacy challenges that concern information systems, especially in organizations, including not only technological issues but also social issues.
The conference welcomes papers of either practical or theoretical nature, presenting research or applications addressing all aspects of security and privacy, such as methods to improve the accuracy of data, encryption techniques to conceal information in transit and avoid data breaches, identity protection, biometrics, access control policies, location information and mobile systems privacy, transactional security, social media privacy control, web and email vulnerabilities, trust management, compliance violations in organizations, security auditing, and so on. Cloud computing, big data, and other IT advances raise added security and privacy concerns to organizations and individuals, thus creating new research opportunities. Each of these topic areas is expanded below but the sub-topics list is not exhaustive. Papers may address one or more of the listed sub-topics, although authors should not feel limited by them. Unlisted but related sub-topics are also acceptable, provided they fit in one of the following main topic areas:
- DATA AND SOFTWARE SECURITY
- TRUST
- PRIVACY AND CONFIDENTIALITY
- MOBILE SYSTEMS SECURITY
- BIOMETRIC AUTHENTICATION

-------------------------------------------------------------------------
Journal of Computer Security, Special Issue on Security and High Performance Computing Systems, 2015,
(Submission Due 15 September 2014)
http://www.gii.it/news/call-for-papers/137-jcs-special-issue.html
Editor: Luca Spalazzi (Università di Ancona, Italy) and Luca Viganò (King's College London, UK)

Providing high performance computing and security is a challenging task. On the one hand, Internet, operating systems and distributed environments currently suffer from poor security support and cannot resist common attacks. On the other hand, adding security measures typically degrades performance.
The relationships between security and high performance computing systems thus raise a number of problems and challenges that are of interest for this special issue, such as (but not limited to) the following ones:

(1). How to enforce security requirements in high performance computing systems. For instance, which kind of obfuscation techniques can enforce privacy in a cloud storage, or how grid security can be verified at design-time (formal verification) or at run-time (run-time verification). In this case, safety properties can also be addressed, such as availability and fault tolerance for high performance computing systems.

(2). How to use high performance computing systems to solve security problems. For instance, a grid computation can break an encryption code, and a cluster can support high performance intrusion detection or a distributed formal verification system. More generally, this topic addresses every efficient use of high performance computing systems to improve security.

(3). The tradeoffs between maintaining high performance and achieving security in computing systems and solutions to balance the two objectives.

In all these directions, various formal analyses, as well as performance analyses or monitoring techniques can be conducted to show the efficiency of a security infrastructure. The special issue seeks submissions from academia and industry presenting novel research on all theoretical and practical aspects of computer and network security, as well as case studies and implementation experiences. Papers should have practical relevance to the construction, evaluation, application, or operation of secure systems.
The topics of interest include (but are not limited to) the following:
- Access Control
- Accounting and Audit
- Anonymity
- Applied Cryptography
- Authentication
- Cloud Security
- Commercial and Industry Security
- Cryptographic Protocols
- Data and Application Security
- Data/System Integrity
- Database Security
- Digital Rights Management
- Formal Verification of Secure Systems
- Identity Management
- Inference/Controlled Disclosure
- Information Warfare
- Intellectual Property Protection
- Intrusion and Attack Detection
- Intrusion and Attack Response
- Key Management
- Privacy-Enhancing Technology
- Secure Networking
- Secure System Design
- Security Monitoring & Management
- Security for Mobile Code
- Security for Specific Domains (e.g., E-Government, E-Business, P2P)
- Security in IT Outsourcing
- Security in Mobile and Wireless Networks
- Security in Untrusted & Adversarial Environments and Systems
- Security in Operating Systems
- Security Location Services
- Security of Grid and Cluster Architectures
- Security Visualization
- Smartcards
- Trust Management Policies
- Trust Models
- Web Security
- Web Services Security

-------------------------------------------------------------------------
CODASPY 2015 5th ACM Conference on Data and Application Security and Privacy, San Antonio, Texas, USA, March 2-4 2015.
(Submission Due 15 September 2014)
http://www.codaspy.org/

Data and applications security and privacy has rapidly expanded as a research field with many important challenges to be addressed. The goal of the ACM Conference on Data and Applications Security (CODASPY) is to discuss novel, exciting research topics in data and application security and privacy and to lay out directions for further research and development in this area.
The conference seeks submissions from diverse communities, including corporate and academic researchers, open-source projects, standardization bodies, governments, system and security administrators, software engineers and application domain experts. Topics of interest include, but are not limited to:
- Application-layer security policies
- Access control for applications
- Access control for databases
- Data-dissemination controls
- Data forensics
- Enforcement-layer security policies
- Privacy-preserving techniques
- Private information retrieval
- Search on protected/encrypted data
- Secure auditing
- Secure collaboration
- Secure data provenance
- Secure electronic commerce
- Secure information sharing
- Secure knowledge management
- Secure multiparty computations
- Secure software development
- Securing data/apps on untrusted platforms
- Securing the semantic web
- Security and privacy in GIS/spatial data
- Security and privacy in healthcare
- Security policies for databases
- Social computing security and privacy
- Social networking security and privacy
- Trust metrics for applications, data, and users
- Usable security and privacy
- Web application security

-------------------------------------------------------------------------
IEEE Transactions on Dependable and Secure Computing, Special Issue on Cyber Crime, 2015,
(Submission Due 1 October 2014)
http://www.computer.org/cms/Computer.org/transactions/cfps/cfp_tdscsi_cc.pdf
Editor: Wojciech Mazurczyk (Warsaw University of Technology, Poland), Thomas J. Holt (School of Criminal Justice, Michigan State University, USA), and Krzysztof Szczypiorski (Warsaw University of Technology, Poland)

Cyber crimes reflect the evolution of criminal practices that have adapted to the world of information and communication technologies. Cybercriminality has become a curse of the modern world with the potential to affect everyone nationally and/or internationally.
Individuals, companies, governments and institutions may become victims as well as (involuntary) helpers of cyber criminals. The inability to provide cyber-security can potentially have a tremendous socio-economic impact on global enterprises as well as individuals. The aim of this special issue is to bring together the research accomplishments provided by the researchers from academia and the industry. The other goal is to show the latest research results in the field of cyber crime. Prospective authors will be encouraged to submit related distinguished research papers on the subject of both: theoretical approaches and practical case reviews. Topics of interest include, but are not limited to:
- Cyber-crime science
- Emerging cybercriminals techniques and countermeasures
- Cyber forensics and anti-forensic procedures, techniques, tools and analysis
- Cyber crime investigations & incident response
- Active and passive cyber crime defense techniques, tools and mechanisms
- Cybersecurity testbeds, tools, methodologies
- Cyber threat modeling analysis, cyber risk and vulnerability assessment
- Cyber warfare & cyber terrorism
- Cybersecurity economic modeling and metrics
- Cybersecurity standards, policy, law, and regulation
- Legal, ethical and policy issues related to cyber crime
- Human and behavioral issues in cyber crime
- Network traffic analysis and modelling for cyber crime science
- Deviant activities and crime patterns
- Insider threat detection and prevention
- Misuse of personal data and the right to online privacy

-------------------------------------------------------------------------
IFIP119-DF 2015 11th Annual IFIP WG 11.9 International Conference on Digital Forensics, Orlando, Florida, USA, January 26-28, 2015.
(Submission Due 10 October 2014)
http://www.ifip119.org

The IFIP Working Group 11.9 on Digital Forensics (www.ifip119.org) is an active international community of scientists, engineers and practitioners dedicated to advancing the state of the art of research and practice in digital forensics. The Eleventh Annual IFIP WG 11.9 International Conference on Digital Forensics will provide a forum for presenting original, unpublished research results and innovative ideas related to the extraction, analysis and preservation of all forms of electronic evidence. Papers and panel proposals are solicited. All submissions will be refereed by a program committee comprising members of the Working Group. Papers and panel submissions will be selected based on their technical merit and relevance to IFIP WG 11.9. The conference will be limited to approximately sixty participants to facilitate interactions between researchers and intense discussions of critical research issues. Keynote presentations, revised papers and details of panel discussions will be published as an edited volume - the eleventh volume in the well-known Research Advances in Digital Forensics book series (Springer, Heidelberg, Germany) during the summer of 2015. Technical papers are solicited in all areas related to the theory and practice of digital forensics. Areas of special interest include, but are not limited to:
- Theories, techniques and tools for extracting, analyzing and preserving digital evidence
- Network and cloud forensics
- Embedded device forensics
- Digital forensic processes and workflow models
- Digital forensic case studies
- Legal, ethical and policy issues related to digital forensics

-------------------------------------------------------------------------
ASIACCS 2015 10th ACM Symposium on Information, Computer and Communications Security, Singapore, April 14-17, 2015.
(Submission Due 26 October 2014)
http://icsd.i2r.a-star.edu.sg/asiaccs15

ASIACCS is a major international forum for information security researchers, practitioners, developers, and users to explore and exchange the newest cyber security ideas, breakthroughs, findings, techniques, tools, and experiences. We invite submissions from academia, government, and industry presenting novel research on all theoretical and practical aspects of computer and network security. Areas of interest for ASIACCS 2015 include, but are not limited to:
- Access control
- Accounting and audit
- Applied cryptography
- Authentication
- Cloud computing security
- Cyber-physical security
- Data and application security
- Digital forensics
- Embedded systems security
- Formal methods for security
- Hardware-based security
- Intrusion detection
- Key management
- Malware and botnets
- Mobile computing security
- Network security
- Operating system security
- Privacy-enhancing technology
- Security architectures
- Security metrics
- Software security
- Smart grid security
- Threat modelling
- Trusted computing
- Usable security and privacy
- Web security
- Wireless security

-------------------------------------------------------------------------
Elsevier Computer Communications Journal, Special Issue on Security and Privacy in Unified Communications: Challenges and Solutions, 2015,
(Submission Due 31 October 2014)
http://www.journals.elsevier.com/computer-communications/call-for-papers/special-issue-on-security-and-privacy-in-unified-communicati/
Editor: Georgios Karopoulos (Joint Research Centre (JRC), Italy), Georgios Portokalidis (Stevens Institute of Technology, USA), Josep Domingo-Ferrer (Universitat Rovira i Virgili, Catalonia), Ying-Dar Lin (National Chiao Tung University (NCTU), Taiwan), Dimitris Geneiatakis (Joint Research Centre (JRC), Italy), and Georgios Kambourakis (University of the Aegean, Greece)

Unified Communications (UC) merge different communication technologies, types of products, and services, from various manufacturers, operators, and countries, following diverse policies and standards. Specifically, in the context of UC, a range of communication tools are integrated in a way that both corporations and individuals are able to manage all their communications in one entity instead of doing it disjointly. It is therefore said that UC bridges the opening between the various computer related communication technologies and Voice over IP (VoIP). However, this high level of heterogeneity expands the risks related to security and privacy that stakeholders should deal with. To eliminate or even prevent the increasing threats to end-users and operators, it is important to explore this growing and timely research topic. This feature topic will benefit the research community towards identifying challenges and disseminating the latest methodologies and solutions to UC security and privacy issues. Its objective is to publish high-quality articles presenting open issues, algorithms, protocols, policies, frameworks, standards, and solutions for UC related to security and privacy. Only technical papers describing previously unpublished, original, state-of-the-art research, and not currently under review by a conference or a journal will be considered. Reviews and case studies which address state-of-art research and state-of-practice industry experiences are also welcomed.
We solicit papers in a variety of topics related to unified communications security and privacy, including, but not limited to:
- Authorization and access control for UC services
- Denial of service prevention schemes for UC
- Reliability and availability issues on UC
- Penetration testing, intrusion detection and prevention
- End-to-end security solutions
- Cryptographic protocols for UC
- Voice security
- Signaling security and privacy
- Multimedia application security and privacy analysis
- Multimedia communication platforms vulnerabilities and attacks
- Security and privacy in mobile communication services
- Smartphone multimedia apps security and privacy
- Social networking security and privacy
- Testbed and case studies for secure and private UC services
- Trust establishment in UC
- IP Multimedia Subsystem (IMS) security
- Privacy and identity management
- Privacy enhancing technologies for UC
- Privacy models for UC
- Security and privacy assessment for UC
- Security policies
- Auditing, verification, and validation of UC services
- Risk analysis and management
- Cyber-security issues affecting UC
- Protection of UC as a Critical Information Infrastructure
- VoIP peering security issues

-------------------------------------------------------------------------

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".
OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at https://www.ieee.org/membership-catalog/productdetail/showProductDetailPage.html?product=CMYSP728

______________________________________________________________________
TC Publications for Sale
______________________________________________________________________

The proceedings of previous conferences are available from the Computer Society's Digital Library.
____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________

Chair:
Patrick McDaniel
Computer Science and Engineering
Pennsylvania State University
360 A IST Building
University Park, PA 16802
(814) 863-3599
mcdaniel@cse.psu.edu

Security and Privacy Symposium Chair Emeritus:
Robin Sommer
http://www.icir.org/robin

Vice Chair:
Ulf Lindqvist
SRI International
Menlo Park, CA
ulf.lindqvist@sri.com

Treasurer:
Yong Guan
3219 Coover Hall
Department of Electrical and Computer Engineering
Iowa State University, Ames, IA 50011
(515) 294-8378
yguan (at) iastate.edu

Newsletter Editor and TC Awards Chair:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2014 Chair:
Greg Shannon
CERT
oakland14-chair@ieee-security.org

________________________________________________________________________
BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year