============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 122
September 25, 2014

Hilarie Orman, Editor                      Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org          cipher-assoc-editor @ ieee-security.org

Richard Austin                             Yong Guan
Book Review Editor                         Calendar Editor
cipher-bookrev @ ieee-security.org         cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:

* Letter from the Editor
* Commentary and Opinion and News
  o Richard Austin's review of "Penetration Testing: A Hands-On
    Introduction to Hacking" by Georgia Weidman
  o News: Apple Will Encrypt iPhone Data (Don't Lose Your Passphrase!)
  o News: Home Depot Thoroughly Hacked
  o Book reviews, Conference Reports and Commentary and News items from
    past Cipher issues are available at the Cipher website
* List of Computer Security Academic Positions, by Cynthia Irvine
* Conference and Workshop Announcements
  o Upcoming calls-for-papers and events
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

The deadline for submitting papers to the premier security and privacy
research conference is coming up soon: November 14. The IEEE Computer
Society's Security and Privacy Symposium accepts the best research papers
on all aspects of the field, and this year, again, will consider
"Systemization of Knowledge" papers. Get the LaTeX macros running and put
your best work up for review! Also, watch our ieee-security.org website
for announcements of the workshops that will accompany the Symposium.

This month Richard Austin has chosen a book about penetration testing for
his usual insightful review. When Cipher first covered this topic, many
years ago, I was unfamiliar with the shortened term "pen testing", and I
thought it was some kind of polygraph. I think this might be the first
Cipher review of a book authored by a woman.

Our news articles are taken from mainstream media, and apparently the New
York Times articles are no longer readable by non-subscribers. We'll try
to avoid them, or provide alternative sources for each topic. This time
we have notes about Home Depot and secrecy of mobile device data. The
latter reminds me that with great secrecy comes great responsibility; I
recently met someone who had made a major change in cellphones, and in
wiping the data from his old phone, lost his Bitcoins. That's putting a
real price on secrecy!

For a couple of months I've been wearing a smart watch, and it has proven
itself as an enjoyable toy. It does some useful things, though I sometimes
find myself disconcerted by the close association between my cell phone,
my watch, and my car. They definitely know too much about me, and they
whine piteously when I deny them GPS information. If they offered me more
eye candy I think I'd be less resistant, but I can see where this is
headed. Brave new world that hath such wondrous pixels.
My Android watch, by a virus may sicken,
but it keeps on tickin',

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

Apple has introduced pervasive encryption into its newest phones, and
users who want to take advantage of this strong protection need to
understand that Apple cannot help them access their encrypted data. "No
training wheels" for iOS8!

Media stories:

"Apple cannot bypass your passcode and therefore cannot access this data."
Apple expands data encryption under iOS 8, making handover to cops moot
by Cyrus Farivar
Ars Technica
Sept 17 2014
http://arstechnica.com/apple/2014/09/apple-expands-data-encryption-under-ios-8-making-handover-to-cops-moot/

Is Apple Picking a Fight With the U.S. Government? Not exactly
By Matthew Green
Slate Magazine
9/23/2014
http://www.slate.com/articles/technology/future_tense/2014/09/ios_8_encryption_why_apple_won_t_unlock_your_iphone_for_the_police.html

Apple will no longer unlock most iPhones, iPads for police, even with
search warrants
By Craig Timberg
Washington Post
September 18, 2014
http://www.washingtonpost.com/business/technology/2014/09/17/2612af58-3ed2-11e4-b03f-de718edeb92f_story.html

--------------------------------------------------------------------------

Home Depot's internal network for credit and debit card transactions was
infiltrated by persons unknown, and as a result, information about 56
million credit cards was exposed. Home Depot announced this on September
2, but the hackers had been operating since April. How did this happen?
"Home Depot sells hammers", according to an ex-employee.

Media stories:

Ex-Employees Say Home Depot Left Data Vulnerable
By Julie Creswell and Nicole Perlroth
NYTimes.com
Sept. 19, 2014
http://www.nytimes.com/2014/09/20/business/ex-employees-say-home-depot-left-data-vulnerable.html

Home Depot: 56 million cards exposed in breach
By Melvin Backman
@CNNTech
September 18, 2014
http://money.cnn.com/2014/09/18/technology/security/home-depot-hack/

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference
reports are archived at
http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Richard Austin 9/16/2014
____________________________________________________________________

Penetration Testing: A Hands-On Introduction to Hacking
by Georgia Weidman
No Starch Press 2014
ISBN 978-1-59327-564-8
Amazon.com USD 28.11
Table of Contents: http://www.nostarch.com/pentesting#toc

When the publication announcement for this book arrived in my EMAIL, my
first response was "Not another pen-testing book!" and I gazed at the
table of contents with rather a jaundiced eye. As you have probably
noticed, I have a fondness for books that require you to "do" as you
read, and Weidman's chapters on setting up a virtual lab and introducing
Kali Linux piqued my interest enough to start reading.

Weidman wasted no time in starting to rack up credibility points as she
noted that in a penetration test, you simulate attacks by actually
EXPLOITING vulnerabilities rather than just identifying them (Chapter 0).
Then on page 3, she earned her "veteran" status by noting that even a
simple port scan of a device's management port can knock it off the air
(in my experience by crashing the on-board web server).
To avoid this becoming just another catalog of tools and dialogs, the
reader will definitely want to follow the procedures in Chapter 1 to set
up the virtual lab for the book. Weidman makes use of Kali Linux, which
has an arsenal of tools already installed and avoids much time wandering
the "dependency maze" in getting the tools to run. She wisely recommends
that you use the Kali version available on the book website so that her
walkthroughs will match the tool versions. Chapters 2 through 4 provide a
brief introduction to Kali, scripting and the Metasploit framework that
prepare you for the detailed walkthroughs in later chapters.

With preliminaries out of the way, Weidman devotes the next three chapters
to the assessment phase of the penetration test. It's a pretty standard
presentation of the usual tools (whois, nmap, Nessus, Metasploit, etc.)
with accompanying introductory walkthroughs in the virtual lab
environment.

The next eight chapters are devoted to attacks, and this is where Weidman
starts to shine. She makes the solid point that in a penetration test,
you have to go beyond identifying a vulnerability and actually exploit it
where possible. And, most importantly, after a successful exploit, you
have to do something interesting (interesting to you as the pen-tester but
damaging to the customer if actually done by an adversary). The catalog of
attack methods is quite comprehensive and goes beyond the usual
exploitation of technical vulnerabilities and cracking passwords to
client-side attacks, social engineering (using SET, the Social Engineer
Toolkit) and evading anti-virus. Chapter 13, "Post Exploitation", is
highly recommended for its coverage (and walkthrough) of how to capitalize
on an initial foothold to achieve further access within the
infrastructure. She rounds out her survey of attacks with coverage of web
applications (notable for illustrating use of the Burp proxy) and
wireless.

Weidman next turns to the important topic of "Exploit Development", and
she spends four chapters covering stack-based buffer overflows, SEH
(Structured Exception Handler) overwrites, fuzzing and development of
Metasploit modules for new vulnerabilities. This section provides a
concise, all-in-one-place overview of these essential topics.

The final chapter covers Weidman's personal specialty: attacking mobile
devices. As these wandering gateways into our infrastructures and
repositories of proprietary data have become increasingly common, their
value to our adversaries has correspondingly increased. Weidman's coverage
of how these devices are attacked and use of her "Smartphone Pentest
Framework" are a valuable addition to the knowledge base of the practicing
security professional. The walkthroughs are done using emulators, so
there's no need to risk "bricking" a real device when following along
with the text.

Though I started out with reservations about the need for
yet-another-pen-testing-book, Weidman's presentation has much to recommend
it to the technical security professional. No book is ever going to make
one into a successful penetration tester, but careful study and time
invested in following her walkthroughs will provide increased
understanding of the pen-tester's craft and appreciation of our
adversaries' use of similar techniques in the field. Definitely a
recommended read.

----------------------------------------------------------
It has been said "Be careful, for writing books is endless, and much study
wears you out" so Richard Austin (http://cse.spsu.edu/raustin2) fearlessly
samples the wares of the publishing houses and opines as to which might
most profitably occupy your scarce reading time.
He welcomes your thoughts and comments via raustin at ieee dot org

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html

--------------

This job listing is maintained as a service to the academic community. If
you have an academic position in computer security and would like to have
it included on this page, send the following information: Institution,
City, State, Position title, date position announcement closes, and URL
of position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
====================================================================

 9/23/14: SLSS, International Workshop on System Level Security of
          Smartphones, Held in conjunction with SecureComm 2014, Beijing,
          China; http://www.dacas.cn/slss2014
 9/23/14- 9/25/14: eCrime, 9th Symposium on Electronic Crime Research,
          Held in conjunction with the 2014 APWG General Meeting,
          Birmingham, Alabama, USA;
          http://ecrimeresearch.org/events/ecrime2014
 9/24/14- 9/26/14: RAID, 17th International Symposium on Research in
          Attacks, Intrusions and Defenses, Gothenburg, Sweden;
          http://www.raid2014.eu/cfp.html
 9/30/14: Wiley Security and Communication Networks (SCN), Special Issue
          on Security and Privacy in Internet of Things: Methods,
          Architectures and Solutions;
          http://onlinelibrary.wiley.com/doi/10.1002/sec.1065/full;
          Submissions are due
 9/30/14: IWSAC 2014, 2nd International Workshop on Security Assurance in
          the Cloud, Held in conjunction with the 10th International
          Conference on Signal Image Technology & Internet Based Systems
          (SITIS 2014), Marrakech, Morocco;
          http://sesar.di.unimi.it/IWSAC2014; Submissions are due
10/ 1/14: IEEE Transactions on Dependable and Secure Computing, Special
          Issue on Cyber Crime;
          http://www.computer.org/cms/Computer.org/transactions/cfps/cfp_tdscsi_cc.pdf;
          Submissions are due
10/ 6/14-10/ 8/14: OSDI, 11th USENIX Symposium on Operating Systems Design
          and Implementation, Broomfield, CO, USA;
          https://www.usenix.org/conference/osdi14/call-for-papers
10/ 9/14-10/10/14: ProvSec, 8th International Conference on Provable
          Security, Hong Kong; http://home.ie.cuhk.edu.hk/~provsec14
10/10/14: IFIP119-DF, 11th Annual IFIP WG 11.9 International Conference
          on Digital Forensics, Orlando, Florida, USA;
          http://www.ifip119.org; Submissions are due
10/10/14: PPREW, 4th Program Protection and Reverse Engineering Workshop,
          Co-Located with the Annual Computer Security Applications
          Conference (ACSAC 2014), New Orleans, LA, USA;
          http://www.pprew.org; Submissions are due
10/12/14-10/14/14: ISC, 17th Information Security Conference, Hong Kong;
          http://home.ie.cuhk.edu.hk/~provsec14
10/15/14-10/16/14: LASER, Workshop on Learning from Authoritative
          Security Experiment Results, Arlington, Virginia, USA;
          http://www.laser-workshop.org
10/15/14-10/17/14: NordSec, 19th Nordic Conference on Secure IT Systems,
          Tromso, Norway; http://site.uit.no/nordsec2014/
10/16/14: WEARABLE-S&P, 1st Workshop on Wearable Security and Privacy,
          Held in conjunction with Financial Crypto (FC 2015), Isla Verde,
          Puerto Rico; http://sensible.berkeley.edu/WEARABLE-S&P15/;
          Submissions are due
10/22/14: TrustCol, 9th IEEE International Workshop on Trusted
          Collaboration, Held in conjunction with IEEE CollaborateCom
          2014, Miami, Florida, USA; http://honeynet.asu.edu/trustcol2014
10/22/14-10/24/14: CANS, 13th International Conference on Cryptology and
          Network Security, Aldemar Royal Mare Resort, Heraklion Crete,
          Greece; http://www.ics.forth.gr/cans2014
10/24/14: HOST, IEEE International Symposium on Hardware Oriented
          Security and Trust, Washington DC Metro Area, USA;
          http://www.hostsymposium.org; Submissions are due
10/26/14: ASIACCS, 10th ACM Symposium on Information, Computer and
          Communications Security, Singapore;
          http://icsd.i2r.a-star.edu.sg/asiaccs15; Submissions are due
10/27/14: CS2, 2nd Workshop on Cryptography and Security in Computing
          Systems, Co-located with HiPEAC 2015 Conference, Amsterdam, The
          Netherlands; http://www.cs2.deib.polimi.it; Submissions are due
10/27/14-10/30/14: BDSP, 1st IEEE International Workshop on Big Data
          Security and Privacy, Washington DC, USA;
          http://www.bigdatasecurityprivacyworkshop.com
10/29/14-10/31/14: CNS, 2nd IEEE Conference on Communications and Network
          Security, San Francisco, CA, USA; http://ieee-cns.org
10/29/14: M2MSec, International Workshop on Security and Privacy in
          Machine-to-Machine Communications, Held in conjunction with
          IEEE Conference on Communications and Network Security (CNS
          2014), San Francisco, CA, USA; http://www.m2m-sec.org/
10/31/14: Elsevier Computer Communications Journal, Special Issue on
          Security and Privacy in Unified Communications: Challenges and
          Solutions;
          http://www.journals.elsevier.com/computer-communications/call-for-papers/special-issue-on-security-and-privacy-in-unified-communicati/;
          Submissions are due
11/ 3/14: TrustED, 4th International Workshop on Trustworthy Embedded
          Devices, Co-located with the ACM Conference on Computer &
          Communications Security (CCS 2014), Scottsdale, Arizona, USA;
          http://www.trusted-workshop.de
11/ 3/14: MTD, 1st ACM Workshop on Moving Target Defense, Held in
          conjunction with the 21st ACM Conference on Computer and
          Communications Security (ACM-CCS 2014), Scottsdale, Arizona,
          USA; http://csis.gmu.edu/MTD2014
11/ 3/14: WISCS, 1st ACM Workshop on Information Sharing and
          Collaborative Security, Held in conjunction with the 21st ACM
          Conference on Computer and Communications Security (ACM-CCS
          2014), Scottsdale, Arizona, USA;
          https://sites.google.com/site/wiscs2014/
11/ 3/14: SafeConfig, Workshop on Cyber Security Analytics and
          Automation, Held in conjunction with the 21st ACM Conference on
          Computer and Communications Security (CCS 2014), Scottsdale,
          Arizona, USA; http://www.cyberdna.uncc.edu/safeconfig/2014/
11/ 3/14-11/ 7/14: ACM-CCS, 21st ACM Conference on Computer and
          Communications Security, The Scottsdale Plaza Resort,
          Scottsdale, Arizona, USA; http://www.sigsac.org/ccs/CCS2014/
11/ 7/14: CCSW, ACM Cloud Computing Security Workshop (CCSW), Held in
          conjunction with the 21st ACM Conference on Computer and
          Communications Security (CCS 2014), Scottsdale, Arizona, USA;
          http://digitalpiglet.org/nsac/ccsw14/
11/10/14: VizSec, 11th Visualization for Cyber Security, Paris, France;
          http://www.vizsec.org
11/22/14: PETS, 15th Privacy Enhancing Technologies Symposium,
          Philadelphia, PA, USA; https://www.petsymposium.org/2015/;
          Submissions are due
11/23/14-11/27/14: IWSAC 2014, 2nd International Workshop on Security
          Assurance in the Cloud, Held in conjunction with the 10th
          International Conference on Signal Image Technology & Internet
          Based Systems (SITIS 2014), Marrakech, Morocco;
          http://sesar.di.unimi.it/IWSAC2014
12/ 8/14-12/ 9/14: SKM, International Conference on Secure Knowledge
          Management, BITS Pilani, Dubai;
          http://www.bits-dubai.ac.ae/skm2014/index.html
12/ 9/14: PPREW, 4th Program Protection and Reverse Engineering Workshop,
          Co-Located with the Annual Computer Security Applications
          Conference (ACSAC 2014), New Orleans, LA, USA;
          http://www.pprew.org
 1/ 7/15: IoTPTS, Workshop on IoT Privacy, Trust, and Security, Held in
          conjunction with ASIACCS 2015, Singapore;
          https://sites.google.com/site/iotpts/; Submissions are due
 1/19/15- 1/21/15: CS2, 2nd Workshop on Cryptography and Security in
          Computing Systems, Co-located with HiPEAC 2015 Conference,
          Amsterdam, The Netherlands; http://www.cs2.deib.polimi.it
 1/26/15- 1/28/15: IFIP119-DF, 11th Annual IFIP WG 11.9 International
          Conference on Digital Forensics, Orlando, Florida, USA;
          http://www.ifip119.org
 1/27/15- 1/30/15: ACSW-AISC, Australasian Information Security
          Conference, Held as part of Australasian Computer Science Week,
          Sydney, Australia;
          http://homepages.ecs.vuw.ac.nz/Users/Ian/ACSW_AISC2015
 1/30/15: WEARABLE-S&P, 1st Workshop on Wearable Security and Privacy,
          Held in conjunction with Financial Crypto (FC 2015), Isla Verde,
          Puerto Rico; http://sensible.berkeley.edu/WEARABLE-S&P15/
 2/ 9/15- 2/11/15: ICISSP, 1st International Conference on Information
          Systems Security and Privacy, ESEO, Angers, Loire Valley,
          France; http://www.icissp.org/
 2/15/15: PETS, 15th Privacy Enhancing Technologies Symposium,
          Philadelphia, PA, USA; https://www.petsymposium.org/2015/;
          Submissions are due
 3/ 2/15- 3/ 4/15: CODASPY, 5th ACM Conference on Data and Application
          Security and Privacy, San Antonio, Texas, USA;
          http://www.codaspy.org/
 3/ 4/15- 3/ 6/15: ESSoS, 6th International Symposium on Engineering
          Secure Software and Systems, Milan, Italy;
          https://distrinet.cs.kuleuven.be/events/essos/2015/calls-papers.html
 4/14/15: IoTPTS, Workshop on IoT Privacy, Trust, and Security, Held in
          conjunction with ASIACCS 2015, Singapore;
          https://sites.google.com/site/iotpts/
 4/14/15- 4/16/15: HST, 14th annual IEEE Symposium on Technologies for
          Homeland Security, Boston, Massachusetts, USA;
          http://ieee-hst.org/
 4/14/15- 4/17/15: ASIACCS, 10th ACM Symposium on Information, Computer
          and Communications Security, Singapore;
          http://icsd.i2r.a-star.edu.sg/asiaccs15
 5/ 5/15- 5/ 7/15: HOST, IEEE International Symposium on Hardware
          Oriented Security and Trust, Washington DC Metro Area, USA;
          http://www.hostsymposium.org
 5/18/15- 5/20/15: Security and Privacy Symposium and Workshops, San
          Jose, CA, USA; http://www.ieee-security.org
 6/30/15- 7/ 2/15: PETS, 15th Privacy Enhancing Technologies Symposium,
          Philadelphia, PA, USA; https://www.petsymposium.org/2015/

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers (new since Cipher E121)
___________________________________________________________________

Wiley Security and Communication Networks (SCN), Special Issue on Security and Privacy
in Internet of Things: Methods, Architectures and Solutions, Summer/Autumn,
2015, (Submissions Due 30 September 2014)
http://onlinelibrary.wiley.com/doi/10.1002/sec.1065/full
Editor: Guangjie Han (Hohai University, China), Lei Shu (Guangdong
University of Petrochemical Technology, China), Sammy Chan (City
University of Hong Kong, Hong Kong, China), and Jiankun Hu (University of
New South Wales at the Australian Defence Force Academy, Australia).

Internet of Things (IoT) is a rapidly developing research area across
various technological fields including computer science, electronic
engineering, mobile and wireless communications, embedded systems, etc.
Many technologies serve as the building blocks of this new paradigm, such
as wireless sensor networks (WSN), RFID, cloud services,
machine-to-machine interfaces (M2M), and so on. IoT will allow billions
of objects in the physical world as well as virtual environments to
exchange data with each other in an autonomous way so as to create smart
environments such as automotive, healthcare, logistics, environmental
monitoring, and many others. However, IoT introduces new challenges for
the security of systems and processes and the privacy of individuals.
Protecting the information in IoT is a complex and difficult task. IoT
requires global connectivity and accessibility, which means anyone can
access it at any time and in any way. As a result, the number of attack
vectors available to malicious attackers might become staggering.
Furthermore, the inherent complexity of the IoT, where multiple
heterogeneous entities located in different contexts can exchange
information with each other, further complicates the design and
deployment of efficient, interoperable and scalable security mechanisms.
Ubiquitous and cloud computing also make the problem of privacy leakage
urgent. As a result, there is an increasing demand for development of
new security and privacy approaches to guarantee the security, privacy,
integrity and availability of resources in the IoT.

This special issue aims to bring together state-of-the-art contributions
on Internet of Things Security and Privacy: discover the existing IoT
security challenges, introduce threats and attacker models that can be
applied to IoT architectures, design methods of secure IoT applications
and architectures, collect quality research proposals with a solid
background in both theoretical and practical aspects. Original,
unpublished contributions are solicited in all aspects of this
discipline. Suitable topics include but are not limited to the following
in the context of IoT:
- Cyber security in the IoT
- Secure policy, model and architecture for the IoT
- Security and privacy for the IoT network and systems
- Secure communication technologies for the IoT
- Security and privacy in cloud computing applied to the IoT
- Security and privacy in sensor networks applied to the IoT
- Security and privacy in parallel and distributed systems applied to the IoT
- Intrusion detection and avoidance techniques for the IoT
- Identity, authentication, authorization and accounting techniques for the IoT
- Threat and vulnerability modeling for the IoT
- Lightweight cryptographic solutions for the IoT
- Key agreement, distribution and management techniques for the IoT
- Privacy and anonymity techniques for the IoT
- Trust establishment, negotiation and management techniques for the IoT
- Trusted network computing, operating systems, software and applications for the IoT
- Risk and reputation management techniques for the IoT
- Secure network protocols and frameworks for the IoT
- Secure access control technologies and frameworks for the IoT
- Secure solutions for realization of IoT
- Privacy-preserving IoT applications

-------------------------------------------------------------------------

IWSAC 2014 2nd
International Workshop on Security Assurance in the Cloud, Held in
conjunction with the 10th International Conference on Signal Image
Technology & Internet Based Systems (SITIS 2014), Marrakech, Morocco,
November 23-27, 2014. (Submissions Due 30 September 2014)
http://sesar.di.unimi.it/IWSAC2014

The ongoing merger between Service-Oriented Architectures (SOAs) and the
Cloud computing paradigm provides a new environment fostering the
integration of services located within company boundaries with those in
the Cloud. An increasing number of organizations implement their business
processes and applications via runtime composition of services made
available in the Cloud by external suppliers. This scenario is changing
the traditional view of security, introducing new service security risks
and threats, and requires re-thinking of current assurance, development,
testing, and verification methodologies. In particular, security
assurance in the cloud is becoming a pressing need to increase the
confidence of the cloud actors that the cloud and its services are
behaving as expected, and requires novel approaches addressing SOA and
cloud peculiarities.

IWSAC 2014 is the continuation of the International Workshop on Securing
Services on the Cloud, held in September 2011, Milan, Italy. It aims to
address the security assurance issues related to the deployment of
services in the Cloud, along with evaluating their impact on traditional
security solutions for software and network systems. The workshop seeks
submissions from academia and industry presenting novel research on all
theoretical and practical aspects of security and assurance of services
implemented in the Cloud, as well as experimental studies in Cloud
infrastructures, the implementation of services, and lessons learned.
Topics of interest include, but are not limited to:
- Authentication and access control in the cloud
- Challenges in moving critical systems to the cloud
- Cloud accountability
- Cloud audit
- Cloud compliance
- Cloud certification
- Cloud transparency, introspection, and outrospection
- Cybersecurity in the cloud
- Data security and privacy in the Cloud
- Information assurance and trust management
- Intrusion detection in the Cloud
- Security assurance in the cloud
- Security and assurance protocols in the Cloud
- Service level agreements
- Service procurement in the cloud
- Service verification in critical cloud services
- Test-based and monitoring-based verification of cloud services

-------------------------------------------------------------------------

IEEE Transactions on Dependable and Secure Computing, Special Issue on
Cyber Crime, 2015, (Submissions Due 1 October 2014)
http://www.computer.org/cms/Computer.org/transactions/cfps/cfp_tdscsi_cc.pdf
Editor: Wojciech Mazurczyk (Warsaw University of Technology, Poland),
Thomas J. Holt (School of Criminal Justice, Michigan State University,
USA), and Krzysztof Szczypiorski (Warsaw University of Technology,
Poland)

Cyber crimes reflect the evolution of criminal practices that have
adapted to the world of information and communication technologies.
Cybercriminality has become a curse of the modern world with the
potential to affect everyone nationally and/or internationally.
Individuals, companies, governments and institutions may become victims
as well as (involuntary) helpers of cyber criminals. The inability to
provide cyber-security can potentially have a tremendous socio-economic
impact on global enterprises as well as individuals. The aim of this
special issue is to bring together the research accomplishments provided
by the researchers from academia and the industry. The other goal is to
show the latest research results in the field of cyber crime.
Prospective authors will be encouraged to submit related distinguished
research papers on the subject of both theoretical approaches and
practical case reviews. Topics of interest include, but are not limited
to:
- Cyber-crime science
- Emerging cybercriminal techniques and countermeasures
- Cyber forensics and anti-forensic procedures, techniques, tools and analysis
- Cyber crime investigations & incident response
- Active and passive cyber crime defense techniques, tools and mechanisms
- Cybersecurity testbeds, tools, methodologies
- Cyber threat modeling analysis, cyber risk and vulnerability assessment
- Cyber warfare & cyber terrorism
- Cybersecurity economic modeling and metrics
- Cybersecurity standards, policy, law, and regulation
- Legal, ethical and policy issues related to cyber crime
- Human and behavioral issues in cyber crime
- Network traffic analysis and modelling for cyber crime science
- Deviant activities and crime patterns
- Insider threat detection and prevention
- Misuse of personal data and the right to online privacy

-------------------------------------------------------------------------

IFIP119-DF 2015 11th Annual IFIP WG 11.9 International Conference on
Digital Forensics, Orlando, Florida, USA, January 26-28, 2015.
(Submissions Due 10 October 2014)
http://www.ifip119.org

The IFIP Working Group 11.9 on Digital Forensics (www.ifip119.org) is an
active international community of scientists, engineers and practitioners
dedicated to advancing the state of the art of research and practice in
digital forensics. The Eleventh Annual IFIP WG 11.9 International
Conference on Digital Forensics will provide a forum for presenting
original, unpublished research results and innovative ideas related to
the extraction, analysis and preservation of all forms of electronic
evidence. Papers and panel proposals are solicited. All submissions will
be refereed by a program committee comprising members of the Working
Group. Papers and panel submissions will be selected based on their
technical merit and relevance to IFIP WG 11.9. The conference will be
limited to approximately sixty participants to facilitate interactions
between researchers and intense discussions of critical research issues.
Keynote presentations, revised papers and details of panel discussions
will be published as an edited volume - the eleventh volume in the
well-known Research Advances in Digital Forensics book series (Springer,
Heidelberg, Germany) during the summer of 2015. Technical papers are
solicited in all areas related to the theory and practice of digital
forensics. Areas of special interest include, but are not limited to:
- Theories, techniques and tools for extracting, analyzing and preserving digital evidence
- Network and cloud forensics
- Embedded device forensics
- Digital forensic processes and workflow models
- Digital forensic case studies
- Legal, ethical and policy issues related to digital forensics

-------------------------------------------------------------------------

PPREW 2014 4th Program Protection and Reverse Engineering Workshop,
Co-Located with the Annual Computer Security Applications Conference
(ACSAC 2014), New Orleans, LA, USA, December 9, 2014.
(Submissions Due 10 October 2014)
http://www.pprew.org

Program protection and reverse engineering are dualisms of good and evil.
Beneficial uses of reverse engineering abound: malicious software needs
to be analyzed and understood in order to prevent its spread and to
assess its functional footprint; owners of intellectual property (IP) at
times need to recover lost or unmaintained designs. Conversely, malicious
reverse engineering allows illegal copying and subversion; designers can
employ obfuscation and tamper-proofing on IP to target various attack
vectors.
In this sense, protecting IP and protecting malware from detection and analysis is a double-edged sword: depending on the context, the same techniques are either beneficial or harmful. Likewise, tools that deobfuscate malware in good contexts become analysis methods that support reverse engineering for illegal activity. PPREW invites papers on practical and theoretical approaches for program protection and reverse engineering used in beneficial contexts, focusing on analysis/deobfuscation of malicious code and methods/tools that hinder reverse engineering. Ongoing work with preliminary results, theoretical approaches, tool-based methods, and empirical studies on various methods are all appropriate. Studies on hardware/circuit based methods or software/assembly based mechanisms are within scope of the workshop. We expect the workshop to provide exchange of ideas and support for cooperative relationships among researchers in industry, academia, and government. Topics of interest include, but are not limited to, the following:
- Obfuscation / Deobfuscation (polymorphism)
- Tamper-proofing / Hardware-based protection
- Theoretic proofs for exploitation or protection
- Software watermarking / Digital fingerprinting
- Reverse engineering tools and techniques
- Side channel analysis and vulnerability mitigation
- Program / circuit slicing
- Information hiding and discovery
- Virtualization for protection and/or analysis
- Forensic and anti-forensic protection
- Moving target and active cyber defense
- Theoretic analysis frameworks (Abstract Interpretation, Homomorphic Encryption, Term Rewriting Systems, Machine Learning, Large Scale Boolean Matching)
- Component / Functional Identification
- Program understanding
- Source code (static/dynamic) analysis techniques

------------------------------------------------------------------------
WEARABLE-S&P 2015
1st Workshop on Wearable Security and Privacy,
Held in conjunction with Financial Crypto (FC 2015),
Isla Verde, Puerto Rico, January 30, 2015.
(Submissions Due 16 October 2014)
http://sensible.berkeley.edu/WEARABLE-S&P15/

This workshop focuses on the unique challenges of security and privacy for wearable devices. The demand for a variety of technologies in wearable devices has increased in recent years. Products ranging from Google Glass, to EEG brainwave signal readers, to heart rate monitors, have opened up many new applications, but also give rise to concerns involving security and privacy. This workshop seeks papers addressing the unique challenges of security and privacy for wearable computing devices. Suggested topics include (but are not limited to) empirical and theoretical studies of:
- Novel biometrics
- Behavioral biometrics
- Multi-factor authentication with wearable sensors
- Usability of wearable authentication
- Robustness of wearable authentication systems
- Wearable payment systems
- Bio-cryptographic security protocols
- Attacks against wearable systems
- User impact of attacks on wearable systems
- Access control for wearable data sharing
- User testing of wearable security features
- Economics of security for wearable technologies
- Body-worn cameras and sousveillance
- Augmented reality security and privacy
- Privacy of pervasive eye-tracking
- Understanding user privacy concerns for wearable technologies
- User testing of privacy features for wearable technologies
- Privacy notifications for wearable recording devices
- Economics of privacy for wearable technologies

-------------------------------------------------------------------------
HOST 2015
IEEE International Symposium on Hardware Oriented Security and Trust,
Washington DC Metro Area, USA, May 5-7, 2015.
(Abstract Submissions Due 24 October 2014 and Paper Submissions Due 31 October 2014)
http://www.hostsymposium.org

The focus of modern computational and communication systems has been shifting from effective sharing of well-protected, scarce, and expensive resources to large-scale information exchange among a plurality of users that communicate using protected mobile devices and sensors, which can be placed in potentially hostile environments. Additionally, integrated circuit synthesis and manufacturing techniques are now complex and distributed, with a number of potential security vulnerabilities. Security has emerged as a metric of paramount importance. The scope of system security now includes, in addition to encrypted communication, properties such as privacy, anonymity, and trust. The starting and ending points for all system and application vulnerabilities and defense mechanisms are hardware. The initial impetus was provided by government agencies and individual efforts, but recently a number of coordinated research projects have been undertaken by essentially all hardware and system companies. The IEEE International Symposium on Hardware Oriented Security and Trust (HOST) aims to facilitate the rapid growth of hardware-based security research and development. HOST seeks original contributions in the area of hardware and system security. Relevant research topics include techniques, tools, design/test methods, architectures, circuits, and applications of secure hardware.
HOST 2015 invites contributions that are related to, but not limited by, the following topics:
- Hardware Trojan attacks and detection techniques
- Hardware-based security primitives (PUFs, PPUFs, HRNG)
- Security, privacy, and trust protocols using hardware security primitives
- Trusted information flow
- Trusted design using untrusted tools
- Trusted manufacturing including split manufacturing
- Remote integrated circuit enabling and disabling and IP watermarking
- Undeniable hardware metering techniques
- Techniques and metrics for hardware system data confidentiality and hardware design confidentiality, integrity, and authenticity
- Reverse engineering and hardware obfuscation
- Side-channel attacks and techniques for their prevention
- Supply chain risk mitigation including counterfeit detection & avoidance
- Hardware tampering attacks
- Hardware authentication techniques
- Hardware techniques that ensure software and/or system security
- Trusted remote sensing and computing
- Hardware attestation techniques

-------------------------------------------------------------------------
ASIACCS 2015
10th ACM Symposium on Information, Computer and Communications Security,
Singapore, April 14-17, 2015.
(Submissions Due 26 October 2014)
http://icsd.i2r.a-star.edu.sg/asiaccs15

ASIACCS is a major international forum for information security researchers, practitioners, developers, and users to explore and exchange the newest cyber security ideas, breakthroughs, findings, techniques, tools, and experiences. We invite submissions from academia, government, and industry presenting novel research on all theoretical and practical aspects of computer and network security.
Areas of interest for ASIACCS 2015 include, but are not limited to:
- Access control
- Accounting and audit
- Applied cryptography
- Authentication
- Cloud computing security
- Cyber-physical security
- Data and application security
- Digital forensics
- Embedded systems security
- Formal methods for security
- Hardware-based security
- Intrusion detection
- Key management
- Malware and botnets
- Mobile computing security
- Network security
- Operating system security
- Privacy-enhancing technology
- Security architectures
- Security metrics
- Software security
- Smart grid security
- Threat modelling
- Trusted computing
- Usable security and privacy
- Web security
- Wireless security

-------------------------------------------------------------------------
Elsevier Computer Communications Journal,
Special Issue on Security and Privacy in Unified Communications: Challenges and Solutions, 2015.
(Submissions Due 31 October 2014)
http://www.journals.elsevier.com/computer-communications/call-for-papers/special-issue-on-security-and-privacy-in-unified-communicati/
Editors: Georgios Karopoulos (Joint Research Centre (JRC), Italy), Georgios Portokalidis (Stevens Institute of Technology, USA), Josep Domingo-Ferrer (Universitat Rovira i Virgili, Catalonia), Ying-Dar Lin (National Chiao Tung University (NCTU), Taiwan), Dimitris Geneiatakis (Joint Research Centre (JRC), Italy), and Georgios Kambourakis (University of the Aegean, Greece)

Unified Communications (UC) merge different communication technologies, types of products, and services, from various manufacturers, operators, and countries, following diverse policies and standards. Specifically, in the context of UC, a range of communication tools are integrated in a way that both corporations and individuals are able to manage all their communications in one entity instead of doing it disjointly.
It is therefore said that UC bridges the gap between the various computer-related communication technologies and Voice over IP (VoIP). However, this high level of heterogeneity expands the risks related to security and privacy that stakeholders have to deal with. To eliminate or even prevent the increasing threats to end-users and operators, it is important to explore this growing and timely research topic. This feature topic will benefit the research community by identifying challenges and disseminating the latest methodologies and solutions to UC security and privacy issues. Its objective is to publish high-quality articles presenting open issues, algorithms, protocols, policies, frameworks, standards, and solutions for UC related to security and privacy. Only technical papers describing previously unpublished, original, state-of-the-art research, and not currently under review by a conference or a journal, will be considered. Reviews and case studies which address state-of-the-art research and state-of-practice industry experiences are also welcome.
We solicit papers on a variety of topics related to unified communications security and privacy, including, but not limited to:
- Authorization and access control for UC services
- Denial of service prevention schemes for UC
- Reliability and availability issues on UC
- Penetration testing, intrusion detection and prevention
- End-to-end security solutions
- Cryptographic protocols for UC
- Voice security
- Signaling security and privacy
- Multimedia application security and privacy analysis
- Multimedia communication platforms vulnerabilities and attacks
- Security and privacy in mobile communication services
- Smartphone multimedia apps security and privacy
- Social networking security and privacy
- Testbed and case studies for secure and private UC services
- Trust establishment in UC
- IP Multimedia Subsystem (IMS) security
- Privacy and identity management
- Privacy enhancing technologies for UC
- Privacy models for UC
- Security and privacy assessment for UC
- Security policies
- Auditing, verification, and validation of UC services
- Risk analysis and management
- Cyber-security issues affecting UC
- Protection of UC as a Critical Information Infrastructure
- VoIP peering security issues

-------------------------------------------------------------------------
Security and Privacy Symposium
San Jose, California, May 18-20, 2015.
(Submissions due November 14, 2014)
http://www.ieee-security.org

Since 1980, the IEEE Symposium on Security and Privacy has been the premier forum for computer security research, presenting the latest developments and bringing together researchers and practitioners. We solicit previously unpublished papers offering novel research contributions in any aspect of security or privacy. Papers may present advances in the theory, design, implementation, analysis, verification, or empirical evaluation and measurement of secure systems.
Topics of interest include:
- Access control
- Accountability
- Anonymity
- Application security
- Attacks and defenses
- Authentication
- Censorship and censorship-resistance
- Cloud security
- Distributed systems security
- Embedded systems security
- Forensics
- Hardware security
- Intrusion detection
- Malware
- Metrics
- Mobile security and privacy
- Language-based security
- Network security
- Privacy-preserving systems
- Protocol security
- Secure information flow
- Security and privacy policies
- Security architectures
- System security
- Usable security and privacy
- Web security and privacy

This topic list is not meant to be exhaustive; S&P is interested in all aspects of computer security and privacy. Papers without a clear application to security or privacy, however, will be considered out of scope and may be rejected without full review. Given the rapidly expanding and maturing security and privacy community, we hope to increase the acceptance rate of papers that are more far-reaching and risky, as long as those papers also show sufficient promise for creating interesting discussions and questioning widely-held beliefs.

Systematization of Knowledge Papers

Following the success of recent years' conferences, we are also soliciting papers focused on systematization of knowledge (SoK). The goal of this call is to encourage work that evaluates, systematizes, and contextualizes existing knowledge. Such work can provide a high value to our community but may not be accepted because of a lack of novel research contributions. Suitable papers are those that provide important new insights on established, major research areas or support or challenge long-held beliefs with compelling evidence. Papers that survey research areas without providing such insights are not appropriate. Submissions will be distinguished by the prefix "SoK:" in the title and a checkbox on the submission form.
They will be reviewed by the full PC and held to the same standards as traditional research papers, except that instead of emphasizing novel research contributions the emphasis will be on value to the community. Accepted papers will be presented at the symposium and included in the proceedings.

----------------------------------------------------------------------------
PETS 2015
15th Privacy Enhancing Technologies Symposium,
Philadelphia, PA, USA, June 30 - July 2, 2015.
(Submissions Due 22 November 2014 or 15 February 2015)
https://www.petsymposium.org/2015/

The annual Privacy Enhancing Technologies Symposium (PETS) brings together privacy and anonymity experts from around the world to discuss recent advances and new perspectives. PETS addresses the design and realization of privacy services for the Internet and other data systems and communication networks. Papers should present novel practical and/or theoretical research into the design, analysis, experimentation, or fielding of privacy-enhancing technologies. While PETS has traditionally been home to research on anonymity systems and privacy-oriented cryptography, we strongly encourage submissions in a number of both well-established and some emerging privacy-related topics.

*** New starting this year ***: Papers will undergo a journal-style reviewing process and be published in the Proceedings on Privacy Enhancing Technologies (PoPETs). PoPETs, a scholarly journal for timely research papers on privacy, has been established as a way to improve reviewing and publication quality while retaining the highly successful PETS community event. PoPETs will be published by De Gruyter Open (http://degruyteropen.com/), the world's second largest publisher of Open Access academic content, and part of the De Gruyter group (http://www.degruyter.com/), which has over 260 years of publishing history. Authors can submit papers to one of several submission deadlines during the year.
Papers are provided with major/minor revision decisions on a predictable schedule, where we endeavor to assign the same reviewers to major revisions. Authors can address the concerns of reviewers in their revision and rebut reviewer comments before a final decision on acceptance is made. Papers accepted for publication by May 15th will be presented at that year's symposium. Note that accepted papers must be presented at PETS. Suggested topics include but are not restricted to:
- Behavioural targeting
- Building and deploying privacy-enhancing systems
- Crowdsourcing for privacy
- Cryptographic tools for privacy
- Data protection technologies
- Differential privacy
- Economics of privacy and game-theoretical approaches to privacy
- Forensics and privacy
- Human factors, usability and user-centered design for PETs
- Information leakage, data correlation and generic attacks to privacy
- Interdisciplinary research connecting privacy to economics, law, ethnography, psychology, medicine, biotechnology
- Location and mobility privacy
- Measuring and quantifying privacy
- Obfuscation-based privacy
- Policy languages and tools for privacy
- Privacy and human rights
- Privacy in ubiquitous computing and mobile devices
- Privacy in cloud and big-data applications
- Privacy in social networks and microblogging systems
- Privacy-enhanced access control, authentication, and identity management
- Profiling and data mining
- Reliability, robustness, and abuse prevention in privacy systems
- Surveillance
- Systems for anonymous communications and censorship resistance
- Traffic analysis
- Transparency enhancing tools

-------------------------------------------------------------------------
IoTPTS 2015
Workshop on IoT Privacy, Trust, and Security,
Held in conjunction with ASIACCS 2015, Singapore, April 14, 2015.
(Submissions Due 7 January 2015)
https://sites.google.com/site/iotpts/

The Internet of Things (IoT) is the next great technology frontier.
At a basic level, IoT refers simply to networked devices, but the IoT vision is a complex ecosystem that ranges from cloud backend services and big-data analytics to home, public, industrial, and wearable sensor devices and appliances. Architectures for these systems are in the formative stages, and now is the time to ensure privacy, trust, and security are designed into these systems from the beginning. We encourage submissions on all aspects of IoT privacy, trust, and security. Topics of interest include (but are not limited to) the following areas:
- Privacy and IoT data
- Privacy attacks for IoT
- Trust management and device discoverability for IoT
- Usability of privacy and security systems in IoT
- User risk perceptions and modeling for IoT
- Policy management and enforcement for IoT
- Authentication and access control for users for IoT
- Cryptography for IoT
- Attack detection and remediation for IoT
- Security architectures for IoT systems and applications

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".
   OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL
http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended.

Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at
https://www.ieee.org/membership-catalog/productdetail/showProductDetailPage.html?product=CMYSP728

______________________________________________________________________
TC Publications for Sale
______________________________________________________________________

The proceedings of previous conferences are available from the Computer Society's Digital Library.
IEEE Security and Privacy Symposium
IEEE CS Press

____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________

Chair:
Patrick McDaniel
Computer Science and Engineering
Pennsylvania State University
360 A IST Building
University Park, PA 16802
(814) 863-3599
mcdaniel@cse.psu.edu

Security and Privacy Symposium Chair Emeritus:
Greg Shannon
CERT
oakland14-chair@ieee-security.org

Vice Chair:
Ulf Lindqvist
SRI International
Menlo Park, CA
ulf.lindqvist@sri.com

Treasurer:
Yong Guan
3219 Coover Hall
Department of Electrical and Computer Engineering
Iowa State University, Ames, IA 50011
(515) 294-8378
yguan (at) iastate.edu

Newsletter Editor and TC Awards Chair:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2015 Chair:
Sean Peisert
UC Davis and Lawrence Berkeley National Laboratory
oakland15-chair@ieee-security.org

________________________________________________________________________
BACK ISSUES:
Cipher is archived at: http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year