============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 124                                    January 20, 2015

Hilarie Orman, Editor                 Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org     cipher-assoc-editor @ ieee-security.org

Richard Austin                        Yong Guan
Book Review Editor                    Calendar Editor
cipher-bookrev @ ieee-security.org    cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * Commentary and Opinion and News
    o Richard Austin's review of "Black Hat Python: Python Programming for Hackers and Pentesters" by Justin Seitz
    o News items from the media
       - Malware vs. steel mill, Software 1, Furnace 0?
       - Is Your Smart TV Outsmarting You?
       - Don't Worry About NSA, Anyone Can Listen to Your Phone Calls
       - New Malware Earns Kudos from Experts
       - NSA Says It Watched North Korean Hackers Before SONY Hack
    o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Conference and Workshop Announcements
    o Calendar of Events
    o Calls-for-Papers
 * Staying in Touch
    o Information for subscribers and contributors
    o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
    o Becoming a member of the TC
    o TC Officers
    o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

I recently bought a TV without realizing that it was "smart" --- meaning that it "connects to the Internet and sends personal data to companies." My watch, my car, my phone, and now, "et tu TV?" If Stuxnet and the Sony hack have not convinced you that we need some great ideas to protect our privacy and security, then nothing will.

Those great ideas will come from collaborations of many talented people, but by some measures, the diversity of the pool of academic researchers in our field is decreasing. The GREPSEC workshop, in May, is a small step towards remedying that decrease, and perhaps it will turn out to attract some of the students who will eventually help pull us out of the spiral of connectedness and damage. Graduate students in minority demographic groups need to apply by February 28. See the events calendar in this issue for the pointers to more information for this and many other goings on.

The program for the Security and Privacy Symposium, the flagship conference of our sponsoring entity, the IEEE Computer Society's Technical Committee on Security and Privacy, will be announced in a few weeks from now.
Dozens of papers covering cutting-edge research will comprise the program, and the conference will commence in mid-May. Watch the website via www.ieee-security.org for information on the program and registration.

Our steady book reviewer, Richard Austin, likes a new book about using Python programs to root out (pun intended) network hackers.

If you have noticed a barrage of calls from people with heavy accents warning you about malware on your computer, you are not alone. If you have a bit of time to spare, advise them to change their passwords, reformat their hard drive, and reinstall the operating systems. You can brighten up the day of a bored young foreigner.

Driving under the influence of outdated software and a self-signed certificate,

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
News Briefs
====================================================================

Malware vs. steel mill, Software 1, Furnace 0?
A Cyberattack Has Caused Confirmed Physical Damage for the Second Time Ever
http://www.wired.com/2015/01/german-steel-mill-hack-destruction
WIRED, Jan 8, 2015
By Kim Zetter

This article from WIRED cites a short section of a German report on cybersecurity for 2014. The report says that malware caused a furnace to malfunction and become unusable. The comparisons to the Stuxnet malware come to mind, but there are no details about the exploit. Was it specifically targeted at this facility? How and why? How can other industrial sites protect themselves?

---------------------------------------------------

Is Your Smart TV Outsmarting You?
CES: Security Risks From the Smart Home
http://www.nytimes.com/2015/01/08/technology/personaltech/ces-security-risks-from-the-smart-home.html
NYTimes.com
By Molly Wood
Jan 7, 2015

Edith Ramirez, chairwoman of the Federal Trade Commission, addressed the International CES (high-tech electronics show) attendees with warnings about the risks of having household items constantly connected to the Internet.

Ford announced that it would experiment with collecting driving information from volunteers. The information might be used to compute individualized insurance rates, for example. Drivers should not worry, because Ford's chief executive Mark Fields told attendees that his company would be "trusted stewards" of personal data.

---------------------------------------------------

Don't Worry About NSA, Anyone Can Listen to Your Phone Calls
German researchers discover a flaw that could let anyone listen to your cell calls
http://www.washingtonpost.com/blogs/the-switch/wp/2014/12/18/german-researchers-discover-a-flaw-that-could-let-anyone-listen-to-your-cell-calls-and-read-your-texts/?hpid=z3
The Washington Post, By Craig Timberg
December 18, 2014

The phone companies still rely on the venerable SS7 switch for routing calls. The software for the switches supports a variety of functions that can be exploited by hackers to divert calls or change user forwarding functions. Even encryption offers little protection, as shown in some experiments in Germany.

---------------------------------------------------

New Malware Earns Kudos from Experts
'Regin' malware described as 'groundbreaking and almost peerless'
http://money.cnn.com/2014/11/23/technology/security/regin-malware-symantec/index.html?hpt=hp_t2
CNNMoney
Nov. 23, 2014

Experts at the security company Symantec say that the software package is a comprehensive intelligence gathering tool. The predominant occurrences are in Russia and Saudi Arabia.
---------------------------------------------------

NSA Says It Watched North Korean Hackers Before SONY Hack
N.S.A. Breached North Korean Networks Before Sony Attack, Officials Say
http://www.nytimes.com/2015/01/19/world/asia/nsa-tapped-into-north-korean-networks-before-sony-attack-officials-say.html?_r=0
New York Times
by David E. Sanger and Martin Fackler
Jan. 18, 2015

The NSA claims that it developed deep hooks into North Korea's computer networks even before the Sony hack. Despite their surveillance of the sites, NSA did not realize that North Korea had discovered the access credentials of a Sony system administrator. NSA says its classified program has provided information that validates its claim that North Korea was behind the vandalism.

---------------------------------------------------

News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Richard Austin
1/14/2015
____________________________________________________________________

Black Hat Python: Python Programming for Hackers and Pentesters
by Justin Seitz
No Starch Press 2015.
ISBN 978-1-59327-590-7
Book Web Site: http://www.nostarch.com/blackhatpython

To cut to the chase, this is a charming little book on using Python to do interesting, security-related tasks quickly with a minimum of fuss and bother. The writing style is both fast-paced and lively. I thought to spend a few minutes exploring the book but was quickly captured by "It can't be that easy! Let's see."
and the next thing I knew, I was halfway through the book.

The book opens with a quick setup of Kali Linux in a virtual machine and installing the Wing interactive development environment. This is done to get the reader up and running quickly with a minimum of bother with prerequisites but if you already have Python installed on your platform of choice, you are pretty much ready to dive right in.

After the first three pages of chapter 2, "The Network: Basics", you will have scripted opening an HTTP connection to Google. Though I was somewhat familiar with Python, I have to admit this was a "Wow!" moment. The script is quick and dirty with no error checking but it works. The action doesn't pause there but speeds on to implementing a network server and SSH tunneling. By the end of the chapter, one feels like one is a Python ninja but there is much more to come.

Chapter 3, "The Network: Raw Packets and Sniffing", definitely should be introduced with "You think that's cool? You ain't seen nothing yet!" In a scant 12 pages, Seitz guides you through building a pretty functional packet sniffer and host discovery tool. And to be clear, this isn't the "type-this-in-and-here's-what-you'll-see" type of presentation; Seitz's clear explanations go far beyond annotated code listings into actually teaching you how to get things done.

As the table of contents shows, the pace never slows as the remainder of the book guides the reader in building even more functional tools (though the tools aren't really the point but rather what the reader learns in putting them together).

When you turn page 161 and find that you've finished the book, you'll likely be disappointed that there's nothing more. Seitz anticipates your disappointment with "homework" assignments peppered through the text and an invitation to let him know what kinds of interesting things you've gone on to implement in Python.
This is a fascinating book that frankly will seduce you into spending quality time reading it and working through its many examples. In return, you'll gain a powerful new tool that will make you wonder how you ever got along without it. Definitely a recommended read for the technical security professional with some basic previous exposure to Python.

-------------------------------

It has been said "Be careful, for writing books is endless, and much study wears you out" so Richard Austin (http://cse.spsu.edu/raustin2) fearlessly samples the wares of the publishing houses and opines as to which might most profitably occupy your scarce reading time. He welcomes your thoughts and comments via raustin at ieee dot org

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html

--------------

This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
====================================================================

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events
maintained by Hilarie Orman

Date (Month/Day/Year), Event, Locations, web page for more info.

1/19/15- 1/21/15: CS2, 2nd Workshop on Cryptography and Security in Computing Systems, Co-located with HiPEAC 2015 Conference, Amsterdam, The Netherlands; http://www.cs2.deib.polimi.it
1/20/15: GenoPri, 2nd International Workshop on Genome Privacy and Security, Held in conjunction with IEEE Symposium on Security and Privacy (SP 2015), San Jose, CA, USA; http://www.genopri.org/; Submissions are due
1/20/15: SACMAT, 20th ACM Symposium on Access Control Models and Technologies, Vienna, Austria; http://www.sacmat.org/; Submissions are due
1/23/15: IWPE, 1st International Workshop on Privacy Engineering, Held in conjunction with IEEE Symposium on Security and Privacy (SP 2015), San Jose, CA, USA; http://ieee-security.org/TC/SPW2015/IWPE/; Submissions are due
1/26/15- 1/28/15: IFIP119-DF, 11th Annual IFIP WG 11.9 International Conference on Digital Forensics, Orlando, Florida, USA; http://www.ifip119.org
1/27/15- 1/30/15: ACSW-AISC, Australasian Information Security Conference, Held as part of Australasian Computer Science Week, Sydney, Australia; http://homepages.ecs.vuw.ac.nz/Users/Ian/ACSW_AISC2015
1/30/15: WEARABLE-S&P, 1st Workshop on Wearable Security and Privacy, Held in conjunction with Financial Crypto (FC 2015), Isla Verde, Puerto Rico; http://sensible.berkeley.edu/WEARABLE-S&P15/
1/30/15: CAV, 27th International Conference on Computer Aided Verification, San Francisco, California, USA; http://i-cav.org/2015/; Submissions are due
2/ 8/15: NDSS-USEC, NDSS Workshop on Usable Security, San Diego, California, USA; http://www.internetsociety.org/events/ndss-symposium-2015/usec-workshop-call-papers
2/ 8/15: DIMVA, 12th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Milano, Italy; http://www.dimva2015.it; Submissions are due
2/ 9/15- 2/11/15: ICISSP, 1st International Conference on Information Systems Security and Privacy, ESEO, Angers, Loire Valley, France; http://www.icissp.org/
2/10/15: WiSec, 8th ACM Conference on
Security and Privacy in Wireless and Mobile Networks, New York City, NY, USA; http://www.sigsac.org/wisec/WiSec2015/; Submissions are due
2/13/15: EUSIPCO, 23rd European Signal Processing Conference, Information Forensics and Security Track, Nice, Cote d' Azur, France; http://www.eusipco2015.org; Submissions are due
2/15/15: PETS, 15th Privacy Enhancing Technologies Symposium, Philadelphia, PA, USA; https://www.petsymposium.org/2015/; Submissions are due
2/16/15: LangSec, 2nd Workshop on Language-Theoretic Security, Held in conjunction with IEEE Symposium on Security and Privacy (SP 2015), San Jose, CA, USA; http://spw15.langsec.org/index.html; Submissions are due
2/16/15: USENIX-Security, 24th USENIX Security Symposium, Washington, D.C., USA; https://www.usenix.org/conference/usenixsecurity15; Submissions are due
2/17/15: RFIDSec, 11th Workshop on RFID Security, Co-located with ACM WiSec 2015, New York City, NY, USA; http://rfidsec2015.iaik.tugraz.at/; Submissions are due
2/22/15: MoST, Mobile Security Technologies Workshop, an event of the IEEE Computer Society's Security and Privacy Workshops (SPW 2015), Held in conjunction with the 34th IEEE Symposium on Security and Privacy (IEEE SP 2015), The Fairmont Hotel, San Jose, CA, USA; http://ieee-security.org/TC/SPW2015/MoST/; Submissions are due
2/27/15: WEIS, 14th Annual Workshop on the Economic of Information Security, Delft University of Technology, The Netherlands; http://weis2015.econinfosec.org/; Submissions are due
2/28/15: Second Workshop for Underrepresented Groups in Computer Security Research (GREPSEC); http://www.ieee-security.org/grepsec San Jose, CA; Applications are due
2/28/15: EDFC, National Conference on Ethics and Digital Forensics, Arlington, VA, USA; http://edfc.thecenter.uab.edu; Submissions are due
3/ 1/15: IEEE Cloud Computing, Special Issue on Legal Clouds: How to Balance Privacy with Legitimate Surveillance and Lawful Data Access;
http://www.computer.org/portal/web/computingnow/call-for-paper-cloud-computing-july-august; Submissions are due
3/ 2/15- 3/ 4/15: CODASPY, 5th ACM Conference on Data and Application Security and Privacy, San Antonio, Texas, USA; http://www.codaspy.org/
3/ 2/15- 3/ 4/15: SPA, International Workshop on Security and Privacy Analytics Co-located with ACM CODASPY 2015, San Antonio, TX, USA; http://capex.cs.uh.edu/?q=secanalysis2015
3/ 3/15: SECRYPT, 12th International Conference on Security and Cryptography, Colmar, Alsace, France; http://www.secrypt.icete.org; Submissions are due
3/ 4/15- 3/ 6/15: ESSoS, 6th International Symposium on Engineering Secure Software and Systems, Milan, Italy; https://distrinet.cs.kuleuven.be/events/essos/2015/calls-papers.html
3/ 6/15: SOUPS, Symposium On Usable Privacy and Security, Ottawa, Canada; http://cups.cs.cmu.edu/soups/; Submissions are due
3/31/15: HAISA, International Symposium on Human Aspects of Information Security & Assurance, Lesvos, Greece; http://haisa.org/; Submissions are due
4/ 4/15: ESORICS, 20th European Symposium on Research in Computer Security, Vienna, Austria; http://www.esorics2015.sba-research.org; Submissions are due
4/14/15: IoTPTS, Workshop on IoT Privacy, Trust, and Security, Held in conjunction with ASIACCS 2015, Singapore; https://sites.google.com/site/iotpts/
4/14/15: CPSS, 1st Cyber-Physical System Security Workshop, Held in conjunction with ACM AsiaCCS 2015, Singapore; http://icsd.i2r.a-star.edu.sg/cpss15
4/14/15- 4/16/15: HST, 14th annual IEEE Symposium on Technologies for Homeland Security, Boston, Massachusetts, USA; http://ieee-hst.org/
4/14/15- 4/17/15: ASIACCS, 10th ACM Symposium on Information, Computer and Communications Security, Singapore; http://icsd.i2r.a-star.edu.sg/asiaccs15
4/15/15: NSS, 9th International Conference on Network and System Security, New York City, NY, USA; http://anss.org.au/nss2015/index.htm; Submissions are due
4/24/15: CNS, 3rd IEEE Conference on Communications and
Network Security, Florence, Italy; http://cns2015.ieee-cns.org/; Submissions are due
5/ 1/15: Elsevier Future Generation Computer Systems, Special Issue on Cloud Cryptography: State of the Art and Recent Advances; http://www.journals.elsevier.com/future-generation-computer-systems/call-for-papers/special-issue-on-cloud-cryptography-state-of-the-art-and-rec/; Submissions are due
5/ 5/15- 5/ 7/15: HOST, IEEE International Symposium on Hardware Oriented Security and Trust, Washington DC Metro Area, USA; http://www.hostsymposium.org
5/ 5/15- 5/ 8/15: ISPEC, 11th International Conference on Information Security Practice and Experience, Beijing, China; http://icsd.i2r.a-star.edu.sg/ispec2015/
5/13/15- 5/15/15: EDFC, National Conference on Ethics and Digital Forensics, Arlington, VA, USA; http://edfc.thecenter.uab.edu
5/16/15- 5/17/15: Second Workshop for Underrepresented Groups in Computer Security Research (GREPSEC) http://www.ieee-security.org/grepsec; San Jose, CA; NP
5/18/15- 5/20/15: SP, 36th IEEE Symposium on Security and Privacy, San Jose, CA, USA; http://www.ieee-security.org/TC/SP2015/
5/21/15: W2SP, Web 2.0 Security and Privacy Workshop, Held in conjunction with IEEE Symposium on Security and Privacy (SP 2015), San Jose, CA, USA; http://ieee-security.org/TC/SPW2015/W2SP/cfp.html
5/21/15: GenoPri, 2nd International Workshop on Genome Privacy and Security, Held in conjunction with IEEE Symposium on Security and Privacy (SP 2015), San Jose, CA, USA; http://www.genopri.org/
5/21/15: IWPE, 1st International Workshop on Privacy Engineering, Held in conjunction with IEEE Symposium on Security and Privacy (SP 2015), San Jose, CA, USA; http://ieee-security.org/TC/SPW2015/IWPE/
5/21/15: LangSec, 2nd Workshop on Language-Theoretic Security, Held in conjunction with IEEE Symposium on Security and Privacy (SP 2015), San Jose, CA, USA; http://spw15.langsec.org/index.html
5/21/15: MoST, Mobile Security Technologies Workshop, an event of the IEEE Computer Society's Security
and Privacy Workshops (SPW 2015), Held in conjunction with the 34th IEEE Symposium on Security and Privacy (IEEE SP 2015), The Fairmont Hotel, San Jose, CA, USA; http://ieee-security.org/TC/SPW2015/MoST/
5/22/15: IEICE Transactions on Information and Systems, Special Issue on Information and Communication System Security; http://www.ieice.org/~icss/index.en.html; Submissions are due
6/ 1/15- 6/ 3/15: SACMAT, 20th ACM Symposium on Access Control Models and Technologies, Vienna, Austria; http://www.sacmat.org/
6/ 2/15- 6/ 5/15: ACNS, 13th International Conference on Applied Cryptography and Network Security, New York, NY, USA; http://acns2015.cs.columbia.edu/
6/ 7/15- 6/11/15: DAC-Security Track, Design Automation Conference, San Francisco, CA, USA; https://dac.com/submission-categories/hardware-and-software-security
6/22/15- 6/23/15: WEIS, 14th Annual Workshop on the Economic of Information Security, Delft University of Technology, The Netherlands; http://weis2015.econinfosec.org/
6/22/15- 6/26/15: WiSec, 8th ACM Conference on Security and Privacy in Wireless and Mobile Networks, New York City, NY, USA; http://www.sigsac.org/wisec/WiSec2015/
6/22/15- 6/23/15: RFIDSec, 11th Workshop on RFID Security, Co-located with ACM WiSec 2015, New York City, NY, USA; http://rfidsec2015.iaik.tugraz.at/
6/30/15- 7/ 2/15: PETS, 15th Privacy Enhancing Technologies Symposium, Philadelphia, PA, USA; https://www.petsymposium.org/2015/
7/ 1/15- 7/3/15: HAISA, International Symposium on Human Aspects of Information Security & Assurance, Lesvos, Greece; http://haisa.org/
7/ 9/15- 7/10/15: DIMVA, 12th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Milano, Italy; http://www.dimva2015.it
7/18/15- 7/24/15: CAV, 27th International Conference on Computer Aided Verification, San Francisco, California, USA; http://i-cav.org/2015/
7/20/15- 7/22/15: SECRYPT, 12th International Conference on Security and Cryptography, Colmar, Alsace, France;
http://www.secrypt.icete.org
7/22/15- 7/24/15: SOUPS, Symposium On Usable Privacy and Security, Ottawa, Canada; http://cups.cs.cmu.edu/soups/
8/12/15- 8/14/15: USENIX-Security, 24th USENIX Security Symposium, Washington, D.C., USA; https://www.usenix.org/conference/usenixsecurity15
8/31/15- 9/ 4/15: EUSIPCO, 23rd European Signal Processing Conference, Information Forensics and Security Track, Nice, Cote d' Azur, France; http://www.eusipco2015.org
9/23/15- 9/25/15: ESORICS, 20th European Symposium on Research in Computer Security, Vienna, Austria; http://www.esorics2015.sba-research.org
9/28/15- 9/30/15: CNS, 3rd IEEE Conference on Communications and Network Security, Florence, Italy; http://cns2015.ieee-cns.org/
11/ 3/15-11/ 5/15: NSS, 9th International Conference on Network and System Security, New York City, NY, USA; http://anss.org.au/nss2015/index.htm

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers (new since Cipher E123)
____________________________________________________________________

GenoPri 2015 2nd International Workshop on Genome Privacy and Security, Held in conjunction with IEEE Symposium on Security and Privacy (SP 2015), San Jose, CA, USA, May 21, 2015.
(Submissions Due 20 January 2015)
http://www.genopri.org/

Over the past several decades, genome sequencing technologies have evolved from slow and expensive systems that were limited in access to a select few scientists and forensics investigators to high-throughput, relatively low-cost tools that are available to consumers.
A consequence of such technical progress is that genomics has become one of the next major challenges for privacy and security because (1) genetic diseases can be unveiled, (2) the propensity to develop specific diseases (such as Alzheimer's) can be revealed, (3) a volunteer, accepting to have his genomic code made public, can leak substantial information about his ethnic heritage and the genomic data of his relatives (possibly against their will), and (4) complex privacy issues can arise if DNA analysis is used for criminal investigations and medical purposes. As genomics is increasingly integrated into healthcare and "recreational" services (e.g., ancestry testing), the risk of DNA data leakage is serious for both individuals and their relatives. Failure to adequately protect such information could lead to a serious backlash, impeding genomic research, that could affect the well-being of our society as a whole. This prompts the need for research and innovation in all aspects of genome privacy and security, as suggested by the non-exhaustive list of topics below:
- Privacy-preserving analysis of and computation on genomic data
- Security and privacy metrics for the leakage of genomic data
- Cross-layer attacks to genome privacy
- Access control for genomic data
- Differentiated access rights for medical professionals
- Quantification of genome privacy
- De-anonymization attacks against genomic databases
- Efficient cryptographic techniques for enhancing security/privacy of genomic data
- Privacy enhancing technologies for genomic data
- Implications of synthetic DNA for privacy
- Applications of differential privacy to the protection of genomic data
- Storage and long-term safety of genomic data
- Secure sharing of genomic data between different entities
- Trust in genomic research and applications
- Social and economic issues for genome privacy and security
- Ethical and legal issues in genomics
- Studies of policy efforts in genomics
- User studies and
  perceptions
- Social and economic issues for genome privacy
- Studies of issues and challenges with informed consent
- Privacy issues in transcriptomics and proteomics
- Systematization-of-knowledge of genome privacy and security research

-------------------------------------------------------------------------

SACMAT 2015 20th ACM Symposium on Access Control Models and Technologies, Vienna, Austria, June 1-3, 2015.
(Submissions Due 20 January 2015)
http://www.sacmat.org/

The ACM Symposium on Access Control Models and Technologies (SACMAT) is the premier forum for the presentation of research results and experience reports on leading edge issues of access control, including models, systems, applications, and theory. The aims of the symposium are to share novel access control solutions that fulfil the needs of heterogeneous applications and environments, and to identify new directions for future research and development. SACMAT provides researchers and practitioners with a unique opportunity to share their perspectives with others interested in the various aspects of access control. Papers offering novel research contributions in all aspects of access control are solicited for submission to the 20th ACM Symposium on Access Control Models and Technologies (SACMAT 2015). Accepted papers will be presented at the symposium and published by the ACM in the symposium proceedings.
Topics of interest include but are not limited to:
- Access Intelligence
- Administration
- Applications
- Attribute-based systems
- Authentication
- Big data
- Biometrics
- Cloud computing
- Cryptographic approaches
- Cyber-physical systems
- Databases and data management
- Design methodology
- Distributed and mobile systems
- Economic models and game theory
- Enforcement
- Hardware enhanced
- Identity management
- Mechanisms, systems, and tools
- Models and extensions
- Obligations
- Policy engineering and analysis
- Requirements
- Risk
- Safety analysis
- Standards
- Theoretical foundations
- Trust management
- Usability

-------------------------------------------------------------------------

IWPE 2015 1st International Workshop on Privacy Engineering, Held in conjunction with IEEE Symposium on Security and Privacy (SP 2015), San Jose, CA, USA, May 21, 2015.
(Submissions Due 23 January 2015)
http://ieee-security.org/TC/SPW2015/IWPE/

Ongoing news reports regarding global surveillance programs, massive personal data breaches in corporate databases, and notorious examples of personal tragedies due to privacy violations have intensified societal demands for privacy-friendly systems. In response, current legislative and standardization processes worldwide aim to strengthen individuals' privacy by introducing legal and organizational frameworks that personal data collectors and processors must follow. However, in practice, these initiatives alone are not enough to guarantee that organizations and software developers will be able to identify and adopt appropriate privacy engineering techniques in their daily practices. Even if so, it is difficult to systematically evaluate whether the systems they develop using such techniques comply with legal frameworks, provide necessary technical assurances, and fulfill users' privacy requirements.
It is evident that research is needed in developing techniques that can aid the translation of legal and normative concepts, as well as user expectations, into systems requirements. Furthermore, methods that can support organizations and engineers in developing (socio-)technical systems that address these requirements are of increasing value to respond to the existing societal challenges associated with privacy. While there is a consensus on the benefits of an engineering approach to privacy, concrete proposals for processes, models, methodologies, techniques and tools that support engineers and organizations in this endeavor are few and in need of immediate attention. To cover this gap, the topics of the International Workshop on Privacy Engineering (IWPE'15) focus on all the aspects surrounding privacy engineering, ranging from its theoretical foundations, engineering approaches, and support infrastructures, to its practical application in projects of different scale. IWPE'15 welcomes papers that focus on novel solutions on the recent developments in the general area of privacy engineering.
Topics of interest include, but are not limited to:
- Integration of law and policy compliance into the development process
- Privacy impact assessment
- Privacy risk management models
- Privacy breach recovery Methods
- Technical standards, heuristics and best practices for privacy engineering
- Privacy engineering in technical standards
- Privacy requirements elicitation and analysis methods
- User privacy and data protection requirements
- Management of privacy requirements with other system requirements
- Privacy requirements operationalization
- Privacy engineering strategies and design patterns
- Privacy architectures
- Privacy engineering and databases
- Privacy engineering in the context of interaction design and usability
- Privacy testing and evaluation methods
- Validation and verification of privacy requirements
- Engineering Privacy Enhancing Technologies
- Models and approaches for the verification of privacy properties
- Tools supporting privacy engineering
- Teaching and training privacy engineering
- Adaptations of privacy engineering into specific software development processes
- Pilots and real-world applications
- Privacy engineering and accountability
- Organizational, legal, political and economic aspects of privacy engineering

-------------------------------------------------------------------------

TELERISE 2015 1st International Workshop on TEchnical and LEgal aspects of data pRIvacy and SEcurity, Co-located with ICSE 2015, Florence, Italy, May 18, 2015.
(Submissions Due 23 January 2015)
http://www.iit.cnr.it/telerise2015/

Information sharing is essential for today's business and societal transactions. Nevertheless, such a sharing should not violate the security and privacy requirements dictated by Law, by internal regulations of organisations, and by data subjects. An effectual, rapid, and unfailing electronic data sharing among different parties, while protecting legitimate rights on these data, is a key issue with several shades.
Among them, how to translate the high-level law obligations, business constraints, and users' requirements into system-level privacy policies, providing efficient and practical solutions for policy definition and enforcement. TELERISE aims at providing a forum for researchers and engineers, in academia and industry, to foster an exchange of research results, experiences, and products in the area of privacy preserving and secure data management, from a technical and legal perspective. The ultimate goal is to conceive new trends and ideas on designing, implementing, and evaluating solutions for privacy-preserving information sharing, with an eye to cross-relations between ICT and regulatory aspects of data management.

Topics of interest are (but not limited to):
- Model-based and experimental assessment of data protection
- Privacy in identity management and authentication
- Modelling and analysis languages for representation, visualization, specification of legal regulations
- Technical, legal and user requirements for data protection
- User-friendly authoring tools to edit privacy preferences
- IT infrastructures for privacy and security policies management
- IT infrastructure for supporting privacy and security policies evolution
- Privacy and security policies conflict analysis and resolution strategies
- Electronic Data Sharing Agreements Representation: Languages and Management Infrastructure
- Cross-relations between privacy-preserving technical solutions and legal regulations
- Privacy aware access and usage control
- Privacy and security policies enforcement mechanisms
- Privacy preserving data allocation and storage
- Software systems compliance with applicable laws and regulations
- Heuristic for pattern identification in law text
- Empirical analysis of consumer's awareness of privacy and security policies

-------------------------------------------------------------------------
CAV 2015 27th International Conference on Computer Aided Verification, San
Francisco, California, USA, July 18-24 2015. (Submissions Due 30 January 2015)
http://i-cav.org/2015/

CAV 2015 is the 27th in a series dedicated to the advancement of the theory and practice of computer-aided formal analysis methods for hardware and software systems. CAV considers it vital to continue spurring advances in hardware and software verification while expanding to new domains such as biological systems and computer security. The conference covers the spectrum from theoretical results to concrete applications, with an emphasis on practical verification tools and the algorithms and techniques that are needed for their implementation. The proceedings of the conference will be published in the Springer LNCS series. A selection of papers will be invited to a special issue of Formal Methods in System Design and the Journal of the ACM.

Topics of interest include but are not limited to:
- Algorithms and tools for verifying models and implementations
- Hardware verification techniques
- Deductive, compositional, and abstraction techniques for verification
- Program analysis and software verification
- Verification methods for parallel and concurrent hardware/software systems
- Testing and run-time analysis based on verification technology
- Applications and case studies in verification
- Decision procedures and solvers for verification
- Mathematical and logical foundations of practical verification tools
- Verification in industrial practice
- Algorithms and tools for system synthesis
- Hybrid systems and embedded systems verification
- Verification techniques for security
- Formal models and methods for biological systems

-------------------------------------------------------------------------
DIMVA 2015 12th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Milano, Italy, July 9-10, 2015.
(Submissions Due 8 February 2015)
http://www.dimva2015.it

The annual DIMVA conference serves as a premier forum for advancing the state of the art in intrusion detection, malware detection, and vulnerability assessment. Each year, DIMVA brings together international experts from academia, industry, and government to present and discuss novel research in these areas. This year, due to the increased threats against critical infrastructures and industrial control systems, we encourage submissions in these areas. Specifically, we welcome strong technical contributions that consider the cross-area obstacles (e.g., privacy, societal and legal aspects) that arise when deploying protection measures in the real world.

-------------------------------------------------------------------------
WiSec 2015 8th ACM Conference on Security and Privacy in Wireless and Mobile Networks, New York City, NY, USA, June 22-26, 2015. (Submissions Due 10 February 2015)
http://www.sigsac.org/wisec/WiSec2015/

ACM WiSec is the leading ACM and SIGSAC conference dedicated to all aspects of security and privacy in wireless and mobile networks and their applications. In addition to the traditional ACM WiSec topics of physical, link, and network layer security, we welcome papers focusing on the security and privacy of mobile software platforms, usable security and privacy, biometrics, cryptography, and the increasingly diverse range of mobile or wireless applications such as Internet of Things, and Cyber-Physical Systems. The conference welcomes both theoretical as well as systems contributions.

Topics of interest include, but are not limited to:
- Mobile malware and platform security
- Security & Privacy for Smart Devices (e.g., Smartphones)
- Wireless and mobile privacy and anonymity
- Secure localization and location privacy
- Cellular network fraud and security
- Jamming attacks and defenses
- Key extraction, agreement, or distribution
- Theoretical foundations, cryptographic primitives, and formal methods
- NFC and smart payment applications
- Security and privacy for mobile sensing systems
- Wireless or mobile security and privacy in health, automotive, avionics, or smart grid applications
- Self-tracking/Quantified Self Security and Privacy
- Physical Tracking Security and Privacy
- Usable Mobile Security and Privacy
- Economics of Mobile Security and Privacy
- Bring Your Own Device (BYOD) Security

-------------------------------------------------------------------------
EUSIPCO 2015 23rd European Signal Processing Conference, Information Forensics and Security Track, Nice, Cote d'Azur, France, August 31 - September 4, 2015. (Submissions Due 13 February 2015)
http://www.eusipco2015.org

EUSIPCO is the flagship conference of the European Association for Signal Processing (EURASIP). EUSIPCO 2015 will feature world-class speakers, oral and poster sessions, keynotes, exhibitions, demonstrations and tutorials and is expected to attract in the order of 600 leading researchers and industry figures from all over the world. The Information Forensics and Security Track addresses all works whereby security is achieved through a combination of techniques from cryptography, computer security, machine learning and multimedia signal processing.

-------------------------------------------------------------------------
PETS 2015 15th Privacy Enhancing Technologies Symposium, Philadelphia, PA, USA, June 30 - July 2, 2015.
(Submissions Due 22 November 2014 or 15 February 2015)
https://www.petsymposium.org/2015/

The annual Privacy Enhancing Technologies Symposium (PETS) brings together privacy and anonymity experts from around the world to discuss recent advances and new perspectives. PETS addresses the design and realization of privacy services for the Internet and other data systems and communication networks. Papers should present novel practical and/or theoretical research into the design, analysis, experimentation, or fielding of privacy-enhancing technologies. While PETS has traditionally been home to research on anonymity systems and privacy-oriented cryptography, we strongly encourage submissions in a number of both well-established and some emerging privacy-related topics.

*** New starting this year ***: Papers will undergo a journal-style reviewing process and be published in the Proceedings on Privacy Enhancing Technologies (PoPETs). PoPETs, a scholarly journal for timely research papers on privacy, has been established as a way to improve reviewing and publication quality while retaining the highly successful PETS community event. PoPETs will be published by De Gruyter Open (http://degruyteropen.com/), the world's second largest publisher of Open Access academic content, and part of the De Gruyter group (http://www.degruyter.com/), which has over 260 years of publishing history. Authors can submit papers to one of several submission deadlines during the year. Papers are provided with major/minor revision decisions on a predictable schedule, where we endeavor to assign the same reviewers to major revisions. Authors can address the concerns of reviewers in their revision and rebut reviewer comments before a final decision on acceptance is made. Papers accepted for publication by May 15th will be presented at that year's symposium. Note that accepted papers must be presented at PETS.

Suggested topics include but are not restricted to:
- Behavioural targeting
- Building and deploying privacy-enhancing systems
- Crowdsourcing for privacy
- Cryptographic tools for privacy
- Data protection technologies
- Differential privacy
- Economics of privacy and game-theoretical approaches to privacy
- Forensics and privacy
- Human factors, usability and user-centered design for PETs
- Information leakage, data correlation and generic attacks to privacy
- Interdisciplinary research connecting privacy to economics, law, ethnography, psychology, medicine, biotechnology
- Location and mobility privacy
- Measuring and quantifying privacy
- Obfuscation-based privacy
- Policy languages and tools for privacy
- Privacy and human rights
- Privacy in ubiquitous computing and mobile devices
- Privacy in cloud and big-data applications
- Privacy in social networks and microblogging systems
- Privacy-enhanced access control, authentication, and identity management
- Profiling and data mining
- Reliability, robustness, and abuse prevention in privacy systems
- Surveillance
- Systems for anonymous communications and censorship resistance
- Traffic analysis
- Transparency enhancing tools

-------------------------------------------------------------------------
LangSec 2015 2nd Workshop on Language-Theoretic Security, Held in conjunction with IEEE Symposium on Security and Privacy (SP 2015), San Jose, CA, USA, May 21, 2015. (Submissions Due 16 February 2015)
http://spw15.langsec.org/index.html

LangSec workshop solicits contributions related to the growing area of language-theoretic security. LangSec offers a coherent explanation for the "science of insecurity" as more than an ad hoc collection of software mistakes or design flaws. This explanation is predicated on the connection between fundamental computability principles and the continued existence of software flaws.
LangSec posits that the only path to trustworthy software that takes untrusted inputs is treating all valid or expected inputs as a formal language and treating the respective input-handling routines as a recognizer for that language. The LangSec approach to system design is primarily concerned with achieving practical assurance: development that is rooted in fundamentally sound computability theory, but is expressed as efficient and practical systems components. One major objective of the workshop is to develop and share this viewpoint with attendees and the broader systems security community to help establish a foundation for research based on LangSec principles. The overall goal of the workshop is to bring more clarity and focus to two complementary areas: (1) practical software assurance and (2) vulnerability analysis (identification, characterization, and exploit development). The LangSec community views these activities as related and highly structured engineering disciplines and seeks to provide a forum to explore and develop this relationship.

-------------------------------------------------------------------------
USENIX-Security 2015 24th USENIX Security Symposium, Washington, D.C., USA, August 12-14, 2015. (Submissions Due 16 February 2015)
https://www.usenix.org/conference/usenixsecurity15

The USENIX Security Symposium brings together researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in the security and privacy of computer systems and networks. All researchers are encouraged to submit papers covering novel and scientifically significant practical works in computer security.

Refereed paper submissions are solicited in all areas relating to systems research in security and privacy, including but not limited to:
- Systems security
- Cryptographic implementation analysis and construction, applied cryptography
- Programming language security
- Web security
- Hardware security
- Network security
- Privacy-enhancing technologies, anonymity
- Human-computer interaction, security, and privacy
- Social issues and security
- Security analysis
- Security measurement studies

-------------------------------------------------------------------------
RFIDSec 2015 11th Workshop on RFID Security, Co-located with ACM WiSec 2015, New York City, NY, USA, June 22-23, 2015. (Submissions Due 17 February 2015)
http://rfidsec2015.iaik.tugraz.at/

The RFIDSec workshop is the premier international venue on the latest technological advances in security and privacy in Radio Frequency Identification (RFID). The 11th edition of RFIDSec continues the effort to broaden the scope towards solutions for security and privacy in related constrained environments: Internet of Things, NFC devices, Wireless Tags, and more. Attendees from academia, industry and government can network with a broad range of international experts. The workshop will include both invited and contributed talks. We invite researchers to submit their latest results in Security and Privacy for RFID as well as for associated technologies.

Topics of interest include:
- Implementations of cryptography and protocols with constrained resources in terms of energy, power, computation resources and memory footprint
- Lightweight cryptography and cryptographic protocols
- Efficient and secure processor architectures for constrained environments
- Tamper and reverse-engineering resistant designs for constrained platforms
- Side-channel and fault attacks as well as countermeasures
- Novel implementations of cryptography to support privacy and untraceability
- Cross-layer engineering of constrained secure implementations within secure systems
- Novel technologies and applications such as NFC, IC anti-counterfeiting, and Internet of Things
- Design issues related to scalability, large-scale deployment and management of secure tags

-------------------------------------------------------------------------
MoST 2015 Mobile Security Technologies Workshop, an event of the IEEE Computer Society's Security and Privacy Workshops (SPW 2015), Held in conjunction with the 34th IEEE Symposium on Security and Privacy (IEEE SP 2015), The Fairmont Hotel, San Jose, CA, USA, May 21, 2015. (Submissions Due 22 February 2015)
http://ieee-security.org/TC/SPW2015/MoST/

Mobile Security Technologies (MoST) brings together researchers, practitioners, policy makers, and hardware and software developers of mobile systems to explore the latest understanding and advances in the security and privacy for mobile devices, applications, and systems.

The scope of MoST 2015 includes, but is not limited to, security and privacy specifically for mobile devices and services related to:
- Device hardware
- Operating systems
- Middleware
- Mobile web
- Secure and efficient communication
- Secure application development tools and practices
- Privacy
- Vulnerabilities and remediation techniques
- Usable security
- Identity and access control
- Risks in putting trust in the device vs.
in the network/cloud
- Special applications, such as medical monitoring and records
- Mobile advertisement
- Secure applications and application markets
- Economic impact of security and privacy technologies

-------------------------------------------------------------------------
WEIS 2015 14th Annual Workshop on the Economics of Information Security, Delft University of Technology, The Netherlands, June 22-23, 2015. (Submissions Due 27 February 2015)
http://weis2015.econinfosec.org/

The Workshop on the Economics of Information Security (WEIS) is the leading forum for interdisciplinary scholarship on information security and privacy, combining expertise from the fields of economics, social science, business, law, policy, and computer science. Prior workshops have explored the role of incentives between attackers and defenders of information systems, identified market failures surrounding Internet security, quantified risks of personal data disclosure, and assessed investments in cyber-defense. WEIS 2015 will build on past efforts using empirical and analytic tools not only to understand threats, but also to strengthen security and privacy through novel evaluations of available solutions. We encourage economists, computer scientists, legal scholars, business school researchers, security and privacy specialists, as well as industry experts to submit their research and participate by attending the workshop.

Suggested topics include (but are not limited to) empirical and theoretical studies of:
- Optimal investment in information security
- Models and analysis of online crime
- Risk management and cyber-insurance
- Security standards and regulation
- Cyber-security and privacy policy
- Cyber-defense strategy and game theory
- Security and privacy models and metrics
- Economics of privacy and anonymity
- Behavioral security and privacy
- Vulnerability discovery, disclosure, and patching
- Incentives for information sharing and cooperation
- Incentives regarding pervasive monitoring threats

-------------------------------------------------------------------------
EDFC 2015 National Conference on Ethics and Digital Forensics, Arlington, VA, USA, May 13-15, 2015. (Extended Abstract Submissions Due 28 February 2015)
http://edfc.thecenter.uab.edu

The National Science Foundation (NSF) and Alabama Cyber Research Consortium (ALCRC) are hosting the first interdisciplinary conference on professional ethics and digital forensics: Professional Ethics and Digital Forensics: An Interdisciplinary Conference. This conference will provide opportunities for both academics and practitioners to address a pressing issue in digital forensics: the lack of unifying ethical standards, procedures and guidelines for routine activities, such as digital forensic analysis, cybercrime case processing, and data mining/surveillance. This conference will also explore cyber ethics from the following interdisciplinary perspectives: Digital Forensic Investigations, Social and Behavioral Sciences, Jurisprudence, and Cyber Education and Awareness.

-------------------------------------------------------------------------
IEEE Cloud Computing, Special Issue on Legal Clouds: How to Balance Privacy with Legitimate Surveillance and Lawful Data Access.
(Submissions Due 1 March 2015)
http://www.computer.org/portal/web/computingnow/call-for-paper-cloud-computing-july-august

Editors: Kim-Kwang Raymond Choo (University of South Australia, Australia), and Rick Sarre (University of South Australia, Australia)

This special issue will focus on cutting edge research from both academia and industry on the topic of balancing cloud user privacy with legitimate surveillance and lawful data access, with a particular focus on cross-disciplinary research. For example, how can we design technologies that will enhance "guardianship" and the "deterrent" effect in cloud security at the same time as reducing the "motivations" of cybercriminals?

Topics of interest include but are not limited to:
- Advanced cloud security
- Cloud forensics and anti-forensics
- Cloud incident response
- Cloud information leakage detection and prevention
- Enhancing and/or preserving cloud privacy
- Cloud surveillance
- Crime prevention strategies
- Legal issues relating to surveillance
- Enhancing privacy technology for cloud-based apps

-------------------------------------------------------------------------
SECRYPT 2015 12th International Conference on Security and Cryptography, Colmar, Alsace, France, July 20 - 22, 2015. (Submissions Due 3 March 2015)
http://www.secrypt.icete.org

SECRYPT is an annual international conference covering research in information and communication security. The conference seeks submissions from academia, industry, and government presenting novel research on all theoretical and practical aspects of data protection, privacy, security, and cryptography. Papers describing the application of security technology, the implementation of systems, and lessons learned are also encouraged. Papers describing new methods or technologies, advanced prototypes, systems, tools and techniques and general survey papers indicating future directions are also encouraged.

Topics of interest include:
- Access Control
- Applied Cryptography
- Biometrics Security and Privacy
- Critical Infrastructure Protection
- Data Integrity
- Data Protection
- Database Security and Privacy
- Digital Forensics
- Digital Rights Management
- Ethical and Legal Implications of Security and Privacy
- Formal Methods for Security
- Human Factors and Human Behavior Recognition Techniques
- Identification, Authentication and Non-repudiation
- Identity Management
- Information Hiding
- Information Systems Auditing
- Insider Threats and Countermeasures
- Intellectual Property Protection
- Intrusion Detection & Prevention
- Management of Computing Security
- Network Security
- Organizational Security Policies
- Peer-to-Peer Security
- Personal Data Protection for Information Systems
- Privacy
- Privacy Enhancing Technologies
- Reliability and Dependability
- Risk Assessment
- Secure Software Development Methodologies
- Security and Privacy for Big Data
- Security and privacy in Complex Systems
- Security and Privacy in Crowdsourcing
- Security and Privacy in IT Outsourcing
- Security and Privacy in Location-based Services
- Security and Privacy in Mobile Systems
- Security and Privacy in Pervasive/Ubiquitous Computing
- Security and Privacy in Smart Grids
- Security and Privacy in Social Networks
- Security and Privacy in the Cloud
- Security and Privacy in Web Services
- Security and Privacy Policies
- Security Area Control
- Security Deployment
- Security Engineering
- Security in Distributed Systems
- Security Information Systems Architecture
- Security Management
- Security Metrics and Measurement
- Security Protocols
- Security requirements
- Security Verification and Validation
- Sensor and Mobile Ad Hoc Network Security
- Service and Systems Design and QoS Network Security
- Software Security
- Trust management and Reputation Systems
- Ubiquitous Computing Security
- Wireless Network Security

-------------------------------------------------------------------------
SOUPS 2015 Symposium On Usable Privacy and Security, Ottawa, Canada, July 22-24, 2015. (Submissions Due 6 March 2015)
http://cups.cs.cmu.edu/soups/

The 2015 Symposium on Usable Privacy and Security (SOUPS) will bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy. We invite authors to submit original papers describing research or experience in all areas of usable privacy and security. We welcome a variety of research methods, including both qualitative and quantitative approaches.

Topics include, but are not limited to:
- innovative security or privacy functionality and design
- new applications of existing models or technology
- field studies of security or privacy technology
- usability evaluations of new or existing security or privacy features
- security testing of new or existing usability features
- longitudinal studies of deployed security or privacy features
- studies of administrators or developers and support for security and privacy
- the impact of organizational policy or procurement decisions, and
- lessons learned from the deployment and use of usable privacy and security features
- reports of replicating previously published studies and experiments
- reports of failed usable security studies or experiments, with the focus on the lessons learned from such experience

-------------------------------------------------------------------------
HAISA 2015 International Symposium on Human Aspects of Information Security & Assurance, Lesvos, Greece, July 1-3, 2015. (Submissions Due 31 March 2015)
http://haisa.org/

It is commonly acknowledged that security requirements cannot be addressed by technical means alone, and that a significant aspect of protection comes down to the attitudes, awareness, behaviour and capabilities of the people involved.
Indeed, people can potentially represent a key asset in achieving security, but at present, factors such as lack of awareness and understanding, combined with unreasonable demands from security technologies, can dramatically impede their ability to do so. Ensuring appropriate attention and support for the needs of users should therefore be seen as a vital element of a successful security strategy. People at all levels (i.e. from organisations to domestic environments; from system administrators to end-users) need to understand security concepts, how the issues may apply to them, and how to use the available technology to protect their systems. In addition, the technology itself can make a contribution by reducing the demands upon users, simplifying protection measures, and automating a variety of safeguards. With the above in mind, this symposium specifically addresses information security issues that relate to people. It concerns the methods that inform and guide users' understanding of security, and the technologies that can benefit and support them in achieving protection. The symposium welcomes papers addressing research and case studies in relation to any aspect of information security that pertains to the attitudes, perceptions and behaviour of people, and how human characteristics or technologies may be positively modified to improve the level of protection. 

Indicative themes include:
- Information security culture
- Awareness and education methods
- Enhancing risk perception
- Public understanding of security
- Usable security
- Psychological models of security software usage
- User acceptance of security policies and technologies
- User-friendly authentication methods
- Biometric technologies and impacts
- Automating security functionality
- Non-intrusive security
- Assisting security administration
- Impacts of standards, policies, compliance requirements
- Organizational governance for information assurance
- Simplifying risk and threat assessment
- Understanding motivations for misuse
- Social engineering and other human-related risks
- Privacy attitudes and practices
- Computer ethics and security

-------------------------------------------------------------------------
ESORICS 2015 20th European Symposium on Research in Computer Security, Vienna, Austria, September 23-25, 2015. (Submissions Due 4 April 2015)
http://www.esorics2015.sba-research.org

ESORICS is the annual European research event in Computer Security. The Symposium started in 1990 and has been held in several European countries, attracting a wide international audience from both the academic and industrial communities. Papers offering novel research contributions in computer security are solicited for submission to the Symposium. The primary focus is on original, high quality, unpublished research and implementation experiences. We encourage submissions of papers discussing industrial research and development.

Topics of interest include, but are not limited to:
- access control
- accountability
- ad hoc networks
- anonymity
- applied cryptography
- authentication
- biometrics
- database security
- data protection
- digital content protection
- digital forensic
- distributed systems security
- electronic payments
- embedded systems security
- inference control
- information hiding
- identity management
- information flow control
- integrity
- intrusion detection
- formal security methods
- language-based security
- network security
- phishing and spam prevention
- privacy
- risk analysis and management
- secure electronic voting
- security architectures
- security economics
- security metrics
- security models
- security and privacy in cloud scenarios
- security and privacy in complex systems
- security and privacy in location services
- security and privacy for mobile code
- security and privacy in pervasive/ubiquitous computing
- security and privacy policies
- security and privacy in social networks
- security and privacy in web services
- security verification
- software security
- steganography
- systems security
- trust models and management
- trustworthy user devices
- web security
- wireless security

-------------------------------------------------------------------------
NSS 2015 9th International Conference on Network and System Security, New York City, NY, USA, November 3-5, 2015. (Submissions Due 15 April 2015)
http://anss.org.au/nss2015/index.htm

NSS is an annual international conference covering research in network and system security. The conference seeks submissions from academia, industry, and government presenting novel research on all theoretical and practical aspects of network security, privacy, applications security, and system security. Papers describing case studies, implementation experiences, and lessons learned are also encouraged.

Topics of interest include but are not limited to:
- Active Defense Systems
- Adaptive Defense Systems
- Applied Cryptography
- Analysis, Benchmark of Security Systems
- Authentication
- Biometric Security
- Complex Systems Security
- Database and System Security
- Data Protection
- Data/System Integrity
- Distributed Access Control
- Distributed Attack Systems
- Denial-of-Service
- High Performance Network Virtualization
- Hardware Security
- High Performance Security Systems
- Identity Management
- Intelligent Defense Systems
- Insider Threats
- Intellectual Property Rights Protection
- Internet and Network Forensics
- Intrusion Detection and Prevention
- Key Distribution and Management
- Large-scale Attacks and Defense
- Malware
- Network Resiliency
- Network Security
- RFID Security and Privacy
- Security Architectures
- Security for Critical Infrastructures
- Security in P2P systems
- Security in Cloud and Grid Systems
- Security in E-Commerce
- Security in Pervasive/Ubiquitous Computing
- Security and Privacy in Smart Grid
- Security and Privacy in Wireless Networks
- Security Policy
- Secure Mobile Agents and Mobile Code
- Security Theory and Tools
- Standards and Assurance Methods
- Trusted Computing
- Trust Management
- World Wide Web Security

-------------------------------------------------------------------------
CNS 2015 3rd IEEE Conference on Communications and Network Security, Florence, Italy, September 28-30, 2015. (Submissions Due 24 April 2015)
http://cns2015.ieee-cns.org/

IEEE Conference on Communications and Network Security (CNS) is a new conference series in IEEE Communications Society (ComSoc) core conference portfolio and the only ComSoc conference focusing solely on cyber security. IEEE CNS is also a spin-off of IEEE INFOCOM, the premier ComSoc conference on networking.
The goal of CNS is to provide an outstanding forum for cyber security researchers, practitioners, policy makers, and users to exchange ideas, techniques and tools, raise awareness, and share experience related to all practical and theoretical aspects of communications and network security. Building on the success of the past two years' conferences, IEEE CNS 2015 seeks original high-quality technical papers from academia, government, and industry. Topics of interest encompass all practical and theoretical aspects of communications and network security, all the way from the physical layer to the various network layers to the variety of applications reliant on a secure communication substrate. Submissions with main contribution in other areas, such as information security, software security, system security, or applied cryptography, will also be considered if a clear connection to secure communications/networking is demonstrated.

Particular topics of interest include, but are not limited to:
- Anonymization and privacy in communication systems
- Biometric authentication and identity management
- Computer and network forensics
- Data and application security
- Data protection and integrity
- Availability of communications, survivability of networks in the presence of attacks
- Key management and PKI for networks
- Information-theoretic security
- Intrusion detection and prevention
- Location privacy
- Mobile security
- Outsourcing of network and data communication services
- Physical layer security methods, cross-layer methods for enhancing security
- Secure routing, network management
- Security for critical infrastructures
- Security metrics and performance evaluation
- Security and privacy for big data
- Security and privacy in body area networks
- Security and privacy in content delivery network
- Security and privacy in cloud computing and federated cloud
- Security and privacy in crowdsourcing
- Security and privacy in the Internet of Things
- Security and
privacy in multihop wireless networks: ad hoc, mesh, sensor, vehicular and RFID networks - Security and privacy in peer-to-peer networks and overlay networks - Security and privacy in single-hop wireless networks: Wi-Fi, Wi-Max - Security and privacy in smart grid, cognitive radio networks, and disruption/delay tolerant networks - Security and privacy in social networks - Security and privacy in pervasive and ubiquitous computing - Social, economic and policy issues of trust, security and privacy - Traffic analysis - Usable security for networked computer systems - Vulnerability, exploitation tools, malware, botnet, DDoS attacks - Web, e-commerce, m-commerce, and e-mail security ------------------------------------------------------------------------- Elsevier Future Generation Computer Systems, Special Issue on Cloud Cryptography: State of the Art and Recent Advances. (Submissions Due 1 May 2015) http://www.journals.elsevier.com/future-generation-computer-systems/ call-for-papers/special-issue-on-cloud-cryptography-state-of-the-art-and-rec/ Editors: Kim-Kwang Raymond Choo (University of South Australia, Australia), Josep Domingo-Ferrer (Universitat Rovira i Virgili, Catalonia), and Lei Zhang (East China Normal University, China) Cloud computing is widely used by organisations and individuals. Despite the popularity of cloud computing, cloud security is still an area needing further research. A particularly promising approach to achieve security in this new computing paradigm is through cryptography, but traditional cryptographic techniques are not entirely suitable for cloud implementation due to computational efficiency limitations and other constraints. This special issue is dedicated to providing both scientists and practitioners with a forum to present their recent research on the use of novel cryptography techniques to improve the security of the underlying cloud architecture or ecosystem, particularly research that integrates both theory and practice. 
For example, how do we design an efficient cloud cryptography system that offers enhanced security without compromising on usability and performance? An efficient fully homomorphic encryption scheme might be an option. Such a scheme should guarantee that the cloud service provider is unable to view the content of the data he stores (thereby ensuring data confidentiality to users). However, sufficiently efficient fully homomorphic encryption is not yet available. We encourage authors to be exploratory in their submissions – that is, to report on advances beyond the state of the art in research and development of cryptographic techniques that result in secure and efficient means of ensuring security and privacy of cloud data. Topics of interest include but are not limited to:
- Anonymity
- Access control
- Cloud key agreement
- Distributed authentication and authority
- Implementation of cryptographic schemes
- Homomorphic encryption
- Multi-cloud security
- Privacy-preserving provisioning
- Remote proofs of storage
- Searchable encryption
- Secure computation

-------------------------------------------------------------------------
IEICE Transactions on Information and Systems, Special Issue on Information and Communication System Security. (Submissions Due 22 May 2015)
http://www.ieice.org/~icss/index.en.html
Editors: Toshihiro Yamauchi (Okayama University, Japan), Yasunori Ishihara (Osaka University, Japan), and Atsushi Kanai (Hosei University, Japan).
The major topics include, but are not limited to:
- Security Technologies on AdHoc Network, P2P, Sensor Network, RFID, Wireless Network, Mobile Network, Home Network, Cloud, and SNS
- Access Control, Content Security, DRM, CDN, Privacy Protection, E-Commerce, PKI, Security Architecture, Security Protocol, Security Implementation, Technologies, Secure OS, Security Evaluation/Authentication

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".
   OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at
https://www.ieee.org/membership-catalog/productdetail/showProductDetailPage.html?product=CMYSP728

______________________________________________________________________
TC Publications for Sale
______________________________________________________________________

The proceedings of previous conferences are available from the Computer Society's Digital Library.

IEEE Security and Privacy Symposium
IEEE CS Press

____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________

Chair:
Patrick McDaniel
Computer Science and Engineering
Pennsylvania State University
360 A IST Building
University Park, PA 16802
(814) 863-3599
mcdaniel@cse.psu.edu

Security and Privacy Symposium Chair Emeritus:
Greg Shannon
CERT
oakland14-chair@ieee-security.org

Vice Chair:
Ulf Lindqvist
SRI International
Menlo Park, CA
ulf.lindqvist@sri.com

Treasurer:
Yong Guan
3219 Coover Hall
Department of Electrical and Computer Engineering
Iowa State University, Ames, IA 50011
(515) 294-8378
yguan (at) iastate.edu

Newsletter Editor and TC Awards Chair:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2015 Chair:
Sean Peisert
UC Davis and Lawrence Berkeley National Laboratory
oakland15-chair@ieee-security.org

____________________________________________________________________________
BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year