Electronic CIPHER, Issue 125, March 17, 2015

============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 125                                     March 17, 2015

Hilarie Orman, Editor
cipher-editor @ ieee-security.org

Sven Dietrich, Assoc. Editor
cipher-assoc-editor @ ieee-security.org

Richard Austin, Book Review Editor
cipher-bookrev @ ieee-security.org

Yong Guan, Calendar Editor
cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * Commentary and Opinion and News
     o Richard Austin's review of "Data and Goliath: The hidden battles
       to capture your data and control your world", by Bruce Schneier
     o News articles about "The Equation Group", FREAK, JASBUG, and many
       other topics, ripped from the headlines of past weeks
     o Book reviews, Conference Reports and Commentary and News items
       from past Cipher issues are available at the Cipher website
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Conference and Workshop Announcements
     o Upcoming calls-for-papers and events
 * Staying in Touch
     o Information for subscribers and contributors
     o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
     o Becoming a member of the TC
     o TC Officers
     o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

Selecting the few, most salient news articles from past weeks is
becoming more and more arduous because there are just too many of them.
Hacks from criminals, hacks from governments, the pace is accelerating.
Only one news article is positive, an announcement of a tablet with
strong security controls. At only about 4 times the price of an
ordinary tablet, it is unlikely to be widely used.

Our book review this month concerns Bruce Schneier's recent
publication, "Data and Goliath", and it is on the New York Times
bestseller list.

Registration for the Computer Society's Security and Privacy Symposium
is now open. The program is on the website
(http://ieee-security.org/TC/SP2015), and it looks to be, as always,
stellar, and bigger than ever.

Hope you had a happy {pi, e} day,

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference
reports are archived at
http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Richard Austin
Mar 12, 2015
____________________________________________________________________

"Data and Goliath: The hidden battles to capture your data and control
your world"
by Bruce Schneier
W. W. Norton & Company 2015.
ISBN 978-0393244816
Table of contents: https://www.schneier.com/book-dg-toc.html

By the time this review is published, I predict that Schneier's book
will have been reviewed in multiple places and will have spent time on
the NYT bestsellers list so I'm not going to write yet another summary
of the book. What I am going to do is summarize what I liked about the
book and why you should read it, share it with your friends and even
send copies to your elected representatives.

We live in a world of data - it's harvested, stored, analyzed, reported
and used to make important decisions ranging from what ads your search
engine highlights to the security screening you face at the airport.
And, as the Snowden revelations have shown, there's an extensive
private/public infrastructure dedicated to harvesting, storing and
acting on data.

There's been a growing susurrus of concern about all this data
gathering and decision making but the details have always seemed too
technical and remote for a large majority of the people whose data is
involved. Schneier tackles the issues in a clear, readable presentation
that is accessible to the general reader.

He organizes the book into three parts: the first ("The World We're
Creating") is a masterful summary of how intensive the harvesting of
data actually is and the economic incentives that drive it; the second
("What's at Stake") delves into the societal implications of this
surveillance-driven world; and the third ("What to Do About it")
proposes ways this data-addiction can be brought under control.

The first two parts of the book explain our surveillance culture in
detail and analyze the many false trade-offs (e.g., security vs.
privacy) and collateral impacts (such as the post-Snowden reduced
competitiveness of US products and services). As in any such
presentation, the author will have to face the disbelief that such
things are actually happening and Schneier meticulously documents the
sources behind his writing in a notes section that occupies about a
third of the book.

What really sets this book apart is not its detailed examination of how
bad things are but rather the proscriptive actions for improving the
situation. Chapter 12 ("Principles") states the basic principles
("Security and Privacy", "Transparency", "Oversight and
Accountability", "Resilient Design", "One World, One Network, One
Answer") guiding the way forward in dealing with our surveillance
problem.
The angels are in the details, of course, and Schneier spends the
following three chapters spelling out how governments, corporations and
people can apply them.

This is a controversial book that will be both praised and vilified. We
owe a debt of gratitude to Bruce for bringing these issues together in
one place and exploring them in a clear and understandable fashion.

Read this book. Loan it to your friends. Send copies to your elected
representatives. But most importantly, think about the principles and
apply them in what you do. Our surveillance society was not built by a
cabal of faceless monsters but by talented professionals seeking to
solve a set of problems. We built this system and we can also help
change it.

--------------------------------------------------------------------
It has been said "Be careful, for writing books is endless, and much
study wears you out" so Richard Austin (http://cse.spsu.edu/raustin2)
fearlessly samples the wares of the publishing houses and opines as to
which might most profitably occupy your scarce reading time. He
welcomes your thoughts and comments via raustin at ieee dot org

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html

--------------
This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to
have it included on this page, send the following information:
Institution, City, State, Position title, date position announcement
closes, and URL of position description to: irvine@cs.nps.navy.mil

No new announcements since last Cipher Issue

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

----------------------------------------------------
Why Health Insurers Are Frequent Targets

http://www.washingtonpost.com/business/economy/investigators-suspect-china-may-be-responsible-for-hack-of-anthem/2015/02/05/25fbb36e-ad56-11e4-9c91-e9d2f9fde644_story.html
China suspected in major hacking of health insurer
The Washington Post
Drew Harwell and Ellen Nakashima
Feb 5, 2015

Health insurance company Anthem said it had been the victim of 'a very
sophisticated attack'. There is a potential for hackers to steal
private health data that is valued on the black market as tools for
extortion, fraud or identity theft. Anthem said this attack did not
reveal health data, but it did compromise identifying information for
members and employees. Chinese hackers are suspected, perhaps because
of the level of expertise shown in the attack.

Related story:
Massive data hack of health insurer Anthem potentially exposes millions
http://www.washingtonpost.com/news/morning-mix/wp/2015/02/05/massive-data-hack-of-health-insurer-anthem-exposes-millions/
The Washington Post
Fred Barbash and Abby Phillip
Feb 5, 2015

Related story:
Data Breach at Anthem May Lead to Others
http://www.nytimes.com/2015/02/07/business/data-breach-at-anthem-may-lead-to-others.html?_r=0
NYTimes.com
Reed Abelson and Julie Creswell
Feb 6, 2015

------------
http://www.ksl.com/?sid=33422622&nid=
Obama to create new agency to examine cyberthreats
AP via KSL.com
Ken Dilanian, Associated Press
February 10th, 2015

Can the creation of a new "Cyber Threats Intelligence Integration
Center" help the Federal government deal with cyberattacks like the
Sony hack? White House cybersecurity coordinator Michael Daniel thinks
that coordinating the many individual cybersecurity efforts in the
government will help streamline detection and response.

------------
https://nakedsecurity.sophos.com/2015/02/11/jasbug-windows-vulnerability-beyond-the-hype-what-you-need-to-know/
The 'JASBUG' Windows hole - beyond the hype, what you need to know
Naked Security
Paul Ducklin
Feb 12, 2015

Downgrade attacks on Windows SMB and Active Directory Group Policy have
been fixed, a year after their discovery, and some years after their
origination.

------------
Bank Hackers Steal Millions via Malware
http://www.nytimes.com/2015/02/15/world/bank-hackers-steal-millions-via-malware.html
NYTimes.com
David E. Sanger and Nicole Perlroth
Feb. 14, 2015

Kaspersky Labs scored another expose last month in uncovering malware
that surreptitiously redirected millions of dollars of funds without
detection. The software afflicted 100 financial institutions in 30
countries. Keeping a very low profile, the software enabled remote
monitoring and execution.

------------
The Best Hackers Ever Are the Ones You Never Heard Of: The Equation
Group

Kaspersky Labs released a report about an unknown group responsible for
the widespread distribution of malware that was so stealthy that it
resisted detection for 14 years.

Omnipotent Hackers
http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/
Arstechnica
Dan Goodin
Feb 16, 2015 12:00pm MST

Report: Equation Group Questions and Answers
https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf

Related story:
Russian researchers expose breakthrough in U.S. spying program
http://newsdaily.com/2015/02/russian-researchers-expose-breakthrough-u-s-spying-program/
Reuters
Joseph Menn
February 17, 2015

Related story:
http://www.nytimes.com/2015/02/17/technology/spyware-embedded-by-us-in-foreign-networks-security-firm-says.html
U.S. Embedded Spyware Overseas, Report Claims
NYTimes.com
Nicole Perlroth and David E. Sanger
Feb. 16, 2015

------------
Lenovo to stop pre-installing controversial software
http://www.reuters.com/article/2015/02/19/us-lenovo-cybersecurity-idUSKBN0LN0XI20150219
Reuters
Paul Carsten
Feb 19, 2015

The world's largest PC maker, Lenovo, reacted to the discovery that
notebooks sold in late 2014 had a piece of software that hijacked web
connections. The purpose was to display ads. The objectionable feature
was that it injected ads into what otherwise appeared to be a
connection with authentication and encryption, i.e. "trusted".

------------
Secrecy around police surveillance equipment proves a case's undoing
http://www.washingtonpost.com/world/national-security/secrecy-around-police-surveillance-equipment-proves-a-cases-undoing/2015/02/22/ce72308a-b7ac-11e4-aa05-1ce812b3fdd2_story.html?hpid=z1
The Washington Post
Ellen Nakashima
February 22, 2015

Rather than reveal information about "fake cellphone tower" equipment,
the FBI scuttled a case against a small time pot dealer.
The devices can find detailed location information for phones, down to
the room in a house.

------------
Here's how the clash between the NSA Director and a senior Yahoo
executive went down.
http://www.washingtonpost.com/blogs/the-switch/wp/2015/02/23/heres-how-the-clash-between-the-nsa-director-and-a-senior-yahoo-executive-went-down/?hpid=z12
The Washington Post
Andrea Peterson
Feb 23, 2015

At a public cybersecurity meeting, the NSA director spoke about the
need for the government to have access to all encrypted material on the
Internet. In case you think this is impossible, review the history of
"key escrow".

------------
SIM Chip Encryption Key Compromised?

Cell phone maker Gemalto said that persons unknown tried to get
information that would let them compromise the SIM card encryption. The
attacks occurred in 2010. Recent information has led the company to
connect them to the US and British governments. But, were they
successful?

Chip Maker to Investigate Claims of Hacking by N.S.A. and British Spy
Agencies
http://www.nytimes.com/2015/02/21/world/europe/chip-maker-to-investigate-claims-of-hacking-by-nsa-and-british-spy-agencies.html?_r=0
New York Times
Mark Scott
Feb. 20, 2015

U.S. and British Agencies May Have Tried to Get SIM Encryption Codes,
Gemalto Says
http://www.nytimes.com/2015/02/26/business/international/gemalto-says-nsa-tried-to-take-sim-encryption-codes.html
NYTimes.com
Mark Scott and Aurelien Breeden
Feb 25, 2015

------------
How To Sabotage Encryption Software (And Not Get Caught)
http://www.wired.com/2015/02/sabotage-encryption-software-get-caught/?mbid=synd_slate
WIRED
Andy Greenberg
Feb 27, 2015

This article is about a new paper and a book by Bruce Schneier. The
integrity of standards for Internet cryptography was called into
question a few years ago with news that NSA seemed to have used its
influence to introduce a weakness into a standard for random number
generation.
In the interim, there has been a great deal of thought put into how to
produce standards that are free from undermining. The paper discusses
the avenues by which weaknesses can be introduced.

The paper: http://eprint.iacr.org/2015/097
"Surreptitiously Weakening Cryptographic Systems" by Bruce Schneier,
Matthew Fredrikson, Tadayoshi Kohno, and Thomas Ristenpart

The article mentions Bruce Schneier's book "Data and Goliath", reviewed
in this Cipher issue.

------------
A "Zombie from the 90's": FREAK, the Vulnerability Against Apple and
Google Users

Secure access to websites is something that we have begun to take for
granted, but it seems that a combination of man-in-the-middle and
downgrade attacks can force many websites into using encryption so weak
that an eavesdropper can read it without an extraordinary amount of
work.

'FREAK' flaw undermines security for Apple and Google users,
researchers discover
http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/03/freak-flaw-undermines-security-for-apple-and-google-users-researchers-discover/
The Washington Post
Craig Timberg
Mar 3, 2015

Related story:
Microsoft reacted to the FREAK vulnerability later than Apple and Google
http://www.slate.com/blogs/future_tense/2015/03/06/microsoft_reacted_to_the_freak_vulnerability_later_than_apple_and_google.html
Slate.com
Lily Hay Newman
Mar 7, 2015

------------
So much for the claim that Apple Pay would be 'secure'
http://www.latimes.com/business/hiltzik/la-fi-mh-apple-pay-would-be-secure-20150307-column.html
Los Angeles Times
Michael Hiltzik
Mar 8, 2015

This article shows that "security" is a bigger concept than just
authentication and encryption. By shifting some responsibility for
safeguards for credit card registration from itself to banks, Apple
enabled a corridor for easy use of stolen credit cards.

------------
Samsung tablets spy-proof with IBM software
http://www.bloomberg.com/article/2015-03-14/anq8f5dGiQL4.html
Bloomberg Business News
March 14, 2015

At CeBIT 2015, Secusmart announced its high-security tablet based on
the Samsung Galaxy Tab S 10.5. The device allows non-secure apps to
exist alongside "wrapped" secure apps. The device is targeted at
government officials.

====================================================================
Conference and Workshop Announcements
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events
maintained by Hilarie Orman

Date (Month/Day/Year), Event, Locations, web page for more info.

 3/17/15: SECRYPT, 12th International Conference on Security and
          Cryptography, Colmar, France;
          http://secrypt.icete.org; Submissions are due
 3/20/15: MSPN, International Conference on Mobile, Secure and
          Programmable Networking, Paris, France;
          http://cedric.cnam.fr/workshops/mspn2015/ Submissions are due
 3/22/15: PTDCS, Workshop on Privacy by Transparency in Data-Centric
          Services, Held in conjunction with the 18th International
          Conference on Business Information Systems (BIS 2015),
          Poznan, Poland
          http://bis.kie.ue.poznan.pl/bis2015/workshops/ptdcs-2015/
          Submissions are due
 3/22/15: TrustBus, 12th International Conference on Trust, Privacy,
          and Security in Digital Business, Valencia, Spain;
          http://www.ds.unipi.gr/trustbus15/ Submissions are due
 3/31/15: HAISA, International Symposium on Human Aspects of
          Information Security & Assurance
          Lesvos, Greece;
          http://haisa.org/ Submissions are due
 3/31/15: ECTCM, 3rd International Workshop on Emerging Cyberthreats
          and Countermeasures, Held in conjunction with the 10th
          International Conference on Availability, Reliability and
          Security (ARES 2015), Toulouse, France
          http://www.ares-conference.eu/conference/workshops/wsdf-2015/
          Submissions are due
 3/31/15: IEEE Transactions on Cloud Computing, Special Issue on Cloud
          Security Engineering;
          http://www.computer.org/cms/Computer.org/transactions/cfps/cfp_tccsi_cse.pdf
          Submissions are due
 4/ 1/15: Globecom-CISS, IEEE Globecom 2015, Communication &
          Information System Security Symposium, San Diego, CA, USA;
          http://globecom2015.ieee-globecom.org/sites/globecom2015.ieee-globecom.org/files/u42/GC15_TPC_CFP_CISS_-_Communication_&_Information_System_Security.pdf;
          Submissions are due
 4/ 1/15: RT2ND, International Workshop on Risk and Trust in New
          Network Developments, Held in conjunction with the 10th
          International Conference on Availability, Reliability and
          Security (ARES 2015), Toulouse, France
          http://www.ares-conference.eu/conference/workshops/rt2nd-2015/
          Submissions are due
 4/ 1/15: WSDF,
          8th International Workshop on Digital Forensics, Held in
          conjunction with the 10th International Conference on
          Availability, Reliability and Security (ARES 2015)
          Toulouse, France
          http://www.ares-conference.eu/conference/workshops/wsdf-2015/
          Submissions are due
 4/ 1/15: PST, International Conference on Privacy, Security and Trust,
          Izmir, Turkey;
          http://pst2015.yasar.edu.tr/ Submissions are due
 4/ 1/15: 10th IFIP Summer School on Privacy and Identity Management -
          Time for a Revolution?
          Edinburgh, Scotland;
          http://www.ifip-summerschool.org/ Submissions are due
 4/ 1/15: SPE, IEEE 5th International Workshop on Security and Privacy
          Engineering, Co-located with 11th IEEE World Congress on
          Services (SERVICES 2015), New York, NY, USA;
          http://sesar.di.unimi.it/SPE2015/ Submissions are due
 4/ 4/15: ESORICS, 20th European Symposium on Research in Computer
          Security, Vienna, Austria;
          http://www.esorics2015.sba-research.org; Submissions are due
 4/10/15: WISTP, 9th WISTP International Conference on Information
          Security Theory and Practice
          Crete, Greece;
          http://www.wistp.org; Submissions are due
 4/10/15: FCS, Workshop on Foundations of Computer Security, Held in
          conjunction with IEEE CSF 2015, Verona, Italy;
          http://software.imdea.org/~bkoepf/FCS15/ Submissions are due
 4/14/15: IoTPTS, Workshop on IoT Privacy, Trust, and Security, Held in
          conjunction with ASIACCS 2015, Singapore;
          https://sites.google.com/site/iotpts/
 4/14/15: CPSS, 1st Cyber-Physical System Security Workshop, Held in
          conjunction with ACM AsiaCCS 2015, Singapore;
          http://icsd.i2r.a-star.edu.sg/cpss15
 4/14/15- 4/16/15: HST, 14th annual IEEE Symposium on Technologies for
          Homeland Security, Boston, Massachusetts, USA;
          http://ieee-hst.org/
 4/14/15- 4/17/15: ASIACCS, 10th ACM Symposium on Information, Computer
          and Communications Security, Singapore;
          http://icsd.i2r.a-star.edu.sg/asiaccs15
 4/15/15: NSS, 9th International Conference on Network and System
          Security, New York City, NY, USA;
          http://anss.org.au/nss2015/index.htm;
          Submissions are due
 4/24/15: CNS, 3rd IEEE Conference on Communications and Network
          Security, Florence, Italy;
          http://cns2015.ieee-cns.org/ Submissions are due
 5/ 1/15: Elsevier Future Generation Computer Systems, Special Issue on
          Cloud Cryptography: State of the Art and Recent Advances;
          http://www.journals.elsevier.com/future-generation-computer-systems/call-for-papers/special-issue-on-cloud-cryptography-state-of-the-art-and-rec/
          Submissions are due
 5/ 5/15- 5/ 7/15: HOST, IEEE International Symposium on Hardware
          Oriented Security and Trust
          Washington DC Metro Area, USA;
          http://www.hostsymposium.org
 5/ 5/15- 5/ 8/15: ISPEC, 11th International Conference on Information
          Security Practice and Experience, Beijing, China;
          http://icsd.i2r.a-star.edu.sg/ispec2015/
 5/10/15: CRITIS, 10th International Conference on Critical Information
          Infrastructures Security
          Berlin, Germany;
          http://www.critis2015.org; Submissions are due
 5/13/15- 5/15/15: EDFC, National Conference on Ethics and Digital
          Forensics, Arlington, VA, USA;
          http://edfc.thecenter.uab.edu
 5/15/15: ACM-CCS, 22nd ACM Conference on Computer and Communications
          Security, Denver, Colorado, USA;
          http://www.sigsac.org/ccs/CCS2015; Submissions are due
 5/18/15- 5/20/15: SP, 36th IEEE Symposium on Security and Privacy,
          San Jose, CA, USA;
          http://www.ieee-security.org/TC/SP2015/
 5/21/15: W2SP, Web 2.0 Security and Privacy Workshop, Held in
          conjunction with IEEE Symposium on Security and Privacy
          (SP 2015), San Jose, CA, USA;
          http://ieee-security.org/TC/SPW2015/W2SP/cfp.html
 5/21/15: GenoPri, 2nd International Workshop on Genome Privacy and
          Security, Held in conjunction with IEEE Symposium on Security
          and Privacy (SP 2015), San Jose, CA, USA;
          http://www.genopri.org/
 5/21/15: IWPE, 1st International Workshop on Privacy Engineering, Held
          in conjunction with IEEE Symposium on Security and Privacy
          (SP 2015)
          San Jose, CA, USA;
          http://ieee-security.org/TC/SPW2015/IWPE/
 5/21/15: LangSec, 2nd Workshop on Language-Theoretic Security,
          Held in conjunction with IEEE Symposium on Security and
          Privacy (SP 2015)
          San Jose, CA, USA;
          http://spw15.langsec.org/index.html
 5/21/15: MoST, Mobile Security Technologies Workshop, an event of the
          IEEE Computer Society's Security and Privacy Workshops
          (SPW 2015), Held in conjunction with the 34th IEEE Symposium
          on Security and Privacy (IEEE SP 2015), San Jose, CA, USA;
          http://ieee-security.org/TC/SPW2015/MoST/
 5/22/15: IEICE Transactions on Information and Systems, Special Issue
          on Information and Communication System Security;
          http://www.ieice.org/~icss/index.en.html; Submissions are due
 5/31/15: IEEE Transactions on Services Computing, Special Issue on
          Security and Dependability of Cloud Systems and Services;
          http://www.computer.org/cms/Computer.org/transactions/cfps/cfp_tscsi_sdcss.pdf;
          Submissions are due
 6/ 1/15- 6/ 3/15: SACMAT, 20th ACM Symposium on Access Control Models
          and Technologies, Vienna, Austria;
          http://www.sacmat.org/
 6/ 2/15- 6/ 5/15: ACNS, 13th International Conference on Applied
          Cryptography and Network Security, New York, NY, USA;
          http://acns2015.cs.columbia.edu/
 6/ 7/15- 6/11/15: DAC-Security Track, Design Automation Conference,
          San Francisco, CA, USA;
          https://dac.com/submission-categories/hardware-and-software-security
 6/15/15- 6/17/15: MSPN, International Conference on Mobile, Secure and
          Programmable Networking
          Paris, France;
          http://cedric.cnam.fr/workshops/mspn2015/
 6/22/15- 6/23/15: WEIS, 14th Annual Workshop on the Economic of
          Information Security, Delft University of Technology,
          The Netherlands;
          http://weis2015.econinfosec.org/
 6/22/15- 6/26/15: WiSec, 8th ACM Conference on Security and Privacy in
          Wireless and Mobile Networks, New York City, NY, USA;
          http://www.sigsac.org/wisec/WiSec2015/
 6/22/15- 6/23/15: RFIDSec, 11th Workshop on RFID Security, Co-located
          with ACM WiSec 2015, New York City, NY, USA;
          http://rfidsec2015.iaik.tugraz.at/
 6/24/15- 6/26/15: PTDCS, Workshop on Privacy by Transparency in
          Data-Centric Services, Held in
          conjunction with the 18th International Conference on
          Business Information Systems (BIS 2015)
          Poznan, Poland
          http://bis.kie.ue.poznan.pl/bis2015/workshops/ptdcs-2015/
 6/27/15- 7/ 2/15: SPE, IEEE 5th International Workshop on Security and
          Privacy Engineering, Co-located with 11th IEEE World Congress
          on Services (SERVICES 2015), New York, NY, USA;
          http://sesar.di.unimi.it/SPE2015/
 6/30/15- 7/ 2/15: PETS, 15th Privacy Enhancing Technologies Symposium,
          Philadelphia, PA, USA;
          https://www.petsymposium.org/2015/
 7/ 1/15- 7/3/15: HAISA, International Symposium on Human Aspects of
          Information Security & Assurance, Lesvos, Greece;
          http://haisa.org/
 7/ 9/15- 7/10/15: DIMVA, 12th International Conference on Detection of
          Intrusions and Malware & Vulnerability Assessment
          Milano, Italy;
          http://www.dimva2015.it
 7/13/15: FCS, Workshop on Foundations of Computer Security, Held in
          conjunction with IEEE CSF 2015
          Verona, Italy;
          http://software.imdea.org/~bkoepf/FCS15/ Submissions are due
 7/18/15- 7/24/15: CAV, 27th International Conference on Computer Aided
          Verification, San Francisco, California, USA;
          http://i-cav.org/2015/
 7/20/15- 7/22/15: SECRYPT, 12th International Conference on Security
          and Cryptography, Colmar, Alsace, France;
          http://www.secrypt.icete.org
 7/21/15- 7/23/15: PST, International Conference on Privacy, Security
          and Trust, Izmir, Turkey;
          http://pst2015.yasar.edu.tr/
 7/22/15- 7/24/15: SOUPS, Symposium On Usable Privacy and Security,
          Ottawa, Canada;
          http://cups.cs.cmu.edu/soups/
 7/29/15: ICISS, 11th International Conference on Information Systems
          Security
          Kolkata, India;
          http://www.iciss.org.in; Submissions are due
 8/12/15- 8/14/15: USENIX-Security, 24th USENIX Security Symposium,
          Washington, D.C., USA;
          https://www.usenix.org/conference/usenixsecurity15
 8/16/15- 8/21/15: 10th IFIP Summer School on Privacy and Identity
          Management - Time for a Revolution?
          Edinburgh, Scotland;
          http://www.ifip-summerschool.org/
 8/24/15- 8/25/15: WISTP, 9th WISTP International Conference on
          Information Security Theory and Practice
          Crete, Greece;
          http://www.wistp.org
 8/24/15- 8/28/15: ECTCM, 3rd International Workshop on Emerging
          Cyberthreats and Countermeasures, Held in conjunction with
          the 10th International Conference on Availability,
          Reliability and Security (ARES 2015), Toulouse, France;
          http://www.ares-conference.eu/conference/workshops/wsdf-2015/
 8/24/15- 8/28/15: RT2ND, International Workshop on Risk and Trust in
          New Network Developments, Held in conjunction with the 10th
          International Conference on Availability, Reliability and
          Security (ARES 2015), Toulouse, France;
          http://www.ares-conference.eu/conference/workshops/rt2nd-2015/
 8/24/15- 8/28/15: WSDF, 8th International Workshop on Digital
          Forensics, Held in conjunction with the 10th International
          Conference on Availability, Reliability and Security
          (ARES 2015), Toulouse, France;
          http://www.ares-conference.eu/conference/workshops/wsdf-2015/
 8/31/15: IEEE Transactions on Services Computing, Special Issue on
          Security and Dependability of Cloud Systems and Services;
          http://www.journals.elsevier.com/journal-of-computer-and-system-sciences/call-for-papers/cyber-security-in-the-critical-infrastructure-advances-and-f/
          Submissions are due
 8/31/15- 9/ 4/15: EUSIPCO, 23rd European Signal Processing Conference,
          Information Forensics and Security Track,
          Nice, Cote d' Azur, France;
          http://www.eusipco2015.org
 9/ 1/15- 9/ 2/15: TrustBus, 12th International Conference on Trust,
          Privacy, and Security in Digital Business
          Valencia, Spain;
          http://www.ds.unipi.gr/trustbus15/
 9/23/15- 9/25/15: ESORICS, 20th European Symposium on Research in
          Computer Security, Vienna, Austria;
          http://www.esorics2015.sba-research.org
 9/28/15- 9/30/15: CNS, 3rd IEEE Conference on Communications and
          Network Security, Florence, Italy,
          http://cns2015.ieee-cns.org/
10/ 5/15-10/ 7/15: CRITIS, 10th International Conference
          on Critical Information Infrastructures Security,
          Berlin, Germany,
          http://www.critis2015.org
10/12/15-10/16/15: ACM-CCS, 22nd ACM Conference on Computer and
          Communications Security, Denver, Colorado, USA;
          http://www.sigsac.org/ccs/CCS2015
11/ 3/15-11/ 5/15: NSS, 9th International Conference on Network and
          System Security, New York City, NY, USA;
          http://anss.org.au/nss2015/index.htm
12/ 6/15-12/10/15: Globecom-CISS, IEEE Globecom 2015, Communication &
          Information System Security Symposium, San Diego, CA, USA;
          http://globecom2015.ieee-globecom.org/sites/globecom2015.ieee-globecom.org/files/u42/GC15_TPC_CFP_CISS_-_Communication_&_Information_System_Security.pdf
12/16/15-12/20/15: ICISS, 11th International Conference on Information
          Systems Security, Kolkata, India;
          http://www.iciss.org.in

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers
(new since Cipher E124)
____________________________________________________________________

SECRYPT 2015 12th International Conference on Security and
Cryptography, Colmar, Alsace, France, July 20 - 22, 2015.
(Submission Due 17 March 2015)
http://www.secrypt.icete.org

SECRYPT is an annual international conference covering research in
information and communication security. The conference seeks
submissions from academia, industry, and government presenting novel
research on all theoretical and practical aspects of data protection,
privacy, security, and cryptography. Papers describing the application
of security technology, the implementation of systems, and lessons
learned are also encouraged. Papers describing new methods or
technologies, advanced prototypes, systems, tools and techniques and
general survey papers indicating future directions are also encouraged.
Topics of interest include:
 - Access Control
 - Applied Cryptography
 - Biometrics Security and Privacy
 - Critical Infrastructure Protection
 - Data Integrity
 - Data Protection
 - Database Security and Privacy
 - Digital Forensics
 - Digital Rights Management
 - Ethical and Legal Implications of Security and Privacy
 - Formal Methods for Security
 - Human Factors and Human Behavior Recognition Techniques
 - Identification, Authentication and Non-repudiation
 - Identity Management
 - Information Hiding
 - Information Systems Auditing
 - Insider Threats and Countermeasures
 - Intellectual Property Protection
 - Intrusion Detection & Prevention
 - Management of Computing Security
 - Network Security
 - Organizational Security Policies
 - Peer-to-Peer Security
 - Personal Data Protection for Information Systems
 - Privacy
 - Privacy Enhancing Technologies
 - Reliability and Dependability
 - Risk Assessment
 - Secure Software Development Methodologies
 - Security and Privacy for Big Data
 - Security and privacy in Complex Systems
 - Security and Privacy in Crowdsourcing
 - Security and Privacy in IT Outsourcing
 - Security and Privacy in Location-based Services
 - Security and Privacy in Mobile Systems
 - Security and Privacy in Pervasive/Ubiquitous Computing
 - Security and Privacy in Smart Grids
 - Security and Privacy in Social Networks
 - Security and Privacy in the Cloud
 - Security and Privacy in Web Services
 - Security and Privacy Policies
 - Security Area Control
 - Security Deployment
 - Security Engineering
 - Security in Distributed Systems
 - Security Information Systems Architecture
 - Security Management
 - Security Metrics and Measurement
 - Security Protocols
 - Security requirements
 - Security Verification and Validation
 - Sensor and Mobile Ad Hoc Network Security
 - Service and Systems Design and QoS Network Security
 - Software Security
 - Trust management and Reputation Systems
 - Ubiquitous Computing Security
 - Wireless Network Security
-------------------------------------------------------------------------
MSPN 2015 International Conference on Mobile, Secure and Programmable Networking, Paris, France, June 15-17, 2015.
(Submission Due 20 March 2015)
http://cedric.cnam.fr/workshops/mspn2015/

The rapid deployment of new infrastructures based on network virtualization and Cloud computing triggers new applications and services that in turn generate new constraints such as security and/or mobility. The International Conference on Mobile, Secure and Programmable Networking aims at providing a top forum for researchers and practitioners to present and discuss new trends in networking infrastructures, security, services and applications while focusing on virtualization and Cloud computing for networks, network programming, Software Defined Networks (SDN) and their security. Position papers are also welcome and should be clearly marked as such. Authors are invited to submit complete unpublished papers, which are not under review in any other conference or journal, including, but not limited to, the following topic areas:
- Software Defined Networks (tools, software, concepts)
- Virtualization and Cloud computing
- Networks and Cloud computing
- Mobile computing and Mobile Cloud computing
- Security, Privacy and Trust in Networks, Services and Applications
- Green computing and networking
- Ubiquitous Computing and Sensor Networks
- System design and testbeds
- Cross-Layer Design and Optimization
- Quality of service
- Modeling and performance evaluation
- 4G and 5G networks
- Social networks
- Cooperative networking and Self-Organizing networks
- Distributed sensing, actuation, and control in cyber-physical systems
- Internet of Things
- Vehicular networks and Connected Car
- Crowdsourcing
- Datacenter networking
- Location-based Services
- Web-services and SOA

-------------------------------------------------------------------------
PTDCS 2015 Workshop on Privacy by Transparency in Data-Centric
Services, Held in conjunction with the 18th International Conference on Business Information Systems (BIS 2015), Poznan, Poland, June 24-26, 2015.
(Submission Due 22 March 2015)
http://bis.kie.ue.poznan.pl/bis2015/workshops/ptdcs-2015/

Big Data has developed into a key factor of the economy that benefits users and providers of data-centric services. However, the analysis of growing volumes of users' data in data-centric services also presents significant privacy challenges. The objective of this workshop is to bring researchers and practitioners together to explore transparency-based mechanisms, such as dashboards, economic explanations of the use of privacy and value of data, as well as user behavior. In particular, the goal of this workshop is to set thematic milestones for the technical development of transparency mechanisms on the one hand, and on the other, trace ways in which technical progress, users and industry could profit from transparency. A major focus will be set on Transparency-Enhancing Technologies (TET) and, in particular, Privacy Dashboards. Topics of interest include, but are not limited to:
- Accountability in Data-Centric Services
- Economics of TET
- Privacy Dashboards
- Privacy Economics
- Privacy Policy Specification and Negotiation
- Privacy in Socio-Technical Systems
- Privacy-Enabled Business Models
- Requirements for TET
- Transparent Behavioral Targeting
- Transparent Usage Control

-------------------------------------------------------------------------
TrustBus 2015 12th International Conference on Trust, Privacy, and Security in Digital Business, Valencia, Spain, September 1-2, 2015.
(Submission Due 22 March 2015)
http://www.ds.unipi.gr/trustbus15/

TrustBus'2015 will bring together researchers from different disciplines, developers, and users all interested in the critical success factors of digital business systems.
We are interested in papers, work-in-progress reports, and industrial experiences describing advances in all areas of digital business applications related to trust and privacy, including, but not limited to:
- Anonymity and pseudonymity in business transactions
- Business architectures and underlying infrastructures
- Common practice, legal and regulatory issues
- Cryptographic protocols
- Delivery technologies and scheduling protocols
- Design of business models with security requirements
- Economics of Information Systems Security
- Electronic cash, wallets and pay-per-view systems
- Enterprise management and consumer protection
- Identity and Trust Management
- Intellectual property and digital rights management
- Intrusion detection and information filtering
- Languages for description of services and contracts
- Management of privacy & confidentiality
- Models for access control and authentication
- Multimedia web services
- New cryptographic building-blocks for e-business applications
- Online transaction processing
- PKI & PMI
- Public administration, governmental services
- P2P transactions and scenarios
- Real-time Internet E-Services
- Reliability and security of content and data
- Reliable auction, e-procurement and negotiation technology
- Reputation in services provision
- Secure process integration and management
- Security and Privacy models for Pervasive Information Systems
- Security Policies
- Shopping, trading, and contract management tools
- Smartcard technology
- Transactional Models
- Trust and privacy issues in mobile commerce environments
- Usability of security technologies and services

-------------------------------------------------------------------------
IEEE Transactions on Cloud Computing, Special Issue on Cloud Security Engineering.
(Submission Due 31 March 2015)
http://www.computer.org/cms/Computer.org/transactions/cfps/cfp_tccsi_cse.pdf

Editors: Kim-Kwang Raymond Choo (University of South Australia, Australia), Omer Rana (Cardiff University, UK), and Muttukrishnan Rajarajan (City University London, UK).

As the use of cloud computing grows throughout society in general, it is essential that cloud service providers and cloud service users ensure that security and privacy safeguards are in place. There is, however, no perfect security and when a cybersecurity incident occurs, digital investigation will require the identification, preservation and analysis of evidential data. This special issue is dedicated to the identification of techniques that enable security mechanisms to be engineered and implemented in Cloud-based systems. A key focus will be on the integration of theoretical foundations with practical deployment of security strategies that make Cloud systems more secure for both end users and providers - enabling end users to increase the level of trust they have in Cloud providers - and conversely for Cloud service providers to provide greater guarantees to end users about the security of their services and data.

Significant effort has been invested in performance engineering of Cloud-based systems, with a variety of research-based and commercial tools that enable autoscaling of Cloud systems, mechanisms for supporting Service Level Agreement-based provisioning and adaptation and more recently for supporting energy management of large scale data centres. This special issue will be devoted to understanding whether a similar engineering philosophy can be extended to support security mechanisms, and more importantly, whether experience from the performance engineering community (who often need to carry out analysis on large log files) can be carried over into the security domain.
We encourage authors to be exploratory in their papers - reporting on novel use of performance engineering tools that could be repurposed for supporting security management and vice versa. Topics of interest include:
- Advanced security features
- Anonymity
- Cloud forensic and anti-forensic techniques and implementations
- Cloud privacy
- Cloud-based honeypots
- Cloud-based intrusion detection and prevention systems
- Distributed authentication and authentication
- Implementation of cryptographic and key management strategies in clouds (e.g. homomorphic encryption for cloud computing)
- Multi-Cloud security provisioning
- Real time analysis of security (log) data for alert generation
- Remote collection of evidence (e.g. from cloud servers)
- Security-focused Service Level Agreements

-------------------------------------------------------------------------
HAISA 2015 International Symposium on Human Aspects of Information Security & Assurance, Lesvos, Greece, July 1-3, 2015.
(Submission Due 31 March 2015)
http://haisa.org/

It is commonly acknowledged that security requirements cannot be addressed by technical means alone, and that a significant aspect of protection comes down to the attitudes, awareness, behaviour and capabilities of the people involved. Indeed, people can potentially represent a key asset in achieving security, but at present, factors such as lack of awareness and understanding, combined with unreasonable demands from security technologies, can dramatically impede their ability to do so. Ensuring appropriate attention and support for the needs of users should therefore be seen as a vital element of a successful security strategy. People at all levels (i.e. from organisations to domestic environments; from system administrators to end-users) need to understand security concepts, how the issues may apply to them, and how to use the available technology to protect their systems.
In addition, the technology itself can make a contribution by reducing the demands upon users, simplifying protection measures, and automating a variety of safeguards.

With the above in mind, this symposium specifically addresses information security issues that relate to people. It concerns the methods that inform and guide users' understanding of security, and the technologies that can benefit and support them in achieving protection.

The symposium welcomes papers addressing research and case studies in relation to any aspect of information security that pertains to the attitudes, perceptions and behaviour of people, and how human characteristics or technologies may be positively modified to improve the level of protection. Indicative themes include:
- Information security culture
- Awareness and education methods
- Enhancing risk perception
- Public understanding of security
- Usable security
- Psychological models of security software usage
- User acceptance of security policies and technologies
- User-friendly authentication methods
- Biometric technologies and impacts
- Automating security functionality
- Non-intrusive security
- Assisting security administration
- Impacts of standards, policies, compliance requirements
- Organizational governance for information assurance
- Simplifying risk and threat assessment
- Understanding motivations for misuse
- Social engineering and other human-related risks
- Privacy attitudes and practices
- Computer ethics and security

-------------------------------------------------------------------------
ECTCM 2015 3rd International Workshop on Emerging Cyberthreats and Countermeasures, Held in conjunction with the 10th International Conference on Availability, Reliability and Security (ARES 2015), Toulouse, France, August 24-28, 2015.
(Submission Due 31 March 2015)
http://www.ares-conference.eu/conference/workshops/wsdf-2015/

The 3rd International Workshop on Emerging Cyberthreats and Countermeasures aims at bringing together researchers and practitioners working in different areas related to cybersecurity. In the elapsed year 2014 bleeding hearts, shocked shells, poodles and several more shocking vulnerabilities in essential parts of our IT (security) infrastructure emerged. We want to contribute to all technical, organizational and social facets of this problem. Contributions demonstrating current vulnerabilities and threats as well as new countermeasures are warmly welcome.

-------------------------------------------------------------------------
Globecom-CISS 2015 IEEE Globecom 2015, Communication & Information System Security Symposium, San Diego, CA, USA, December 6-10, 2015.
(Submission Due 1 April 2015)
http://globecom2015.ieee-globecom.org/sites/globecom2015.ieee-globecom.org/files/u42/GC15_TPC_CFP_CISS_-_Communication_&_Information_System_Security.pdf

As communication and information systems become more indispensable to the society, their security has also become extremely critical. This symposium welcomes manuscripts on all aspects of the modeling, design, implementation, deployment, and management of security algorithms, protocols, architectures, and systems. Furthermore, contributions devoted to the evaluation, optimization, or enhancement of security and privacy mechanisms for current technologies, as well as devising efficient security and privacy solutions for emerging areas, from physical-layer technology up to cyber security, are solicited.
The Communication & Information Systems Security Symposium seeks original contributions in the following topical areas, plus others that are not explicitly listed but are closely related:
- Anonymous communication, metrics and performance
- Attack, detection and prevention
- Authentication protocols and key management
- Availability and survivability of secure services and systems
- Biometric security: technologies, risks, vulnerabilities, bio-cryptography, mobile template protection
- Cloud, data center and distributed systems security
- Computer and network forensics
- Cryptography for network security
- Cyber security
- Digital rights management
- Firewall technologies
- Formal trust models, security modeling, and design of secure protocols
- Information systems security and security management
- Internet security and privacy
- Malware detection and damage recovery
- Network security metrics and performance
- Operating systems and application security
- Physical security and hardware/software security
- Post-quantum network security
- Privacy and privacy-enhancing technologies
- Security and privacy for mobile and wireless networks
- Security for cloud computing and networking
- Security for mobile and wireless networks
- Security for next-generation networks
- Security in virtual machine environments
- Security tools for communication and information systems
- Trustworthy computing
- Wired systems and optical network security

-------------------------------------------------------------------------
RT2ND 2015 International Workshop on Risk and Trust in New Network Developments, Held in conjunction with the 10th International Conference on Availability, Reliability and Security (ARES 2015), Toulouse, France, August 24-28, 2015.
(Submission Due 1 April 2015)
http://www.ares-conference.eu/conference/workshops/rt2nd-2015/

The drive of being connected anywhere and anytime, the convenience of smart services, and advances in embedded computing have recently pushed new network developments. Several factors have contributed to this development, e.g., hardware advances (devices are smaller, more powerful, and batteries last longer), the heterogeneity of end-points (a range of devices and "intelligent things"), different architectures (networks of networks, self-configuring, opportunistic and ad-hoc networks), enhancements in technology (mobile, wireless, Bluetooth, RFID, NFC) and the ever more networked society (devices are increasingly affordable and ubiquitous). Such developments have created new network paradigms such as Vehicular Networks, Body Area Networks, Personal Area Networks, Smart Camera Networks, Virtualized Networks, Service-oriented Networks, Home Area Networks, and Named Data Networks. Novelties in network architectures, technologies and applications raise numerous challenges in terms of risk and trust, and in the trade-off between them. This workshop aims to bring together researchers and practitioners, and foment discussion on risk and trust in emerging networks and how to best defend against their misuse. We encourage different types of contributions - surveys, technical and empirical contributions.

-------------------------------------------------------------------------
WSDF 2015 8th International Workshop on Digital Forensics, Held in conjunction with the 10th International Conference on Availability, Reliability and Security (ARES 2015), Toulouse, France, August 24-28, 2015.
(Submission Due 1 April 2015)
http://www.ares-conference.eu/conference/workshops/wsdf-2015/

Digital forensics is a rapidly evolving field primarily focused on the extraction, preservation and analysis of digital evidence obtained from electronic devices in a manner that is legally acceptable.
Research into new methodologies, tools and techniques within this domain is necessitated by an ever-increasing dependency on tightly interconnected, complex and pervasive computer systems and networks. The ubiquitous nature of our digital lifestyle presents many avenues for the potential misuse of electronic devices in crimes that directly involve, or are facilitated by, these technologies.

The aim of digital forensics is to produce outputs that can help investigators ascertain the overall state of a system. This includes any events that have occurred within the system and entities that have interacted with that system. Due care has to be taken in the identification, collection, archiving, maintenance, handling and analysis of digital evidence in order to prevent damage to data integrity. Such issues combined with the constant evolution of technology provide a large scope of digital forensic research.

WSDF aims to bring together experts from academia, industry, government and law enforcement who are interested in advancing the state of the art in digital forensics by exchanging their knowledge, results, ideas and experiences. The aim of the workshop is to provide a relaxed atmosphere that promotes discussion and free exchange of ideas while providing a sound academic backing. The focus of this workshop is not only restricted to digital forensics in the investigation of crime. It also addresses security applications such as automated log analysis, forensic aspects of fraud prevention and investigation, policy and governance.

-------------------------------------------------------------------------
PST 2015 International Conference on Privacy, Security and Trust, Izmir, Turkey, July 21-23, 2015.
(Submission Due 1 April 2015)
http://pst2015.yasar.edu.tr/

This conference, the thirteenth in an annual series, provides a forum for researchers world-wide to unveil their latest work in privacy, security and trust and to show how this research can be used to enable innovation. High-quality papers in all PST related areas that, at the time of submission, are not under review and have not already been published or accepted for publications elsewhere are solicited. PST2015 topics include, but are NOT limited to, the following:
- Privacy Preserving / Enhancing Technologies
- Critical Infrastructure Protection
- Network and Wireless Security
- Operating Systems Security
- Intrusion Detection Technologies
- Secure Software Development and Architecture
- PST Challenges in e-Services, e.g. e-Health, e-Government, e-Commerce
- Network Enabled Operations
- Digital forensics
- Information Filtering, Data Mining and Knowledge from Data
- National Security and Public Safety
- Cryptographic Techniques for Privacy Preservation
- Security Metrics
- Recommendation, Reputation and Delivery Technologies
- Privacy, Traceability, and Anonymity
- Trust and Reputation in Self-Organizing Environments
- Anonymity and Privacy vs. Accountability
- Access Control and Capability Delegation

-------------------------------------------------------------------------
IFIP-Summer School on Privacy and Identity Management 2015 10th IFIP Summer School on Privacy and Identity Management - Time for a Revolution?, Edinburgh, Scotland, August 16-21, 2015.
(Submission Due 1 April 2015)
http://www.ifip-summerschool.org/

The Summer School takes a holistic approach to society and technology and supports interdisciplinary exchange through keynote and plenary lectures, tutorials, workshops, and research paper presentations.
In particular, participants' contributions that combine technical, legal, regulatory, socio-economic, social or societal, political, ethical, anthropological, philosophical, or psychological perspectives are welcome. The school seeks contributions in the form of research papers, tutorials, and workshop proposals from all disciplines (e.g., computer science, informatics, economics, ethics, law, psychology, sociology, political and other social sciences, surveillance studies, business and public management), and is especially inviting contributions from students who are at the stage of preparing either a master's or a PhD thesis. Topics of interest include, but are not limited to:
- big data analysis, biometrics, cloud computing, virtuality, data and visual analytics
- concepts of anonymity, pseudonymity, identity in different disciplines or cultures
- cybercrime and cybersecurity
- data breaches, data retention and law enforcement
- digital rights and net neutrality
- digital participation, participatory design, ethically-informed design, co-creation and co-collaboration, ecosystems, and social actors' engagement in design
- health informatics, informed consent, and data-sharing
- impact of legislative or regulatory initiatives on privacy
- impact of technology on social exclusion/digital divide/social and cultural aspects
- privacy and identity management (services, technologies, infrastructures, usability aspects, legal and socio-economic aspects)
- privacy-by-design, privacy-by-default, and privacy impact assessment
- privacy-enhancing technologies (PETs), privacy standardisation, and privacy issues relating to eIDs
- profiling and tracking technologies
- public attitudes to (national) security and privacy
- roadmap towards increased privacy protection, use of PETs and privacy by design as a standard procedure
- semantics, web security, and privacy
- social accountability, social, legal and ethical aspects of technology and the Internet specifically
- social care,
  community care, integrated care and opportunities for as well as threats to individual and community privacy
- social networks, social computing, crowdsourcing and social movements
- surveillance, video surveillance, sensor networks, and the Internet of Things
- transparency-enhancing technologies (TETs)
- trust management and reputation systems
- ubiquitous and usable privacy and identity management

-------------------------------------------------------------------------
SPE 2015 IEEE 5th International Workshop on Security and Privacy Engineering, Co-located with 11th IEEE World Congress on Services (SERVICES 2015), New York, NY, USA, June 27 - July 2, 2015.
(Submission Due 1 April 2015)
http://sesar.di.unimi.it/SPE2015/

Built upon the success of the spectrum of conferences within the IEEE World Congress on Services and the Security and Privacy Engineering workshop, the IEEE Security and Privacy Engineering (SPE 2015) theme is a unique place to exchange ideas of engineering secure systems in the context of service computing, cloud computing, and big data analytics. The emphasis on engineering in security and privacy of services differentiates the theme from other traditional prestigious security and privacy workshops, symposiums, and conferences. The practicality and value realization are examined by practitioners from leading industries as well as scientists from academia.

In line with the engineering spirit, we solicit original papers presenting real solutions and visions on building secure service systems that can be applied to government procurement, digital medical records, cloud environments, social networking for business purposes, multimedia application, mobile commerce, education, and the like. Potential contributions could cover, but are not limited to, methodologies, protocols, tools, or verification and validation techniques. We also welcome review papers that analyze critically the status of current Security and Privacy (S&P) in a specific area.
Papers from practitioners who encounter security and privacy problems and seek understanding are also welcome. Topics of interest of SPE 2015 include, but are not limited to:
- S&P Engineering of Service-Based Applications
- Security Engineering of Service Compositions
- Practical Approaches to Security Engineering of Services
- Privacy-Aware Service Engineering
- Industrial and Real Use Cases in S&P Engineering of (Cloud) Services
- S&P Engineering of Cloud Services
- Auditing and Assessment
- Assurance and Certification
- Cloud Transparency
- Security Management and Governance
- Privacy Enforcement in Clouds and Services
- Cybersecurity Issues of Clouds and Services
- Validation and Verification of S&P in Clouds and Services
- Applied Cryptography for S&P in Clouds and Services
- S&P Testing in Clouds and Services
- Security and Privacy Modeling
- Socio-Economics and Compliance
- Education and Awareness
- Big Data S&P Engineering
- Mobile Cloud S&P Engineering
- S&P Engineering into futuristic blue skies

-------------------------------------------------------------------------
ESORICS 2015 20th European Symposium on Research in Computer Security, Vienna, Austria, September 23-25, 2015.
(Submission Due 4 April 2015)
http://www.esorics2015.sba-research.org

ESORICS is the annual European research event in Computer Security. The Symposium started in 1990 and has been held in several European countries, attracting a wide international audience from both the academic and industrial communities. Papers offering novel research contributions in computer security are solicited for submission to the Symposium. The primary focus is on original, high quality, unpublished research and implementation experiences. We encourage submissions of papers discussing industrial research and development.
Topics of interest include, but are not limited to:
- access control
- accountability
- ad hoc networks
- anonymity
- applied cryptography
- authentication
- biometrics
- database security
- data protection
- digital content protection
- digital forensic
- distributed systems security
- electronic payments
- embedded systems security
- inference control
- information hiding
- identity management
- information flow control
- integrity
- intrusion detection
- formal security methods
- language-based security
- network security
- phishing and spam prevention
- privacy
- risk analysis and management
- secure electronic voting
- security architectures
- security economics
- security metrics
- security models
- security and privacy in cloud scenarios
- security and privacy in complex systems
- security and privacy in location services
- security and privacy for mobile code
- security and privacy in pervasive/ubiquitous computing
- security and privacy policies
- security and privacy in social networks
- security and privacy in web services
- security verification
- software security
- steganography
- systems security
- trust models and management
- trustworthy user devices
- web security
- wireless security

-------------------------------------------------------------------------
WISTP 2015 9th WISTP International Conference on Information Security Theory and Practice, Crete, Greece, August 24-25, 2015.
(Submission Due 10 April 2015)
http://www.wistp.org

Future ICT technologies, such as the concepts of Ambient Intelligence, Cyber-physical Systems, and Internet of Things provide a vision of the Information Society in which: a) people and physical systems are surrounded with intelligent interactive interfaces and objects, and b) environments are capable of recognising and reacting to the presence of different individuals or events in a seamless, unobtrusive, and invisible manner.
The success of future ICT technologies will depend on how secure these systems are and to what extent they protect the privacy of individuals and individuals trust them. In 2007, the Workshop in Information Security Theory and Practice (WISTP) was created as a forum for bringing together researchers and practitioners in related areas and to encourage interchange and cooperation between the research community and the industrial/consumer community. Based on the growing interest of the participants, the 2015 edition is becoming a conference - The 9th WISTP International Conference on Information Security Theory and Practice (WISTP'2015).

WISTP 2015 seeks original submissions from academia and industry presenting novel research on all theoretical and practical aspects of security and privacy, as well as experimental studies of fielded systems, the application of security technology, the implementation of systems, and lessons learned. We encourage submissions from other communities such as law, business, and policy that present these communities' perspectives on technological issues. Topics of interest include, but are not limited to:
- Security and Privacy in Smart Devices
- Security and Privacy in Networks
- Security and Privacy in Architectures, Protocols, Policies, Systems and Applications

-------------------------------------------------------------------------
FCS 2015 Workshop on Foundations of Computer Security, Held in conjunction with IEEE CSF 2015, Verona, Italy, July 13, 2015.
(Submission Due 10 April 2015)
http://software.imdea.org/~bkoepf/FCS15/

Computer security is an established field of both theoretical and practical significance. In recent years, there has been sustained interest in the formal foundations of methods used in computer security. The aim of the FCS 2015 workshop is to provide a forum for continued activity in this area.
The scope of FCS 2015 includes, but is not limited to, the formal specification, analysis, and design of cryptographic protocols and their applications; the formal definition of various aspects of security such as access control mechanisms, mobile code security and denial-of-service attacks; the modelling of information flow and its application to confidentiality policies, system composition, and covert channel analysis. We are interested both in new theoretical results in computer security and also in more exploratory presentations that examine open questions and raise fundamental concerns about existing theories, as well as in new results on developing and applying automated reasoning techniques and tools for the formal specification and analysis of security protocols. We thus solicit submission of papers both on mature work and on work in progress.

Please note that FCS has no published proceedings. Presenting a paper at the workshop should not preclude submission to or publication in other venues. Papers presented at the workshop will be made publicly available, but this will not constitute an official proceedings.

-------------------------------------------------------------------------
NSS 2015 9th International Conference on Network and System Security, New York City, NY, USA, November 3-5, 2015.
(Submission Due 15 April 2015)
http://anss.org.au/nss2015/index.htm

NSS is an annual international conference covering research in network and system security. The conference seeks submissions from academia, industry, and government presenting novel research on all theoretical and practical aspects of network security, privacy, applications security, and system security. Papers describing case studies, implementation experiences, and lessons learned are also encouraged.
Topics of interest include but are not limited to:
- Active Defense Systems
- Adaptive Defense Systems
- Applied Cryptography
- Analysis, Benchmark of Security Systems
- Authentication
- Biometric Security
- Complex Systems Security
- Database and System Security
- Data Protection
- Data/System Integrity
- Distributed Access Control
- Distributed Attack Systems
- Denial-of-Service
- High Performance Network Virtualization
- Hardware Security
- High Performance Security Systems
- Identity Management
- Intelligent Defense Systems
- Insider Threats
- Intellectual Property Rights Protection
- Internet and Network Forensics
- Intrusion Detection and Prevention
- Key Distribution and Management
- Large-scale Attacks and Defense
- Malware
- Network Resiliency
- Network Security
- RFID Security and Privacy
- Security Architectures
- Security for Critical Infrastructures
- Security in P2P systems
- Security in Cloud and Grid Systems
- Security in E-Commerce
- Security in Pervasive/Ubiquitous Computing
- Security and Privacy in Smart Grid
- Security and Privacy in Wireless Networks
- Security Policy
- Secure Mobile Agents and Mobile Code
- Security Theory and Tools
- Standards and Assurance Methods
- Trusted Computing
- Trust Management
- World Wide Web Security

-------------------------------------------------------------------------
CNS 2015 3rd IEEE Conference on Communications and Network Security, Florence, Italy, September 28-30, 2015.
(Submission Due 24 April 2015)
http://cns2015.ieee-cns.org/

The IEEE Conference on Communications and Network Security (CNS) is a new conference series in the IEEE Communications Society (ComSoc) core conference portfolio and the only ComSoc conference focusing solely on cyber security. IEEE CNS is also a spin-off of IEEE INFOCOM, the premier ComSoc conference on networking.
The goal of CNS is to provide an outstanding forum for cyber security researchers, practitioners, policy makers, and users to exchange ideas, techniques and tools, raise awareness, and share experience related to all practical and theoretical aspects of communications and network security. Building on the success of the past two years' conferences, IEEE CNS 2015 seeks original high-quality technical papers from academia, government, and industry. Topics of interest encompass all practical and theoretical aspects of communications and network security, all the way from the physical layer to the various network layers to the variety of applications reliant on a secure communication substrate. Submissions with main contribution in other areas, such as information security, software security, system security, or applied cryptography, will also be considered if a clear connection to secure communications/networking is demonstrated.

Particular topics of interest include, but are not limited to:
- Anonymization and privacy in communication systems
- Biometric authentication and identity management
- Computer and network forensics
- Data and application security
- Data protection and integrity
- Availability of communications, survivability of networks in the presence of attacks
- Key management and PKI for networks
- Information-theoretic security
- Intrusion detection and prevention
- Location privacy
- Mobile security
- Outsourcing of network and data communication services
- Physical layer security methods, cross-layer methods for enhancing security
- Secure routing, network management
- Security for critical infrastructures
- Security metrics and performance evaluation
- Security and privacy for big data
- Security and privacy in body area networks
- Security and privacy in content delivery network
- Security and privacy in cloud computing and federated cloud
- Security and privacy in crowdsourcing
- Security and privacy in the Internet of Things
- Security and privacy in multihop wireless networks: ad hoc, mesh, sensor, vehicular and RFID networks
- Security and privacy in peer-to-peer networks and overlay networks
- Security and privacy in single-hop wireless networks: Wi-Fi, Wi-Max
- Security and privacy in smart grid, cognitive radio networks, and disruption/delay tolerant networks
- Security and privacy in social networks
- Security and privacy in pervasive and ubiquitous computing
- Social, economic and policy issues of trust, security and privacy
- Traffic analysis
- Usable security for networked computer systems
- Vulnerability, exploitation tools, malware, botnet, DDoS attacks
- Web, e-commerce, m-commerce, and e-mail security

-------------------------------------------------------------------------

Elsevier Future Generation Computer Systems, Special Issue on Cloud Cryptography: State of the Art and Recent Advances. (Submission Due 1 May 2015)
http://www.journals.elsevier.com/future-generation-computer-systems/call-for-papers/special-issue-on-cloud-cryptography-state-of-the-art-and-rec/
Editors: Kim-Kwang Raymond Choo (University of South Australia, Australia), Josep Domingo-Ferrer (Universitat Rovira i Virgili, Catalonia), and Lei Zhang (East China Normal University, China)

Cloud computing is widely used by organisations and individuals. Despite the popularity of cloud computing, cloud security is still an area needing further research. A particularly promising approach to achieve security in this new computing paradigm is through cryptography, but traditional cryptographic techniques are not entirely suitable for cloud implementation due to computational efficiency limitations and other constraints. This special issue is dedicated to providing both scientists and practitioners with a forum to present their recent research on the use of novel cryptography techniques to improve the security of the underlying cloud architecture or ecosystem, particularly research that integrates both theory and practice.
For example, how do we design an efficient cloud cryptography system that offers enhanced security without compromising on usability and performance? An efficient fully homomorphic encryption scheme might be an option. Such a scheme should guarantee that the cloud service provider is unable to view the content of the data he stores (thereby ensuring data confidentiality to users). However, sufficiently efficient fully homomorphic encryption is not yet available. We encourage authors to be exploratory in their submissions - that is, to report on advances beyond the state of the art in research and development of cryptographic techniques that result in secure and efficient means of ensuring security and privacy of cloud data.

Topics of interest include but are not limited to:
- Anonymity
- Access control
- Cloud key agreement
- Distributed authentication and authority
- Implementation of cryptographic schemes
- Homomorphic encryption
- Multi-cloud security
- Privacy-preserving provisioning
- Remote proofs of storage
- Searchable encryption
- Secure computation

-------------------------------------------------------------------------

CRITIS 2015 10th International Conference on Critical Information Infrastructures Security, Berlin, Germany, October 5-7, 2015. (Submission Due 10 May 2015)
http://www.critis2015.org

CRITIS 2015 has four foci. Topic category 1, Resilience and protection of cyber-physical systems, covers advances in the classical CIIP sectors telecommunication, cyber systems and electricity infrastructures. Topic category 2 focuses on advances in C(I)IP policies and best practices in C(I)IP specifically from stakeholders' perspectives. In topic category 3, general advances in C(I)IP, we are explicitly inviting contributions from additional infrastructure sectors (like energy, transport, and smart built infrastructure) and cover also cross-sector CI(I)P aspects.
In 2013, the CRITIS series of conferences started to foster contributions from young experts and researchers ("Young CRITIS"), and in 2014 this was reinforced by the first edition of the CIPRNet Young CRITIS Award (CYCA). We will continue both activities at CRITIS 2015, since our demanding multi-disciplinary field of research requires open-minded talents.

-------------------------------------------------------------------------

ACM-CCS 2015 22nd ACM Conference on Computer and Communications Security, Denver, Colorado, USA, October 12-16, 2015. (Submission Due 15 May 2015)
http://www.sigsac.org/ccs/CCS2015

The ACM Conference on Computer and Communications Security (CCS) is the flagship annual conference of the Special Interest Group on Security, Audit and Control (SIGSAC) of the Association for Computing Machinery (ACM). The conference brings together information security researchers, practitioners, developers, and users from all over the world to explore cutting-edge ideas and results. It provides an environment to conduct intellectual discussions. From its inception, CCS has established itself as a high standard research conference in its area.

-------------------------------------------------------------------------

IEICE Transactions on Information and Systems, Special Issue on Information and Communication System Security. (Submission Due 22 May 2015)
http://www.ieice.org/~icss/index.en.html
Editors: Toshihiro Yamauchi (Okayama University, Japan), Yasunori Ishihara (Osaka University, Japan), and Atsushi Kanai (Hosei University, Japan).
The major topics include, but are not limited to:
- Security Technologies on AdHoc Network, P2P, Sensor Network, RFID, Wireless Network, Mobile Network, Home Network, Cloud, and SNS
- Access Control, Content Security, DRM, CDN, Privacy Protection, E-Commerce, PKI, Security Architecture, Security Protocol, Security Implementation, Technologies, Secure OS, Security Evaluation/Authentication

-------------------------------------------------------------------------

IEEE Transactions on Services Computing, Special Issue on Security and Dependability of Cloud Systems and Services. (Submission Due 31 May 2015)
http://www.computer.org/cms/Computer.org/transactions/cfps/cfp_tscsi_sdcss.pdf
Editors: Marco Vieira (University of Coimbra, Portugal) and Stefano Russo (Università di Napoli Federico II, Italy).

Service-based cloud systems are being used in business-, mission- and safety-critical scenarios to achieve operational goals. Their characteristics of complexity, heterogeneity, and fast-changing dynamics bring difficult challenges to the research and industry communities. Among them, security and dependability (Sec. & Dep.) have been widely identified as increasingly relevant issues. Crucial aspects to be addressed include: metrics, techniques and tools for assessing Sec. & Dep.; modeling and evaluation of the impact of accidental and malicious threats; failure and recovery analysis; Sec. & Dep. testing, testbeds, benchmarks; infrastructure interdependencies, interoperability in presence of Sec. & Dep. guarantees. The objective of this Special Issue is to bring together sound original contributions from researchers and practitioners on methodologies, techniques and tools to assess or improve the security and dependability of cloud systems and services.
Suggested topics include, but are not limited to:
- Design, deployment and management of secure and dependable cloud systems and services
- Secure and dependable Service-Oriented Architecture (SOA)
- Secure and dependable Big Data services
- Specification and design methodologies (e.g., model-driven, component-based)
- Modeling and simulation of security and dependability of cloud systems and services
- Metrics for quantifying services dependability and security
- Dependability and security benchmarking of cloud systems
- Verification and validation (V&V) for dependability and security evaluation of services
- Formal verification, testing, analytical and experimental evaluation of services
- Off-line versus on-line dependability and security services assessment
- Protocols and network technologies for dependable and secure mobile cloud applications
- Virtualization for dependable cloud networks
- Future Internet architectures and protocols for mobile cloud computing
- Design and use of supporting tools for creating dependable and secure services
- Case studies illustrating challenges and solutions in designing secure and dependable cloud systems and services

-------------------------------------------------------------------------

ICISS 2015 11th International Conference on Information Systems Security, Kolkata, India, December 16-20, 2015. (Submission Due 29 July 2015)
http://www.iciss.org.in

The conference series ICISS (International Conference on Information Systems Security), held annually, provides a forum for disseminating latest research results in information and systems security. ICISS 2015, the eleventh conference in this series, will be held under the aegis of the Society for Research in Information Security and Privacy (SRISP). Submissions are encouraged from academia, industry and government, addressing theoretical and practical problems in information and systems security and related areas.
Topics of interest include but are not limited to:
- Access and Usage Control
- Application Security
- Authentication and Audit
- Biometric Security
- Cloud Security
- Cryptographic Protocols
- Cyber-physical Systems Security
- Data Security and Privacy
- Digital Forensics
- Digital Rights Management
- Distributed Systems Security
- Formal Models in Security
- Identity Management
- Intrusion Detection and Prevention
- Intrusion Tolerance and Recovery
- Key Management
- Language-based Security
- Malware Analysis and Mitigation
- Network Security
- Operating Systems Security
- Privacy and Anonymity
- Secure Data Streams
- Security and Usability
- Security Testing
- Sensor and Ad Hoc Network Security
- Smartphone Security
- Software Security
- Usable Security
- Vulnerability Detection and Mitigation
- Web Security

-------------------------------------------------------------------------

Journal of Computer and System Sciences, Special Issue on Cyber Security in the Critical Infrastructure: Advances and Future Directions. (Submission Due 31 August 2015)
http://www.journals.elsevier.com/journal-of-computer-and-system-sciences/call-for-papers/cyber-security-in-the-critical-infrastructure-advances-and-f/
Editors: Jemal Abawajy (Deakin University, Australia), Kim-Kwang Raymond Choo (University of South Australia, Australia), and Rafiqul Islam (Charles Sturt University, Australia).

This special issue invites original research papers that report on state-of-the-art and recent advancements in securing our critical infrastructure and cyberspace, with a particular emphasis on novel techniques to build resilient critical information infrastructure.
Topics of interest include but are not limited to:
- Cyber security mitigation techniques for critical infrastructures such as banking and finance, communications, emergency services, energy, food chain, health, mass gatherings, transport and water
- Cyber threat modelling and analysis
- Cyber forensics
- Visual analytics and risk management techniques for cyber security
- Cyber security test beds, tools, and methodologies

-------------------------------------------------------------------------

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________

Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".
OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.
____________________________________________________________________

Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html
_____________________________________________________________________

How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at
https://www.ieee.org/membership-catalog/productdetail/showProductDetailPage.html?product=CMYSP728
______________________________________________________________________

TC Publications for Sale
______________________________________________________________________

The proceedings of previous conferences are available from the Computer Society's Digital Library.

IEEE Security and Privacy Symposium
IEEE CS Press
____________________________________________________________________________

TC Officers and SP Steering Committee
____________________________________________________________________________

Chair:
Patrick McDaniel
Computer Science and Engineering
Pennsylvania State University
360 A IST Building
University Park, PA 16802
(814) 863-3599
mcdaniel@cse.psu.edu

Security and Privacy Symposium Chair Emeritus:
Greg Shannon
CERT
oakland14-chair@ieee-security.org

Vice Chair:
Ulf Lindqvist
SRI International
Menlo Park, CA
ulf.lindqvist@sri.com

Treasurer:
Yong Guan
3219 Coover Hall
Department of Electrical and Computer Engineering
Iowa State University, Ames, IA 50011
(515) 294-8378
yguan (at) iastate.edu

Newsletter Editor and TC Awards Chair:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2015 Chair:
Sean Peisert
UC Davis and Lawrence Berkeley National Laboratory
oakland15-chair@ieee-security.org
____________________________________________________________________________

BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year