============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 130                                      January 25, 2016

Hilarie Orman, Editor                    Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org        cipher-assoc-editor @ ieee-security.org

Richard Austin                           Yong Guan
Book Review Editor                       Calendar Editor
cipher-bookrev @ ieee-security.org       cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

* Letter from the Editor
* Commentary and Opinion and News
    o News Items
      - FBI Stays on Top of the Cyber Game
      - Terrorism, Crypto Wars, repeat
      - Practical Unix Security hits a milestone
      - Routers with double backdoors
      - Floodgates remained closed in 2013 cyberattack
      - Google tries password alternatives
      - The Ukraine loses power in first successful attack against substations
      - White House looks to tech for propaganda deterrence
      - Home routers are neither secure nor up-to-date
    o Richard Austin's review of "Thinking Security: Stopping Next Year's Hackers" by Steven Bellovin
    o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
* List of Computer Security Academic Positions, by Cynthia Irvine
* Conference and Workshop Announcements
    o Upcoming calls-for-papers and events
* Staying in Touch
    o Information for subscribers and contributors
    o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
    o Becoming a member of the TC
    o TC Officers
    o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

The program committee for the annual Security and Privacy Symposium is in the final stages of determining the papers to be presented in May. Our website, http://ieee-security.org, has a link to the conference page where the final program will be announced in February. Registration will open about the same time. Watch for it.

Our book reviewer Richard Austin turned his attention to a new book by long-time security expert Steve Bellovin. Anyone who wants to know why computer security is both necessary and difficult should take a look.

Recently the Wall Street Journal ran a long article about the security of home routers --- those little plastic boxes that make it so easy to have wifi throughout the house. How much more mainstream can security be? And yet, the main news is that the firmware has vulnerabilities, and updates can be hard to come by. How much more depressing can it get? Perhaps security has become the dismal science, pushing economics aside in the mad rush towards the singularity.

I close with a quote from Shakespeare. Although his use of the word "security" meant something more like "complacency" or "overconfidence", I still think it is fitting. I am sure that many hackers, like the witches of the play, know this truth:

    And you all know, security
    Is mortals' chiefest enemy.
                      (Macbeth, III 5)

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
News Briefs
====================================================================
News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

Meet the woman in charge of the FBI's most controversial high-tech tools
https://www.washingtonpost.com/world/national-security/meet-the-woman-in-charge-of-the-fbis-most-contentious-high-tech-tools/2015/12/08/15adb35e-9860-11e5-8917-653b65c809eb_story.html
The Washington Post
By Ellen Nakashima
December 8, 2015

Summary: The FBI is no longer behind the times in cyber technology, and their executive assistant director for science and technology is responsible for keeping them current. This article highlights the role of that person, Amy Hess, who took the reins in 2014. A video games whiz when she entered the FBI academy, she now manages a budget of around half a billion dollars while navigating the boundaries of security and privacy in relationships with industry.

-------------------

After terrorist attacks, the debate over encryption gets new life
https://www.washingtonpost.com/world/national-security/after-terrorist-attacks-the-debate-over-encryption-gets-new-life/2015/12/09/3bb73f22-9e99-11e5-8728-1af6af208198_story.html
The Washington Post
By Ellen Nakashima
Dec 9, 2015

Summary: FBI Director James B. Comey made remarks at a Senate Judiciary Committee meeting urging the Senate to change the "unacceptable" status quo with regard to encryption technology. The terrorist attacks in Paris and in San Bernardino, California have made law enforcement hungry for complete access to communications among suspected terrorists. Comey asserted that technology for encrypted intercepts was not an impediment and that controls could be installed without "breaking the Internet".
-------------------

A looming anniversary, and an offer
December 15, 2015
From Gene Spafford

Next year is the 25th anniversary of the publication of Practical Unix Security. The book has attracted quite a readership over the years. As a celebration of the anniversary, and as a way of helping raise some funds for two worthwhile non-profit organizations (EPIC and the ISSA Foundation), we are making a special offer to get a copy of the book signed by the authors. Details are at http://ceri.as/puis

We encourage people to participate --- if nothing else, to provide some support to two worthwhile organizations supporting security & privacy work.

-------------------

Secret Code Found in Juniper's Firewalls Shows Risk of Government Backdoors
http://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of-government-backdoors/
Wired
by Kim Zetter
12.18.15

Summary: Juniper Networks makes high-speed routers that power the Internet, so it was no small matter when it was discovered that their operating system had not one but two "backdoors" allowing access to traffic passing through. Further, one of the backdoors allows access to encrypted VPN traffic. There is no information about who installed the code, who used it, or whether or not the two backdoors come from the same source. Speculation is rife, and some experts suspect that there is some intertwined further vulnerability associated with keys derived from NIST's flawed EC random number generator. Juniper has issued patches for both backdoors, and one expert reverse engineered a patch to find the master password underlying the secret access.

-------------------

Official: Iranians hacked into New York dam
http://www.cnn.com/2015/12/21/politics/iranian-hackers-new-york-dam/index.html
CNNPolitics.com
by Shimon Prokupecz, Tal Kopan and Sonia Moghe
Dec 22, 2015

Summary: In 2013, Iranian hackers infiltrated a software control system for a flood control dam in Rye Brook, New York, according to information from an unidentified US official and revealed in the Wall Street Journal last December. The hackers were not able to gain control of the floodgates, however. The town uses industry standard software control systems, but apparently the operators were not aware of security problems with the software or its configuration.

-------------------

Google is trying to kill passwords. But what should replace them?
https://www.washingtonpost.com/news/the-switch/wp/2015/12/23/google-is-trying-to-kill-passwords-but-what-should-replace-them/
The Washington Post
by Andrea Peterson
Dec 23, 2015

Summary: Google has been experimenting with alternatives to passwords. One trial involves combining computer access with cell phone authorization: when you try to log in to an email account, a message is sent to your cell phone requesting permission. The cell phone response opens the email account to the computer. This method could be combined, in the future, with biometric authentication. Whether or not this increases the overall security of email access remains somewhat in question because it simply makes the cell phone the primary target of hackers.

-------------------

Hackers caused a blackout for the first time, researchers say
https://www.washingtonpost.com/news/the-switch/wp/2016/01/05/hackers-caused-a-blackout-for-the-first-time-researchers-say
The Washington Post
by Andrea Peterson
Jan 6, 2016

Summary: John Hultquist, head of iSIGHT Partners' cyberespionage intelligence practice, said that hackers had used a known malware package called Black Energy against electric power substations in the Ukraine in late December. As a result, half the homes in the Ivano-Frankivsk region were without power. This seems to be the first time that a cyberattack has caused an outage. Cyber intrusions in power grids are not unknown, but successful sabotage was unknown until now. The malware was not designed to take down power grids. It deletes computer files, making the computer unusable. The malware rendered more than one substation inoperative. The brute force simplicity of the attack and the ease with which it permeated the substations is cause for alarm (for those who were not already alarmed).

-------------------

White House Officials Meet With Tech Leaders on Thwarting Terrorists
http://www.nytimes.com/2016/01/09/world/middleeast/white-house-officials-to-meet-with-tech-leaders-on-thwarting-terrorists.html
The New York Times
by Gardiner Harris and Cecilia Kang
Jan 8, 2016

Summary: Not all of the US government's cyber responses to terrorism are concerned with encryption. Two new efforts will focus on countering propaganda from the Islamic State. The Department of Homeland Security and the Justice Department will coordinate the program, and the State Department will launch an effort to counter disinformation and to "create positive images of the West." Officials from the Obama administration emphasize that they need help from big technology companies to carry out their program.

-------------------
Rarely Patched Software Bugs in Home Routers Cripple Security
http://www.wsj.com/articles/rarely-patched-software-bugs-in-home-routers-cripple-security-1453136285
(NB: paywall access only)
The Wall Street Journal
By Jennifer Valentino-DeVries
Jan 18, 2016

Summary: Home routers are cheap and easy to set up, but a study by an expert hired by the newspaper found that a great many of them rely on an insecure version of the firmware. Furthermore, it can be difficult to impossible to find firmware updates. This investigative article shows that the reach of poor security practices is immense, and there seem to be few economic incentives to fix them.

====================================================================
Commentary and Opinion
====================================================================
Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference
reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Richard Austin
01/19/2016

Thinking Security: Stopping Next Year's Hackers
by Steven Bellovin
____________________________________________________________________
Addison-Wesley 2016.
ISBN 978-0-13-427754-7

"I know security is important but what should I be doing?", "Is there really anything to security beyond complying with X?", "It seems like the security budget keeps going up year after year but what am I getting for that investment?" are some questions we've all encountered. They're very good questions but good answers are elusive. Bellovin asserts that the fundamental problem is that word "security" and a generally flawed understanding of what it is and what achieving it might imply. He pithily summarizes the problem as (p. xi): "we're protecting the wrong things, and we're hurting productivity in the process" when we should instead "protect the right things, and make it easy for employees to do the right thing."

The intended audience for the book is not hard-core security professionals or researchers, but system administrators, architects, IT managers, etc., who understand the basics of security but haven't yet taken the step of questioning and understanding the "Why?". Though a large population of educated practitioners is critical to the success of our security programs, there is a dearth of introductory books targeting this population.

Answering the "Why?" takes the reader on a four-step journey: "Defining the problem", "Technologies", "Secure Operations" and finally "The Future".

"Defining the problem" takes a broad view of "security", what it is and how one actually goes about doing it. In a brief sidebar titled "Cyberwar?" (p. 29), Bellovin deftly abolishes the popular hype of "Cyberwar" (military operations exclusively in the cyber domain) in favor of what Dr. Chris Demchak calls "cybered-warfare" (i.e., modern military operations will likely include a cyber component as a matter of course). I am indebted to him for the term "Targetier", introduced on p. 36 to refer to someone who mounts a targeted attack (as he notes, the etymology is questionable but, as in security, language and usage do change over time).

"Technologies" tours the common technologies found in the security arsenal such as anti-virus, firewalls, etc. Notable is Bellovin's discussion of extrusion detection in the chapter on firewalls and IDS. Chapter 6 on "Cryptography and VPNs" is a masterful overview of what crypto can and cannot do as well as what goes into using it correctly.

"Secure Operations" delves into how technologies are used together in solving the security problem. In addition to a solid overview of the usual suspects, Bellovin includes the often overlooked topics of "Keeping Software Up to Date" and "People" (where the poor usability of most of our security measures gets a well-deserved shellacking).

The final section, "The Future", opens with four case studies (including one on the IoT) where the reader is guided in applying what they've learned thus far and concludes with a commentary that examines what is involved in "Doing Security Properly".

This is a charming book for those who have some grasp of the basics of security and are ready to explore the topic further. Bellovin's lively and engaging writing style will draw the reader into an in-depth exploration of the topics under the guidance of a master who has realized that the measure of a true master is not in displaying his knowledge but in sharing it. Experts might consider keeping several copies for sharing.

----------
It has been said "Be careful, for writing books is endless, and much study wears you out" so Richard Austin fearlessly samples the latest offerings of the publishing houses and opines as to which might most profitably occupy your scarce reading time. He welcomes your thoughts and comments via raustin at ieee dot org

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================
http://cisr.nps.edu/jobscipher.html

(no new listings since Cipher E129)

--------------
This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
====================================================================

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

 1/27/16: ACNS, 14th International Conference on Applied Cryptography and Network Security, London, United Kingdom; http://acns2016.sccs.surrey.ac.uk/ Submissions are due
 1/29/16: LASER, 4th Workshop on Learning from Authoritative Security Experiment Results, Co-located with 37th IEEE Symposium on Security and Privacy (IEEE S&P 2016), San Jose, CA, USA; http://2016.laser-workshop.org/ Submissions are due
 1/29/16: MOST, Workshop on Mobile Security Technologies, Co-located with 37th IEEE Symposium on Security and Privacy (IEEE S&P 2016), San Jose, CA, USA; http://ieee-security.org/TC/SPW2016/MoST/cfp.html Submissions are due
 1/31/16: ICIMP, 11th International Conference on Internet Monitoring and Protection, Valencia, Spain; http://www.iaria.org/conferences2016/ICIMP16.html Submissions are due
 2/ 1/16: IEEE Computer, Special Issue on Supply Chain Security for Cyber-Infrastructure; http://www.computer.org/web/computingnow/cocfp8 Submissions are due
 2/ 1/16: WTMC, International Workshop on Traffic Measurements for Cybersecurity, Co-located with 11th ACM Asia Conference on Computer and Communications Security (AsiaCCS 2016), Xi'an, China; http://wtmc.info Submissions are due
 2/ 3/16: DIMVA, 13th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, San Sebastian, Spain; http://dimva2016.mondragon.edu Submissions are due
 2/12/16: IoTPTS, 2nd ACM International Workshop on IoT Privacy, Trust, and Security, Co-located with 11th ACM Asia Conference on Computer and Communications Security (AsiaCCS 2016), Xi'an, China; https://sites.google.com/site/iotpts2016/ Submissions are due
 2/12/16: CSF, 29th IEEE Computer Security Foundations Symposium, Lisbon, Portugal; http://csf2016.tecnico.ulisboa.pt/ Submissions are due
 2/19/16- 2/21/16: ICISSP, 2nd International Conference on Information Systems Security and Privacy, Rome, Italy; http://www.icissp.org/
 2/21/16- 2/24/16: NDSS, Network and Distributed System Security Symposium, San Diego, California, USA; http://www.internetsociety.org/events/ndss-symposium-2016
 2/24/16- 2/26/16: PQCrypto, 7th International Conference on Post-Quantum Cryptography, Fukuoka, Japan; https://pqcrypto2016.jp/
 2/26/16: WiSec, 9th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Darmstadt, Germany; http://www.sigsac.org/wisec/WiSec2016/ Submissions are due
 2/29/16: IEEE Cloud Computing, Special Issue on Cloud Security; http://www.computer.org/cloudcomputing Submissions are due
 2/29/16: PETS, 16th Privacy Enhancing Technologies Symposium, Darmstadt, Germany; http://petsymposium.org/ Submissions are due
 2/29/16: IMPS, Workshop on Innovations in Mobile Privacy and Security, Held in conjunction with ESSoS 2016, London, UK; http://groups.inf.ed.ac.uk/security/IMPS/ Submissions are due
 2/29/16: DBSec, 30th Annual IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy, Trento, Italy; http://dbsec2016.fbk.eu Submissions are due
 3/ 1/16: SECRYPT, 13th International Conference on Security and Cryptography, Lisbon, Portugal; http://www.secrypt.icete.org Submissions are due
 3/ 6/16: STPSA, 11th IEEE International Workshop on Security, Trust, and Privacy for Software Applications, Held in conjunction with COMPSAC 2016, Atlanta, GA, USA; http://staging.computer.org/web/compsac2016/stpsa Submissions are due
 3/ 7/16: SHPCS, 11th International Workshop on Security and High Performance Computing Systems, Held in conjunction with the 2016 International Conference on High Performance Computing & Simulation (HPCS 2016), Innsbruck, Austria; http://hpcs2016.cisedu.info/2-conference/workshops---hpcs2016/workshop09-shpcs Submissions are due
 3/ 7/16: ISC, 19th Information Security Conference, Honolulu, Hawaii, USA; http://manoa.hawaii.edu/isc2016 Submissions are due
 3/ 9/16- 3/11/16: CODASPY, 6th ACM Conference on Data and Application Security and Privacy, New Orleans, LA, USA; http://www.codaspy.org
 3/11/16: IWSPA, International Workshop on Security And Privacy Analytics, Co-located with ACM CODASPY 2016, New Orleans, LA, USA; http://capex.cs.uh.edu/?q=content/international-workshop-security-and-privacy-analytics-2016
 3/11/16: SDN-NFV Security, ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization, Co-located with ACM CODASPY 2016, New Orleans, LA, USA; http://honeynet.asu.edu/sdnnfvsec2016/
 3/14/16- 3/18/16: SPT-IOT, 1st IEEE PERCOM Workshop on Security, Privacy and Trust in the Internet of Things, Held in conjunction with IEEE PERCOM 2016, Sydney, Australia; https://sites.google.com/site/sptiot2016/home
 3/21/16- 3/24/16: EuroSP, 1st IEEE European Symposium on Security and Privacy, Congress Center Saar, Saarbrucken, Germany; http://www.ieee-security.org/TC/EuroSP2016/
 3/23/16- 3/25/16: INTRICATE-SEC, 4th International Workshop on Security Intricacies in Cyber-Physical Systems and Services, Held in conjunction with the 30th International Conference on Advanced Information Networking and Applications (AINA-2016), Crans-Montana, Switzerland; http://infosec.cs.uct.ac.za/INTRICATE-SEC/
 3/25/16: HAISA, International Symposium on Human Aspects of Information Security & Assurance, Frankfurt, Germany; http://haisa.org/ Submissions are due
 3/31/16: IWSEC, 11th International Workshop on Security, Tokyo, Japan; http://www.iwsec.org/2016/ Submissions are due
 4/ 4/16: I-SAT, International Workshop on Information Security, Assurance, and Trust, Vancouver, BC, Canada; http://i-sat.ca Submissions are due
 4/ 6/16: IMPS, Workshop on Innovations in Mobile Privacy and Security, Held in conjunction with ESSoS 2016, London, UK; http://groups.inf.ed.ac.uk/security/IMPS/
 4/ 6/16- 4/ 8/16: ESSoS, International Symposium on Engineering Secure Software and Systems, University of London, London, UK; https://distrinet.cs.kuleuven.be/events/essos/2016/calls-papers.html
 4/12/16: PMSPCR, Workshop on Process Mining for Security, Privacy, Compliance & Resilience, Held in conjunction with the 19th International Conference on Business Information Systems (BIS 2016), Leipzig, Germany; http://bis.kie.ue.poznan.pl/bis2016/workshops/pmspcr-2016/ Submissions are due
 4/15/16: TrustCom, 15th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, Tianjin, China; http://adnet.tju.edu.cn/TrustCom2016/ Submissions are due
 4/19/16- 4/20/16: Cybersecurity, Cybersecurity Symposium, Coeur d'Alene, Idaho, U.S.A; http://www.cybersecuritysymposium.com
 4/22/16: ESORICS, 21st European Symposium on Research in Computer Security, Heraklion, Crete; http://www.ics.forth.gr/esorics2016/ Submissions are due
 5/ 5/16- 5/ 7/16: HOST, IEEE International Symposium on Hardware Oriented Security and Trust, Washington DC, USA; http://www.hostsymposium.org
 5/13/16: EuroUSEC, 1st European Workshop on Usable Security, Affiliated with PETS 2016, Darmstadt, Germany; https://eurousec.secuso.org/2016/ Submissions are due
 5/15/16: Call for Book Chapters: Empirical Research for Software Security: Foundations and Experience, Taylor & Francis Group, LLC; https://www.sit.fraunhofer.de/de/ijsse/?no_cache=1 Submissions are due
 5/22/16- 5/26/16: ICIMP, 11th International Conference on Internet Monitoring and Protection, Valencia, Spain; http://www.iaria.org/conferences2016/ICIMP16.html
 5/23/16- 5/25/16: SP, 37th IEEE Symposium on Security and Privacy, San Jose, CA, USA; http://www.ieee-security.org/TC/SP2016/
 5/26/16: SPW, Security and Privacy Workshops, Held in conjunction with the 37th IEEE Symposium on Security and Privacy (SP 2016), San Jose, CA, USA; http://www.ieee-security.org/TC/SP2016/cfworkshops.html
 5/26/16: BioSTAR, International Workshop on Bio-inspired Security, Trust, Assurance and Resilience, Co-located with 37th IEEE Symposium on Security and Privacy (IEEE S&P 2016), San Jose, CA, USA; http://biostar.cybersecurity.bio/
 5/26/16: MOST, Workshop on Mobile Security Technologies, Co-located with 37th IEEE Symposium on Security and Privacy (IEEE S&P 2016), San Jose, CA, USA; http://ieee-security.org/TC/SPW2016/MoST/cfp.html
 5/26/16: LASER, 4th Workshop on Learning from Authoritative Security Experiment Results, Co-located with 37th IEEE Symposium on Security and Privacy (IEEE S&P 2016), San Jose, CA, USA; http://2016.laser-workshop.org/
 5/30/16: IEEE Transactions on Computers, Special Section on Secure Computer Architectures; http://www.computer.org/cms/Computer.org/transactions/cfps/cfp_tcsi_sca.pdf Submissions are due
 5/30/16: WTMC, International Workshop on Traffic Measurements for Cybersecurity, Co-located with 11th ACM Asia Conference on Computer and Communications Security (AsiaCCS 2016), Xi'an, China; http://wtmc.info
 5/30/16: IoTPTS, 2nd ACM International Workshop on IoT Privacy, Trust, and Security, Co-located with 11th ACM Asia Conference on Computer and Communications Security (AsiaCCS 2016), Xi'an, China; https://sites.google.com/site/iotpts2016/
 5/30/16- 6/ 1/16: IFIP SEC, 31st IFIP TC-11 SEC 2016 International Information Security and Privacy Conference, Ghent, Belgium; http://ifipsec.org/2016/
 5/31/16- 6/ 3/16: ASIACCS, 11th ACM Asia Conference on Computer and Communications Security, Xi'an, China; http://meeting.xidian.edu.cn/conference/AsiaCCS2016/home.html
 5/31/16: CPSS, 2nd ACM Cyber-Physical System Security Workshop, Held in conjunction with ACM AsiaCCS 2016 Conference, Xi'an, China; http://icsd.i2r.a-star.edu.sg/cpss16/
 6/10/16- 6/14/16: STPSA, 11th IEEE International Workshop on Security, Trust, and Privacy for Software Applications, Held in conjunction with COMPSAC 2016, Atlanta, GA, USA; http://staging.computer.org/web/compsac2016/stpsa
 6/16/16- 6/18/16: I-SAT, International Workshop on Information Security, Assurance, and Trust, Vancouver, BC, Canada; http://i-sat.ca
 6/19/16- 6/22/16: ACNS, 14th International Conference on Applied Cryptography and Network Security, London, United Kingdom; http://acns2016.sccs.surrey.ac.uk/
 6/28/16- 7/ 1/16: CSF, 29th IEEE Computer Security Foundations Symposium, Lisbon, Portugal; http://csf2016.tecnico.ulisboa.pt/
 7/ 6/16- 7/ 8/16: PMSPCR, Workshop on Process Mining for Security, Privacy, Compliance & Resilience, Held in conjunction with the 19th International Conference on Business Information Systems (BIS 2016), Leipzig, Germany; http://bis.kie.ue.poznan.pl/bis2016/workshops/pmspcr-2016/
 7/ 7/16- 7/ 8/16: DIMVA, 13th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, San Sebastian, Spain; http://dimva2016.mondragon.edu
 7/18/16: EuroUSEC, 1st European Workshop on Usable Security, Affiliated with PETS 2016, Darmstadt, Germany; https://eurousec.secuso.org/2016/
 7/18/16- 7/20/16: WiSec, 9th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Darmstadt, Germany; http://www.sigsac.org/wisec/WiSec2016/
 7/18/16- 7/21/16: DBSec, 30th Annual IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy, Trento, Italy; http://dbsec2016.fbk.eu
 7/18/16- 7/22/16: SHPCS, 11th International Workshop on Security and High Performance Computing Systems, Held in conjunction with the 2016 International Conference on High Performance Computing & Simulation (HPCS 2016), Innsbruck, Austria; http://hpcs2016.cisedu.info/2-conference/workshops---hpcs2016/workshop09-shpcs
 7/19/16- 7/21/16: HAISA, International Symposium on Human Aspects of Information Security & Assurance, Frankfurt, Germany; http://haisa.org/
 7/19/16- 7/22/16: PETS, 16th Privacy Enhancing Technologies Symposium, Darmstadt, Germany; http://petsymposium.org/
 7/23/16- 7/26/16: TrustCom, 15th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, Tianjin, China; http://adnet.tju.edu.cn/TrustCom2016/
 7/26/16- 7/28/16: SECRYPT, 13th International Conference on Security and Cryptography, Lisbon, Portugal; http://www.secrypt.icete.org
 9/ 7/16- 9/ 9/16: ISC, 19th Information Security Conference, Honolulu, Hawaii, USA; http://manoa.hawaii.edu/isc2016
 9/12/16- 9/14/16: IWSEC, 11th International Workshop on Security, Tokyo, Japan; http://www.iwsec.org/2016/
 9/26/16- 9/30/16: ESORICS, 21st European Symposium on Research in Computer Security, Heraklion, Crete; http://www.ics.forth.gr/esorics2016/

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers (new since Cipher E129)
____________________________________________________________________

ACNS 2016
14th International Conference on Applied Cryptography and Network Security, London, United Kingdom, June 19-22, 2016.
(Submission Due 27 January 2016)
http://acns2016.sccs.surrey.ac.uk/

The conference seeks submissions presenting novel research on all technical aspects of applied cryptography, cyber security (incl. network and computer security) and privacy. This includes submissions from academia/industry on traditional and emerging topics and new paradigms in these areas, with a clear connection to real-world problems, systems or applications.
Submissions may focus on the modelling, design, analysis (incl. security proofs and attacks), development (e.g. implementations), deployment (e.g. system integration), and maintenance (e.g. performance measurements, usability studies) of algorithms/protocols/standards/implementations/technologies /devices/systems standing in relation with applied cryptography, cyber security and privacy, while advancing or bringing new insights to the state of the art. Some topics of interest include but not limited to: - Access control - Applied cryptography - Automated security analysis - Biometric security/privacy - Complex systems security - Critical infrastructures - Cryptographic primitives - Cryptographic protocols - Data protection - Database/system security - Digital rights management - Email and web security - Future Internet security - Identity management - IP protection - Internet fraud, cybercrime - Internet-of-Things security - Intrusion detection - Key management - Malware - Mobile/wireless/5G security - Network security protocols - Privacy/anonymity, PETs - Pervasive security - Security in e-commerce - Security in P2P systems - Security in grid systems - Cloud security/privacy - Security/privacy metrics - Trust management - Ubiquitous security/privacy - Human factors in security - Usability in security/privacy ------------------------------------------------------------------------- LASER 2016 4th Workshop on Learning from Authoritative Security Experiment Results, Co-located with 37th IEEE Symposium on Security and Privacy (IEEE S&P 2016), San Jose, CA, USA, May 26, 2016. (Submission Due 29 January 2016) http://2016.laser-workshop.org/ The Learning from Authoritative Security Experiment Results (LASER) workshop series focuses on learning from and improving cyber security experimental results. LASER explores both positive and negative results, the latter of which are not often published. 
LASER's overarching goal is to foster a dramatic change in the paradigm of cyber security research and experimentation, improving the overall quality of practiced science. This year, LASER will focus on cyber security experimentation methods and results that demonstrate approaches to increasing the repeatability and archiving of experiments, methods, results, and data. Participants will find LASER to be a constructive and highly interactive venue featuring informal paper presentations and extended discussions. To promote a high level of interaction, attendance will be limited, with first preference given to participating authors. Additional seats will be available on a first-come first-served basis. LASER also seeks to foster good science in the next generation of cyber security researchers. As such, LASER offers a limited number of student scholarships for participation. ------------------------------------------------------------------------- MOST 2016 Workshop on Mobile Security Technologies, Co-located with 37th IEEE Symposium on Security and Privacy (IEEE S&P 2016), San Jose, CA, USA, May 26, 2016. (Submission Due 29 January 2016) http://ieee-security.org/TC/SPW2016/MoST/cfp.html Mobile Security Technologies (MoST) brings together researchers, practitioners, policy makers, and hardware and software developers of mobile systems to explore the latest understanding and advances in the security and privacy for mobile devices, applications, and systems. With the development of new mobile platforms, such as Android and iOS, mobile computing has shown exponential growth in popularity in recent years. To benefit from the availability of constantly-growing consumer base, new services and applications are being built from the composition of existing ones at breakneck speed. This rapid growth has also been coupled with new security and privacy concerns and challenges. 
For instance, more and more sensitive content is being collected and shared by third-party applications that, if misused, can have serious security and privacy repercussions. Consequently, there is a growing need to study and address these new challenges. We are seeking both short position papers (2-4 pages) and longer papers (a maximum of 10 pages). The topics of interest include, but are not limited to:
- Identity and access control for mobile platforms
- Mobile app security
- Mobile cloud security
- Mobile hardware security
- Mobile middleware and OS security
- Mobile web and advertisement security
- Protecting security-critical applications of mobile platforms
- Secure application development tools and practices
- Security study of mobile ecosystems
- Unmanned aerial vehicles (UAVs) security
- Wearable and IoT security

-------------------------------------------------------------------------
ICIMP 2016
11th International Conference on Internet Monitoring and Protection,
Valencia, Spain, May 22-26, 2016.
(Submission Due 31 January 2016)
http://www.iaria.org/conferences2016/ICIMP16.html

The International Conference on Internet Monitoring and Protection (ICIMP 2016) continues a series of special events targeting security, performance, and vulnerabilities in the Internet, as well as disaster prevention and recovery. Dedicated events focus on measurement, monitoring and lessons learnt in protecting the user. The design, implementation and deployment of large distributed systems are subject to conflicting or missing requirements leading to visible and/or hidden vulnerabilities. Vulnerability specification patterns and vulnerability assessment tools are used for discovering, predicting and/or bypassing known vulnerabilities. Vulnerability self-assessment software tools have been developed to capture and report critical vulnerabilities. Some vulnerabilities are fixed via patches, others are simply reported, while others are self-fixed by the system itself.
Despite the advances in the last years, protocol vulnerabilities, domain-specific vulnerabilities and detection of critical vulnerabilities rely on the art and experience of the operators; sometimes this is the fruit of chance discovery and is difficult to reproduce and repair. System diagnosis represents a series of pre-deployment or post-deployment activities to identify feature interactions, service interactions, behavior that is not captured by the specifications, or abnormal behavior with respect to system specification. As systems grow in complexity, the need for reliable testing and diagnosis grows accordingly. The design of complex systems has been facilitated by CAD/CAE tools. Unfortunately, test engineering tools have not kept pace with design tools, and test engineers are having difficulty developing reliable procedures to satisfy the test requirements of modern systems. Therefore, rather than maintaining a single candidate system diagnosis, or a small set of possible diagnoses, anticipative and proactive mechanisms have been developed and experimented with. In dealing with system diagnosis, data overload is a generic and tremendously difficult problem that has only grown. Cognitive system diagnosis methods have been proposed to cope with volume and complexity.

-------------------------------------------------------------------------
IEEE Computer, Special Issue on Supply Chain Security for Cyber-Infrastructure.
(Submission Due 1 February 2016)
http://www.computer.org/web/computingnow/cocfp8
Editors: Domenic Forte (University of Florida, USA), Swarup Bhunia (University of Florida, USA), Ron Perez (Cryptography Research Inc., USA), and Yongdae Kim (Korea Advanced Institute of Science and Technology, Korea).

Design, fabrication, assembly, distribution, system integration, and disposal of today's electronic components, systems, and software involve multiple untrusted parties.
Recent reports demonstrate that this long and globally distributed supply chain is vulnerable to counterfeiting (cloning, overproduction, recycling, etc.) and malicious design modification (such as Trojan attacks). The issues associated with counterfeit components include security and reliability risks to critical systems, profit and reputation loss for intellectual property owners, and the discouragement of innovation in system development. Recent bugs such as Heartbleed have shown that flaws in open source and third-party code can have a tremendous impact, including the leakage of sensitive and personal data. While awareness in the hardware supply chain has increased in recent years, the scope of the problem has continued to grow and evolve. Data from the Government and Industry Data Exchange Program and Information Handling Services Inc. indicates a sixfold and fourfold increase, respectively, in reported counterfeit components over the last four years. Existing solutions fail to provide adequate protection against supply chain security issues, and many are too intrusive and expensive to be practical for industry use. Most focus on protecting custom digital integrated circuits (ICs) such as processors and field-programmable gate arrays. However, many other large and small electronic systems and components are just as susceptible to recycling, cloning, and tampering, but have not been adequately addressed. Meanwhile, recent reports by the Business Software Alliance highlight the widespread use of unlicensed software in emerging markets, which account for the majority of PCs in use globally. Furthermore, the software distribution model has shifted from purchases made in stores to those made online, creating even more opportunities for hackers to manipulate code and/or spread malware. This special issue is intended to raise awareness of supply chain issues, highlight new attacks, point out the existing solutions, and encourage fresh protection approaches. 
It will focus on supply chain security, as well as comprehensive, cost-effective, and easy-to-use solutions. We solicit articles on topics related to security in all parts of the hardware and software supply chain. While articles that focus on specific supply chain security gaps are acceptable, those that address problems with all steps of the supply chain and/or hardware-software integration are strongly encouraged. Example topics include, but are not limited to, the following:
- Analysis of supply chain vulnerabilities and trends
- Risk-based analysis for counterfeit electronics, pirated software, and/or malicious hardware and software
- Quantitative metrics for hardware and software supply chain security
- Security at hardware-software integration boundaries
- Hardware and software reverse engineering and anti-reverse engineering
- Hardware and software Trojan detection, prevention, and recovery
- Provenance for counterfeit electronics and unlicensed software
- Secure software delivery and digital rights management
- Primitives, sensors, and tests for counterfeit electronics detection
- Novel solutions for analog and mixed-signal counterfeit ICs
- Hardware metering at device and system levels
- Tracking and tracing of electronic devices and systems

-------------------------------------------------------------------------
WTMC 2016
International Workshop on Traffic Measurements for Cybersecurity,
Co-located with 11th ACM Asia Conference on Computer and Communications Security (AsiaCCS 2016),
Xi'an, China, May 30, 2016.
(Submission Due 1 February 2016)
http://wtmc.info

Today's societies are becoming more and more dependent on open networks such as the Internet, where commercial activities, business transactions and government services are realized. This has led to the fast development of new cyber threats and numerous information security issues which are exploited by cyber criminals.
The inability to provide trusted secure services in contemporary computer network technologies has a tremendous socio-economic impact on global enterprises as well as individuals. Current communication networks are increasingly becoming pervasive, complex, and ever-evolving due to factors like enormous growth in the number of network users, continuous appearance of new network applications, increasing amount of data transferred, and diversity of user behaviors. Understanding and measuring traffic in such networks is a difficult yet vital task for network management, and recently also for cybersecurity purposes. Network traffic measuring and monitoring can, for example, enable the analysis of the spreading of malicious software and its capabilities, or can help to understand the nature of various network threats, including those that exploit users' behavior and other sensitive user information. On the other hand, network traffic investigation can also help to assess the effectiveness of the existing countermeasures or contribute to building new, better ones. Recently, traffic measurements have been utilized in the area of economics of cybersecurity, e.g. to assess ISP "badness" or to estimate the revenue of cyber criminals.
Topics of interest include, but are not limited to:
- Measurements for network incidents response, investigation and evidence handling
- Measurements for network anomalies detection
- Measurements for economics of cybersecurity
- Network traffic analysis to discover the nature and evolution of the cybersecurity threats
- Measurements for assessing the effectiveness of the threats detection/prevention methods and countermeasures
- Novel passive, active and hybrid measurements techniques for cybersecurity purposes
- Traffic classification and topology discovery tools for monitoring the evolving status of the network from the cybersecurity perspective
- Correlation of measurements across multiple layers, protocols or networks for cybersecurity purposes
- Novel visualization approaches to detect network attacks and other threats
- Analysis of network traffic to provide new insights about network structure and behavior from the security perspective
- Measurements of network protocol and applications behavior and its impact on cybersecurity and users' privacy
- Measurements related to network security and privacy

-------------------------------------------------------------------------
DIMVA 2016
13th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment,
San Sebastian, Spain, July 7-8, 2016.
(Submission Due 3 February 2016)
http://dimva2016.mondragon.edu

The annual DIMVA conference serves as a premier forum for advancing the state of the art in intrusion detection, malware detection, and vulnerability assessment. Each year, DIMVA brings together international experts from academia, industry, and government to present and discuss novel research in these areas. DIMVA solicits submission of high-quality, original scientific papers presenting novel research on malware analysis, intrusion detection, and related systems security topics.
As per our tradition, DIMVA encourages submissions from the following broad areas:

INTRUSION DETECTION
- Novel approaches and domains
- Insider detection
- Prevention and response
- Data leakage and exfiltration
- Result correlation and cooperation
- Evasion and other attacks
- Potentials and limitations
- Operational experiences
- Privacy, legal and social aspects
- Targeted attacks

MALWARE DETECTION
- Automated analyses
- Behavioral models
- Prevention and containment
- Classification
- Lineage
- Forensics and recovery
- Underground economy

VULNERABILITY ASSESSMENT
- Vulnerability detection
- Vulnerability prevention
- Vulnerability analysis
- Exploitation prevention
- Situational awareness
- Active probing

-------------------------------------------------------------------------
IoTPTS 2016
2nd ACM International Workshop on IoT Privacy, Trust, and Security,
Held in conjunction with the 11th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2016),
Xi'an, China, May 30, 2016.
(Submission Due 12 February 2016)
https://sites.google.com/site/iotpts2016/

The Internet of Things (IoT) is the next great technology frontier. At a basic level, IoT refers simply to networked devices, but the IoT vision is a complex ecosystem that ranges from cloud backend services and big-data analytics to home, public, industrial, and wearable sensor devices and appliances. Architectures for these systems are in the formative stages, and now is the time to ensure privacy, trust, and security are designed into these systems from the beginning. We encourage submissions on all aspects of IoT privacy, trust, and security.
Topics of interest include (but are not limited to) the following areas:
- Privacy and IoT data
- Privacy attacks for IoT
- Trust management and device discoverability for IoT
- Usability of privacy and security systems in IoT
- User risk perceptions and modeling for IoT
- Policy management and enforcement for IoT
- Authentication and access control for users for IoT
- Cryptography for IoT
- Attack detection and remediation for IoT
- Security architectures for IoT systems and applications

-------------------------------------------------------------------------
CSF 2016
29th IEEE Computer Security Foundations Symposium,
Lisbon, Portugal, June 28 - July 1, 2016.
(Submission Due 12 February 2016)
http://csf2016.tecnico.ulisboa.pt/

The Computer Security Foundations Symposium is an annual conference for researchers in computer security. CSF seeks papers on foundational aspects of computer security, such as formal security models, relationships between security properties and defenses, principled techniques and tools for design and analysis of security mechanisms, as well as their application to practice. While CSF welcomes submissions beyond the topics listed below, the main focus of CSF is foundational security: submissions that lack foundational aspects risk rejection. This year, CSF will use a light form of double-blind reviewing (see the conference website). New results in computer security are welcome. We also encourage challenge/vision papers, which may describe open questions and raise fundamental concerns about security.
Possible topics for all papers include, but are not limited to: access control, accountability, anonymity and privacy, authentication, computer-aided cryptography, data and system integrity, database security, decidability and complexity, distributed systems security, electronic voting, formal methods and verification, decision theory, hardware-based security, information flow, intrusion detection, language-based security, network security, data provenance, mobile security, security metrics, security protocols, software security, socio-technical security, trust management, usable security, web security.

SPECIAL SESSIONS: This year, we strongly encourage papers in two foundational areas of research we would like to promote at CSF:

- PRIVACY (Chair: Daniel Kifer). CSF 2015 will include a special session on privacy foundations and invites submissions on innovations in practice, as well as definitions, models, and frameworks for communication and data privacy, principled analysis of deployed or proposed privacy protection mechanisms, and foundational aspects of practical privacy technologies. We especially encourage submissions aiming at connecting the computer science point of view on privacy with that of other disciplines (law, economics, sociology, statistics...).

- SECURITY ECONOMICS (Chair: Jens Grossklags). There is an interplay between important system properties including privacy, security, efficiency, flexibility, and usability. Diverse systems balance these properties differently, and as such provide varied benefits (for users) for different costs (for builders and attackers). In short, securing systems is ultimately an economic question. CSF 2016 will include a special session on security economics, where we invite submissions on foundational work in this area. Topics include, but are not limited to, risk management and cyber-insurance, investments in information security, security metrics, decision and game theory for security, and cryptocurrencies.
These papers will be reviewed under the supervision of the special session chairs. They will be presented at the conference, and will appear in the CSF proceedings, without any distinction from the other papers.

-------------------------------------------------------------------------
WiSec 2016
9th ACM Conference on Security and Privacy in Wireless and Mobile Networks,
Darmstadt, Germany, July 18-20, 2016.
(Abstract Submission Due 26 February 2016 and Paper Submission Due 4 March 2016)
http://www.sigsac.org/wisec/WiSec2016/

ACM WiSec is the leading ACM conference dedicated to all aspects of security and privacy in wireless and mobile networks and systems and their applications. In addition to the traditional ACM WiSec topics of physical, link, and network layer security, we welcome papers focusing on the security and privacy of mobile software platforms, usable security and privacy, biometrics, cryptography, and the increasingly diverse range of mobile or wireless applications such as the Internet of Things and Cyber-Physical Systems. The conference welcomes both theoretical as well as systems contributions.
Topics of interest include:
- Security & privacy for smart devices (e.g., smartphones)
- Wireless and mobile privacy and anonymity
- Secure localization and location privacy
- Cellular network fraud and security
- Jamming attacks and defenses
- Key management (agreement or distribution) for wireless or mobile systems
- Information-theoretic security schemes for wireless systems
- Theoretical and formal approaches for wireless and mobile security
- Cryptographic primitives for wireless and mobile security
- NFC and smart payment applications
- Security and privacy for mobile sensing systems
- Wireless or mobile security for emerging applications (e.g., privacy in health, automotive, avionics, smart grid, or IoT applications)
- Physical tracking security and privacy
- Usable mobile security and privacy
- Economics of mobile security and privacy
- Bring Your Own Device (BYOD) security
- Mobile malware and platform security
- Security for cognitive radio and dynamic spectrum access systems
- Security protocols for wireless networking

-------------------------------------------------------------------------
IEEE Cloud Computing, Special Issue on Cloud Security.
(Submission Due 29 February 2016)
http://www.computer.org/cloudcomputing
Editors: Peter Mueller (IBM Zurich Research Laboratory, Switzerland), Chin-Tser Huang (University of South Carolina, USA), Shui Yu (Deakin University, Australia), Zahir Tari (RMIT University, Australia), and Ying-Dar Lin (National Chiao Tung University, Taiwan).

Many critical applications, from medical, financial, and big data applications to applications with real-time constraints, are being migrated to cloud platforms. It's been predicted that the bulk of future IT infrastructure spending will be on cloud platforms and applications, and nearly half of all large enterprises are planning cloud deployments by the end of 2017. However, cloud computing systems and services are also major targets for cyberattackers.
Because the cloud infrastructure is always, to a certain degree, an open and shared resource, it's subject to malicious attacks from both insiders and outsiders. Side-channel attacks, identity hijacking, and distribution of malicious code have all been observed. Thus, centralized management of security in cloud environments needs to be carefully analyzed and maintained. These vulnerabilities point to the importance of protecting cloud platforms, infrastructures, hosted applications, and information data, and create demand for much higher-level cloud security management than is available today. This calls for comprehensive vulnerability analyses and massive theoretical and practical innovation in security technologies. This special issue aims to address these needs. Areas of interest for the special issue include, but are not limited to:
- Access control mechanisms for clouds
- Cloud security management
- Colluding attacks over multiple clouds
- Distributed denial of service in clouds
- Information retrieval on encrypted data in clouds
- Information sharing and data protection in clouds
- Intrusion detection in clouds
- Privacy policy framework for clouds
- Secure applications distributed over clouds
- Secure big data in clouds
- Security architectures for mobile cloud computing
- Security in software-defined networks
- Security protocols for cloud computing
- Trust computing for meshed cloud services
- Virtualization of security in clouds

-------------------------------------------------------------------------
PETS 2016
16th Privacy Enhancing Technologies Symposium,
Darmstadt, Germany, July 19-22, 2016.
(Submission Due 31 August 2015, 30 November 2015, or 29 February 2016)
http://petsymposium.org/

The annual Privacy Enhancing Technologies Symposium (PETS) brings together privacy experts from around the world to discuss recent advances and new perspectives on research in privacy technologies.
New model as of PETS 2015: Papers undergo a journal-style reviewing process and accepted papers are published in the journal Proceedings on Privacy Enhancing Technologies (PoPETs). PoPETs, a scholarly, open access journal for timely research papers on privacy, has been established as a way to improve reviewing and publication quality while retaining the highly successful PETS community event. Authors can submit papers to PoPETs four times a year, every three months on a predictable schedule. Authors are notified of the decisions about two months after submission. In addition to accept and reject decisions, papers may be provided with 'major revision' decisions, in which case authors are invited to revise and resubmit their article to one of the following two submission deadlines.

NEW as of PETS 2016: PETS 2016 also solicits submissions for Systematization of Knowledge (SoK) papers. These are papers that critically review, evaluate, and contextualize work in areas for which a body of prior literature exists, and whose contribution lies in systematizing the existing knowledge in that area. Authors are encouraged to view our FAQ about the submission process.
Suggested topics include but are not restricted to:
- Behavioural targeting
- Building and deploying privacy-enhancing systems
- Crowdsourcing for privacy
- Cryptographic tools for privacy
- Data protection technologies
- Differential privacy
- Economics of privacy and game-theoretical approaches to privacy
- Forensics and privacy
- Human factors, usability and user-centered design for PETs
- Information leakage, data correlation and generic attacks to privacy
- Interdisciplinary research connecting privacy to economics, law, ethnography, psychology, medicine, biotechnology
- Location and mobility privacy
- Measuring and quantifying privacy
- Obfuscation-based privacy
- Policy languages and tools for privacy
- Privacy and human rights
- Privacy in ubiquitous computing and mobile devices
- Privacy in cloud and big-data applications
- Privacy in social networks and microblogging systems
- Privacy-enhanced access control, authentication, and identity management
- Profiling and data mining
- Reliability, robustness, and abuse prevention in privacy systems
- Surveillance
- Systems for anonymous communications and censorship resistance
- Traffic analysis
- Transparency enhancing tools

-------------------------------------------------------------------------
IMPS 2016
Workshop on Innovations in Mobile Privacy and Security,
Held in conjunction with ESSoS 2016, London, UK, April 6, 2016.
(Submission Due 29 February 2016)
http://groups.inf.ed.ac.uk/security/IMPS/

IMPS aims to bring together researchers working on challenges in security and privacy for mobile platforms, broadly considered. We are interested in investigations into existing security platforms, their users, applications and app store ecosystems, and research into novel security or privacy mechanisms, tools and analysis.
Areas of interest include but are not restricted to:
- Secure application development tools and practices
- Privacy enhancing techniques for devices and connected services
- Secure or trusted computing mechanisms
- Static and dynamic analysis for security
- Formal methods for mobile security
- Vulnerability detection and prevention
- Mobile operating system security features
- Security and privacy for IoT and other constrained devices
- Usable security and privacy on small or mobile devices

-------------------------------------------------------------------------
DBSec 2016
30th Annual IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy,
Trento, Italy, July 18-21, 2016.
(Submission Due 29 February 2016)
http://dbsec2016.fbk.eu

DBSec is an annual international conference covering research in data and applications security and privacy. The conference seeks submissions from academia, industry, and government presenting novel research on all theoretical and practical aspects of data protection, privacy, and applications security.
Topics of interest include (but are not limited to):
- access control
- anonymity
- applied cryptography in data security
- authentication
- big data security
- data and system integrity
- data protection
- database security
- digital rights management
- identity management
- intrusion detection
- knowledge discovery and privacy
- methodologies for data and application security
- network security
- organizational security
- privacy
- secure distributed systems
- secure information integration
- secure Web services
- security and privacy in crowdsourcing
- security and privacy in IT outsourcing
- security and privacy in the Internet of Things
- security and privacy in location-based services
- security and privacy in P2P scenarios and social networks
- security and privacy in pervasive/ubiquitous computing
- security and privacy in cloud scenarios
- security and privacy policies
- security management
- security metrics
- threats, vulnerabilities, and risk management
- trust and reputation systems
- trust management
- wireless and mobile security
- biometrics

-------------------------------------------------------------------------
SECRYPT 2016
13th International Conference on Security and Cryptography,
Lisbon, Portugal, July 26 - 28, 2016.
(Submission Due 1 March 2016)
http://www.secrypt.icete.org

SECRYPT is an annual international conference covering research in information and communication security. The conference seeks submissions from academia, industry, and government presenting novel research on all theoretical and practical aspects of data protection, privacy, security, and cryptography. Papers describing the application of security technology, the implementation of systems, and lessons learned are also encouraged. Papers describing new methods or technologies, advanced prototypes, systems, tools and techniques and vision papers indicating future directions are also encouraged.
Conference topics:
- Access Control
- Applied Cryptography
- Biometrics Security and Privacy
- Critical Infrastructure Protection
- Data Integrity
- Data Protection
- Database Security and Privacy
- Digital Forensics
- Digital Rights Management
- Ethical and Legal Implications of Security and Privacy
- Formal Methods for Security
- Human Factors and Human Behavior Recognition Techniques
- Identification, Authentication and Non-repudiation
- Identity Management
- Information Hiding
- Information Systems Auditing
- Insider Threats and Countermeasures
- Intellectual Property Protection
- Intrusion Detection & Prevention
- Management of Computing Security
- Network Security
- Organizational Security Policies
- Peer-to-Peer Security
- Personal Data Protection for Information Systems
- Privacy
- Privacy Enhancing Technologies
- Reliability and Dependability
- Risk Assessment
- Secure Software Development Methodologies
- Security and Privacy for Big Data
- Security and Privacy in Complex Systems
- Security and Privacy in Crowdsourcing
- Security and Privacy in IT Outsourcing
- Security and Privacy in Location-based Services
- Security and Privacy in Mobile Systems
- Security and Privacy in Pervasive/Ubiquitous Computing
- Security and Privacy in Smart Grids
- Security and Privacy in Social Networks
- Security and Privacy in the Cloud
- Security and Privacy in Web Services
- Security and Privacy Policies
- Security Area Control
- Security Deployment
- Security Engineering
- Security in Distributed Systems
- Security Information Systems Architecture
- Security Management
- Security Metrics and Measurement
- Security Protocols
- Security Requirements
- Security Verification and Validation
- Sensor and Mobile Ad Hoc Network Security
- Service and Systems Design and QoS Network Security
- Software Security
- Trust Management and Reputation Systems
- Ubiquitous Computing Security
- Wireless Network Security
-------------------------------------------------------------------------
STPSA 2016
11th IEEE International Workshop on Security, Trust, and Privacy for Software Applications,
Held in conjunction with COMPSAC 2016, Atlanta, GA, USA, June 10-14, 2016.
(Submission Due 6 March 2016)
http://staging.computer.org/web/compsac2016/stpsa

Information security has become a major concern for both pervasive and non-pervasive software applications. Software systems must be engineered with reliable protection mechanisms with respect to security, privacy, and trust, while still delivering the expected value of the software to their customers. The traditional approaches to securing a system (e.g., IDS, firewalls) are no longer sufficient to address many security, trust, and privacy (STP) issues. These issues should be addressed by building more effective STP-aware software applications. The principal obstacle in developing STP-aware software is that current software specification, design, implementation, and testing practices do not include adequate methods and tools to achieve security, trust, and privacy goals. As most systems are now Internet-based, the number of attackers has increased dramatically and threat scenarios have changed. Traditional security measures do not fit well for the software of pervasive applications. Since location and context are key attributes of pervasive applications, the privacy issues need to be handled in a different manner than in traditional software applications. The devices in pervasive computing leave and join the pervasive network in an ad hoc manner. This creates a need for new trust models for pervasive computing applications. In this workshop, we will also welcome papers on the challenges and requirements of security, privacy, and trust for pervasive software applications.
This workshop will bring together researchers from academia and industry to discuss methods and tools to achieve the security, trust, and privacy goals of both pervasive and non-pervasive software applications. This workshop will focus on techniques, experiences and lessons learned with respect to the state of the art for the security, trust, and privacy aspects of both pervasive and non-pervasive software applications, along with some open issues.

-------------------------------------------------------------------------
SHPCS 2016
11th International Workshop on Security and High Performance Computing Systems,
Held in conjunction with the 2016 International Conference on High Performance Computing & Simulation (HPCS 2016),
Innsbruck, Austria, July 18 - 22, 2016.
(Submission Due 7 March 2016)
http://hpcs2016.cisedu.info/2-conference/workshops---hpcs2016/workshop09-shpcs

Providing high performance computing and security is a challenging task. The Internet, operating systems and distributed environments currently suffer from poor security support and cannot resist common attacks. Adding security measures typically degrades performance. This workshop addresses relationships between security, high performance and distributed computing systems in four directions. First, it considers how to add security properties (authentication, confidentiality, integrity, non-repudiation, access control) to high performance computing systems and how they can be formally verified both at design-time (formal verification) and at run-time (run-time verification). In this case, safety properties can also be addressed, such as availability and fault tolerance for high performance computing systems. Second, it addresses vulnerabilities and security threats (and remediation) targeting HPC, grid, cloud and mobile environments. Third, it covers how to use HPC systems to solve security problems.
For instance, a grid computation can break an encryption code, and a cluster can support high performance intrusion detection or a distributed formal verification system. More generally, this topic addresses every efficient use of high performance computing systems to improve security. Fourth, it investigates the tradeoffs between maintaining high performance and achieving security in computing systems, and solutions to balance the two objectives. In all these directions, various formal analyses, as well as performance analyses or monitoring techniques, can be conducted to show the efficiency of a security infrastructure. The workshop seeks submissions from academia and industry presenting novel research on all theoretical and practical aspects of security related to HPC, distributed, network and mobile environments, as well as case studies and implementation experiences. Papers should have practical relevance to the construction, evaluation, application, or operation of secure systems.
-------------------------------------------------------------------------
ISC 2016 19th Information Security Conference, Honolulu, Hawaii, USA, September 7-9, 2016. (Submission Due 7 March 2016)
http://manoa.hawaii.edu/isc2016
The Information Security Conference (ISC) is an annual international conference covering research in theory and applications of Information Security. ISC aims to attract high quality papers in all technical aspects of information security. ISC has been held on five continents. Papers on all technical aspects of these topics are solicited for submission.
Areas of interest include, but are not restricted to:
- access control
- accountability
- anonymity and pseudonymity
- applied cryptography
- authentication
- biometrics
- computer forensics
- critical infrastructure security
- cryptographic protocols
- database security
- data protection
- data/system integrity
- digital rights management
- economics of security and privacy
- electronic fraud
- embedded security
- formal methods in security
- identity management
- information hiding & watermarking
- intrusion detection
- network security
- peer-to-peer security
- privacy
- secure group communications
- security in information flow
- security for Internet of Things
- security for mobile code
- secure cloud computing
- security in location services
- security modeling & architectures
- security and privacy in social networks
- security and privacy in pervasive and ubiquitous computing
- security of eCommerce, eBusiness and eGovernment
- security models for ambient intelligence environments
- trust models and trust policies
- information dissemination control
-------------------------------------------------------------------------
HAISA 2016 International Symposium on Human Aspects of Information Security & Assurance, Frankfurt, Germany, July 19 - 21, 2016. (Submission Due 25 March 2016)
http://haisa.org/
It is commonly acknowledged that security requirements cannot be addressed by technical means alone, and that a significant aspect of protection comes down to the attitudes, awareness, behaviour and capabilities of the people involved. Indeed, people can potentially represent a key asset in achieving security, but at present, factors such as lack of awareness and understanding, combined with unreasonable demands from security technologies, can dramatically impede their ability to do so. Ensuring appropriate attention and support for the needs of users should therefore be seen as a vital element of a successful security strategy.
People at all levels (i.e. from organisations to domestic environments; from system administrators to end-users) need to understand security concepts, how the issues may apply to them, and how to use the available technology to protect their systems. In addition, the technology itself can make a contribution by reducing the demands upon users, simplifying protection measures, and automating a variety of safeguards. With the above in mind, this symposium specifically addresses information security issues that relate to people. It concerns the methods that inform and guide users' understanding of security, and the technologies that can benefit and support them in achieving protection. The symposium welcomes papers addressing research and case studies in relation to any aspect of information security that pertains to the attitudes, perceptions and behaviour of people, and how human characteristics or technologies may be positively modified to improve the level of protection. Indicative themes include:
- Information security culture
- Awareness and education methods
- Enhancing risk perception
- Public understanding of security
- Usable security
- Psychological models of security software usage
- User acceptance of security policies and technologies
- User-friendly authentication methods
- Biometric technologies and impacts
- Automating security functionality
- Non-intrusive security
- Assisting security administration
- Impacts of standards, policies, compliance requirements
- Organizational governance for information assurance
- Simplifying risk and threat assessment
- Understanding motivations for misuse
- Social engineering and other human-related risks
- Privacy attitudes and practices
- Computer ethics and security
-------------------------------------------------------------------------
IWSEC 2016 11th International Workshop on Security, Tokyo, Japan, September 12-14, 2016.
(Submission Due 31 March 2016)
http://www.iwsec.org/2016/
Original papers on the research and development of various security topics, as well as case studies and implementation experiences, are solicited for submission to IWSEC 2016. Topics of interest for IWSEC 2016 include all theory and practice of cryptography, information security, and network security, as in previous IWSEC workshops. In particular, we encourage the following topics this year:
- Big Data Analysis for Security
- Critical Infrastructure Security
- Cryptanalysis
- Cryptographic Protocols
- Cybersecurity Economics
- Digital Forensics
- Enriched Cryptography
- Formal Methods
- IoT security
- Machine Learning for Security
- Malware Countermeasures
- Measurements for Cybersecurity
- Multiparty Computation
- Post Quantum Cryptography
- Privacy Preserving
- Real World Cryptography
- Visualization for Security
-------------------------------------------------------------------------
I-SAT 2016 International Workshop on Information Security, Assurance, and Trust, Vancouver, BC, Canada, June 16-18, 2016. (Submission Due 4 April 2016)
http://i-sat.ca
The goal of this workshop is to provide a forum for researchers, scientists and engineers working in academia and industry to share their experiences, new ideas and research results in the areas of information and system security, assurance, and trust. I-SAT 2016 will address novel research targeting technical aspects of protecting information security and establishing trust in the digital space. New paradigms and solutions targeting emerging topics in such fields will be presented and discussed by researchers and industrial experts.
The main focus of the workshop will include, but is not limited to, the following:
- Application Security and Threat Management
- Cyber Security, Privacy and Trust
- Modern Authentication Paradigms
- Big data security
- Database security
- Digital Fraud detection
- Social engineering and insider threats
- Cyber threat intelligence
- Cloud, Mobile, and Internet-of-Things security
- Digital forensics
- Intrusion Detection
- Biometrics
- Botnet and DDoS detection and control
-------------------------------------------------------------------------
PMSPCR 2016 Workshop on Process Mining for Security, Privacy, Compliance & Resilience, Held in conjunction with the 19th International Conference on Business Information Systems (BIS 2016), Leipzig, Germany, July 6-8, 2016. (Submission Due 12 April 2016)
http://bis.kie.ue.poznan.pl/bis2016/workshops/pmspcr-2016/
Security in Business Processes (BP) is an extension to well-known security analysis. Security rules are either defined by regulation, e.g. data protection law, or as guidelines for good conduct, e.g. Basel III or SOX. Business guidelines, e.g. ITIL and COBIT, form a specification of regulation and business conduct, but there are almost no satisfying approaches as far as computer science is concerned. This workshop deals with process mining as a means for security analysis. Three phases may be identified: process analysis before execution, monitoring during execution, or analysis after execution of the BP. With regard to the latter, logs recording the events executed in BP build the basis for Process Mining (PM), which provides methods and tools to ensure compliance with regulations and guidelines. This workshop aims to explore the potential of process mining to bridge the gap between an analysis of workflows and a certification of compliance and security.
We invite innovative and previously undisclosed contributions, but also case studies and best practices, which present the analysis of business processes related to security, resilience and privacy aspects "by design", during runtime, and forensically, based on the analysis of process logs. In this regard, we explicitly invite submission of practical contributions.
-------------------------------------------------------------------------
TrustCom 2016 15th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, Tianjin, China, August 23-26, 2016. (Submission Due 15 April 2016)
http://adnet.tju.edu.cn/TrustCom2016/
With the rapid development and increasing complexity of computer systems and communication networks, user requirements for trust, security and privacy are becoming more and more demanding. Therefore, there is a grand challenge in that traditional security technologies and measures may not meet user requirements in open, dynamic, heterogeneous, mobile, wireless, and distributed computing environments. As a result, we need to build systems and networks in which various applications allow users to enjoy more comprehensive services while preserving trust, security and privacy at the same time. As useful and innovative technologies, trusted computing and communications are attracting more and more attention from researchers. The conference aims at bringing together researchers and practitioners from around the world working on trusted computing and communications, with regard to trust, security, privacy, reliability, dependability, survivability, availability, and fault tolerance aspects of computer systems and networks, and providing a forum to present and discuss emerging ideas and trends in this highly challenging research field.
Topics of interest include, but are not limited to:
Trust Track
- Trust semantics, metrics and models
- Trusted computing platform
- Trusted network computing
- Trusted operating systems
- Trusted software and applications
- Trust in social networks
- Trust in e-commerce and e-government
- Trust in mobile and wireless communications
- Risk and reputation management
- Survivable computer systems/networks
- Trust of 5G
- Miscellaneous trust issues
Security Track
- Network security
- Computer security
- Database security
- Web applications security
- Security policy, model and architecture
- Security in social networks
- Security in parallel and distributed systems
- Security in mobile and wireless communications
- Security in grid/cloud/pervasive computing
- Authentication, authorization and accounting
- Security of 5G
- Miscellaneous security issues
Privacy Track
- Privacy in Web-based applications and services
- Privacy in database systems
- Privacy in parallel and distributed systems
- Privacy in grid/cloud/pervasive computing
- Privacy in mobile and wireless communications
- Privacy in e-commerce and e-government
- Privacy in network deployment and management
- Privacy and trust
- Privacy and security
- Privacy and anonymity
- Privacy preservation in 5G
- Miscellaneous privacy issues
Forensics Track
- Anti-forensics
- Biometrics
- Cryptanalysis
- Big data forensics
- CCTV forensics
- Cloud forensics
- Computational forensics
- Cyber-physical system forensics
- Datamining for forensics
- Facial recognition
- Fingerprint forensics
- Image forensics
- Malware forensics
- Mobile app forensics (e.g. Skype, WeChat and Facebook)
- Mobile device forensics
- Multimedia forensics
- Network forensics
- Steganography and steganalysis
- System reverse engineering
- Watermarking
-------------------------------------------------------------------------
ESORICS 2016 21st European Symposium on Research in Computer Security, Heraklion, Crete, September 26-30, 2016.
(Submission Due 22 April 2016)
http://www.ics.forth.gr/esorics2016/
ESORICS is the annual European research event in Computer Security. The Symposium started in 1990 and has been held in several European countries, attracting a wide international audience from both the academic and industrial communities. Papers offering novel research contributions in computer security are solicited for submission to the Symposium. The primary focus is on original, high quality, unpublished research and implementation experiences. We encourage submissions of papers discussing industrial research and development. Topics of interest include, but are not limited to:
- access control
- accountability
- ad hoc networks
- anonymity
- applied cryptography
- authentication
- biometrics
- data and computation integrity
- database security
- data protection
- digital content protection
- digital forensics
- distributed systems security
- embedded systems security
- inference control
- information hiding
- identity management
- information flow control
- information security governance and management
- intrusion detection
- formal security methods
- language-based security
- network security
- phishing and spam prevention
- privacy
- privacy preserving data mining
- risk analysis and management
- secure electronic voting
- security architectures
- security economics
- security metrics
- security models
- security and privacy for big data
- security and privacy in cloud scenarios
- security and privacy in complex systems
- security and privacy in content centric networking
- security and privacy in crowdsourcing
- security and privacy in the IoT
- security and privacy in location services
- security and privacy for mobile code
- security and privacy in pervasive / ubiquitous computing
- security and privacy policies
- security and privacy in social networks
- security and privacy in web services
- security and privacy in cyber-physical systems
- security, privacy and resilience in critical infrastructures
- security verification
- software security
- systems security
- trust models and management
- trustworthy user devices
- usable security and privacy
- web security
- wireless security
-------------------------------------------------------------------------
EuroUSEC 2016 1st European Workshop on Usable Security, Affiliated with PETS 2016, Darmstadt, Germany, July 18, 2016. (Submission Due 13 May 2016)
https://eurousec.secuso.org/2016/
The aim of this workshop is to bring together researchers from different areas of computer science such as security, visualisation, artificial intelligence and machine learning as well as researchers from other domains such as psychology, social science and economics. We encourage submissions from collaborative research by authors of multiple fields. Topics of interest include:
- Usability evaluation of existing security and privacy paradigms or technologies
- Design and evaluation of novel security and privacy paradigms or technologies
- Evaluation of existing security and privacy awareness and education tools
- Design and evaluation of novel security and privacy awareness and education tools
- Lessons learned from the design, deployment, management or the evaluation of security and privacy paradigms or technologies
- Foundations of usable security and privacy
- Psychological, sociological and economic aspects of security and privacy
- Methodology for usable security and privacy research
-------------------------------------------------------------------------
Call for Book Chapters: Empirical Research for Software Security: Foundations and Experience, Taylor & Francis Group, LLC. (Submission Due 15 May 2016)
https://www.sit.fraunhofer.de/de/ijsse/?no_cache=1
This book introduces the reader to using empirical research methods in exploring software security challenges. These methods include data analytics, questionnaires, interviews, and surveys that produce evidence for or against given claims.
The book provides the foundations for using these empirical methods of collecting evidence about tools, techniques, methods, and processes for developing secure software, using practical examples. Developing secure software requires the integration of methods, such as threat modeling and risk assessment, and the integration of tools, such as security testing and code analysis tools, into the development process. The design of such methods and processes is in general an artistic endeavor based on shared expert knowledge, claims, and opinions. Empirical research methods allow extracting knowledge and insights from the data that organizations collect from their processes and tools and from the opinions of the experts who practice these processes and methods. This knowledge extraction contributes to maturing the design and adaptation of these techniques, methods, and processes. Examples of topics of interest include:
- The science of secure software
- Survey of threat modeling techniques
- Empirical research in software security
- The fundamentals of data analytics for secure software
- Assessment of the challenges of developing secure software using the agile approach
- Assessment of the usability of security code analysis tools
- The impact of security assessment on the developers' security awareness
- The efficiency of security training
- Combinatorial testing for software security
-------------------------------------------------------------------------
IEEE Transactions on Computers, Special Section on Secure Computer Architectures. (Submission Due 30 May 2016)
http://www.computer.org/cms/Computer.org/transactions/cfps/cfp_tcsi_sca.pdf
Editors: Ruby Lee (Princeton University, USA), Patrick Schaumont (Virginia Tech, USA), Ron Perez (Cryptography Research Inc., USA), and Guido Bertoni (ST Microelectronics, USA).
Nowadays, computer architectures are profoundly affected by a new security landscape, caused by the dramatic evolution of information technology over the past decade. First, secure computer architectures have to support a wide range of security applications that extend well beyond the desktop environment, and that also include handheld, mobile and embedded architectures, as well as high-end computing servers. Second, secure computer architectures have to support new applications of information security and privacy, as well as new information security standards. Third, secure computer architectures have to be protected and be tamper-resistant at multiple abstraction levels, covering network, software, and hardware. This Special Section from Transactions on Computers aims to capture this evolving landscape of secure computing architectures, to build a vision of opportunities and unresolved challenges. It is expected that contributed submissions will place emphasis on secure computing in general and on engineering and architecture design aspects of security in particular. IEEE Transactions on Computers seeks original manuscripts for a Special Section on Secure Computer Architectures tentatively scheduled to appear in the July 2017 issue. 
The topics of interest for this special section include:
- Cryptographic Primitives
- Homomorphic Computing and Multiparty Computing
- Scalability Issues of Server-level Secure Computing
- High Performance/Low Power Cryptography
- Oblivious RAM
- Side-Channel Analysis
- Side-channel attacks and defenses
- Hardware Trojans and Backdoors
- Hardware Vulnerabilities
- Counters, Caches, Shared Memory
- Computing Architectures for Isolation
- Smartphone Security
- Embedded Systems Security
- Secure Processors and Systems
- Hardware Security
- Secure Virtualization and Memory Safety
- Security Simulation, Testing, Validation and Verification
- Metrics for Tamper Resistance
- Security Metrics
- Standards in Secure Computing
- Instruction-Sets for Security and Cryptography
- Dedicated and Protected Storage
- Secure Computer Interfaces
====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________
SUBSCRIPTIONS: Two options, each with two options:
1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe". OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)
2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself) To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors. 
____________________________________________________________________
Recent Address Changes
____________________________________________________________________
Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html
_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________
You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at https://www.ieee.org/membership-catalog/productdetail/showProductDetailPage.html?product=CMYSP728
______________________________________________________________________
TC Publications for Sale
______________________________________________________________________
The proceedings of previous conferences are available from the Computer Society's Digital Library. IEEE Security and Privacy Symposium IEEE CS Press
____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________
Chair: Security and Privacy Symposium Chair Emeritus: Ulf Lindqvist Sean Peisert SRI International UC Davis and Menlo Park, CA Lawrence Berkeley ulf.lindqvist@sri.com National Laboratory speisert@ucdavis.edu Chair: Treasurer: Sean Peisert Yong Guan UC Davis and 3219 Coover Hall Lawrence Berkeley Department of Electrical and Computer National Laboratory Engineering speisert@ucdavis.edu Iowa State University, Ames, IA 50011 (515) 294-8378 yguan (at) iastate.edu Newsletter Editor and Security and Privacy Symposium, 2016 Chair: TC Awards Chair: Michael Locasto Hilarie Orman SRI International Purple Streak, Inc. oakland16-chair@ieee-security.org 500 S. Maple Dr.
Woodland Hills, UT 84653 cipher-editor@ieee-security.org ____________________________________________________________________________ BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html Cipher is published 6 times per year