============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 131                                     March 22, 2016

Hilarie Orman, Editor
cipher-editor @ ieee-security.org

Richard Austin, Book Review Editor
cipher-bookrev @ ieee-security.org

Yong Guan, Calendar Editor
cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * Commentary and Opinion and News
    o Richard Austin's review of "The Car Hacker's Handbook: A Guide for the Penetration Tester" by Craig Smith
    o Items from the news
       - More employee data leakage from US Federal Departments
       - British teenager social engineers top US officials
       - NIST releases two crypto documents for public comment
       - The iPhone lands in hot water, crypto-wise
       - Stop changing your password
       - Iran to be named dam hacker
       - Carhacking, it's a thing in the Io(insecure)T
       - 2015 Turing Award Goes to Diffie and Hellman
    o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Conference and Workshop Announcements
    o Calendar of Events
    o Upcoming calls-for-papers and events
 * Staying in Touch
    o Information for subscribers and contributors
    o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
    o Becoming a member of the TC
    o TC Officers
    o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

Ah, spring, the
time when the earth tilts on its axis and reveals the program for the Security and Privacy Symposium at http://www.ieee-security.org/TC/SP2016/program-papers.html . If that does not make you feel the season, you should still register for the conference so that you can be there to soak up all the great, newly hatched research at the Symposium, which starts on May 23 in San Jose, California.

The ACM awarded its 2015 Turing award to Whitfield Diffie and Martin Hellman for their pioneering work in discovering asymmetric (public key) cryptography. Cipher offers its congratulations to the pair. On the day of the announcement, there was a Congressional hearing about the FBI's difficulties in dealing with access to an iPhone. The central issue is the symmetric encryption of the iPhone's data, but the FBI has demanded that Apple produce a special-purpose operating system to be loaded onto the iPhone in question. The FBI needs Apple's cooperation in producing a digital signature for the OS, showing that Diffie and Hellman's discovery continues to produce deep repercussions and is at the heart of privacy and security in the digital age.

Speaking of security and privacy, isn't it time to take your car in for a virus scan? Our book reviewer Richard Austin takes us on a tour of a new book about the all-too-real subject of car hacking (software-based hijacking?). The FBI has seen fit to issue a public service bulletin about the vulnerabilities of vehicle software, which we might call "Unsafe at Any (Network) Speed".

Don't sit under that Apple tree until you give me the key,

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Richard Austin
3/17/2016
____________________________________________________________________

The Car Hacker's Handbook: A Guide for the Penetration Tester
by Craig Smith
No Starch Press, 2016
ISBN 978-1-59327-703

A penetration test on your car? Have we really gotten to the point where even our cars have networks, multiple computers, panoplies of sensors and, of course, software to make them all work together? Smith assures us that we have and then proceeds to walk us through a solid introduction to this bizarre world and how things in it can be made to misbehave.

Smith opens the book with a welcome chapter on threat models which orients the reader for the material that follows and how it might be applied by security professionals. Far too many books of this type open with a frantic rush to get to the tools and leave the reader to contextualize and position the material as best they can with the usual result of a vague impression of a long list of tools and commands that all do something but really no idea of how they might fit together into a whole.

The next three chapters introduce the important protocols, how communication within the vehicle is done, and an introduction to the diagnostic and logging data maintained by the vehicle (if you've ever had a "Check Engine" light illuminate, you've seen the "user mode" interface to this data).

Chapter 5, "Reverse Engineering the CAN Bus", reflects the important point that these are proprietary systems and manufacturers have little incentive to disclose their details. This leaves the security professional with the task of capturing traffic, decoding it to form theories about what is actually going on and then applying the theory to verify that it is somewhere close to correct. Smith demonstrates use of the tools with screenshots and sample commands to get you started. He thoughtfully provides a troubleshooting guide for when you accidentally put the vehicle into a state where it no longer works correctly.

The next chapter, "ECU Hacking", describes how to interact with a vehicle's ECUs (Electronic Control Units) in three ways: front door attacks using the manufacturer's access mechanisms; backdoor attacks using the more or less traditional hardware analysis techniques (dumping and disassembling firmware, etc.); and exploits where you discover unintentional access methods.

Chapter 7, "Building and Using ECU Test Benches", describes how to "run" an ECU outside the vehicle so you can interact with it in isolation from the rest of the vehicle. Smith also covers the important topic of how to simulate the sensor signals the ECU is expecting to process. Working with the ECU outside the vehicle reduces the noise introduced by other units and also reduces the consequences of an "Oops!".

The next chapter, "Attacking ECUs And Other Embedded Systems", gets to the meat of the matter in interacting with these devices. This is an excellent chapter that introduces a plethora of tools and hardware accessories in a single place without having to scour multiple websites and online forums. Some of the techniques (e.g., JTAG) will be familiar if you've done hardware debugging but Smith's additional discussion of how these tools can be used to change the desired operation of embedded systems in ways an adversary might desire is both eye opening and invaluable.

Chapter 9, "In-Vehicle Infotainment Systems", extends the discussion to that nice touchscreen found in many vehicles that is the interface to multiple applications such as navigation and climate control.

The next chapter, "Vehicle-to-Vehicle Communication", provides an introduction to one of the more frightening possibilities in vehicle systems: cross-communication. Though it might be useful for a truck loaded with dynamite to notify vehicles in its vicinity that it's transporting hazardous material, the potential mischief of false notifications or suppressed notifications is obvious. This is a developing technology and could well use input from the security profession.

Chapter 11, "Weaponizing CAN Findings", describes how to "take an exploit and make it easy to use" (p. 193). Smith lucidly demonstrates how to take an exploit (found during your research using the techniques described in the earlier chapters) and package it as a Metasploit payload (it doesn't get much easier to use than this).

The next chapter, "Attacking Wireless Systems with SDR", describes how to use inexpensive Software Defined Radio (SDR) equipment to interact with vehicle systems using wireless technology. While wide coverage radio transceivers may cost several thousands of dollars, an SDR costs typically less than $500 (SDR receivers can be found as cheaply as $30). The systems used as examples are the TPMS (Tire Pressure Monitoring System) and key fobs (more interesting because they use cryptography). Smith begins with a discussion of modulation, how information is imposed onto a radio signal, and moves on to receiving the signals and interpreting them. Once you know the frequency, modulation and the format of the information itself, you are in a position to generate your own signals to trigger the desired action.

Chapter 13, "Performance Tuning", describes a well-developed application for modifying the operating parameters of vehicle systems to improve performance.
This is a masterful demonstration that these are not abstract possibilities but, at least in their more benign applications, already well-developed.

Our world is rapidly being filled with things that are computers and communication networks but don't look like them. And, like any other complex system, they expose vulnerabilities that can be exploited by a malicious adversary. The consequences of suddenly killing the engines of several vehicles surrounding a truck carrying hazardous materials on a busy interstate highway are horrifying to contemplate.

Smith has done a marvelous job of providing a practical introduction to the world of vehicle systems and the tools used to interact with them for both benign and malicious purposes. The challenge for the security profession is to engage with the engineers designing these systems to build understanding of the security implications of design and implementation decisions. With Smith's introduction under our belt, we will be much better prepared to speak their language. Definitely a recommended read.

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

------------------
More employee data leakage from US Federal Departments

"Hackers Access Employee Records at Justice and Homeland Security Depts"
http://www.nytimes.com/2016/02/09/us/hackers-access-employee-records-at-justice-and-homeland-security-depts.html
New York Times
Eric Lichtblau
Feb 8, 2016

Summary: In today's world, the disclosure of personal information of 30,000 government workers on the Internet is hardly enough to break into the news cycle. But, because it affected the departments of Justice and Homeland Security, it seems just worthy of note.
The information seems to have been obtained by a politically motivated hacker who used information about an employee on a social media site to leverage access to government employee directories.

------------------------------------------------------------------------
British teenager social engineers top US officials

"British teen arrested in hacking of top U.S. intelligence officials"
https://www.washingtonpost.com/world/national-security/british-teen-arrested-in-hacking-of-top-us-intelligence-officials/2016/02/12/7b87351e-d1a5-11e5-b2bc-988409ee911b_story.html
The Washington Post
Feb 12, 2016
By Matt Zapotosky and Ellen Nakashima

Summary: The emails of the CIA director and the Director of National Intelligence were the victims of email hacking, and a British teenager has been arrested for it. The investigation of the exploit has focused on "Crackas With Attitude", and they are suspected of leaking government employee information (see the preceding news item). The exploit may have been "old school" because it is rumored to have been based on convincing Verizon workers that they were talking to the victims. The hackers got the account access information changed so that they could login to the victims' email accounts. They also claimed to have changed voice forwarding on one of the phones.

------------------------------------------------------------------------
Two NIST announcements

NIST announces new publication
Special Publication (SP) 800-57, Part 1 Rev. 4, Recommendation for Key Management, Part 1: General

NIST announces the completion of
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf
Special Publication (SP) 800-57, Part 1 Rev. 4, Recommendation for Key Management, Part 1: General. This Recommendation provides general cryptographic key management guidance. The proper management of cryptographic keys is essential to the effective use of cryptography for security.
Public comments received during the review of this document are provided here: http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57pt1r4_comments_received.pdf

NIST announces new draft publication, invites comments
Special Publication (SP) 800-175, Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms.

NIST requests comments on SP 800-175B,
http://csrc.nist.gov/publications/drafts/800-175/sp800-175b_draft.pdf
"Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms." The SP 800-175 publications are intended to be a replacement for SP 800-21, Guideline for Implementing Cryptography in the Federal Government, but with a focus on using the cryptographic offerings currently available, rather than building one's own implementation. SP 800-175B is intended to provide guidance to the Federal government for using cryptography and NIST's cryptographic standards to protect sensitive, but unclassified digitized information during transmission and while in storage. The cryptographic methods and services to be used are also discussed. The first document in the series (i.e., SP 800-175A) will be available shortly.

Please provide comments on SP 800-175B by Friday, April 29, 2016. Comments may be sent to SP800-175@nist.gov with "Comments on SP 800-175B" as the subject.

------------------------------------------------------------------------
The iPhone lands in hot water, crypto-wise

In the past two months there have been many stories about how the US government has been raising legal objections to commercial applications that encrypt data without providing any backdoors for law enforcement. Apple iPhones have been the focal point for the controversy, and the Justice Department has taken the unusual step of ordering Apple to produce a digitally signed and weakened version of its OS to load onto the iPhone of a dead terrorist.
The debate about public safety vs. personal privacy has moved into new territory. We present a selection of pointers to news and commentary about it.

-----------------------
Justice Dept.: Apple won't help unlock iPhone due to worry about 'impact on its reputation'
https://www.washingtonpost.com/news/post-nation/wp/2016/02/19/justice-dept-says-
The Washington Post
Feb 19, 2016
by Mark Berman

US government files appeal in New York iPhone unlocking case
http://www.theguardian.com/technology/2016/mar/07/apple-iphone-new-york-case-fbi-encryption
The Guardian
March 7, 2016
by Danny Yadron

Apple, The FBI And iPhone Encryption: A Look At What's At Stake
http://www.npr.org/sections/thetwo-way/2016/02/17/467096705/apple-the-fbi-and-iphone-encryption-a-look-at-whats-at-stake
NPR
February 19, 2016
by Alina Selyukh and Camila Domonoske

Congressional Committee Testimony re encryption
https://judiciary.house.gov/wp-content/uploads/2016/02/Landau-Written-Testimony.pdf
by Susan Landau

Apple Letter to Customers
http://www.apple.com/customer-letter/
February 16, 2016
by Tim Cook

Obama at SXSW: "Dangers are real" in debate over encryption
http://www.cbsnews.com/news/obama-at-sxsw-dangers-are-real-in-debate-over-encryption/
AP Wire
Mar 12, 2016

------------------------------------------------------------------------
Stop changing your password

"Why changing your password regularly may do more harm than good"
https://www.washingtonpost.com/news/the-switch/wp/2016/03/02/the-case-against-the-most-annoying-security-measure-virtually-every-workplace-uses/
The Washington Post
Mar 3, 2016
by Andrea Peterson

Summary: Federal Trade Commission chief technologist, Lorrie Cranor, has some contrarian advice about password changes. An expert in human factors issues for computer security, Cranor suggests that people have enough trouble coming up with one good password, let alone a constant stream of them. The result is that bad passwords are used more often when changes are frequent.
Case studies bear out the claim. Some people take this as just one more reason to give up on passwords altogether and switch to biometric authentication.

------------------------------------------------------------------------
Iran to be named dam hacker

"U.S. plans to publicly blame Iran for dam cyber breach"
http://www.cnn.com/2016/03/10/politics/iran-us-dam-cyber-attack/index.html
CNNPolitics.com
Mar 10, 2016
Evan Perez and Shimon Prokupecz

Summary: As reported in the last issue of Cipher, in 2013, using off-the-shelf malicious software tools, someone gained access to the "backoffice systems" for a dam in New York state. Although no damage resulted, it was unsettling to US officials to have a piece of physical infrastructure come close to being breached. Iran has been named the likely culprit, and an indictment may be handed down soon.

------------------------------------------------------------------------
Carhacking, it's a thing in the Io(insecure)T

"Car hacking"
http://www.reuters.com/article/us-fbi-autos-cyber-idUSKCN0WK0BB
Reuters
March 17, 2016
David Shepardson

Summary: As Cipher's book review this month points out, car hacking is now an activity. So serious a thing that there have been three separate software security updates by major manufacturers in the past year, one of them involving a recall. The Alliance of Automobile Manufacturers and Association of Global Automakers late last year opened an Information Sharing and Analysis Center. Perhaps this will help improve the awareness of risks and secure design methods. The FBI and NHTSA warn that owners might be tricked into installing malicious software updates on their smartphones (there's an app for your car) or directly onto their vehicles. That software might let hackers take control of vehicles and cause mayhem.
Federal Bulletin: http://www.ic3.gov/media/2016/160317.aspx

------------------------------------------------------------------------
Diffie and Hellman win the 2015 Turing Award

"Cryptography Pioneers Receive ACM Turing Award"
http://awards.acm.org/turing-award-2015.pdf
ACM Press Release
March 1, 2016

Summary: Decades ago two Stanford researchers decided to tackle the seemingly off-limits topic of cryptography, and they ended up making the remarkable discovery of public key cryptography. Now, the pair, Whitfield Diffie and Martin Hellman, have received the ACM's Turing Award for 2015.

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html

Nothing new since Cipher E130

--------------
This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
====================================================================

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

3/21/16- 3/24/16: EuroSP, 1st IEEE European Symposium on Security and Privacy, Congress Center Saar, Saarbrucken, Germany; http://www.ieee-security.org/TC/EuroSP2016/
3/23/16: TELERISE, 2nd International Workshop on TEchnical and LEgal aspects of data pRIvacy and SEcurity, Co-located with ICWE 2016, Universita della Svizzera Italiana (USI) Lugano, Switzerland; http://www.iit.cnr.it/telerise2016/; Submissions are due
3/23/16- 3/25/16: INTRICATE-SEC, 4th International Workshop on Security Intricacies in Cyber-Physical Systems and Services, Held in conjunction with the 30th International Conference on Advanced Information Networking and Applications (AINA-2016), Crans-Montana, Switzerland; http://infosec.cs.uct.ac.za/INTRICATE-SEC/
3/25/16: HAISA, International Symposium on Human Aspects of Information Security & Assurance, Frankfurt Germany; http://haisa.org/; Submissions are due
3/25/16: MSPN, International Conference on Mobile, Secure and Programmable Networking, Paris, France; http://cedric.cnam.fr/workshops/mspn2016/; Submissions are due
3/31/16: IWSEC, 11th International Workshop on Security, Tokyo, Japan; http://www.iwsec.org/2016/; Submissions are due
4/ 1/16: RAID, 19th International Symposium on Research in Attacks, Intrusions and Defenses, Paris, France; http://www.raid2016.org/; Submissions are due
4/ 1/16: SIN, 9th International Conference on Security of Information and Networks, Rutgers University, New Jersey, NJ, USA; http://www.sinconf.org; Submissions are due
4/ 4/16: I-SAT, International Workshop on Information Security, Assurance, and Trust, Vancouver, BC, Canada; http://i-sat.ca; Submissions are due
4/ 4/16: IWCC, 5th International Workshop on Cyber Crime, Co-located with the 11th International Conference on Availability, Reliability and Security (ARES 2016), Salzburg, Austria; http://stegano.net/IWCC2016/; Submissions are due
4/ 6/16: IMPS, Workshop on Innovations in Mobile Privacy and Security, Held in conjunction with ESSoS 2016, London, UK; http://groups.inf.ed.ac.uk/security/IMPS/
4/ 6/16- 4/ 8/16: ESSoS, International Symposium on Engineering Secure Software and Systems, University of London, London, UK; https://distrinet.cs.kuleuven.be/events/essos/2016/calls-papers.html
4/12/16: PMSPCR, Workshop on Process Mining for Security, Privacy, Compliance & Resilience, Held in conjunction with the 19th International Conference on Business Information Systems (BIS 2016), Leipzig, Germany; http://bis.kie.ue.poznan.pl/bis2016/workshops/pmspcr-2016/; Submissions are due
4/15/16: TrustCom, 15th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, Tianjin, China; http://adnet.tju.edu.cn/TrustCom2016/; Submissions are due
4/17/16: NSAA, Workshop on Network Security Analytics and Automation, Held in conjunction with the 25th International Conference on Computer Communication and Networks (ICCCN 2016), Waikoloa, Hawaii, USA; http://icccn.org/icccn16/; Submissions are due
4/18/16: GraMSec, 3rd International Workshop on Graphical Models for Security, Co-located with CSF 2016, Lisbon, Portugal; http://gramsec.uni.lu/; Submissions are due
4/19/16- 4/20/16: Cybersecurity, Cybersecurity Symposium, Coeur d'Alene, Idaho, U.S.A; http://www.cybersecuritysymposium.com
4/20/16: CNS, 4th IEEE Conference on Communications and Network Security, Philadelphia, PA, USA; http://cns2016.ieee-cns.org/; Submissions are due
4/22/16: ESORICS, 21st European Symposium on Research in Computer Security, Heraklion, Crete; http://www.ics.forth.gr/esorics2016/; Submissions are due
4/30/16: Mycrypt, 2nd International Conference on Cryptology & Malicious Security, Kuala Lumpur, Malaysia; https://foe.mmu.edu.my/mycrypt2016; Submissions are due
5/ 3/16: WISTP, 10th WISTP International Conference on Information Security Theory and Practice, Heraklion, Crete, Greece; http://www.wistp.org/; Submissions are due
5/ 5/16- 5/ 7/16: HOST, IEEE International Symposium on Hardware Oriented Security and Trust, Washington DC, USA; http://www.hostsymposium.org
5/ 9/16: TRUST, 9th International Conference on Trust & Trustworthy Computing, Vienna, Austria; http://trust2016.sba-esearch.org/; Submissions are due
5/13/16: EuroUSEC, 1st European Workshop on Usable Security, Affiliated with PETS 2016, Darmstadt, Germany; https://eurousec.secuso.org/2016/; Submissions are due
5/15/16: Call for Book Chapters: Empirical Research for Software Security: Foundations and Experience, Taylor & Francis Group, LLC; https://www.sit.fraunhofer.de/de/ijsse/?no_cache=1; Submissions are due
5/22/16- 5/26/16: ICIMP, 11th International Conference on Internet Monitoring and Protection, Valencia, Spain; http://www.iaria.org/conferences2016/ICIMP16.html
5/23/16: ACM CCS, 23rd ACM Conference on Computer and Communications Security, Vienna, Austria; http://www.sigsac.org/ccs/CCS2016/call-for-papers/; Submissions are due
5/23/16- 5/25/16: SP, 37th IEEE Symposium on Security and Privacy, San Jose, CA, USA; http://www.ieee-security.org/TC/SP2016/
5/26/16: SPW, Security and Privacy Workshops, Held in conjunction with the 37th IEEE Symposium on Security and Privacy (SP 2016), San Jose, CA, USA; http://www.ieee-security.org/TC/SP2016/cfworkshops.html
5/26/16: BioSTAR, International Workshop on Bio-inspired Security, Trust, Assurance and Resilience, Co-located with 37th IEEE Symposium on Security and Privacy (IEEE S&P 2016), San Jose, CA, USA; http://biostar.cybersecurity.bio/
5/26/16: MOST, Workshop on Mobile Security Technologies, Co-located with 37th IEEE Symposium on Security and Privacy (IEEE S&P 2016), San Jose, CA, USA; http://ieee-security.org/TC/SPW2016/MoST/cfp.html
5/26/16: LASER, 4th Workshop on Learning from Authoritative Security Experiment Results, Co-located with 37th IEEE Symposium on Security and Privacy (IEEE S&P 2016), San Jose, CA, USA; http://2016.laser-workshop.org/
5/30/16: IEEE Transactions on Computers, Special Section on Secure Computer Architectures; http://www.computer.org/cms/Computer.org/transactions/cfps/cfp_tcsi_sca.pdf; Submissions are due
5/30/16: SSR, 3rd International conference on Security Standardization Research, Gaithersburg, MD, USA; http://csrc.nist.gov/groups/ST/ssr2016/; Submissions are due
5/30/16: WTMC, International Workshop on Traffic Measurements for Cybersecurity, Co-located with 11th ACM Asia Conference on Computer and Communications Security (AsiaCCS 2016), Xi'an, China; http://wtmc.info
5/30/16: IoTPTS, 2nd ACM International Workshop on IoT Privacy, Trust, and Security, Co-located with 11th ACM Asia Conference on Computer and Communications Security (AsiaCCS 2016), Xi'an, China; https://sites.google.com/site/iotpts2016/
5/30/16- 6/ 1/16: IFIP SEC, 31th IFIP TC-11 SEC 2016 International Information Security and Privacy Conference, Ghent, Belgium; http://ifipsec.org/2016/
5/31/16- 6/ 3/16: ASIACCS, 11th ACM Asia Conference on Computer and Communications Security, Xi'an, China; http://meeting.xidian.edu.cn/conference/AsiaCCS2016/home.html
5/31/16: CPSS, 2nd ACM Cyber-Physical System Security Workshop, Held in conjunction with ACM AsiaCCS 2016 Conference, Xi'an, China; http://icsd.i2r.a-star.edu.sg/cpss16/
6/ 1/16: SADFE, 11th International Conference on Systematic Approaches to Digital Forensics Engineering, Kyoto, Japan; http://sadfe.org; Submissions are due
6/ 1/16- 6/ 3/16: MSPN, International Conference on Mobile, Secure and Programmable Networking, Paris, France; http://cedric.cnam.fr/workshops/mspn2016/
6/ 4/16: PROOFS, 5th International Workshop on Security Proofs for Embedded Systems, Santa Barbara, California, USA; http://www.proofs-workshop.org/; Submissions are due
6/9/16: TELERISE, 2nd International Workshop on TEchnical and LEgal aspects of data pRIvacy and SEcurity, Co-located with ICWE 2016, Universita della Svizzera Italiana (USI) Lugano, Switzerland; http://www.iit.cnr.it/telerise2016/
6/10/16- 6/14/16: STPSA, 11th IEEE International Workshop on Security, Trust, and Privacy for Software Applications, Held in conjunction with COMPSAC 2016, Atlanta, GA, USA; http://staging.computer.org/web/compsac2016/stpsa
6/15/16: SecureComm, 12th EAI International Conference on Security and Privacy in Communication Networks, Guangzhou, China; http://securecomm.org; Submissions are due
6/15/16: IWDW, 15th International Workshop on Digital-forensics and Watermarking, Beijing, China; http://www.iwdw.net/; Submissions are due
6/16/16- 6/18/16: I-SAT, International Workshop on Information Security, Assurance, and Trust, Vancouver, BC, Canada; http://i-sat.ca
6/19/16- 6/22/16: ACNS, 14th International Conference on Applied Cryptography and Network Security, London, United Kingdom; http://acns2016.sccs.surrey.ac.uk/
6/27/16: GraMSec, 3rd International Workshop on Graphical Models for Security, Co-located with CSF 2016, Lisbon, Portugal; http://gramsec.uni.lu/
6/28/16- 7/ 1/16: CSF, 29th IEEE Computer Security Foundations Symposium, Lisbon, Portugal; http://csf2016.tecnico.ulisboa.pt/
7/ 6/16- 7/ 8/16: PMSPCR, Workshop on Process Mining for Security, Privacy, Compliance & Resilience, Held in conjunction with the 19th International Conference on Business Information Systems (BIS 2016), Leipzig, Germany; http://bis.kie.ue.poznan.pl/bis2016/workshops/pmspcr-2016/
7/ 7/16- 7/ 8/16: DIMVA, 13th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, San Sebastian, Spain; http://dimva2016.mondragon.edu
7/18/16: EuroUSEC, 1st European Workshop on Usable Security, Affiliated with PETS 2016, Darmstadt, Germany; https://eurousec.secuso.org/2016/
7/18/16- 7/20/16: WiSec, 9th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Darmstadt, Germany; http://www.sigsac.org/wisec/WiSec2016/
7/18/16- 7/21/16: DBSec, 30th Annual IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy, Trento, Italy; http://dbsec2016.fbk.eu
7/18/16- 7/22/16: SHPCS, 11th International Workshop on Security and High Performance Computing Systems, Held in conjunction with the 2016 International Conference on High Performance Computing & Simulation (HPCS 2016), Innsbruck, Austria; http://hpcs2016.cisedu.info/2-conference/workshops---hpcs2016/workshop09-shpcs
7/19/16- 7/21/16: HAISA, International Symposium on Human Aspects of Information Security & Assurance, Frankfurt Germany; http://haisa.org/
7/19/16- 7/22/16: PETS, 16th Privacy Enhancing Technologies Symposium, Darmstadt, Germany; http://petsymposium.org/
7/20/16- 7/22/16: SIN, 9th International Conference on Security of Information and Networks, Rutgers University, New Jersey, NJ, USA; http://www.sinconf.org
7/26/16- 7/28/16: SECRYPT, 13th International Conference on Security and Cryptography, Lisbon, Portugal; http://www.secrypt.icete.org
7/23/16- 7/26/16: TrustCom, 15th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, Tianjin, China; http://adnet.tju.edu.cn/TrustCom2016/
8/ 1/16- 8/ 4/16: NSAA, Workshop on Network Security Analytics and Automation, Held in conjunction with the 25th International Conference on Computer Communication and Networks (ICCCN 2016), Waikoloa, Hawaii, USA; http://icccn.org/icccn16/
8/20/16: PROOFS, 5th International Workshop on Security Proofs for Embedded Systems, Santa Barbara, California, USA; http://www.proofs-workshop.org/
8/22/16: GenoPri, 3rd International Workshop on Genome Privacy and Security, Held in conjunction with the AMIA 2016 Annual Symposium, Chicago, IL, USA; http://www.genopri.org/; Submissions are due
8/29/16- 8/30/16: TRUST, 9th International Conference on Trust & Trustworthy Computing, Vienna, Austria; http://trust2016.sba-esearch.org/
8/29/16- 9/ 2/16: IWCC, 5th International Workshop on Cyber Crime, Co-located with the 11th International Conference on Availability, Reliability and Security (ARES 2016), Salzburg, Austria; http://stegano.net/IWCC2016/
9/ 7/16- 9/ 9/16: ISC, 19th Information Security Conference, Honolulu, Hawaii, USA; http://manoa.hawaii.edu/isc2016
9/12/16- 9/14/16: IWSEC, 11th International Workshop on Security, Tokyo, Japan; http://www.iwsec.org/2016/
9/17/16- 9/19/16: IWDW, 15th International Workshop on Digital-forensics and Watermarking, Beijing, China; http://www.iwdw.net/
9/19/16- 9/21/16: RAID, 19th International Symposium on Research in Attacks, Intrusions and Defenses, Paris, France; http://www.raid2016.org/
9/20/16- 9/22/16: SADFE, 11th International Conference on Systematic Approaches to Digital Forensics Engineering, Kyoto, Japan; http://sadfe.org
9/26/16- 9/27/16: WISTP, 10th WISTP International Conference on Information Security Theory and Practice, Heraklion, Crete, Greece; http://www.wistp.org/
9/26/16- 9/30/16: ESORICS, 21st European Symposium on Research in Computer Security, Heraklion, Crete; http://www.ics.forth.gr/esorics2016/
10/10/16-10/12/16: SecureComm, 12th EAI International Conference on Security and Privacy in Communication Networks, Guangzhou, China; http://securecomm.org
10/17/16-10/19/16: CNS, 4th IEEE Conference on Communications and Network Security, Philadelphia, PA, USA; http://cns2016.ieee-cns.org/
10/24/16-10/28/16: ACM CCS, 23rd ACM Conference on Computer and Communications Security, Vienna, Austria; http://www.sigsac.org/ccs/CCS2016/call-for-papers/
11/12/16: GenoPri, 3rd International Workshop on Genome Privacy and Security, Held in conjunction with the AMIA 2016 Annual Symposium, Chicago, IL, USA; http://www.genopri.org/
12/ 1/16-12/ 2/16: Mycrypt, 2nd International Conference on Cryptology & Malicious Security, Kuala Lumpur, Malaysia; https://foe.mmu.edu.my/mycrypt2016
12/ 5/16-12/ 6/16: SSR, 3rd International conference on Security Standardization Research, Gaithersburg, MD, USA; http://csrc.nist.gov/groups/ST/ssr2016/

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers (new since Cipher E130)
___________________________________________________________________

TELERISE 2016 2nd International Workshop on TEchnical and LEgal aspects of data pRIvacy and SEcurity, Co-located with ICWE 2016, Universita della Svizzera Italiana (USI) Lugano, Switzerland, June 9, 2016. (Submissions Due 23 March 2016)
http://www.iit.cnr.it/telerise2016/

Information sharing on the Web is essential for today's business and societal transactions. Nevertheless, such a sharing should not violate the security and privacy requirements either dictated by Law to protect data subjects or by internal regulations provided both at organisation and individual level. An effectual, rapid, and unfailing electronic data sharing among different parties, while protecting legitimate rights on these data, is a key issue with several shades. Among them, how to translate the high-level law obligations, business constraints, and users' requirements into system-level privacy policies, as well as engineering efficient and practical Web applications-based solutions for policy definition and enforcement.

TELERISE aims at providing a forum for researchers and engineers, in academia as well as in industry, to foster an exchange of research results, experiences, and products in the area of privacy preserving, secure data management, and engineering on the Web, from a technical and legal perspective. The ultimate goal is to conceive new trends and ideas on designing, implementing, and evaluating solutions for privacy-preserving information sharing, with an eye to the cross-relations between ICT and regulatory aspects of data management and engineering.
Topics of interest are (but not limited to):
- Model-based and experimental assessment of data protection
- Privacy in identity management and authentication
- Modeling and analysis languages for representation, visualization, specification of legal regulations
- Technical, legal, and user requirements for data protection
- User-friendly authoring tools to edit privacy preferences
- IT infrastructures for privacy and security policies management
- IT infrastructure for supporting privacy and security policies evolution
- Privacy and security policies conflict analysis and resolution strategies
- Electronic Data Sharing Agreements representation: languages and management infrastructure
- Cross-relations between privacy-preserving technical solutions and legal regulations
- Privacy aware access and usage control
- Privacy and security policies enforcement mechanisms
- Privacy preserving data allocation and storage
- Software systems compliance with applicable laws and regulations
- Heuristic for pattern identification in law text
- Empirical analysis of consumer's awareness of privacy and security policies

-------------------------------------------------------------------------

HAISA 2016 International Symposium on Human Aspects of Information Security & Assurance, Frankfurt, Germany, July 19 - 21, 2016. (Submissions Due 25 March 2016)
http://haisa.org/

It is commonly acknowledged that security requirements cannot be addressed by technical means alone, and that a significant aspect of protection comes down to the attitudes, awareness, behaviour and capabilities of the people involved. Indeed, people can potentially represent a key asset in achieving security, but at present, factors such as lack of awareness and understanding, combined with unreasonable demands from security technologies, can dramatically impede their ability to do so.
Ensuring appropriate attention and support for the needs of users should therefore be seen as a vital element of a successful security strategy. People at all levels (i.e. from organisations to domestic environments; from system administrators to end-users) need to understand security concepts, how the issues may apply to them, and how to use the available technology to protect their systems. In addition, the technology itself can make a contribution by reducing the demands upon users, simplifying protection measures, and automating a variety of safeguards.

With the above in mind, this symposium specifically addresses information security issues that relate to people. It concerns the methods that inform and guide users' understanding of security, and the technologies that can benefit and support them in achieving protection. The symposium welcomes papers addressing research and case studies in relation to any aspect of information security that pertains to the attitudes, perceptions and behaviour of people, and how human characteristics or technologies may be positively modified to improve the level of protection.
Indicative themes include:
- Information security culture
- Awareness and education methods
- Enhancing risk perception
- Public understanding of security
- Usable security
- Psychological models of security software usage
- User acceptance of security policies and technologies
- User-friendly authentication methods
- Biometric technologies and impacts
- Automating security functionality
- Non-intrusive security
- Assisting security administration
- Impacts of standards, policies, compliance requirements
- Organizational governance for information assurance
- Simplifying risk and threat assessment
- Understanding motivations for misuse
- Social engineering and other human-related risks
- Privacy attitudes and practices
- Computer ethics and security

-------------------------------------------------------------------------

MSPN 2016 International Conference on Mobile, Secure and Programmable Networking, Paris, France, June 1-3, 2016. (Submissions Due 25 March 2016)
http://cedric.cnam.fr/workshops/mspn2016/

The rapid deployment of new infrastructures based on network virtualization and Cloud computing triggers new applications and services that in turn generate new constraints such as security and/or mobility. The International Conference on Mobile, Secure and Programmable Networking aims at providing a top forum for researchers and practitioners to present and discuss new trends in networking infrastructures, security, services and applications while focusing on virtualization and Cloud computing, network programming, Internet of things and Cloud computing convergence, Software Defined Networks (SDN) and their security. Position papers are also welcome and should be clearly marked as such. The accepted papers will be published as a post-proceedings in Springer's LNCS.
Authors are invited to submit complete unpublished papers, which are not under review in any other conference or journal, including, but not limited to, the following topic areas:
- Software Defined Networks (tools, software, concepts)
- Virtualization and Cloud computing
- Networks and Cloud computing
- Mobile computing and Mobile Cloud computing
- Security, Privacy and Trust in Networks, Services and Applications
- Green computing and networking
- Ubiquitous Computing and Sensor Networks
- System design and testbeds
- Cross-Layer Design and Optimization
- Modeling and performance evaluation
- 4G and 5G networks
- Social networks
- Cooperative networking and Self-Organizing networks
- Distributed sensing, actuation, and control in cyber-physical systems
- Internet of Things
- Vehicular networks and Connected Cars
- Crowdsourcing
- Datacenter networking
- Location-based Services
- Smart cities

-------------------------------------------------------------------------

IWSEC 2016 11th International Workshop on Security, Tokyo, Japan, September 12-14, 2016. (Submissions Due 31 March 2016)
http://www.iwsec.org/2016/

Original papers on the research and development of various security topics, as well as case studies and implementation experiences, are solicited for submission to IWSEC 2016. Topics of interest for IWSEC 2016 include all theory and practice of cryptography, information security, and network security, as in previous IWSEC workshops.
In particular, we encourage the following topics in this year:
- Big Data Analysis for Security
- Critical Infrastructure Security
- Cryptanalysis
- Cryptographic Protocols
- Cybersecurity Economics
- Digital Forensics
- Enriched Cryptography
- Formal Methods
- IoT security
- Machine Learning for Security
- Malware Countermeasures
- Measurements for Cybersecurity
- Multiparty Computation
- Post Quantum Cryptography
- Privacy Preserving
- Real World Cryptography
- Visualization for Security

-------------------------------------------------------------------------

RAID 2016 19th International Symposium on Research in Attacks, Intrusions and Defenses, Paris, France, September 19-21, 2016. (Submissions Due 1 April 2016)
http://www.raid2016.org/

The 19th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2016) aims at bringing together leading researchers and practitioners from academia, government, and industry to discuss novel research contributions related to computer and information security.
Research papers on all topics related to cyber attacks, intrusions or defenses are within scope, including papers on:
- Malware and unwanted software
- Mobile and Web security and privacy
- Cloud computing security
- Computer and network security
- Denial-of-Service attacks
- Formal models, analysis, and standards
- Vulnerability analysis
- Secure software development
- Machine learning for security
- Computer security visualization techniques
- Cyber crime and underground economies
- Hardware security
- Program analysis and reverse engineering
- Digital forensics
- Usable security and privacy
- Intrusion detection and prevention
- Cyber physical systems
- Security measurement studies
- Security and privacy of the Internet of Things
- Threats against critical infrastructures and mitigation thereof
- Cyber intelligence techniques and threats intel sharing

-------------------------------------------------------------------------

SIN 2016 9th International Conference on Security of Information and Networks, Rutgers University, New Jersey, NJ, USA, July 20-22, 2016. (Submissions Due 1 April 2016)
http://www.sinconf.org

Papers, special sessions, tutorials, and workshops addressing all aspects of security in information and networks are being sought. Researchers and industrial practitioners working on the following and related subjects are especially encouraged: development and realization of cryptographic solutions, security schemes, new algorithms; critical analysis of existing approaches; secure information systems, especially distributed control and processing applications, and security in networks; interoperability, service levels and quality issues in such systems; information assurance, security, and public policy; detection and prevention of cybercrimes such as fraud and phishing; next generation network architectures, protocols, systems and applications; security education curriculum; industrial experiences and challenges of the above.
Doctoral students are encouraged to propose papers on ongoing research. Original papers will be considered; submissions must not substantially duplicate work that any of the authors has published elsewhere or has submitted in parallel to any other conference or workshop that has proceedings. All submitted papers will be reviewed by at least three members of the program committee judging its originality, significance, correctness, presentation and relevance. Authors are also encouraged to propose position papers on practical studies and experiments, critique of existing work, emerging issues, and novel ideas under development. Enterprises and research centers developing, implementing, or using security tools and frameworks are encouraged to propose application / tool demo. Proposals of half-day tutorials on fundamental to advanced subjects covering practical implementation aspects of security are welcome. Proposals of special session(s) to be held in the main conference are welcome. Proposals are invited for workshops to be held in conjunction with SIN 2016 Conference. The workshop proposal theme should be closely related to the conference topics. 
Broad areas of interest include theory, tools, and applications of security for information, computer, network, and cloud, but are not limited to, the following:
- Access control and intrusion detection
- Security of cyber-physical systems
- Autonomous and adaptive security
- Security tools and development platforms
- Computational intelligence techniques in security
- Security ontology, models, protocols & policies
- Computer network defense
- Standards, guidelines and certification
- Cryptographic techniques and key management
- Security-aware software engineering
- Trust and privacy
- Information assurance
- Malware analysis
- Network security and protocols
- Security in Mobile/Embedded Systems
- Cloud security
- Security education and innovative curriculum

-------------------------------------------------------------------------

I-SAT 2016 International Workshop on Information Security, Assurance, and Trust, Vancouver, BC, Canada, June 16-18, 2016. (Submissions Due 4 April 2016)
http://i-sat.ca

The goal of this workshop is to provide a forum for researchers, scientists and engineers working in academia and industry to share their experiences, new ideas and research results in the areas of information and system security, assurance, and trust. I-SAT2016 will address novel research targeting technical aspects of protecting information security and establishing trust in the digital space. New paradigms and solutions targeting emerging topics in such fields will be presented and discussed by researchers and industrial experts.
The main focus of the workshop will include, but is not limited to, the following:
- Application Security and Threat Management
- Cyber Security, Privacy and Trust
- Modern Authentication Paradigms
- Big data security
- Database security
- Digital Fraud detection
- Social engineering and insider threats
- Cyber threat intelligence
- Cloud, Mobile, and Internet-of-Things security
- Digital forensics
- Intrusion Detection
- Biometrics
- Botnet and DDoS detection and control

-------------------------------------------------------------------------

IWCC 2016 5th International Workshop on Cyber Crime, Co-located with the 11th International Conference on Availability, Reliability and Security (ARES 2016), Salzburg, Austria, August 29 - September 2, 2016. (Submissions Due 4 April 2016)
http://stegano.net/IWCC2016/

Today's world's societies are becoming more and more dependent on open networks such as the Internet - where commercial activities, business transactions and government services are realized. This has led to the fast development of new cyber threats and numerous information security issues which are exploited by cyber criminals. The inability to provide trusted secure services in contemporary computer network technologies has a tremendous socio-economic impact on global enterprises as well as individuals. Moreover, the frequently occurring international frauds impose the necessity to conduct the investigation of facts spanning across multiple international borders. Such examination is often subject to different jurisdictions and legal systems. A good illustration of the above is the Internet, which has made it easier to perpetrate traditional crimes. It has acted as an alternate avenue for the criminals to conduct their activities, and launch attacks with relative anonymity. The increased complexity of the communications and the networking infrastructure is making investigation of the crimes difficult.
Traces of illegal digital activities are often buried in large volumes of data, which are hard to inspect with the aim of detecting offences and collecting evidence. Nowadays, the digital crime scene functions like any other network, with dedicated administrators functioning as the first responders. This poses new challenges for law enforcement policies and forces the computer societies to utilize digital forensics to combat the increasing number of cybercrimes. Forensic professionals must be fully prepared in order to be able to provide court admissible evidence. To make these goals achievable, forensic techniques should keep pace with new technologies.

The aim of the 5th International Workshop on Cyber Crime is to bring together the research accomplishments provided by the researchers from academia and the industry. The other goal is to show the latest research results in the field of digital forensics and to present the development of tools and techniques which assist the investigation process of potentially illegal cyber activity. We encourage prospective authors to submit related distinguished research papers on the subject of both: theoretical approaches and practical case reviews. The workshop will be accessible to both non-experts interested in learning about this area and experts interested in hearing about new research and approaches.
Topics of interest include, but are not limited to:
- Cyber crimes: evolution, new trends and detection
- Cyber crime related investigations
- Computer and network forensics
- Digital forensics tools and applications
- Digital forensics case studies and best practices
- Privacy issues in digital forensics
- Network traffic analysis, traceback and attribution
- Incident response, investigation and evidence handling
- Integrity of digital evidence and live investigations
- Identification, authentication and collection of digital evidence
- Anti-forensic techniques and methods
- Watermarking and intellectual property theft
- Social networking forensics
- Steganography/steganalysis and covert/subliminal channels
- Network anomalies detection
- Novel applications of information hiding in networks
- Political and business issues related to digital forensics and anti-forensic techniques

-------------------------------------------------------------------------

PMSPCR 2016 Workshop on Process Mining for Security, Privacy, Compliance & Resilience, Held in conjunction with the 19th International Conference on Business Information Systems (BIS 2016), Leipzig, Germany, July 6-8, 2016. (Submissions Due 12 April 2016)
http://bis.kie.ue.poznan.pl/bis2016/workshops/pmspcr-2016/

Security in Business Processes (BP) is an extension to well-known security analysis. Security rules are either defined by regulation, e.g. data protection law, or as guidelines for good conduct, e.g. Basel III or SOX. Business guidelines, e.g. ITIL and COBIT, form a specification of regulation and business conduct, but there are almost no satisfying approaches as far as computer science is concerned. This workshop deals with process mining as a means for security analysis. Three phases may be identified: process analysis before execution, monitoring, or after execution of the BP.
With regard to the latter, logs recording the events executed in BP build the basis for Process Mining (PM), which provides methods and tools to ensure compliance to regulations and guidelines. This workshop aims to explore the potentials of process mining to bridge the gap between an analysis of workflows and a certification of compliance and security. We invite innovative and previously undisclosed contributions, but also case studies and best practices, which present the analysis of business processes related to security, resilience and privacy aspects "by design", during runtime, and forensically, based on the analysis of process logs. In this regard, we explicitly invite submission of practical contributions.

-------------------------------------------------------------------------

TrustCom 2016 15th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, Tianjin, China, August 23-26, 2016. (Submissions Due 15 April 2016)
http://adnet.tju.edu.cn/TrustCom2016/

With the rapid development and increasing complexity of computer systems and communication networks, user requirements for trust, security and privacy are becoming more and more demanding. Therefore, there is a grand challenge that traditional security technologies and measures may not meet user requirements in open, dynamic, heterogeneous, mobile, wireless, and distributed computing environments. As a result, we need to build systems and networks in which various applications allow users to enjoy more comprehensive services while preserving trust, security and privacy at the same time. As useful and innovative technologies, trusted computing and communications are attracting researchers with more and more attention.
The conference aims at bringing together researchers and practitioners in the world working on trusted computing and communications, with regard to trust, security, privacy, reliability, dependability, survivability, availability, and fault tolerance aspects of computer systems and networks, and providing a forum to present and discuss emerging ideas and trends in this highly challenging research field.

Topics of interest include, but are not limited to:

Trust Track
- Trust semantics, metrics and models
- Trusted computing platform
- Trusted network computing
- Trusted operating systems
- Trusted software and applications
- Trust in social networks
- Trust in e-commerce and e-government
- Trust in mobile and wireless communications
- Risk and reputation management
- Survivable computer systems/networks
- Trust of 5G
- Miscellaneous trust issues

Security Track
- Network security
- Computer security
- Database security
- Web applications security
- Security policy, model and architecture
- Security in social networks
- Security in parallel and distributed systems
- Security in mobile and wireless communications
- Security in grid/cloud/pervasive computing
- Authentication, authorization and accounting
- Security of 5G
- Miscellaneous security issues

Privacy Track
- Privacy in Web-based applications and services
- Privacy in database systems
- Privacy in parallel and distributed systems
- Privacy in grid/cloud/pervasive computing
- Privacy in mobile and wireless communications
- Privacy in e-commerce and e-government
- Privacy in network deployment and management
- Privacy and trust
- Privacy and security
- Privacy and anonymity
- Privacy preservation in 5G
- Miscellaneous privacy issues

Forensics Track
- Anti-forensics
- Biometrics
- Cryptanalysis
- Big data forensics
- CCTV forensics
- Cloud forensics
- Computational forensics
- Cyber-physical system forensics
- Datamining for forensics
- Facial recognition
- Fingerprint forensics
- Image forensics
- Malware forensics
- Mobile app forensics (e.g. Skype, WeChat and Facebook)
- Mobile device forensics
- Multimedia forensics
- Network forensics
- Steganography and steganalysis
- System reverse engineering
- Watermarking

-------------------------------------------------------------------------

NSAA 2016 Workshop on Network Security Analytics and Automation, Held in conjunction with the 25th International Conference on Computer Communication and Networks (ICCCN 2016), Waikoloa, Hawaii, USA, August 1-4, 2016. (Submissions Due 17 April 2016)
http://icccn.org/icccn16/

This workshop provides a forum for researchers to explore promising new approaches to enable enterprises to quickly determine courses of action in response to ever changing computer network threats. Emphasis will be focused on building a sustained ecosystem for network security and using big data analytics techniques to determine appropriate responses to prevent massive attack events by neutralizing threats before they have a chance to gather momentum. To this end effective and safe automation and integration of security tools are critical.

Topics of interest include, but are not limited to:
- Cyber threat information sharing standards, ontologies, and infrastructure
- Assessing the reputation of cyber threat intelligence sources
- Course of action planning based on shared information
- Enrichment of shared threat information
- Application of big data analytics to identify threats
- Visualization of logs and attack information
- Integration of network security responses
- Orchestration of responses to threats
- Curriculum development related to network security analytics and automation
- Automation of responses
- Safety controls for automation
- Network resiliency

-------------------------------------------------------------------------

GraMSec 2016 3rd International Workshop on Graphical Models for Security, Co-located with CSF 2016, Lisbon, Portugal, June 27, 2016. (Submissions Due 18 April 2016)
http://gramsec.uni.lu/

Graphical security models provide an intuitive but systematic approach to analyze security weaknesses of systems and to evaluate potential protection measures. Formal methods and cyber security researchers, as well as security professionals from industry and government, have proposed various graphical security modeling schemes. Such models are used to capture different security facets (digital, physical, and social) and address a range of challenges including vulnerability assessment, risk analysis, defense analysis, automated defensing, secure services composition, policy validation and verification. The objective of the GraMSec workshop is to contribute to the development of well-founded graphical security models, efficient algorithms for their analysis, as well as methodologies for their practical usage. The workshop seeks submissions from academia, industry, and government presenting novel research on all theoretical and practical aspects of graphical models for security.
The topics of the workshop include, but are not limited to:
- Graphical models for threat modeling and analysis
- Graphical models for risk analysis and management
- Graphical models for requirements analysis and management
- Textual and graphical representation for system, organizational, and business security
- Visual security modeling and analysis of socio-technical and cyber-physical systems
- Graphical security modeling for cyber situational awareness
- Graphical models supporting the security by design paradigm
- Methods for quantitative and qualitative analysis of graphical security models
- Formal semantics and verification of graphical security models
- Methods for (semi-)automatic generation of graphical security models
- Enhancement and/or optimization of existing graphical security models
- Scalable evaluation of graphical security models
- Evaluation algorithms for graphical security models
- Dynamic update of graphical security models
- Game theoretical approaches to graphical security modeling
- Attack trees, attack graphs and their variants
- Stochastic Petri nets, Markov chains, and Bayesian networks for security
- UML-based models and other graphical modeling approaches for security
- Software tools for graphical security modeling and analysis
- Case studies and experience reports on the use of graphical security modeling paradigm

-------------------------------------------------------------------------

CNS 2016 4th IEEE Conference on Communications and Network Security, Philadelphia, PA, USA, October 17-19, 2016. (Submissions Due 20 April 2016)
http://cns2016.ieee-cns.org/

IEEE Conference on Communications and Network Security (CNS) is a conference series in IEEE Communications Society (ComSoc) core conference portfolio and the only ComSoc conference focusing solely on cyber security. IEEE CNS is also a spin-off of IEEE INFOCOM, the premier ComSoc conference on networking.
The goal of CNS is to provide an outstanding forum for cyber security researchers, practitioners, policy makers, and users to exchange ideas, techniques and tools, raise awareness, and share experience related to all practical and theoretical aspects of communications and network security. Building on the success of the past three years' conferences, IEEE CNS 2016 seeks original high-quality technical papers from academia, government, and industry. Topics of interest encompass all practical and theoretical aspects of communications and network security, all the way from the physical layer to the various network layers to the variety of applications reliant on a secure communication substrate.

-------------------------------------------------------------------------

ESORICS 2016 21st European Symposium on Research in Computer Security, Heraklion, Crete, September 26-30, 2016. (Submissions Due 22 April 2016)
http://www.ics.forth.gr/esorics2016/

ESORICS is the annual European research event in Computer Security. The Symposium started in 1990 and has been held in several European countries, attracting a wide international audience from both the academic and industrial communities. Papers offering novel research contributions in computer security are solicited for submission to the Symposium. The primary focus is on original, high quality, unpublished research and implementation experiences. We encourage submissions of papers discussing industrial research and development.
Topics of interest include, but are not limited to: - access control - accountability - ad hoc networks - anonymity - applied cryptography - authentication - biometrics - data and computation integrity - database security - data protection - digital content protection - digital forensics - distributed systems security - embedded systems security - inference control - information hiding - identity management - information flow control - information security governance and management - intrusion detection - formal security methods - language-based security - network security - phishing and spam prevention - privacy - privacy preserving data mining - risk analysis and management - secure electronic voting - security architectures - security economics - security metrics - security models - security and privacy for big data - security and privacy in cloud scenarios - security and privacy in complex systems - security and privacy in content centric networking - security and privacy in crowdsourcing - security and privacy in the IoT - security and privacy in location services - security and privacy for mobile code - security and privacy in pervasive / ubiquitous computing - security and privacy policies - security and privacy in social networks - security and privacy in web services - security and privacy in cyber-physical systems - security, privacy and resilience in critical infrastructures - security verification - software security - systems security - trust models and management - trustworthy user devices - usable security and privacy - web security - wireless security ------------------------------------------------------------------------- Mycrypt 2016 2nd International Conference on Cryptology & Malicious Security, Kuala Lumpur, Malaysia, December 1-2, 2016. 
(Submissions Due 30 April 2016) https://foe.mmu.edu.my/mycrypt2016 Original papers of substantial technical contribution in the areas of cryptology and malicious security are solicited for submission to the International Conference on Cryptology & Malicious Security. Submissions to Mycrypt 2016 should be aimed towards the following topic categories: - paradigm-shifting, unconventional cryptology (e.g. malicious crypto, unconventional formulations of underlying problems, or new hard problems) - position papers on breakthrough cryptologic/security research - revisits/critiques/analysis of long-standing crypto paradigms/approaches/models/formulations (in fact, we also encourage paired submissions by crypto factions of opposing views, where each paper in the pair argues for/against a paradigm) - approaches/solutions to long-standing open problems; or formulations of long-standing/thus-far ad hoc security approaches - analysis of crypto/security standardization processes & how they may be subverted - cryptofications of the real world (e.g. new types of adversarial models and/or notions inspired by real world incidences/problems, modelling humans-in-the-security-loop) - crypto & beyond: cryptologic techniques in union with techniques from other disciplines ------------------------------------------------------------------------- WISTP 2016 10th WISTP International Conference on Information Security Theory and Practice, Heraklion, Crete, Greece, September 26-27, 2016. (Submissions Due 3 May 2016) http://www.wistp.org/ The 10th WISTP International Conference on Information Security Theory and Practice (WISTP 2016) seeks original submissions from academia and industry presenting novel research on all theoretical and practical aspects of security and privacy, as well as experimental studies of fielded systems, the application of security technology, the implementation of systems, and lessons learned. 
We encourage submissions from other communities such as law, business, and policy that present these communities' perspectives on technological issues. ------------------------------------------------------------------------- TRUST 2016 9th International Conference on Trust & Trustworthy Computing, Vienna, Austria, August 29-30, 2016. (Submissions Due 9 May 2016) http://trust2016.sba-esearch.org/ TRUST 2016 is an international conference that explores new ideas and experiences in building, designing, using and understanding trustworthy computing systems. We are now calling for papers. Interested authors are invited to submit papers describing novel and previously unpublished results in building, designing, using and understanding trustworthy computing systems. Paper topics include, but are not limited to: - Architectures for trustworthy infrastructures - Emerging applications and technologies, including recent industrial research and development on trusted/trustworthy computing - Hardware security, including secure storage, cryptographic coprocessors, smartcards, and physically unclonable functions (PUFs) - Trustworthy applications, including web-based systems - Trusted mobile computing platforms - Trustworthy embedded, Cyber-Physical, and Internet of Things systems - Security analysis and formal techniques for trusted/trustworthy computing - Verification of trusted/trustworthy computing (architectures, platforms, software, protocols) - Usability of trusted/trustworthy computing solutions and human-computer interactions - Cloud security and trustworthy services - Trust management - Software engineering techniques for trustworthiness - Operating system security, including virtualization and monitoring - Cryptography for trusted computing and related applications - Intrusion detection and resilience leveraging trusted computing - Security policies and management of trusted/trustworthy systems - Experimental, user-based or testbed studies 
------------------------------------------------------------------------- EuroUSEC 2016 1st European Workshop on Usable Security, Affiliated with PETS 2016, Darmstadt, Germany, July 18, 2016. (Submissions Due 13 May 2016) https://eurousec.secuso.org/2016/ The aim of this workshop is to bring together researchers from different areas of computer science such as security, visualisation, artificial intelligence and machine learning as well as researchers from other domains such as psychology, social science and economics. We encourage submissions from collaborative research by authors of multiple fields. Topics of interest include: - Usability evaluation of existing security and privacy paradigms or technologies - Design and evaluation of novel security and privacy paradigms or technologies - Evaluation of existing security and privacy awareness and education tools - Design and evaluation of novel security and privacy awareness and education tools - Lessons learned from the design, deployment, management or the evaluation of security and privacy paradigms or technologies - Foundations of usable security and privacy - Psychological, sociological and economic aspects of security and privacy - Methodology for usable security and privacy research ------------------------------------------------------------------------- Call for Book Chapters: Empirical Research for Software Security: Foundations and Experience, Taylor & Francis Group, LLC. (Submissions Due 15 May 2016) https://www.sit.fraunhofer.de/de/ijsse/?no_cache=1 This book introduces the reader to using empirical research methods in exploring software security challenges. These methods include data analytics, questionnaires, interviews, and surveys that produce evidence for or against given claims. The book provides the foundations for using these empirical methods of collecting evidence about tools, techniques, methods, and processes for developing secure software using practical examples. 
Developing secure software requires the integration of methods, such as threat modeling and risk assessment and the integration of tools, such as security testing and code analysis tools into the development process. The design of such methods and processes is in general an artistic endeavor that is based on the shared expert knowledge, claims, and opinions. Empirical research methods allow extracting knowledge and insights from the data that organizations collect from their processes and tools and from the opinions of the experts who practice these processes and methods. This knowledge extraction contributes to maturing the design and adaptation of these techniques, methods, and processes. Examples of the topics of interest include: - The science of secure software - Survey of threat modeling techniques - Empirical research in software security - The fundamentals of data analytics for secure software - Assessment of the challenges of developing secure software using the agile approach - Assessment of the usability of security code analysis tools - The impact of security assessment on the developers' security awareness - The efficiency of security training - Combinatorial testing for software security ------------------------------------------------------------------------- ACM CCS 2016 23rd ACM Conference on Computer and Communications Security, Vienna, Austria, October 24-28, 2016. (Submissions Due 23 May 2016) http://www.sigsac.org/ccs/CCS2016/call-for-papers/ The conference seeks submissions from academia, government, and industry presenting novel research results in all practical and theoretical aspects of computer and communications security. Papers should be related to the construction, evaluation, application, or operation of secure systems. Theoretical papers must make a convincing argument for the relevance of the results to secure systems. All topic areas related to computer and communications security are of interest and in scope. 
Accepted papers will be published by ACM Press in the conference proceedings. ------------------------------------------------------------------------- IEEE Transactions on Computers, Special Section on Secure Computer Architectures. (Submissions Due 30 May 2016) http://www.computer.org/cms/Computer.org/transactions/cfps/cfp_tcsi_sca.pdf Editors: Ruby Lee (Princeton University, USA), Patrick Schaumont (Virginia Tech, USA), Ron Perez (Cryptography Research Inc., USA), and Guido Bertoni (ST Microelectronics, USA). Nowadays, computer architectures are profoundly affected by a new security landscape, caused by the dramatic evolution of information technology over the past decade. First, secure computer architectures have to support a wide range of security applications that extend well beyond the desktop environment, and that also include handheld, mobile and embedded architectures, as well as high-end computing servers. Second, secure computer architectures have to support new applications of information security and privacy, as well as new information security standards. Third, secure computer architectures have to be protected and be tamper-resistant at multiple abstraction levels, covering network, software, and hardware. This Special Section from Transactions on Computers aims to capture this evolving landscape of secure computing architectures, to build a vision of opportunities and unresolved challenges. It is expected that contributed submissions will place emphasis on secure computing in general and on engineering and architecture design aspects of security in particular. IEEE Transactions on Computers seeks original manuscripts for a Special Section on Secure Computer Architectures tentatively scheduled to appear in the July 2017 issue. 
The topics of interest for this special section include: - Cryptographic Primitives - Homomorphic Computing and Multiparty Computing - Scalability Issues of Server-level Secure Computing - High Performance/Low Power Cryptography - Oblivious RAM - Side-Channel Analysis - Side-channel attacks and defenses - Hardware Trojans and Backdoors - Hardware Vulnerabilities - Counters, Caches, Shared Memory - Computing Architectures for Isolation - Smartphone Security - Embedded Systems Security - Secure Processors and Systems - Hardware Security - Secure Virtualization and Memory Safety - Security Simulation, Testing, Validation and Verification - Metrics for Tamper Resistance - Security Metrics - Standards in Secure Computing - Instruction-Sets for Security and Cryptography - Dedicated and Protected Storage - Secure Computer Interfaces ------------------------------------------------------------------------- SSR 2016 3rd International conference on Security Standardization Research, Gaithersburg, MD, USA, December 5-6, 2016. (Submissions Due 30 May 2016) http://csrc.nist.gov/groups/ST/ssr2016/ Over the last two decades a huge range of standards have been developed covering many different aspects of cyber security. These documents have been published by national and international formal standardization bodies, as well as by industry consortia. Many of these standards have become very widely used - to take just one example, the ISO/IEC 27000 series have become a commonly used basis for managing corporate information security. Despite their wide use, there will always be a need to revise existing security standards and to add new standards to cover new domains. The purpose of this conference is to discuss the many research problems deriving from studies of existing standards, the development of revisions to existing standards, and the exploration of completely new areas of standardization. 
Indeed, many security standards bodies are only beginning to address the issue of transparency, so that the process of selecting security techniques for standardization can be seen to be as scientific and unbiased as possible. This conference is intended to cover the full spectrum of research on security standardization, including, but not restricted to, work on cryptographic techniques (including ANSI, IEEE, IETF, ISO/IEC JTC 1/SC 27, ITU-T and NIST), security management, security evaluation criteria, network security, privacy and identity management, smart cards and RFID tags, biometrics, security modules, and industry-specific security standards (e.g. those produced by the payments, telecommunications and computing industries for such things as payment protocols, mobile telephony and trusted computing). Papers offering research contributions to the area of security standardization are solicited for submission to the SSR 2016 conference. Papers may present theory, applications or practical experience in the field of security standardization, including, but not necessarily limited to: - access control - biometrics - cloud computing - critical national infrastructure (CNI) protection - consistency and comparison of multiple standards - critiques of standards - cryptanalysis - cryptographic protocols - cryptographic techniques - evaluation criteria - formal analysis of standards - history of standardization - identity management - industrial control systems security - internet security - interoperability of standards - intrusion detection - key management and PKIs - management of the standardization process - mobile security - network security - open standards and open source - payment system security - privacy - regional and international standards - RFID tag security - risk analysis - security controls - security management - security protocols - security services - security tokens - smart cards - telecommunications security - trusted computing - web security 
------------------------------------------------------------------------- SADFE 2016 11th International Conference on Systematic Approaches to Digital Forensics Engineering, Kyoto, Japan, September 20-22, 2016. (Submissions Due 1 June 2016) http://sadfe.org SADFE-2016 is concerned with the generation, analysis and sustainability of digital evidence and evolving tools and techniques that are used in this effort. Advancement in this field requires innovative methods, systems, and practices, which are grounded in solid research coupled with an understanding of user needs. Digital forensics at SADFE focuses on the issues introduced by the coupling of rapidly advancing technologies and increased globalization. We believe digital forensic engineering is vital to security, the administration of justice and the evolution of culture. Potential topics include, but are not limited to: Digital Data and Evidence Collection: - Identification, authentication and collection of digital evidence - Extraction and management of forensic artifacts - Identification and redaction of personally identifying/sensitive information - Evidence and digital memory preservation, curation and storage - Compliance of architectures and processes (including network processes) with forensic requirements - Data, digital knowledge, and web mining systems for identification and authentication of data - Honeynets and other deception technologies that collect data for forensic analysis - Innovative forensic techniques for new technologies Digital Evidence Management, Integrity and Analytics: - Advanced search, analysis, and presentation of digital evidence - Cybercrime analysis, modeling and reconstruction technologies - Tools and techniques for combining digital and non-digital evidence - Supporting both qualitative and quantitative evidence - Handling of evidence and the preservation of data integrity and admissibility - Digital evidence in the face of encryption - Forensic-support technologies: 
forensic-enabled and proactive monitoring/response Scientific Principle-Based Digital Forensic Processes - Examination environments for digital data - Legal/technical aspects of admissibility and evidence tests - Forensic tool validation: legal implications and issues - Handling increasing volumes of digital discovery - Computational Forensics and Validation Issues in Forensic Authentication and Validation. - Forensic Readiness by Design - Forensics tool validation - Computational systems and computational forensic analysis Legal, Ethical and Technical Challenges - Forensics, policy and ethical implications of new and evolving technologies - Legal and privacy implications for digital and computational forensic analysis - New Evidence Decisions - Legal case construction and digital evidence support - Transnational Investigations/Case Integration - Managing geographically, politically and/or jurisdictionally dispersed data artifacts - Case studies illustrating privacy, legal and legislative issues - Courtroom expert witness and case presentation The Impacts of the following on any of the above - Technological challenges - Legal and ethical challenges - Economic challenges - Political challenges - Cultural and professional challenges - New Trends (Internet of Things, Cloud Computing, Smart City, Big Data, etc.) ------------------------------------------------------------------------- PROOFS 2016 5th International Workshop on Security Proofs for Embedded Systems, Santa Barbara, California, USA, August 20, 2016. (Submissions Due 4 June 2016) http://www.proofs-workshop.org/ This workshop, the fifth in an annual series, brings together leading researchers and practitioners from academia, government, and industry to discuss the application of formal methods to the field of embedded systems security. PROOFS seeks contributions about methodologies that increase the confidence level in the security of embedded systems, especially those which contain cryptographic algorithms. 
Exploratory works and use-cases are especially welcomed. ------------------------------------------------------------------------- SecureComm 2016 12th EAI International Conference on Security and Privacy in Communication Networks, Guangzhou, China, October 10-12, 2016. (Submissions Due 15 June 2016) http://securecomm.org SecureComm seeks high-quality research contributions in the form of well-developed papers. Topics of interest encompass research advances in ALL areas of secure communications and networking. Topics in other areas (e.g., formal methods, database security, secure software, theoretical cryptography) will be considered only if a clear connection to private or secure communication/networking is demonstrated. Topics of interest include, but are not limited to the following: - Security & Privacy in Wired, Wireless, Mobile, Hybrid, Sensor, Ad Hoc networks - Network Intrusion Detection and Prevention, Firewalls, Packet Filters - Malware Analysis and Detection including Botnets, Trojans and APTs - Web and Systems Security - Distributed Denial of Service Attacks and Defenses - Communication Privacy and Anonymity - Circumvention and Anti-Censorship Technologies - Network and Internet Forensics Techniques - Authentication Systems: Public Key Infrastructures, Key Management, Credential Management - Secure Routing, Naming/Addressing, Network Management - Security & Privacy in Pervasive and Ubiquitous Computing, e.g., RFIDs - Security & Privacy in Peer-to-Peer and Overlay Networks - Security & Privacy for Emerging Technologies: VoIP, Internet-of-Things, Social Networks - Security & Isolation in Cloud, Data Center and Software-Defined Networks ------------------------------------------------------------------------- IWDW 2016 15th International Workshop on Digital-forensics and Watermarking, Beijing, China, September 17-19, 2016. 
(Submissions Due 15 June 2016) http://www.iwdw.net/ The 15th International Workshop on Digital-forensics and Watermarking (IWDW 2016) is a premier forum for researchers and practitioners working on novel research, development and applications of digital watermarking and forensics techniques for multimedia security. We invite submissions of high-quality original research papers. Areas of interest include, but are not limited to: - Mathematical modeling of embedding and detection - Information theoretic, stochastic aspects of data hiding - Security issues, including attacks and counter-attacks - Combination of data hiding and cryptography - Optimum watermark detection and reliable recovery - Estimation of watermark capacity - Channel coding techniques for watermarking - Large-scale experimental tests and benchmarking - New statistical and perceptual models of multimedia content - Reversible data hiding - Data hiding in special media - Data hiding and authentication - Steganography and steganalysis - Digital multimedia forensics & anti-forensics - Copyright protection, DRM, forensic watermarking - Visual cryptography & secret image sharing - Security based on human vision system ------------------------------------------------------------------------- GenoPri 2016 3rd International Workshop on Genome Privacy and Security, Held in conjunction with the AMIA 2016 Annual Symposium, Chicago, IL, USA, November 12, 2016. (Submissions Due 22 August 2016) http://www.genopri.org/ Over the past several decades, genome sequencing technologies have evolved from slow and expensive systems that were limited in access to a select few scientists and forensics investigators to high-throughput, relatively low-cost tools that are available to consumers. 
A consequence of such technical progress is that genomics has become one of the next major challenges for privacy and security because (1) genetic diseases can be unveiled, (2) the propensity to develop specific diseases (such as Alzheimer's) can be revealed, (3) a volunteer, accepting to have his genomic code made public, can leak substantial information about his ethnic heritage and the genomic data of his relatives (possibly against their will), and (4) complex privacy issues can arise if DNA analysis is used for criminal investigations and medical purposes. As genomics is increasingly integrated into healthcare and "recreational" services (e.g., ancestry testing), the risk of DNA data leakage is serious for both individuals and their relatives. Failure to adequately protect such information could lead to a serious backlash, impeding genomic research, that could affect the well-being of our society as a whole. This prompts the need for research and innovation in all aspects of genome privacy and security, as suggested by the non-exhaustive list of topics on the workshop website. ------------------------------------------------------------------------- ==================================================================== Information on the Technical Committee on Security and Privacy ==================================================================== ____________________________________________________________________ Information for Subscribers and Contributors ____________________________________________________________________ SUBSCRIPTIONS: Two options, each with two options: 1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe". OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself) 2. 
To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard". OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself) To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. 
All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors. ____________________________________________________________________ Recent Address Changes ____________________________________________________________________ Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html _____________________________________________________________________ How to become a member of the IEEE Computer Society's TC on Security and Privacy _____________________________________________________________________ You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at https://www.ieee.org/membership-catalog/productdetail/showProductDetailPage.html?product=CMYSP728 ______________________________________________________________________ TC Publications for Sale ______________________________________________________________________ The proceedings of previous conferences are available from the Computer Society's Digital Library. 
IEEE Security and Privacy Symposium IEEE CS Press
____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________

Chair:
Ulf Lindqvist
SRI International
Menlo Park, CA
ulf.lindqvist@sri.com

Security and Privacy Symposium Chair Emeritus:
Sean Peisert
UC Davis and Lawrence Berkeley National Laboratory
speisert@ucdavis.edu

Chair:
Sean Peisert
UC Davis and Lawrence Berkeley National Laboratory
speisert@ucdavis.edu

Treasurer:
Yong Guan
3219 Coover Hall
Department of Electrical and Computer Engineering
Iowa State University, Ames, IA 50011
(515) 294-8378
yguan (at) iastate.edu

Newsletter Editor and TC Awards Chair:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2016 Chair:
Michael Locasto
SRI International
oakland16-chair@ieee-security.org
____________________________________________________________________________
BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html Cipher is published 6 times per year