_/_/_/_/ _/_/_/ _/_/_/_/ _/ _/ _/_/_/_/ _/_/_/_/
_/ _/ _/ _/ _/ _/ _/ _/ _/
_/ _/ _/_/_/_/ _/_/_/_/ _/_/ _/_/_/_/
_/ _/ _/ _/ _/ _/ _/ _/
_/_/_/_/ _/_/_/ _/ _/ _/ _/_/_/_/ _/ _/
============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 132 May 31, 2016
Hilarie Orman, Editor: cipher-editor @ ieee-security.org
Sven Dietrich, Assoc. Editor: cipher-assoc-editor @ ieee-security.org
Richard Austin, Book Review Editor: cipher-bookrev @ ieee-security.org
Yong Guan, Calendar Editor: cipher-cfp @ ieee-security.org
============================================================================
The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year
Contents:
 * Letter from the Editor
 * Commentary and Opinion and News
    o Richard Austin's review of "Cyber War versus Cyber Realities:
      Cyber Conflict in the International System" by Brandon Valeriano
      and Ryan C. Harris
    o Book reviews, Conference Reports and Commentary and News items
      from past Cipher issues are available at the Cipher website
    o News items
    o Missiles and Floppies
    o Hospital Chain Endures Malware Attack
    o FBI No Stranger to Hacking
    o Microsoft Wants to Tell You About Search Warrants
    o Computer science education has no cybersecurity?
    o $1M USD, and the FBI remains basically clueless (5 items)
    o Malware and the Car
    o When is a config glitch a "breach"? (2 items)
    o Banking network used for theft, blame the banks, not the network
      (2 items)
    o Crypto Wars Drag On (2 items)
    o Nakamoto is an Ozzie?
    o Really Bad Idea: Unpack malware in the kernel
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Conference and Workshop Announcements
    o Upcoming calls-for-papers and events
 * Staying in Touch
    o Information for subscribers and contributors
    o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
    o Becoming a member of the TC
    o TC Officers
    o TC publications for sale
====================================================================
Letter from the Editor
====================================================================
Dear Readers:
The Security and Privacy Symposium and Workshops were held last week,
and as usual, the research and ambiance were great. The Distinguished
Paper was "A2: Analog Malicious Hardware" by Kaiyuan Yang, Matthew
Hicks, Qing Dong, Todd Austin, and Dennis Sylvester from the
University of Michigan, and it was about a clever use of two
capacitors to hide an almost invisible and exploitable flaw in
hardware. Another paper, "Algorithmic Transparency via Quantitative
Input Influence: Theory and Experiments with Learning Systems" by
Anupam Datta, Shayak Sen, and Yair Zick of CMU, introduced a new (to
me) take on privacy of personal data. Even if data is publicly
known or given freely, the uses of it may be improper, and that can be
considered a privacy violation. Thus the goal of "algorithmic
transparency."
The first European Security and Privacy Symposium, held in March, was
a success, by all accounts, and planning for Euro S&P 2017 is
underway. It will be in Paris.
Over the past few years, the Computer Society has been trying to
encourage conference organizers to keep a small surplus from the
events that they run, but it has been difficult to find a balance of
incentives that encourage financial conservatism and still benefit
future conferences and their attendees. The new proposed plan seems
to be a healthy way of sharing money between the Society, the
conferences, and the Technical Committee (which can use the money for
student travel grants, for example). A major barrier to such plans
has been the fact that funds can carry over for only a year or two.
This will be loosened, and the result should be that organizers can
count on more financial flexibility in taking on new projects (like
Euro S&P).
Ulf Lindqvist, our Technical Committee Chair, would like all our
S&P fans and conference attendees to know that joining the Technical
Committee is free, and you can sign up through the Computer Society
website. In the future, in order to vote for new officers of the
TC, people will need to be current members of the Computer Society
(which is not free). The TC recommends joining up and participating
in governance activities.
Richard Austin, our intrepid and fearless book reviewer, takes us to a
discussion of cyber conflict. What is the meaning of "cyberwar"? Is
there a meaningful difference between different levels of conflict,
and how can we think of them in the context of traditional conflict?
The continuing aftermath of the Apple iPhone and the FBI has generated
a lot of news, but so have other notable issues in banking, government
security lapses, and other topics. Our news list is overbrimming.
Keep your bits on a conditional branch and don't overflow the buffer,
Hilarie Orman
cipher-editor @ ieee-security.org
====================================================================
Commentary and Opinion
====================================================================
____________________________________________________________________
Book Review By Richard Austin
05/17/2016
____________________________________________________________________
Cyber War versus Cyber Realities: Cyber Conflict in the International System
by Brandon Valeriano and Ryan C. Harris
Oxford University Press 2015
ISBN 978-0-19-020479-2
Table of Contents:
http://www.oxfordscholarship.com/view/10.1093/acprof:oso/9780190204792.001.0001/acprof-9780190204792
There are troubling questions in the cyber world with disturbing
implications for how we view our jobs, our profession and the vast
industry infrastructure that supports them. If one imagines a
continuum running from cybercrime through cyber terrorism to cyber
war, where are we? Popular media is awash with assurances that we are
in the midst of a cyber war and are just waiting for a "cyber Pearl
Harbor" that will devastate society as we know it. Mikko Hypponen, in
his keynote at the Berlin FIRST Conference in 2015, raised the
disturbing possibility that cyber security professionals were
legitimately targetable as military assets under the Law of Armed
Conflict. It appears that national security agencies are hoarding
undisclosed vulnerabilities in widely used software and systems to
allow them to be used as components in cyber weapons rather than
disclosing them so they can be remediated.
The authors acknowledge the troubling questions but pose very
interesting questions in response: What do we actually know? What
does the research, where it's been done, reveal? Their answers,
though necessarily tentative and, as they note, subject to
invalidation by future events, suggest a more nuanced future that may
not be all that much different from the past.
The book opens with a broad survey of "The Contours of the Cyber
Conflict World" and quickly identifies wide misuse of the term "cyber
war" with potential for wide misunderstanding and overreaction. The
concept of "war" has become muddled with the idea that it reflects a
level of effort (e.g., "war on drugs", "war on illiteracy", etc.)
rather than a situation where substantial violence is done to people
and property in pursuit of a political end. They also identify a
persistent focus on the worst possibilities (failure of the power
grid, failure of the international banking system ...) rather than
most-of-the-time reality. They make the important point that in a
risk-averse world, it is much easier to obtain budget and resources
by concentrating on highly destructive possibilities. The authors do
not deny that calamitous events are possible, but argue that they are
relatively unlikely and therefore an exclusive focus on the worst
possibilities biases planning and broader discussion.
Chapter 2, "Cyber Power, Cyber Weapons and Cyber Operations", is
excellent in its development of meaningful terminology. They tackle
the important question of what can be defined as "cyber war" and what
qualifies as "cyber conflict" which brings much needed clarity to
discussions of "cyber war" and whether we are actually in the midst of
one.
Chapter 3, "Theories of Cyber Conflict", positions cyber conflict
within the international system. As the authors note, this is largely
uncharted territory as much of the current discourse is focused on
calamitous possibilities with little attention to how entities
actually interact when disagreements arise. A telling quote is "When
cyber operations are used, they typically are low-scale events akin
more to propaganda and espionage than warfare. This leads to cyber
restraint, a form of operations derived from deterrence theory but not
dependent on it" (p. 46). This observation is based on analysis of
the cyber operations that have been observed and not on the all too
familiar catalog of apocalyptic possibilities. In reading their
argument, one is reminded of Herman Kahn's escalation ladder (conflict
at a low level runs the possibility of escalating to conflict at a
more severe one) and the famous quote from "War Games" to the effect
that the best way to successfully negotiate the escalation ladder is
to never set foot on it.
Chapters 4 through 7 form a detailed look at what has actually been
observed in cyber conflicts to date. The focus is on what actually
occurred, the real impacts observed and what those suggest about the
real nature of cyber conflict. These chapters are well-researched and
their apt analysis is hard to refute.
Chapter 6, "Cyber Rules", examines the types of norms that should
govern cyber operations. The concept that governs traditional
military conflict is that of "Just War" where conflict only occurs for
defensible reasons as a last resort and is conducted so as to minimize
collateral damage such as non-combatant casualties. These goals are
challenging to achieve in the cyber realm (e.g., Stuxnet, one of the
most "lawyered up" pieces of software, still spread to non-targeted
systems though, as far as we know, it never detonated on any of them).
The authors propose a set of guidelines for "cyber justice and an
international system of cyber norms" (p. 201) which form a good
starting point for discussion.
This is an important book which deals with very difficult questions.
The authors bring a fresh approach in their diligent focus on the
available evidence and how that evidence can be fitted to what we know
about how the international system works. While this brief review
cannot begin to do justice to the book's content (my copy is festooned
with sticky notes and looks like someone spilled a bottle of yellow
ink on the interior), I hope that I have aroused sufficient interest
for you to read it. As the authors note in their conclusion, the
cyber "realm will only be as dangerous as we let it" (p. 228) and
cyber security professionals are deeply involved in that process. I
heartily second the authors' admonishment that we have to stop letting
ourselves be compelled by the hype and follow their well-researched
leadership in asking "But what is it that we actually know?"
It has been said "Be careful, for writing books is endless, and much
study wears you out" so Richard Austin fearlessly samples the latest
offerings of the publishing houses and opines as to which might most
profitably occupy your scarce reading time. He welcomes your thoughts
and comments via raustin at ieee dot org
____________________________________________________________________
Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports
are archived at http://www.ieee-security.org/Cipher/ConfReports.html
====================================================================
News Briefs
====================================================================
News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html
Missiles and Floppies
The real reason America controls its nukes with ancient floppy disks
https://www.washingtonpost.com/news/the-switch/wp/2016/05/26/the-real-reason-america-controls-its-nukes-with-ancient-floppy-disks/
The Washington Post
by Brian Fung
May 26, 2016
Summary:
The US military has had its ups and downs with modern technology, and
it remains wary of wholesale adoption of newfangled things like USB
drives and the Internet. Despite the fact that malware was originally
spread via floppy disks, they are apparently viewed as the most secure
data transfer method for our missile systems. These systems are "not
on the Internet", probably because the most secure way to attach to
the Internet is to cut the cable and disable wifi. But the military
has an even larger problem trying to attract young talent to its
cybersecurity ranks. Industry offers high salaries and glitzy dreams
of wealth, and the military entices only a tiny percentage of new
graduates.
-------------------------------
Hospital Chain Endures Malware Attack
MedStar paralyzed as hackers hit U.S. hospital
http://www.sltrib.com/home/3717279-155/medstar-paralyzed-as-hackers-hit-us
The Salt Lake Tribune
By Jack Gillum, David Dishneau and Tami Abdollah
The Associated Press
Mar 29, 2016
Summary:
Cipher has previously noted that the healthcare industry is a target
for malware attacks, and several hospitals in the MedStar system were
hit in late March. The problems may have been caused by the infamous
ransomware crypto attack. MedStar may have recovered by shutting down
its systems and restoring from backups.
-------------------------------
NIST Tackles Random Bits
NIST invites comments on the second draft of Special Publication (SP)
800-90C, Recommendation for Random Bit Generator (RBG) Constructions
(http://csrc.nist.gov/publications/PubsDrafts.html#800-90C). This
Recommendation specifies constructions for the implementation of
RBGs. An RBG may be a deterministic random bit generator (DRBG) or a
non-deterministic random bit generator (NRBG). The constructed RBGs
consist of DRBG mechanisms, as specified in SP 800-90A
(http://csrc.nist.gov/publications/PubsSPs.html#800-90A), and
entropy sources, as specified in SP 800-90B
(http://csrc.nist.gov/publications/PubsSPs.html#800-90B).
Email comments to: rbg_comments@nist.gov with subject "Comments on
Draft SP 800-90C", preferably using the Comment Template
(http://csrc.nist.gov/publications/drafts/800-90/sp800_90c_second_draft_comment_template.docx).
Comments due by: Monday, June 13, 2016 at 5:00PM EDT.
On May 2-3, 2016, NIST will host a workshop on Random Number
Generation (http://www.nist.gov/itl/csd/ct/rbg_workshop2016.cfm) to
discuss the SP 800-90 series of documents--specifically, SP 800-90B
and SP 800-90C.
-------------------------------
FBI No Stranger to Hacking
F.B.I. Used Hacking Software Decade Before iPhone Fight
http://www.nytimes.com/2016/04/14/technology/fbi-tried-to-defeat-encryption-10-years-ago-files-show.html
The New York Times
By Matt Apuzzo
Apr 14, 2016
Summary:
According to recently revealed documents, the FBI resorted to hacking in 2003
when an investigation was stymied by encryption. The animal rights group
was using PGP for their communication, and even a full wiretap was not
getting the FBI enough information to prosecute. Then the FBI managed to
install surreptitious monitoring software on the suspects' computers. As
a result, they were convicted, and the conviction was upheld in 2009.
The Federal Appeals Court noted that use of encryption could be considered
as evidence of criminal intent.
-------------------------------
Microsoft Wants to Tell You About Search Warrants
Microsoft sues over law banning tech firms from telling customers
about data requests
https://www.washingtonpost.com/world/national-security/microsoft-sues-to-block-law-banning-tech-firms-from-telling-customers-about-search-warrants/2016/04/14/6f8c36e4-01dc-11e6-9d36-33d198ea26c5_story.html
The Washington Post
By Ellen Nakashima
Apr 14, 2016
Summary:
On average, the FBI issues more than 5 warrants per day to Microsoft
for the purpose of obtaining customer data. Most of these are for
unlimited duration and have a gag order attached. Microsoft has filed
suit, claiming that under the Fourth Amendment, customers should
be notified about the data collection. It seems clear that any
presumption of privacy of customer data held by large companies
is ... unwarranted.
-------------------------------
Computer science education has no cybersecurity?
Why computer science programs don't require cybersecurity classes.
http://www.slate.com/articles/technology/future_tense/2016/04/why_computer_science_programs_don_t_require_cybersecurity_classes.html
Slate.com
By Josephine Wolff
Apr 16, 2016
Summary:
Professor Wolff believes that cybersecurity is a quickly changing field.
Although it deserves study, requiring it of all computer science
majors should not be done until the community agrees on what the
essentials really are. Absent metrics and evaluations of effectivity,
such a requirement might result in detracting from the ability to
teach students the core concepts of computer science.
-------------------------------
$1M USD, and the FBI remains basically clueless (5 items)
Last March the FBI demanded Apple's help in breaking into iPhones.
Apple resisted, and since then, the FBI has gained access to at least
two phones without the company's help, something it had claimed it did
not know how to do, despite having a state-of-the-art cybercrime lab.
The FBI claims that it still does not know how to get the data because
in at least one case, it paid an outside firm for the data but did not
get any insight into how the encryption protections were breached.
-----
Once again, the government finds a way to crack an iPhone without Apple's help
https://www.washingtonpost.com/business/justice-department-drops-another-demand-for-apples-help-with-passcode/2016/04/23/4fedbfd8-090c-11e6-bdcb-0133da18418d_story.html
The Washington Post
Ellen Nakashima
Apr 25, 2016
Summary:
Saying that someone had come forward with the passcode for unlocking an
iPhone that was part of a criminal investigation, the FBI dropped one
of its demands that Apple provide assistance by developing a bypassable
operating system. The fact that two iPhones have been accessed without
Apple's help seemed to undermine the FBI's claims that no alternative
technology existed. This might affect the standard of evidence that the
government must supply in future, similar, cases.
-----
U.S. Presses Bid to Force Apple to Unlock iPhone in New York
http://www.nytimes.com/2016/04/09/technology/us-presses-bid-to-force-apple-to-unlock-iphone-in-new-york.html
The New York Times
By Eric Lichtblau and Katie Benner
Apr 8, 2016
Summary:
Law enforcement demanded Apple's help in unlocking two iPhones. They
claimed that because of differences in Apple's operating systems, the
technique used on the San Bernardino terrorist's phone would not work
on phones at the center of investigations in Boston and Brooklyn.
-----
FBI cracks iPhone of San Bernardino terrorist without Apple's help
http://money.cnn.com/2016/03/28/news/companies/fbi-apple-iphone-case-cracked/index.html
CNN Money
By Laurie Segall, Jose Pagliery and Jackie Wattles
Mar. 28, 2016
Summary:
The FBI, after going to court to get access to iPhone data relevant to the
San Bernardino attacks, abruptly postponed the case when it used newly
found technology to exploit a flaw. This caused a debate to erupt about
disclosing the flaw so that Apple could patch its operating system and
protect its users world-wide from malicious hackers.
-----
FBI paid professional hackers one-time fee to crack San Bernardino iPhone
https://www.washingtonpost.com/world/national-security/fbi-paid-professional-hackers-one-time-fee-to-crack-san-bernardino-iphone/2016/04/12/5397814a-00de-11e6-9d36-33d198ea26c5_story.html
The Washington Post
By Ellen Nakashima
Apr 12, 2016
Summary:
A "gray hat" firm, knowing of a flaw in Apple's operating system used on
the iPhone of a terrorist, used that knowledge and some custom hardware
to unlock that phone's data. The FBI director indicated that the bureau
had paid more than one million dollars for the data.
-----
FBI won't reveal method for cracking San Bernardino iPhone
https://www.washingtonpost.com/world/national-security/fbi-wont-reveal-method-for-cracking-san-bernardino-iphone/2016/04/26/d6d66126-0bc3-11e6-bfa1-4efa856caf2a_story.html
The Washington Post
By Ellen Nakashima
Apr 26, 2016
Summary:
The FBI deflected a debate about disclosing the flaw that was used to access
data on the San Bernardino terrorist's iPhone. Claiming that they had
"limited understanding" of the means used to bypass Apple's cryptographic
protections, the bureau implied that its $1M expenditure was for the data
only, not the technique. Thus, it can offer no information to help Apple
fix bugs in its operating system.
-------------------------------
Malware and the car
Next cyberattack front could be your car
https://www.washingtonpost.com/news/powerpost/wp/2016/05/18/next-cyberattack-front-could-be-your-car/
The Washington Post
By Joe Davidson, Columnist
May 18, 2016
Summary:
The Government Accountability Office (GAO) has taken a look at the security of
the smart devices that are beginning to connect cars to the Internet, and
they are concerned. Their report, Vehicle Cybersecurity
(http://www.gao.gov/assets/680/676064.pdf), paints a gloomy picture of the
threats looming against a landscape of unstoppable automation.
(cf. book review in March Cipher,
http://ieee-security.org/Cipher/BookReviews/2016/CSmith_by_austin.html)
-------------------------------
When is a config glitch a "breach"? (2 items)
GSA says cyber 'mistake' was 'no breach'; others investigate
https://www.washingtonpost.com/news/powerpost/wp/2016/05/16/gsa-says-cyber-mistake-was-no-breach-others-investigate/
The Washington Post
By Joe Davidson, Columnist
May 16, 2016
Summary:
Apparently the Government Services Administration (GSA) uses Google for
online chatting, and apparently they had their access permissions set
just a little too wide. Although 100 "Google drives" were publicly
accessible, the GSA believes that no information was shared inappropriately.
As far as they know. Both GSA's Inspector General and Congress would like
to know more.
-----
Congress hits FDIC cyber breach that 'boggles the mind'
https://www.washingtonpost.com/news/powerpost/wp/2016/05/13/congress-hits-official-called-naive-or-incompetent-over-fdic-cyberbreaches/
FDIC reports five 'major incidents' of cybersecurity breaches since fall
https://www.washingtonpost.com/news/powerpost/wp/2016/05/09/fdic-reports-five-major-incidents-of-cybersecurity-breaches-since-fall/
The Washington Post
By Joe Davidson, Columnist
May 16, 2016
Summary:
Somehow, several employees leaving the FDIC downloaded the personal data of
thousands of customers when they thought they were taking only their own
data. The employees have said that they did not further disclose the
information. Congress, when notified, was disturbed. The FDIC says it
is taking several measures to improve cybersecurity, including restricting
the use of USB drives through operating system modifications.
-------------------------------
Banking network used for theft, but blame the banks, not the network (2 items)
Hackers' $81 Million Sneak Attack on World Banking
http://www.nytimes.com/2016/05/01/business/dealbook/hackers-81-million-sneak-attack-on-world-banking.html
The New York Times
By Michael Corkery
Apr 30, 2016
Summary:
Using a thoroughly penetrated banking computer system in Bangladesh, hackers
made off with $81M dollars by transferring money using the SWIFT banking
network. This was only a fraction of what the thieves were attempting
to steal.
-----
Once Again, Thieves Enter Swift Financial Network and Steal
http://www.nytimes.com/2016/05/13/business/dealbook/swift-global-bank-network-attack.html
The New York Times
By Michael Corkery
May 13, 2016
Summary:
An unnamed commercial bank was the victim of a theft that was similar to the
Bangladesh bank exploit. Experts suspect that thieves are using insider
information to get credentials that allow them to submit fraudulent
transfer instructions over the SWIFT banking network.
-------------------------------
Crypto Wars Drag On (2 items)
Senate bill draft would prohibit unbreakable encryption
http://www.sltrib.com/home/3756215-155/senate-bill-draft-would-prohibit-unbreakable
The Salt Lake Tribune
By Tami Abdollah
The Associated Press
Apr 8, 2016
Summary:
The Senate Intelligence Committee drafted a bill aimed at ensuring that
law enforcement would always have access to encrypted data. The onus
of the requirement would fall on technology companies. The opposition
claimed that this would mandate "back doors" that would put all customers
at risk.
------
Police and Tech Giants Wrangle Over Encryption on Capitol Hill
http://www.nytimes.com/2016/05/09/technology/police-and-tech-giants-wrangle-over-encryption-on-capitol-hill.html
The New York Times
By Cecilia Kang
May 9, 2016
Summary:
A visit by the Manhattan district attorney, Cyrus Vance, was one of
several events highlighting the divide between law enforcement and
tech companies over encryption technology. The lobbying efforts of
both sides were initiated by the FBI's demands that Apple produce
methods for accessing iPhone data. Apple contends that this would
be bad for the security of the phones that are becoming the core of
digital identities.
-------------------------------
Nakamoto is an Ozzie?
Australian Entrepreneur Says He Created Bitcoin, but Doubts Persist
http://www.nytimes.com/2016/05/03/business/dealbook/bitcoin-craig-wright-satoshi-nakamoto.html
The New York Times
By Paul Mozur and Nathaniel Popper
May 2, 2016
Summary:
Saying that he didn't care if anyone believed him or not, Craig Steven
Wright, an Australian entrepreneur, claimed the title of Bitcoin
inventor. The tech world did not rush in to coronate him, though.
While Bitcoin struggles to find a pathway for future growth, finding
the person who originated the concept may help to clarify the vision
and consolidate the community. Wright's demonstration of possessing
a private key that proves that he is the Bitcoin inventor did not
seem to satisfy skeptics.
-------------------------------
Really Bad Idea: Unpack malware in the kernel
Symantec antivirus bug allows utter exploitation of memory
http://www.theregister.co.uk/2016/05/17/tavis_ormandy_zeroes_in_on_antivirus_remotecrash_bug/
The Register
by Richard Chirgwin
May 19, 2016
Summary:
When a respected anti-virus software company produces a vector for
spreading malware across almost all major platforms, it's news. The
Symantec Core Antivirus Engine is called when scanning material for
malware, and it runs in OS kernels and scans, among other things,
email. A bug in the unpacking routine
(https://bugs.chromium.org/p/project-zero/issues/detail?id=820) of an
early version of the software caused a buffer overflow. A buffer
overflow in the kernel of Linux, MacOS, or Windows is Really Bad News
(a nightmare scenario for Symantec).
-------------------------------
====================================================================
Listing of academic positions available
by Cynthia Irvine
====================================================================
http://cisr.nps.edu/jobscipher.html
--------------
This job listing is maintained as a service to the academic
community. If you have an academic position in computer security and
would like to have it included on this page, send the following
information:
Institution,
City, State,
Position title,
date position announcement closes, and
URL of position description
to: irvine@cs.nps.navy.mil
------
(nothing new since Nov 2015)
--------------
Received directly by Cipher:
PhD candidates sought for research in the field of formal modeling and
analysis of security. The position is within the project entitled
"Attack-Defense Trees for Computer Security: Formal Modeling of
Preventive and Reactive Countermeasures".
For further inquiries please contact Dr. Barbara Kordy (barbara.kordy@irisa.fr)
For more information about this vacancy please check
http://people.irisa.fr/Barbara.Kordy/vacancies/PhD_16.pdf
====================================================================
Conference and Workshop Announcements and Calls-for-Papers
====================================================================
The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html
The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html
Cipher calendar entries are announced on Twitter; follow ciphernews
____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________
Calendar of Security and Privacy Related Events
maintained by Hilarie Orman
Date (Month/Day/Year), Event, Locations, web page for more info.
5/30/16: IEEE Transactions on Computers,
Special Section on Secure Computer Architectures;
http://www.computer.org/cms/Computer.org/transactions/cfps/cfp_tcsi_sca.pdf;
Submissions are due
5/30/16: SSR, 3rd International conference on Security Standardization Research
Gaithersburg, MD, USA;
http://csrc.nist.gov/groups/ST/ssr2016/;
Submissions are due
5/30/16: WTMC, International Workshop on Traffic Measurements for
Cybersecurity,
Co-located with 11th ACM Asia Conference on Computer and
Communications Security (AsiaCCS 2016),
Xi'an, China; http://wtmc.info
5/30/16: IoTPTS, 2nd ACM International Workshop on IoT Privacy, Trust,
and Security,
Co-located with 11th ACM Asia Conference on Computer and
Communications Security (AsiaCCS 2016), Xi'an, China;
https://sites.google.com/site/iotpts2016/
5/30/16- 6/ 1/16: IFIP SEC, 31st IFIP TC-11 SEC 2016 International Information
Security and Privacy Conference,
Ghent, Belgium; http://ifipsec.org/2016/
5/31/16: Mycrypt, 2nd International Conference on Cryptology & Malicious
Security, Kuala Lumpur, Malaysia;
https://foe.mmu.edu.my/mycrypt2016;
Submissions are due
5/31/16- 6/ 3/16: ASIACCS, 11th ACM Asia Conference on Computer and
Communications Security,
Xi'an, China;
http://meeting.xidian.edu.cn/conference/AsiaCCS2016/home.html
5/31/16: CPSS, 2nd ACM Cyber-Physical System Security Workshop,
Held in conjunction with ACM AsiaCCS 2016 Conference,
Xi'an, China; http://icsd.i2r.a-star.edu.sg/cpss16/
6/ 1/16- 6/ 3/16: MSPN, International Conference on Mobile, Secure and
Programmable Networking,
Paris, France; http://cedric.cnam.fr/workshops/mspn2016/
6/ 4/16: PROOFS, 5th International Workshop on Security Proofs for
Embedded Systems,
Santa Barbara, California, USA; http://www.proofs-workshop.org/;
Submissions are due
6/ 4/16: FNSS, 2nd International Conference on Future Networks Systems
and Security,
Paris, France; http://fnss.org;
Submissions are due
6/ 9/16: TELERISE, 2nd International Workshop on TEchnical and LEgal aspects
of data pRIvacy and SEcurity, Co-located with ICWE 2016,
Universita` della Svizzera Italiana (USI) Lugano, Switzerland;
http://www.iit.cnr.it/telerise2016/
6/10/16: SADFE, 11th International Conference on Systematic Approaches to
Digital Forensics Engineering,
Kyoto, Japan; http://sadfe.org;
Submissions are due
6/10/16- 6/14/16: STPSA, 11th IEEE International Workshop on Security, Trust,
and Privacy for Software Applications,
Held in conjunction with COMPSAC 2016,
Atlanta, GA, USA;
http://staging.computer.org/web/compsac2016/stpsa
6/15/16: SecureComm, 12th EAI International Conference on Security
and Privacy in Communication Networks,
Guangzhou, China; http://securecomm.org;
Submissions are due
6/15/16: IWDW, 15th International Workshop on Digital-forensics and
Watermarking,
Beijing, China; http://www.iwdw.net/;
Submissions are due
6/15/16: BigTrust, 1st International Workshop on Trust, Security
and Privacy for Big Data,
Granada, Spain; http://csee.hnu.edu.cn/hbs/;
Submissions are due
6/16/16- 6/18/16: I-SAT, International Workshop on Information Security,
Assurance, and Trust,
Vancouver, BC, Canada; http://i-sat.ca
6/19/16- 6/22/16: ACNS, 14th International Conference on Applied Cryptography
and Network Security,
London, United Kingdom; http://acns2016.sccs.surrey.ac.uk/
6/27/16: GraMSec, 3rd International Workshop on Graphical Models for Security,
Co-located with CSF 2016,
Lisbon, Portugal; http://gramsec.uni.lu/
6/28/16- 7/ 1/16: CSF, 29th IEEE Computer Security Foundations Symposium,
Lisbon, Portugal; http://csf2016.tecnico.ulisboa.pt/
6/30/16: SPACE, 6th International Conference on Security, Privacy
and Applied Cryptography Engineering,
Hyderabad, India; http://www.math.umn.edu/~math-sa-sara0050/space16/;
Submissions are due
7/ 1/16: NordSec, 21st Nordic Conference on Secure IT Systems,
Oulu, Finland; http://nordsec.oulu.fi;
Submissions are due
7/ 6/16- 7/ 8/16: PMSPCR, Workshop on Process Mining for Security, Privacy,
Compliance & Resilience,
Held in conjunction with the 19th International Conference on
Business Information Systems (BIS 2016),
Leipzig, Germany;
http://bis.kie.ue.poznan.pl/bis2016/workshops/pmspcr-2016/
7/ 7/16- 7/ 8/16: DIMVA, 13th International Conference on Detection of
Intrusions and Malware & Vulnerability Assessment,
San Sebastian, Spain;
http://dimva2016.mondragon.edu
7/18/16: EuroUSEC, 1st European Workshop on Usable Security,
Affiliated with PETS 2016,
Darmstadt, Germany; https://eurousec.secuso.org/2016/
7/18/16- 7/20/16: WiSec, 9th ACM Conference on Security and Privacy in Wireless
and Mobile Networks,
Darmstadt, Germany; http://www.sigsac.org/wisec/WiSec2016/
7/18/16- 7/21/16: DBSec, 30th Annual IFIP WG 11.3 Working Conference on Data
and Applications Security and Privacy,
Trento, Italy; http://dbsec2016.fbk.eu
7/18/16- 7/22/16: SHPCS, 11th International Workshop on Security and High
Performance Computing Systems,
Held in conjunction with the 2016 International Conference on
High Performance Computing & Simulation (HPCS 2016),
Innsbruck, Austria;
http://hpcs2016.cisedu.info/2-conference/workshops---hpcs2016/workshop09-shpcs
7/19/16- 7/21/16: HAISA, International Symposium on Human Aspects of
Information Security & Assurance,
Frankfurt, Germany; http://haisa.org/
7/19/16- 7/22/16: PETS, 16th Privacy Enhancing Technologies Symposium,
Darmstadt, Germany; http://petsymposium.org/
7/20/16- 7/22/16: SIN, 9th International Conference on Security of
Information and Networks,
Rutgers University, New Jersey, NJ, USA; http://www.sinconf.org
7/22/16: WISCS, 3rd ACM Workshop on Information Sharing and
Collaborative Security,
Held in conjunction with 23rd ACM Conference on Computer and
Communications Security (CCS 2016),
Hofburg Palace, Vienna, Austria;
https://sites.google.com/site/wiscs2016/;
Submissions are due
7/23/16- 7/26/16: TrustCom, 15th IEEE International Conference on Trust,
Security and Privacy in Computing and Communications,
Tianjin, China; http://adnet.tju.edu.cn/TrustCom2016/
7/26/16- 7/28/16: SECRYPT, 13th International Conference on Security and
Cryptography,
Lisbon, Portugal; http://www.secrypt.icete.org
7/27/16: TrustED, 6th International Workshop on Trustworthy Embedded Devices,
Held in conjunction with 23rd ACM Conference on Computer and
Communications Security (CCS 2016), Hofburg Palace, Vienna, Austria;
http://www.trusted-workshop.de; Submissions are due
7/29/16: ICISS, 12th International Conference on Information Systems Security,
Jaipur, India; http://www.iciss.org.in;
Submissions are due
8/ 1/16- 8/ 4/16: NSAA, Workshop on Network Security Analytics and Automation,
Held in conjunction with the 25th International Conference on Computer
Communication and Networks (ICCCN 2016),
Waikoloa, Hawaii, USA; http://icccn.org/icccn16/
8/20/16: PROOFS, 5th International Workshop on Security Proofs for
Embedded Systems,
Santa Barbara, California, USA; http://www.proofs-workshop.org/
8/22/16: GenoPri, 3rd International Workshop on Genome Privacy and Security,
Held in conjunction with the AMIA 2016 Annual Symposium,
Chicago, IL, USA; http://www.genopri.org/;
Submissions are due
8/29/16- 8/30/16: TRUST, 9th International Conference on Trust & Trustworthy
Computing,
Vienna, Austria; http://trust2016.sba-esearch.org/
8/29/16- 9/ 2/16: IWCC, 5th International Workshop on Cyber Crime,
Co-located with the 11th International Conference on Availability,
Reliability and Security (ARES 2016),
Salzburg, Austria; http://stegano.net/IWCC2016/
9/ 7/16- 9/ 9/16: ISC, 19th Information Security Conference,
Honolulu, Hawaii, USA; http://manoa.hawaii.edu/isc2016
9/12/16- 9/14/16: IWSEC, 11th International Workshop on Security,
Tokyo, Japan; http://www.iwsec.org/2016/
9/17/16- 9/19/16: IWDW, 15th International Workshop on Digital-forensics and
Watermarking,
Beijing, China; http://www.iwdw.net/
9/19/16- 9/21/16: RAID, 19th International Symposium on Research in Attacks,
Intrusions and Defenses,
Paris, France; http://www.raid2016.org/
9/20/16- 9/22/16: SADFE, 11th International Conference on
Systematic Approaches to Digital Forensics Engineering,
Kyoto, Japan; http://sadfe.org
9/26/16- 9/27/16: WISTP, 10th WISTP International Conference on Information
Security Theory and Practice,
Heraklion, Crete, Greece; http://www.wistp.org/
9/26/16- 9/30/16: ESORICS, 21st European Symposium on Research in Computer
Security,
Heraklion, Crete; http://www.ics.forth.gr/esorics2016/
10/ 1/16: INTRICATE-SEC, 5th International Workshop on Security Intricacies
in Cyber-Physical Systems and Services,
Taipei, Taiwan; https://goo.gl/562zhD;
Submissions are due
10/10/16-10/12/16: SecureComm, 12th EAI International Conference on Security
and Privacy in Communication Networks,
Guangzhou, China; http://securecomm.org
10/17/16-10/19/16: CNS, 4th IEEE Conference on Communications and
Network Security,
Philadelphia, PA, USA; http://cns2016.ieee-cns.org/
10/24/16-10/28/16: ACM CCS, 23rd ACM Conference on Computer and
Communications Security,
Vienna, Austria; http://www.sigsac.org/ccs/CCS2016/call-for-papers/
10/24/16: WISCS, 3rd ACM Workshop on Information Sharing and
Collaborative Security,
Held in conjunction with 23rd ACM Conference on Computer and
Communications Security (CCS 2016),
Hofburg Palace, Vienna, Austria; http://www.trusted-workshop.de
10/28/16: TrustED, 6th International Workshop on Trustworthy Embedded Devices,
Held in conjunction with 23rd ACM Conference on Computer and
Communications Security (CCS 2016), Hofburg Palace,
Vienna, Austria; http://www.trusted-workshop.de
11/ 2/16-11/ 4/16: NordSec, 21st Nordic Conference on Secure IT Systems,
Oulu, Finland; http://nordsec.oulu.fi
11/12/16: GenoPri, 3rd International Workshop on Genome Privacy and Security,
Held in conjunction with the AMIA 2016 Annual Symposium,
Chicago, IL, USA; http://www.genopri.org/
11/23/16-11/25/16: FNSS, 2nd International Conference on Future Networks Systems
and Security,
Paris, France; http://fnss.org
12/ 1/16-12/ 2/16: Mycrypt, 2nd International Conference on Cryptology &
Malicious Security,
Kuala Lumpur, Malaysia; https://foe.mmu.edu.my/mycrypt2016
12/ 5/16-12/ 6/16: SSR, 3rd International Conference on Security
Standardization Research,
Gaithersburg, MD, USA; http://csrc.nist.gov/groups/ST/ssr2016/
12/14/16-12/16/16: BigTrust, 1st International Workshop on Trust, Security
and Privacy for Big Data,
Granada, Spain; http://csee.hnu.edu.cn/hbs/
12/16/16-12/18/16: SPACE, 6th International Conference on Security, Privacy
and Applied Cryptography Engineering,
Hyderabad, India; http://www.math.umn.edu/~math-sa-sara0050/space16/
12/16/16-12/20/16: ICISS, 12th International Conference on Information Systems
Security,
Jaipur, India; http://www.iciss.org.in
3/27/17- 3/29/17: INTRICATE-SEC, 5th International Workshop on
Security Intricacies in Cyber-Physical Systems and Services,
Taipei, Taiwan; https://goo.gl/562zhD
____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers
(new since Cipher E131)
___________________________________________________________________
IEEE Transactions on Computers, Special Section on Secure Computer Architectures
(Submission Due 30 May 2016)
http://www.computer.org/cms/Computer.org/transactions/cfps/cfp_tcsi_sca.pdf
Editors: Ruby Lee (Princeton University, USA),
Patrick Schaumont (Virginia Tech, USA),
Ron Perez (Cryptography Research Inc., USA),
and Guido Bertoni (ST Microelectronics, USA).
Nowadays, computer architectures are profoundly affected by a new security
landscape, caused by the dramatic evolution of information technology over
the past decade. First, secure computer architectures have to support a wide
range of security applications that extend well beyond the desktop
environment, and that also include handheld, mobile and embedded architectures,
as well as high-end computing servers. Second, secure computer architectures
have to support new applications of information security and privacy, as
well as new information security standards. Third, secure computer
architectures have to be protected and be tamper-resistant at multiple
abstraction levels, covering network, software, and hardware. This Special
Section from Transactions on Computers aims to capture this evolving
landscape of secure computing architectures, to build a vision of opportunities
and unresolved challenges. It is expected that contributed submissions will
place emphasis on secure computing in general and on engineering and
architecture design aspects of security in particular. IEEE Transactions
on Computers seeks original manuscripts for a Special Section on Secure
Computer Architectures tentatively scheduled to appear in the July 2017
issue. The topics of interest for this special section include:
- Cryptographic Primitives
- Homomorphic Computing and Multiparty Computing
- Scalability Issues of Server-level Secure Computing
- High Performance/Low Power Cryptography
- Oblivious RAM
- Side-Channel Analysis
- Side-channel attacks and defenses
- Hardware Trojans and Backdoors
- Hardware Vulnerabilities - Counters, Caches, Shared Memory
- Computing Architectures for Isolation
- Smartphone Security
- Embedded Systems Security
- Secure Processors and Systems
- Hardware Security
- Secure Virtualization and Memory Safety
- Security Simulation, Testing, Validation and Verification
- Metrics for Tamper Resistance
- Security Metrics
- Standards in Secure Computing
- Instruction-Sets for Security and Cryptography
- Dedicated and Protected Storage
- Secure Computer Interfaces
-------------------------------------------------------------------------
SSR 2016 3rd International Conference on Security Standardization Research,
Gaithersburg, MD, USA, December 5-6, 2016.
(Submission Due 30 May 2016)
http://csrc.nist.gov/groups/ST/ssr2016/
Over the last two decades a huge range of standards have been
developed covering many different aspects of cyber security. These
documents have been published by national and international formal
standardization bodies, as well as by industry consortia. Many of
these standards have become very widely used - to take just one
example, the ISO/IEC 27000 series have become a commonly used basis
for managing corporate information security. Despite their wide use,
there will always be a need to revise existing security standards and
to add new standards to cover new domains. The purpose of this
conference is to discuss the many research problems deriving from
studies of existing standards, the development of revisions to
existing standards, and the exploration of completely new areas of
standardization. Indeed, many security standards bodies are only
beginning to address the issue of transparency, so that the process of
selecting security techniques for standardization can be seen to be as
scientific and unbiased as possible. This conference is intended to
cover the full spectrum of research on security standardization,
including, but not restricted to, work on cryptographic techniques
(including ANSI, IEEE, IETF, ISO/IEC JTC 1/SC 27, ITU-T and NIST),
security management, security evaluation criteria, network security,
privacy and identity management, smart cards and RFID tags,
biometrics, security modules, and industry-specific security standards
(e.g. those produced by the payments, telecommunications and computing
industries for such things as payment protocols, mobile telephony and
trusted computing). Papers offering research contributions to the area
of security standardization are solicited for submission to the SSR
2016 conference. Papers may present theory, applications or practical
experience in the field of security standardization, including, but
not necessarily limited to:
- access control
- biometrics
- cloud computing
- critical national infrastructure (CNI) protection
- consistency and comparison of multiple standards
- critiques of standards
- cryptanalysis
- cryptographic protocols
- cryptographic techniques
- evaluation criteria
- formal analysis of standards
- history of standardization
- identity management
- industrial control systems security
- internet security
- interoperability of standards
- intrusion detection
- key management and PKIs
- management of the standardization process
- mobile security
- network security
- open standards and open source
- payment system security
- privacy
- regional and international standards
- RFID tag security
- risk analysis
- security controls
- security management
- security protocols
- security services
- security tokens
- smart cards
- telecommunications security
- trusted computing
- web security
-------------------------------------------------------------------------
Mycrypt 2016 2nd International Conference on Cryptology & Malicious
Security, Kuala Lumpur, Malaysia, December 1-2, 2016.
(Submission Due 31 May 2016)
https://foe.mmu.edu.my/mycrypt2016
Original papers of substantial technical contribution in the areas
of cryptology and malicious security are solicited for submission to
the International Conference on Cryptology & Malicious Security.
Submissions to Mycrypt 2016 should be aimed towards the following
topic categories:
- paradigm-shifting, unconventional cryptology (e.g. malicious crypto,
unconventional formulations of underlying problems, or new hard problems)
- position papers on breakthrough cryptologic/security research
- revisits/critiques/analysis of long-standing crypto paradigms/approaches
/models/formulations (in fact, we also encourage paired submissions by
crypto factions of opposing views, where each paper in the pair argues
for/against a paradigm)
- approaches/solutions to long-standing open problems; or formulations
of long-standing/thus-far adhoc security approaches
- analysis of crypto/security standardization processes & how they may
be subverted
- cryptofications of the real world (e.g. new types of adversarial models
and/or notions inspired by real world incidences/problems, modelling
humans-in-the-security-loop)
- crypto & beyond: cryptologic techniques in union with techniques from
other disciplines
-------------------------------------------------------------------------
PROOFS 2016 5th International Workshop on Security Proofs for Embedded Systems,
Santa Barbara, California, USA, August 20, 2016.
(Submission Due 4 June 2016)
http://www.proofs-workshop.org/
This workshop, the fifth in an annual series, brings together leading
researchers and practitioners from academia, government, and industry
to discuss the application of formal methods to the field of embedded
systems security. PROOFS seeks contributions about methodologies that
increase the confidence level in the security of embedded systems,
especially those which contain cryptographic algorithms. Exploratory
works and use-cases are especially welcomed.
-------------------------------------------------------------------------
FNSS 2016 2nd International Conference on Future Networks Systems
and Security, Paris, France, November 23 - 25, 2016.
(Submission Due 4 June 2016)
http://fnss.org
The network of the future is envisioned as an effective, intelligent, adaptive,
active and high performance Internet that can enable applications ranging
from smart cities to tsunami monitoring. The network of the future will be
a network of billions or trillions of entities (devices, machines, things,
vehicles) communicating seamlessly with one another and is rapidly gaining
global attention from academia, industry, and government. The International
Conference on Future Networks Systems and Security aims to provide a forum
that brings together researchers from academia, practitioners from industry,
standardization bodies, and government to meet and exchange ideas on recent
research and future directions for the evolution of the future Internet.
The technical discussion will be focused on the technology, communications,
systems and security aspects of relevance to the network of the future.
-------------------------------------------------------------------------
SADFE 2016 11th International Conference on Systematic Approaches to
Digital Forensics Engineering, Kyoto, Japan, September 20-22, 2016.
(Submission Due 10 June 2016)
http://sadfe.org
SADFE-2016 is concerned with the generation, analysis and sustainability of
digital evidence and evolving tools and techniques that are used in this
effort. Advancement in this field requires innovative methods, systems,
and practices, which are grounded in solid research coupled with an
understanding of user needs. Digital forensics at SADFE focuses on the
issues introduced by the coupling of rapidly advancing technologies and
increased globalization. We believe digital forensic engineering is vital
to security, the administration of justice and the evolution of culture.
Potential topics include, but are not limited to:
Digital Data and Evidence Collection:
- Identification, authentication and collection of digital evidence
- Extraction and management of forensic artifacts
- Identification and redaction of personally identifying/sensitive information
- Evidence and digital memory preservation, curation and storage
- Compliance of architectures and processes (including network processes) with forensic requirements
- Data, digital knowledge, and web mining systems for identification and
authentication of data
- Honeynets and other deception technologies that collect data for forensic
analysis
- Innovative forensic techniques for new technologies
Digital Evidence Management, Integrity and Analytics:
- Advanced search, analysis, and presentation of digital evidence
- Cybercrime analysis, modeling and reconstruction technologies
- Tools and techniques for combining digital and non-digital evidence
- Supporting both qualitative and quantitative evidence
- Handling of evidence and the preservation of data integrity and admissibility
- Digital evidence in the face of encryption
- Forensic-support technologies: forensic-enabled and proactive
monitoring/response
Scientific Principle-Based Digital Forensic Processes
- Examination environments for digital data
- Legal/technical aspects of admissibility and evidence tests
- Forensic tool validation: legal implications and issues
- Handling increasing volumes of digital discovery
- Computational Forensics and Validation Issues in Forensic Authentication and
Validation.
- Forensic Readiness by Design
- Forensics tool validation
- Computational systems and computational forensic analysis
Legal, Ethical and Technical Challenges
- Forensics, policy and ethical implications of new and evolving technologies
- Legal and privacy implications for digital and computational forensic analysis
- New Evidence Decisions
- Legal case construction and digital evidence support
- Transnational Investigations/Case Integration
- Managing geographically, politically and/or jurisdictionally
dispersed data artifacts
- Case studies illustrating privacy, legal and legislative issues
- Courtroom expert witness and case presentation
The Impacts of the following on any of the above
- Technological challenges
- Legal and ethical challenges
- Economic challenges
- Political challenges
- Cultural and professional challenges
- New Trends (Internet of Things, Cloud Computing, Smart City, Big Data, etc.)
-------------------------------------------------------------------------
SecureComm 2016 12th EAI International Conference on Security and Privacy
in Communication Networks, Guangzhou, China, October 10-12, 2016.
(Submission Due 15 June 2016)
http://securecomm.org
SecureComm seeks high-quality research contributions in the form of
well-developed papers. Topics of interest encompass research advances
in ALL areas of secure communications and networking. Topics in other
areas (e.g., formal methods, database security, secure software,
theoretical cryptography) will be considered only if a clear connection
to private or secure communication/networking is demonstrated. Topics
of interest include, but are not limited to the following:
- Security & Privacy in Wired, Wireless, Mobile, Hybrid, Sensor, Ad Hoc
networks
- Network Intrusion Detection and Prevention, Firewalls, Packet Filters
- Malware Analysis and Detection including Botnets, Trojans and APTs
- Web and Systems Security
- Distributed Denial of Service Attacks and Defenses
- Communication Privacy and Anonymity
- Circumvention and Anti-Censorship Technologies
- Network and Internet Forensics Techniques
- Authentication Systems: Public Key Infrastructures, Key Management,
Credential Management
- Secure Routing, Naming/Addressing, Network Management
- Security & Privacy in Pervasive and Ubiquitous Computing, e.g., RFIDs
- Security & Privacy in Peer-to-Peer and Overlay Networks
- Security & Privacy for Emerging Technologies: VoIP, Internet-of-Things,
Social Networks
- Security & Isolation in Cloud, Data Center and Software-Defined Networks
-------------------------------------------------------------------------
IWDW 2016 15th International Workshop on Digital-forensics and Watermarking,
Beijing, China, September 17-19, 2016.
(Submission Due 15 June 2016)
http://www.iwdw.net/
The 15th International Workshop on Digital-forensics and Watermarking
(IWDW 2016) is a premier forum for researchers and practitioners working
on novel research, development and applications of digital watermarking and
forensics techniques for multimedia security. We invite submissions of
high-quality original research papers. Areas of interest include, but
are not limited to:
- Mathematical modeling of embedding and detection
- Information theoretic, stochastic aspects of data hiding
- Security issues, including attacks and counter-attacks
- Combination of data hiding and cryptography
- Optimum watermark detection and reliable recovery
- Estimation of watermark capacity
- Channel coding techniques for watermarking
- Large-scale experimental tests and benchmarking
- New statistical and perceptual models of multimedia content
- Reversible data hiding
- Data hiding in special media
- Data hiding and authentication
- Steganography and steganalysis
- Digital multimedia forensics & anti-forensics
- Copyright protection, DRM, forensic watermarking
- Visual cryptography & secret image sharing
- Security based on human vision system
-------------------------------------------------------------------------
BigTrust 2016 1st International Workshop on Trust, Security and Privacy
for Big Data, Granada, Spain, December 14-16, 2016.
(Submission Due 15 June 2016)
http://csee.hnu.edu.cn/hbs/
Big Data has the potential for enabling new insights to change science,
engineering, medicine, healthcare, finance, business, and ultimately society
itself. Current work on Big Data focuses on information processing such as
data mining and analysis. However, trust, security and privacy of Big Data
are vital concerns that have received less research focus. Regarding the
above context, this workshop proposal is aimed at bringing together people
from both academia and industry to present their most recent work related
to trust, security and privacy issues in Big Data, and exchange ideas and
thoughts in order to identify emerging research topics and define the future
of Big Data. BigTrust 2016 is a part of ICA3PP 2016 16th International
Conference on Algorithms and Architectures for Parallel Processing. The
scope and interests for the special issue include but are not limited to
the following list:
- Big Data Science, Foundations, and applications
- Trust in Big Data
- Security & Privacy in Big Data
-------------------------------------------------------------------------
SPACE 2016 6th International Conference on Security, Privacy and Applied
Cryptography Engineering, Hyderabad, India, December 16-18, 2016.
(Submission Due 30 June 2016)
http://www.math.umn.edu/~math-sa-sara0050/space16/
SPACE 2016 is the sixth in this series of conferences which started in 2011.
This annual event is devoted to various aspects of security, privacy, applied
cryptography, and cryptographic engineering. SPACE 2016 is being organized
by C.R.Rao Advanced Institute of Mathematics, Statistics and Computer
Science, Hyderabad-India (AIMSCS). The conference will include invited
tutorials and keynote talks from world-renowned experts. The conference
will be accompanied by two days of tutorials aiming at Master's and Ph.D.
students featuring lectures in the mornings and practical sessions in the
afternoon. Original papers are invited on all aspects of security, privacy,
and cryptography engineering.
-------------------------------------------------------------------------
NordSec 2016 21st Nordic Conference on Secure IT Systems,
Oulu, Finland, November 2-4, 2016.
(Submission Due 1 July 2016)
http://nordsec.oulu.fi
NordSec addresses a broad range of topics within IT security with the
aim of bringing together computer security researchers and encouraging
interaction between academia and industry. NordSec 2016 is co-located
with the 10th International Crisis Management Workshop and Oulu Winter
School. NordSec welcomes contributions within, but not limited to, the
following areas:
- Access control and security models
- Applied cryptography
- Cloud security
- Commercial security policies and enforcement
- Cyber crime, warfare, and forensics
- Economic, legal, and social aspects of security
- Enterprise security
- Hardware and smart card security
- Mobile and embedded security
- Internet of Things and M2M security
- Internet, communication, and network security
- Intrusion detection
- Language-based techniques for security
- New ideas and paradigms in security
- Operating system security
- Privacy and anonymity
- Security education and training
- Security evaluation and measurement
- Security management and audit
- Security protocols
- Security usability
- Social engineering and phishing
- Software security and malware
- Trust and identity management
- Trusted computing
- Vulnerability testing
-------------------------------------------------------------------------
WISCS 2016 3rd ACM Workshop on Information Sharing and Collaborative Security,
Held in conjunction with 23rd ACM Conference on Computer and Communications
Security (CCS 2016), Hofburg Palace, Vienna, Austria, October 24, 2016.
(Submission Due 22 July 2016)
https://sites.google.com/site/wiscs2016/
Sharing of cyber-security related information is believed to greatly enhance
the ability of organizations to defend themselves against sophisticated
attacks. If one organization detects a breach, sharing associated security
indicators (such as attacker IP addresses, domain names, file hashes etc.)
provides valuable, actionable information to other organizations. The
analysis of shared security data promises novel insights into emerging attacks.
Sharing higher level intelligence about threat actors, the tools they use
and mitigations provides defenders with much needed context for better
preparing and responding to attacks. In the US and the EU major efforts
are underway to strengthen information sharing. Yet, there are a number of
technical and policy challenges to realizing this vision. Which information
exactly should be shared? How can privacy and confidentiality be protected?
How can we create high-fidelity intelligence from shared data without
getting overwhelmed by false positives? The 3rd Workshop on Information
Sharing and Collaborative Security (WISCS 2016) aims to bring together
experts and practitioners from academia, industry and government to present
innovative research, case studies, and legal and policy issues. The
workshop solicits original research papers in these areas, both
full and short papers.
-------------------------------------------------------------------------
TrustED 2016 6th International Workshop on Trustworthy Embedded Devices,
Held in conjunction with 23rd ACM Conference on Computer and
Communications Security (CCS 2016),
Hofburg Palace, Vienna, Austria, October 28, 2016.
(Submission Due 27 July 2016)
http://www.trusted-workshop.de
TrustED considers selected security and privacy (S&P) aspects of cyber physical
systems and their environments, which influence trust and trust establishment
in such environments. A major theme of TrustED 2016 will be security and
privacy aspects of the Internet of Things Paradigm. The IoTs promises to make
reality Mark Weiser's vision of ubiquitous computation set out in his 1991
influential paper. Yet to make such vision successful, it is widely
acknowledged that security of super large distributed systems has to be
guaranteed and the privacy of the collected data protected. Submissions
exploring new paradigms to assure security and privacy in the IoTs are thus
strongly encouraged. The workshop topics include but are not limited to:
- Trustworthy and secure embedded systems
- Novel constructions, implementations and applications with physical
security primitives (e.g., PUFs, PhySec)
- Hardware entangled cryptography
- Novel security architectures for the IoTs
- Frameworks and tools to design, validate and test trustworthy embedded
systems
- Secure execution environments (e.g., TrustZone, TPMs) on mobile devices
- Remote attestation and integrity validation
- Privacy aspects of embedded systems (e.g., medical devices, electronic IDs)
- Physical and logical convergence (e.g., secure and privacy-preserving
facility management)
- Novel paradigms to establish trust in large distributed environments
-------------------------------------------------------------------------
ICISS 2016 12th International Conference on Information Systems Security,
Jaipur, India, December 16-20, 2016.
(Submission Due 29 July 2016)
http://www.iciss.org.in
The ICISS Conference, held annually, provides a forum for disseminating the latest
research results in information and systems security. Like previous years,
proceedings of the conference will be published as part of the Springer
Verlag series of Lecture Notes in Computer Science. Submissions are encouraged
from academia, industry and government, addressing theoretical and practical
problems in information and systems security and related areas. Topics of
interest include but are not limited to:
- Access and Usage Control
- Authentication and Audit
- Cloud Security
- Cyber-physical Systems Security
- Digital Forensics
- Distributed Systems Security
- Identity Management
- Intrusion Tolerance and Recovery
- Language-based Security
- Network Security
- Privacy and Anonymity
- Security and Usability
- Sensor and Ad Hoc Network Security
- Software Security
- Vulnerability Detection and Mitigation
- Application Security
- Biometric Security
- Cryptographic Protocols
- Data Security and Privacy
- Digital Rights Management
- Formal Models in Security
- Intrusion Detection and Prevention
- Key Management
- Malware Analysis and Mitigation
- Operating Systems Security
- Secure Data Streams
- Security Testing
- Smartphone Security
- Usable Security
- Web Security
-------------------------------------------------------------------------
GenoPri 2016 3rd International Workshop on Genome Privacy and Security,
Held in conjunction with the AMIA 2016 Annual Symposium,
Chicago, IL, USA, November 12, 2016.
(Submission Due 22 August 2016)
http://www.genopri.org/
Over the past several decades, genome sequencing technologies have evolved
from slow and expensive systems that were limited in access to a select
few scientists and forensics investigators to high-throughput, relatively
low-cost tools that are available to consumers. A consequence of such
technical progress is that genomics has become one of the next major
challenges for privacy and security because (1) genetic diseases can
be unveiled, (2) the propensity to develop specific diseases (such as
Alzheimer's) can be revealed, (3) a volunteer who agrees to have his
genomic code made public can leak substantial information about his
ethnic heritage and the genomic data of his relatives (possibly against
their will), and (4) complex privacy issues can arise if DNA analysis is
used for criminal investigations and medical purposes. As genomics is
increasingly integrated into healthcare and "recreational" services (e.g.,
ancestry testing), the risk of DNA data leakage is serious for both
individuals and their relatives. Failure to adequately protect such
information could lead to a serious backlash, impeding genomic research,
that could affect the well-being of our society as a whole. This prompts
the need for research and innovation in all aspects of genome privacy
and security, as suggested by the non-exhaustive list of topics on the
workshop website.
-------------------------------------------------------------------------
INTRICATE-SEC 2017 5th International Workshop on Security Intricacies in
Cyber-Physical Systems and Services, Taipei, Taiwan, March 27-29, 2017.
(Submission Due 1 October 2016)
https://goo.gl/562zhD
Cyber-physical systems (CPS) are ubiquitous in critical infrastructures
such as electrical power generation, transmission, and distribution networks,
water management, and transportation, but also in both industrial and home
automation. For flexibility, convenience, and efficiency, CPS are increasingly
supported by commodity hardware and software components that are deliberately
interconnected using open standard general purpose information and
communication technology (ICT). The long life-cycles of CPS and
increasingly incremental changes to these systems require novel approaches
to the composition and inter-operability of services provided. The
paradigm of service-oriented architectures (SoA) has successfully been used
in similar long-lived and heterogeneous software systems. However,
adapting the SoA paradigm to the CPS domain requires maintaining the
security, reliability and privacy properties not only of the individual
components but also of complex interactions and service orchestrations
that may not even exist during the initial design and deployment of an
architecture. An important consideration therefore is the design and
analysis of security mechanisms and architectures able to handle cross-domain
inter-operability over multiple domains involving components with
highly heterogeneous capabilities. The INTRICATE-SEC workshop aims to
provide a platform for academics, industry, and government professionals
to communicate and exchange ideas on provisioning secure CPS and Services.
====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________
SUBSCRIPTIONS:
Two options, each with two options:
1. To receive the full ascii CIPHER issues as e-mail, send e-mail to
cipher-admin@ieee-security.org (which is NOT automated) with subject line
"subscribe".
OR
send a note to cipher-request@mailman.xmission.com with the
subject line "subscribe"
(this IS automated - thereafter you can manage your subscription
options, including unsubscribing, yourself)
2. To receive a short e-mail note announcing when a new issue of
CIPHER is available for Web browsing send e-mail to
cipher-admin@ieee-security.org (which is NOT automated) with subject line
"subscribe postcard".
OR
send a note to cipher-postcard-request@mailman.xmission.com with the
subject line "subscribe"
(this IS automated - thereafter you can manage your subscription
options, including unsubscribing, yourself)
To remove yourself from the subscription list, send e-mail to
cipher-admin@ieee-security.org with subject line "unsubscribe" or
"unsubscribe postcard" or, if you have subscribed directly to the
xmission.com mailing list, use your password (sent monthly) to
unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard
Those with access to hypertext browsers may prefer to read Cipher
that way. It can be found at URL http://www.ieee-security.org/cipher.html
CONTRIBUTIONS:
to cipher @ ieee-security.org are invited. Cipher is a NEWSletter,
not a bulletin board or forum. It has a fixed set of departments,
defined by the Table of Contents. Please indicate in the
subject line for which department your contribution is intended.
Calendar and Calls-for-Papers entries should be sent to
cipher-cfp @ ieee-security.org
and they will be automatically included in both departments. To
facilitate the semi-automated handling, please send either a text
version of the CFP or a URL from which a text version can be easily
obtained. For Calendar entries, please include a URL and/or e-mail
address for the point-of-contact. For Calls for Papers, please submit
a one paragraph summary. See this and past issues for examples. ALL
CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS
APPLY. All reuses of Cipher material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy,
publications using Cipher material should obtain permission from the
contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________
Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html
_____________________________________________________________________
How to become a member of the
IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________
You may easily join the TC on Security & Privacy by completing
the on-line form at IEEE at
http://www.computer.org/portal/web/tandc/tclist
______________________________________________________________________
TC Publications for Sale
______________________________________________________________________
The proceedings of previous conferences are available from the
Computer Society's Digital Library.
IEEE Security and Privacy Symposium
IEEE Computer Security Foundations
IEEE CS Press
____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________
Chair:                                 Security and Privacy Symposium Chair Emeritus:
Ulf Lindqvist                          Michael Locasto
SRI International                      SRI International
Menlo Park, CA                         oakland16-chair@ieee-security.org
ulf.lindqvist@sri.com

Chair:                                 Treasurer:
Sean Peisert                           Yong Guan
UC Davis and                           3219 Coover Hall
Lawrence Berkeley                      Department of Electrical and Computer
National Laboratory                    Engineering
speisert@ucdavis.edu                   Iowa State University, Ames, IA 50011
                                       (515) 294-8378
                                       yguan (at) iastate.edu

Newsletter Editor and                  Security and Privacy Symposium, 2017 Chair:
TC Awards Chair:                       Kevin Butler
Hilarie Orman                          Department of Computer and
Purple Streak, Inc.                    Information Science and Engineering
500 S. Maple Dr.                       University of Florida
Woodland Hills, UT 84653               butler at ufl.edu
cipher-editor@ieee-security.org
____________________________________________________________________________
BACK ISSUES:
Cipher is archived at: http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year