============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 134                                    September 19, 2016

Hilarie Orman, Editor: cipher-editor @ ieee-security.org
Sven Dietrich, Assoc. Editor: cipher-assoc-editor @ ieee-security.org
Richard Austin, Book Review Editor: cipher-bookrev @ ieee-security.org
Yong Guan, Calendar Editor: cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * Commentary and Opinion and News
    o Richard Austin's review of the book, "How to Measure Anything in Cybersecurity Risk" by Douglas W. Hubbard and Richard Seiersen
    o News Items
       - Microsoft Shoots Itself in the Trusted Boot
       - TCP Sequence Numbers, The Once and Future Flaw
       - Repressive Governments Buy iPhone Spyware (3 items)
       - Microsoft Fights Feds For User Privacy
       - Federal Directive Clarifies Cyberattack Handling
       - Democrats Made Transparent by Hackers
       - Bit By Stolen Bitcoin (two items)
       - NIST SHA-3 Derived Function
       - HTTP 2 Implementations Open DDOS Channels
       - Pizza Hacker Convicted
       - Crypto Backdoor Socialization by FBI (2 items)
       - AP to FBI: Tell Us How You Hacked the iPhone
    o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Conference and Workshop Announcements
    o Calendar of events
    o Upcoming calls-for-papers and events
 * Staying in Touch
    o Information for subscribers and contributors
    o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
    o Becoming a member of the TC
    o TC Officers
    o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

Crisp fall weather is a yearly reminder that it is time to get your research results written up because the deadline for the Security and Privacy Symposium abstracts is November 4. And don't forget that the 2nd European Security and Privacy Symposium will be held next year in Paris.

The Computer Society is holding its annual elections right now, and if you are a member, take a moment to vote for the officers who will guide the organization for the next 2 years.

It is with gratitude and regret that we note the retirement of our constant reader, Richard Austin, who has been reviewing some of the finest books in our field for 10 years. This issue contains his last commentary for us, and his good-by to his readers is therein. As I went over the list of volumes that he has commented on, it is apparent that a practitioner's bookshelf could be populated on his selections alone. Risk, attack, testing, forensics, defense, cyberwar, ... the panoply of computer security has been laid out in a feast of books guided by Austin's good taste and insights. Each review tells the reader, chapter by chapter, why the material is helpful, optional, or essential. His service to our readers is great, and so is the absence left by his retirement. We wish him a happy grandfatherhood!

      Hackers threaten our election and our security is rocked,
      When the frost is on the punkin and the iPhone's been unlocked.
      (with apologies to James Whitcomb Riley)

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Richard Austin
September 15, 2016

How to Measure Anything in Cybersecurity Risk
by Douglas W. Hubbard and Richard Seiersen
____________________________________________________________________

Wiley 2016.
ISBN 978-1-119-08529-4
Table of Contents: http://www.wiley.com/WileyCDA/WileyTitle/productCd-1119085292.html

This is a very useful follow-up to Hubbard's previous book "How to Measure Anything: Finding the Value of Intangibles in Business" applied to cybersecurity risk. Though this book can be read standalone, many details are referenced to the previous one, and it would be good to have a copy at hand for reference.

The book addresses the very important question: Is it really possible to do anything beyond rating scales when assessing cybersecurity risk? We're all familiar with variations of high-medium-low and the sometimes arcane rituals of how to "multiply" a medium rate of occurrence by a low impact. We've also likely felt vaguely uncomfortable about doing math on ratings but haven't really had an alternative. The authors are quick to assure us that there is a better way that will allow us to defensibly produce quantitative risk assessments using the data and knowledge we have (but may not realize we have).
Their techniques rely on simulation - they call it "Monte Carlo" which would have put my long-ago professor in a computer simulation course into hysterics: "Monte Carlo is a method for integrating messy functions not a catchy byword for applying simulation to problems". A quick Google shows that "Monte Carlo" enjoys wide usage in the sense used by the authors but I still have the emotional scars from that course and won't use the term that way.

To do a good simulation, you need reasonable data and the authors spend a good portion of the book showing that we know a lot more than we think we do. One of their core techniques is "calibration" which basically means that when an expert says that something has a probability of .2 to .4 they really mean it. While that sounds suspiciously obvious, the authors quote substantial research to show that experts, in the beginning, really don't believe their estimates (in the sense of being willing to wager on the outcome) but can be taught to produce good estimates.

The tool they use for their simulation studies is the spreadsheet (examples available on the book's website), but rather than creating another spreadsheet oracle, they clearly explain how the spreadsheet calculations work so that the astute reader will be able to understand and defend their conclusions.

There are a couple of pimples on this otherwise excellent presentation. First is that too much is made of the great frequentist versus subjectivist divide in the field of statistics. Outside of academia, I find that the professional statisticians I know (a biased sample if ever there was one) are frequentists when they can be and subjectivists the rest of the time. As one of the more waggish opined: "Whatever makes the math easier". If you must classify yourself, my advice is to follow the authors and be unabashedly subjectivist (or Bayesian).
The second is that some of the presentation is frankly polemical and boils down to "If you don't agree with us then you don't understand statistics at all". The authors are experts in their field (otherwise we wouldn't be reading their book) and the research results of applying their techniques speak for themselves, so the polemics could have been left out with no loss to the presentation.

Some readers may suffer from a phobia when it comes to statistics and probability (usually traceable to a bad experience in their first statistics class). The authors have successfully taught their methods to audiences from many backgrounds and the book is heavily tutorial in nature. When you finish working your way through it, you will be able to stare probability distributions, confidence intervals and other scary accoutrements of quantitative risk assessment in the eye without flinching.

This is an awesome book on a critical topic. The decisions we made in securing our information assets, the infrastructures that support them and the services that depend on them are too critical for us to depend on mumbo jumbo when making decisions about risk. The authors make a forceful case that there is a better way that depends on comprehensible techniques with a substantial body of research in many fields behind them. I fervently hope that you will studiously read this book and apply its techniques in your own work. We and our profession will be all the better for it.

----------------------------------

It has been said "Be careful, for writing books is endless, and much study wears you out" so Richard Austin has fearlessly sampled the latest offerings of the publishing houses and opines as to which might most profitably occupy your scarce reading time.

Fare thee well! The time has come for your humble correspondent to retire from the workaday world and start a new phase of life as a professional grandpa.
I have thoroughly enjoyed these ten years of writing book reviews for IEEE Cipher and want to express my deep appreciation to you, our readers, the IEEE Computer Society Technical Committee on Security and Privacy and my longsuffering editor, Hilarie Orman (who has taught me there is always a better way to say things), for this once-in-a-lifetime opportunity. I wish you well as you carry our wonderful profession into the future and confront the myriad challenges that make this the most interesting profession on Earth.

With fond regards.
Richard Austin MS, CISSP

====================================================================
News Briefs
====================================================================

Microsoft Fights Feds For User Privacy
https://www.washingtonpost.com/news/the-switch/wp/2016/07/22/microsofts-president-explains-the-companys-quiet-legal-war-for-user-privacy/
Microsoft's president explains the company's quiet legal war for user privacy
Washington Post
By Andrea Peterson
Jul 22, 2016

Summary: Brad Smith, the president of Microsoft, explained in an interview how Microsoft has been opposing some actions by the Justice Department. The issues are transparency of warrants and subpoenas and gag orders pertaining to them, and the legitimacy of subpoenas for data that is stored outside the US.

---------------------------------------------

Federal Directive Clarifies Cyberattack Handling
In a major cyber hack, who do you call? The White House spells it out.
https://www.washingtonpost.com/world/national-security/in-a-major-cyber-hack-who-do-you-call-the-white-house-spells-it-out/2016/07/26/08b3287e-52db-11e6-bbf5-957ad17b4385_story.html
Washington Post
By Ellen Nakashima
Jul 26, 2016

Summary: As cybersecurity "incidents" become more serious and more common, the US Federal government has issued a directive about which agencies handle responses and how the severity of a breach is determined. There are 5 levels of severity, depending on how seriously the incident affects public health or safety, national security, economic security, foreign relations, civil liberties or public confidence.

---------------------------------------------

Democrats Made Transparent by Hackers
The anxiety for Democrats, Are more leaks to come?
https://www.washingtonpost.com/politics/the-anxiety-for-democrats-are-more-leaks-to-come/2016/07/25/0d8798e8-5282-11e6-bbf5-957ad17b4385_story.html
Washington Post
By Tom Hamburger and Ellen Nakashima
Jul 25, 2016

Summary: When WikiLeaks released emails from the Democratic National Committee, it began to seem as though the party should abandon all hope of private communication and simply post all their thoughts on Twitter. The sources behind the hacking that collected the emails are unknown, but Russians are suspected in this and other breaches.

---------------------------------------------

Bit By Stolen Bitcoin
Hackers steal bitcoins worth millions in attack on exchange
http://money.cnn.com/2016/08/03/technology/bitcoin-exchange-bitfinex-hacked/index.html
CNN Money
By Jethro Mullen
Aug 3, 2016

Summary: One of the largest bitcoin exchanges in the world was seriously hacked, resulting in a loss of 119,756 bitcoins. Bitfinex in Hong Kong said it had reported the event to law enforcement, but it gave no further information.

Bitcoin customers lose 36% of their money after hack
http://money.cnn.com/2016/08/07/technology/bitcoin-bitfinex-account-loss/index.html
CNN Money
Aug 8, 2016
by Jackie Wattles

Summary: The Bitfinex bitcoin exchange stopped operating in the wake of a breach that resulted in a significant loss of value. They distributed the loss over the accounts of all customers. While the exchange still maintains the user accounts, it has ceased transactions.
---------------------------------------------

NIST SHA-3 Derived Function
SP 800-185, SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash and ParallelHash
http://csrc.nist.gov/publications/drafts/800-185/sp800_185_draft.pdf
NIST press release
Aug 4, 2016

Summary: NIST has published a draft of SP 800-185, SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash and ParallelHash, today for public comment. The public comment period is from August 4, 2016 through September 30, 2016. Comments should be sent to: SP800-185@nist.gov

---------------------------------------------

HTTP 2 Implementations Open DDOS Channels
Black Hat: Be wary of HTTP/2 on Web servers
http://www.networkworld.com/article/3103498/security/black-hat-be-wary-of-http-2-on-web-servers.html
Network World
By Tim Greene
Aug 3, 2016

Summary: The HTTP/2 web communication protocol is an important revision to the long-time standard HTTP, and it offers ways to improve performance and to optimize communication. No good deed ever goes unpunished, though. The security vendor Imperva, looking at the protocol with an evil eye, found 4 ways in which implementations have introduced vulnerabilities that can result in simple ways to crash the servers. In one case, a client can advise the server on how to size a compression table. As a result, it was possible to cause the server to allocate nearly a gigabyte of memory with only 14 streams.

---------------------------------------------

Pizza Hacker Convicted
Russian MP's son convicted of hacking scheme
http://www.bbc.com/news/technology-37194989
BBC news
Aug 26, 2016

Summary: Proving that there is big money to be made from small businesses, the US Secret Service arrested a Russian traveling to the Maldives for hacking into the credit card systems of 3700 businesses, many of them pizza chains in the US. As many as 3 million credit card numbers were stolen.
---------------------------------------------

Microsoft Shoots Itself in the Trusted Boot
Bungling Microsoft singlehandedly proves that golden backdoor keys are a terrible idea
http://www.theregister.co.uk/2016/08/10/microsoft_secure_boot_ms16_100/
The Register
By Chris Williams
8/10/2016

Summary: Developers are frequently hampered by security policies that are meant to secure the product they are working on. Apparently Microsoft engineers installed a special policy for the purpose of allowing them to boot development versions of the operating system. That policy might as well be called the "boot anything" policy. It passes all the security checks built into Secure Boot, but it will boot any operating system image provided by the user. While Microsoft's intention has been to prevent users from booting alternative OS's, this "Boot Anything" policy has been digitally signed by Microsoft, and there is probably no effective way to revoke it.

This adds some fuel to the fire over the FBI's constant lobbying for guaranteed law enforcement access to any digital device. Critics of the idea point out that it is difficult to assure that a backdoor won't be misused. This seems to be a case in point.

[Ed. Does anyone remember DEBUG mode in sendmail in the late 1980's?]

---------------------------------------------

TCP Sequence Numbers, The Once and Future Flaw
Serious security threat to many Internet users highlighted: Communications involving Linux and Android systems can be compromised quickly, easily and from anywhere
https://www.sciencedaily.com/releases/2016/08/160809143253.htm
Science Daily
August 9, 2016

Summary: In 1985 Robert T. Morris noted that TCP connections could be hijacked simply by guessing the sequence numbers in a current connection. Nearly 30 years later, a minor change to the Linux kernel managed to bypass all mitigations and widen the attack surface. The recognition of the problem is due to researchers at UC Riverside.
See also:
Off-Path TCP Exploits: Global Rate Limit Considered Dangerous, by Yue Cao, et al.
http://www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf
Morris 1985 paper.
https://pdos.csail.mit.edu/~rtm/papers/117.pdf

---------------------------------------------

Repressive Governments Buy iPhone Spyware
Apple boosts iPhone security after powerful spyware targets an activist
http://www.latimes.com/business/technology/la-fi-tn-iphone-spyware-20160825-snap-story.html
Los Angeles Times
Aug 25, 2016

Summary: An iPhone vulnerability that allowed total compromise through a crafted text message led Apple to fix three zero-day vulnerabilities. The software was produced by an Israeli company, the NSO Group. The software was used in this case to target a political activist.

Related stories:

How Spy Tech Firms Let Governments See Everything on a Smartphone
http://www.nytimes.com/2016/09/03/technology/nso-group-how-spy-tech-firms-let-governments-see-everything-on-a-smartphone.html
The New York Times
By Nicole Perlroth
Sep 4, 2016

Summary: The NSO Group supplies software that hacks into smart phones and lets governments spy on the phone's owner. Zamir Dahbash, an NSO Group spokesman, said that the sale of its spyware was restricted to authorized governments and that it was used solely for criminal and terrorist investigations. However, there are documented instances of use against non-criminal activists.

Something Wicked in that Powerpoint
How foreign governments spy using PowerPoint and Twitter
https://www.washingtonpost.com/posteverything/wp/2016/08/02/how-foreign-governments-spy-using-email-and-powerpoint/
Washington Post
By Ron Deibert
Aug 2, 2016

Summary: Although we all recognize the risk of email attachments, the fact is that sometimes we have to open them. One political activist took a suspicious attachment to a security lab, where they found that the Powerpoint contained malware that could turn an Android phone into a portal for cyberespionage. The phone's microphone and camera could have been remotely controlled, and many messaging functions, even those using encryption, could have been relayed to remote users. Researchers say that governments also have used Twitter to target activists.

---------------------------------------------

Crypto Backdoor Socialization by FBI
Comey: FBI wants 'adult conversation' on device encryption
http://www.deseretnews.com/article/765689079/Comey-FBI-wants-adult-conversation-on-device-encryption.html
AP story reported in the Deseret News
By Eric Tucker, Associated Press
Aug 30, 2016

Summary: Speaking at a symposium sponsored by the Symantec Corporation in Washington, James Comey, FBI Director, presented his case for a "legislative fix" to the problems facing law enforcement when they want to get information from digital devices that have encryption protection. He said what he wants to do "is collect information this year so that next year we can have an adult conversation."

Related story:

FBI chief calls for national talk over encryption vs. safety
http://caribbeanbusiness.com/fbi-chief-calls-for-national-talk-over-encryption-vs-safety/
Caribbean Business
Aug 30, 2016
AP story

Speaking to the American Bar Association in San Francisco, FBI Director James Comey said that in the past 10 months the agency was frustrated in its attempts to access data on more than 10% of the electronic devices it seized for investigations. He expects to start a discussion after the start of the White House administration about how to mitigate the problems his agency faces.
---------------------------------------------

AP to FBI: Tell Us How You Hacked the iPhone
AP, other media sue FBI for details on iPhone hacking tool
http://www.ksl.com/?sid=41497834&nid=157&title=ap-other-media-sue-fbi-for-details-on-iphone-hacking-toolp
KSL.com
By Eric Tucker, Associated Press
Sep 16, 2016

Summary: When the FBI said that it had unlocked an iPhone connected to the San Bernardino terrorists, the agency implied that it had paid a million dollars for the break. The vendor, the exact amount, and the method remain a mystery to the public. Under the US Freedom of Information Act, the Associated Press and other news organizations have asked for release of the details.

-------------------------------------

News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html

Nothing new since Cipher E133

--------------

This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
====================================================================

The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

 9/17/16- 9/19/16: IWDW, 15th International Workshop on Digital-forensics and Watermarking, Beijing, China; http://www.iwdw.net/
 9/19/16: ICSS, Industrial Control System Security Workshop, Held in conjunction with 32nd Annual Computer Security Applications Conference (ACSAC 2016), Los Angeles, California, USA; https://www.acsac.org/2016/workshops/icss/; Submissions are due
 9/19/16- 9/21/16: RAID, 19th International Symposium on Research in Attacks, Intrusions and Defenses, Paris, France; http://www.raid2016.org/
 9/20/16- 9/22/16: SADFE, 11th International Conference on Systematic Approaches to Digital Forensics Engineering, Kyoto, Japan; http://sadfe.org
 9/26/16- 9/27/16: WISTP, 10th WISTP International Conference on Information Security Theory and Practice, Heraklion, Crete, Greece; http://www.wistp.org/
 9/26/16- 9/30/16: ESORICS, 21st European Symposium on Research in Computer Security, Heraklion, Crete; http://www.ics.forth.gr/esorics2016/
10/ 1/16: IEEE Communications Magazine, Feature Topic on Traffic Measurements for Cyber Security; http://www.comsoc.org/commag/cfp/traffic-measurements-cyber-security; Submissions are due
10/ 1/16: INTRICATE-SEC, 5th International Workshop on Security Intricacies in Cyber-Physical Systems and Services, Taipei, Taiwan, https://goo.gl/562zhD; Submissions are due
10/ 1/16: SG-CRC, 2nd Singapore Cyber Security R&D Conference, Singapore; http://www.comp.nus.edu.sg/~tsunami/sg-crc17/; Submissions are due
10/ 3/16: DFRWS-EU, DFRWS digital forensics EU conference, Lake Constance, Germany http://www.dfrws.org/conferences/dfrws-eu-2017; Submissions are due
10/10/16-10/12/16: SecureComm, 12th EAI International Conference on Security and Privacy in Communication Networks, Guangzhou, China; http://securecomm.org
10/17/16-10/19/16: CNS, 4th IEEE Conference on Communications and Network Security, Philadelphia, PA, USA; http://cns2016.ieee-cns.org/
10/19/16: WWW, WWW Security and Privacy Track, Perth, Australia; http://www.www2017.com.au/call-for-papers/security-and-privacy.php; Submissions are due
10/24/16-10/28/16: ACM CCS, 23rd ACM Conference on Computer and Communications Security, Vienna, Austria; http://www.sigsac.org/ccs/CCS2016/call-for-papers/
10/24/16: WISCS, 3rd ACM Workshop on Information Sharing and Collaborative Security, Held in conjunction with 23rd ACM Conference on Computer and Communications Security (CCS 2016), Hofburg Palace, Vienna, Austria; http://www.trusted-workshop.de
10/28/16: TrustED, 6th International Workshop on Trustworthy Embedded Devices, Held in conjunction with 23rd ACM Conference on Computer and Communications Security (CCS 2016), Hofburg Palace, Vienna, Austria; http://www.trusted-workshop.de
10/28/16: CCSW, 8th ACM Cloud Computing Security Workshop, Held in conjunction with 23rd ACM Conference on Computer and Communications Security (CCS 2016), Hofburg Palace, Vienna, Austria; https://www.zurich.ibm.com/ccsw16/index.html
10/28/16: CPS-SPC 2016 2nd ACM Workshop on Cyber-Physical Systems Security & Privacy, Held in conjunction with 23rd ACM Conference on Computer and Communications Security (CCS 2016), Hofburg Palace, Vienna, Austria; http://eecs.oregonstate.edu/cps-spc/index.html
11/ 1/16: HOST, IEEE International Symposium on Hardware Oriented Security and Trust, McLean, VA, USA; http://www.hostsymposium.org; Submissions are due
11/ 1/16: ASIACCS, ACM Symposium on Information, Computer and Communications Security, Abu Dhabi, United Arab Emirates; http://asiaccs2017.com/; Submissions are due
11/ 2/16-11/ 4/16: NordSec, 21st Nordic Conference on Secure IT Systems, Oulu, Finland; http://nordsec.oulu.fi
11/ 4/16: SP, 38th IEEE Symposium on Security and Privacy, San Jose, CA, USA; http://www.ieee-security.org/TC/SP2017/; Submissions are due
11/12/16: GenoPri, 3rd International Workshop on Genome Privacy and Security, Held in conjunction with the AMIA 2016 Annual Symposium, Chicago, IL, USA; http://www.genopri.org/
11/23/16-11/25/16: FNSS, 2nd International Conference on Future Networks Systems and Security, Paris, France; http://fnss.org
11/30/16: PETS, 17th Privacy Enhancing Technologies Symposium, Minneapolis, MN, USA; https://petsymposium.org/; Submissions are due
12/ 1/16: IEEE MultiMedia, Special Issue on Cybersecurity for Cyber-Enabled Multimedia Applications; https://www.computer.org/web/computingnow/mmcfp4; Submissions are due
12/ 1/16-12/ 2/16: Mycrypt, 2nd International Conference on Cryptology & Malicious Security, Kuala Lumpur, Malaysia; https://foe.mmu.edu.my/mycrypt2016
12/ 2/16: Advances in Multimedia journal, Special Issue on Emerging Challenges and Solutions for Multimedia Security; http://www.hindawi.com/journals/am/si/561923/cfp/; Submissions are due
12/ 4/16-12/ 7/16: WIFS, 8th IEEE International Workshop on Information Forensics and Security, Abu Dhabi, UAE; http://www.wifs2016.org
12/ 5/16-12/ 6/16: SSR, 3rd International conference on Security Standardization Research, Gaithersburg, MD, USA; http://csrc.nist.gov/groups/ST/ssr2016/
12/ 6/16: ICSS, Industrial Control System Security Workshop, Held in conjunction with 32nd Annual Computer Security Applications Conference (ACSAC 2016), Los Angeles, California, USA; https://www.acsac.org/2016/workshops/icss/
12/14/16-12/16/16: BigTrust, 1st International Workshop on Trust, Security and Privacy for Big Data, Granada, Spain; http://csee.hnu.edu.cn/hbs/
12/16/16-12/18/16: SPACE, 6th International Conference on Security, Privacy and Applied Cryptography Engineering, Hyderabad, India; http://www.math.umn.edu/~math-sa-sara0050/space16/
12/16/16-12/20/16: ICISS, 12th International Conference on Information Systems Security, Jaipur, India; http://www.iciss.org.in
 1/30/17- 2/ 1/17: IFIP 119 DF, 13th Annual IFIP WG 11.9 International Conference on Digital Forensics, Orlando, Florida, USA; http://www.ifip119.org/
 2/21/17- 2/22/17: SG-CRC, 2nd Singapore Cyber Security R&D Conference Singapore http://www.comp.nus.edu.sg/~tsunami/sg-crc17/
 2/26/17- 3/ 1/17: NDSS, Network and Distributed System Security Symposium, San Diego, California, USA; https://www.internetsociety.org/events/ndss-symposium/ndss-symposium-2017/ndss-2017-call-papers
 2/28/17: PETS, 17th Privacy Enhancing Technologies Symposium, Minneapolis, MN, USA; https://petsymposium.org/; Submissions are due
 3/ 1/17: IEEE Security & Privacy Magazine, Special issue on Digital Forensics; https://www.computer.org/web/computingnow/spcfp6; Submissions are due
 3/21/17- 3/23/17: DFRWS-EU, DFRWS digital forensics EU conference, Lake Constance, Germany http://www.dfrws.org/conferences/dfrws-eu-2017
 3/27/17- 3/29/17: INTRICATE-SEC, 5th International Workshop on Security Intricacies in Cyber-Physical Systems and Services, Taipei, Taiwan; https://goo.gl/562zhD
 4/ 2/17- 4/ 6/17: ASIACCS, ACM Symposium on Information, Computer and Communications Security, Abu Dhabi, United Arab Emirates; http://asiaccs2017.com/
 4/ 3/17- 4/ 7/17: WWW, WWW Security and Privacy Track, Perth, Australia; http://www.www2017.com.au/call-for-papers/security-and-privacy.php
 4/26/17- 4/28/17: IEEE EuroSP, 2nd IEEE European Symposium on Security and Privacy, Paris, France; http://www.ieee-security.org/TC/EuroSP2017/cfp.php
 5/ 1/17- 5/ 5/17: HOST, IEEE International Symposium on Hardware Oriented Security and Trust, McLean, VA, USA; http://www.hostsymposium.org
 5/22/17- 5/24/17: SP, 38th IEEE Symposium on Security and Privacy, San Jose, CA, USA; http://www.ieee-security.org/TC/SP2017/
 7/18/17- 7/21/17: PETS, 17th Privacy Enhancing Technologies Symposium, Minneapolis, MN, USA; https://petsymposium.org/

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers (new since Cipher E133)
____________________________________________________________________

ICSS 2016 Industrial Control System Security Workshop, Held in conjunction with 32nd Annual Computer Security Applications Conference (ACSAC 2016), Los Angeles, CA, USA, December 6, 2016. (Submissions due 19 September 2016)
https://www.acsac.org/2016/workshops/icss/

Supervisory control and data acquisition (SCADA) and industrial control systems monitor and control a wide range of industrial and infrastructure processes such as water treatment, power generation and transmission, oil and gas refining and steel manufacturing. Such systems are usually built using a variety of commodity computer and networking components, and are becoming increasingly interconnected with corporate and other Internet-visible networks. As a result, they face significant threats from internal and external actors. For example, in 2010 the Stuxnet malware was specifically written to attack SCADA systems and caused millions of dollars in damages. The critical requirement for high availability in SCADA and industrial control systems, along with the use of resource constrained computing devices, legacy operating systems and proprietary software applications limits the applicability of traditional information security solutions.
The goal of this workshop is to explore new security techniques that are applicable in the control systems context. Papers of interest including (but not limited to) the following subject categories are solicited:
 - Intrusion detection and prevention
 - Malware
 - Vulnerability analysis and risk management
 - Digital forensics
 - Virtualization
 - Application security
 - Performance evaluation of security methods and tools in control systems
 - Cybersecurity Education

-------------------------------------------------------------------------

IEEE Communications Magazine, Feature Topic on Traffic Measurements for Cyber Security, (Submissions Due 1 October 2016)
http://www.comsoc.org/commag/cfp/traffic-measurements-cyber-security

Guest Editors: Wojciech Mazurczyk (Warsaw University of Technology, Poland), Koji Nakao (KDDI / NICT, Japan), Maciej Korczyński (Delft University of Technology, The Netherlands), Engin Kirda (Northeastern University, USA), Cristian Hesselman (SIDN Labs, The Netherlands), and Katsunari Yoshioka (Yokohama National University, Japan)

In today's world, societies are becoming more and more dependent on open networks such as the Internet - where commercial activities, business transactions and government services are realized. This has led to the fast development of new cyber threats and numerous information security issues which cyber criminals exploit. The inability to provide trusted secure services in contemporary computer network technologies has a tremendous unfavorable socio-economic impact on global enterprises as well as individuals. Current communication networks are increasingly becoming pervasive, complex, and ever-evolving due to factors like enormous growth in the number of network users, continuous appearance of network applications, increasing amount of data transferred, and diversity of user behaviors.
Understanding and measuring traffic in such networks is a difficult yet vital task, not only for network management but recently also for cyber security purposes. Network traffic measuring and monitoring can enable the analysis of the spreading of malicious software and its capabilities or can help us understand the nature of various network threats including those that exploit users' behavior and other user's sensitive information. On the other hand, network traffic investigation can also help us assess the effectiveness of the existing countermeasures or contribute to building new, better ones. Recently, traffic measurements have been utilized in the area of economics of cyber security e.g. to assess ISP "badness" or to estimate the revenue of cyber criminals. The aim of this feature topic is to bring together the research accomplishments by academic and industry researchers. The other goal is to show the latest research results in the field of cyber security and understand how traffic measurements can influence it. We encourage prospective authors to submit related distinguished research papers on the subject of both theoretical approaches and practical case reviews. This special issue presents some of the most relevant ongoing research in cyber security seen from the traffic measurements perspective. 
Topics include, but are not limited to the following: - Measurements for network incidents response, investigation and evidence handling - Measurements for network anomalies detection - Measurements for economics of cyber security - Network traffic analysis to discover the nature and evolution of the cyber security threats - Measurements for assessing the effectiveness of the threats detection/prevention methods and countermeasures - Novel passive, active and hybrid measurements techniques for cyber security purposes - Traffic classification and topology discovery tools for monitoring the evolving status of the network from the cyber security perspective - Correlation of measurements across multiple layers, protocols or networks for cyber security purposes - Novel visualization approaches to detect network attacks and other threats - Analysis of network traffic to provide new insights about network structure and behavior from the security perspective - Measurements of network protocol and applications behavior and its impact on cyber security and users' privacy - Measurements related to network security and privacy ------------------------------------------------------------------------- INTRICATE-SEC 2017 5th International Workshop on Security Intricacies in Cyber-Physical Systems and Services, Taipei, Taiwan, March 27-29, 2017. (Submissions Due 1 October 2016) https://goo.gl/562zhD Cyber-physical systems (CPS) are ubiquitous in critical infrastructures such as electrical power generation, transmission, and distribution networks, water management, and transportation, but also in both industrial and home automation. For flexibility, convenience, and efficiency, CPS are increasingly supported by commodity hardware and software components that are deliberately interconnected using open standard general purpose information and communication technology (ICT). 
The long life-cycles of CPS and increasingly incremental changes to these systems require novel approaches to the composition and inter-operability of services provided. The paradigm of service-oriented architectures (SoA) has successfully been used in similar long-lived and heterogeneous software systems. However, adapting the SoA paradigm to the CPS domain requires maintaining the security, reliability and privacy properties not only of the individual components but also for complex interactions and service orchestrations that may not even exist during the initial design and deployment of an architecture. An important consideration therefore is the design and analysis of security mechanisms and architectures able to handle cross domain inter-operability over multiple domains involving components with highly heterogeneous capabilities. The INTRICATE-SEC workshop aims to provide a platform for academics, industry, and government professionals to communicate and exchange ideas on provisioning secure CPS and Services. ------------------------------------------------------------------------- SG-CRC 2017 2nd Singapore Cyber Security R&D Conference, Singapore, February 21-22, 2017. (Submissions Due 1 October 2016) http://www.comp.nus.edu.sg/~tsunami/sg-crc17/ This conference will bring together academics and practitioners from across the world to participate in a vibrant programme consisting of research papers, industrial best practices, and tools exhibition. This conference focuses on techniques and methodologies oriented to construct resilient systems against cyber-attacks that will help to construct safe execution environments, improving security of both hardware and software by means of using mathematical tools and engineering approaches for designing, verifying, and monitoring cyber physical systems. Authors are invited to submit original work on the topics that fall in the general area of cyber security. 
Submissions may focus on theoretical results, experiments, or a mix of both. ------------------------------------------------------------------------- DFRWS-EU 2017 DFRWS digital forensics EU conference, Lake Constance, Germany, March 21-23, 2017. (Submissions Due 3 October 2016) http://www.dfrws.org/conferences/dfrws-eu-2017 This year two premier research conferences in Europe, the DFRWS digital forensics conference (DFRWS EU 2017) and the International Conference on IT Security Incident Management & IT Forensics (IMF 2017) are brought together. Established in 2001, DFRWS has become the premier digital forensics conference, dedicated to solving real world challenges, and pushing the envelope of what is currently possible in digital forensics. Since 2003, IMF has established itself as one of the premier venues for presenting research on IT security incident response and management and IT forensics. While the first IMF conference was organized to establish a research forum for German speaking researchers and practitioners from the field, it soon became an International conference attracting many experts across Europe. IMF 2017, being the 10th Conference, is also an important milestone in bringing the two worlds of IT security incident response and management and forensics together. Both DFRWS and IMF organise informal collaborative environments each year that bring together leading researchers, practitioners, industry, tool developers, academics, law enforcement, and other government bodies from around the globe to tackle current and emerging challenges in their fields. The co-hosting of the two events will help generate new discussions and ideas by bringing together two strong research communities: DFRWS's community encompassing a broad range of topics in digital forensics, and IMF's community focusing on IT security incident response and management. 
------------------------------------------------------------------------- WWW 2017 WWW Security and Privacy Track, Perth, Australia, April 3-7, 2017. (Submissions Due 19 October 2016) http://www.www2017.com.au/call-for-papers/security-and-privacy.php The Security and Privacy track at the International World Wide Web Conference offers researchers working on security, privacy, trust, and abuse of trust to present their work to the broad community of researchers, with myriad backgrounds and interests, who will be attending the 2017 World Wide Web Conference. Relevant topics include: - Human and usability factors in Web security & privacy - Measurement of online crime/underground economics - Tracking, profiling, and countermeasures against them - Measurement, analysis, and circumvention of Web censorship - Browser security - Authentication and authorization for Web-based services - Social network security and privacy - Security and privacy of web protocols - Abusive content such as online harassments, spam, and fake reviews - Privacy-enhancing technologies for the Web - Legal, ethical, policy issues of Web security and privacy - Security for Web services (e.g., blogs, Web feed, wikis, social networks) - Applications of cryptography to the web - Security in Web-based electronic commerce (e-cash, auctions, etc.) - Security and privacy for intelligent assistants ------------------------------------------------------------------------- HOST 2017 IEEE International Symposium on Hardware Oriented Security and Trust, McLean, VA, USA, May 1-5, 2017. (Submissions Due 1 November 2016) http://www.hostsymposium.org IEEE International Symposium on Hardware Oriented Security and Trust (HOST) aims to facilitate the rapid growth of hardware-based security research and development. HOST highlights new results in the area of hardware and system security. Relevant research topics include techniques, tools, design/test methods, architectures, circuits, and applications of secure hardware. 
HOST 2017 invites original contributions related to, but not limited by, the following topics: - Hardware Trojan attacks and detection techniques - Hardware techniques to facilitate software and/or system security - Hardware-based security primitives (PUFs, RNGs) - System-on-chip (SoC) security - Side-channel attacks and protection - Security, privacy, and trust protocols - Metrics, policies, and standards related to hardware security - Hardware IP trust (watermarking, metering, trust verification) - Trusted manufacturing including split manufacturing and 3D ICs - Security analysis and protection of Internet of Things (IoT) - Secure and efficient implementation of crypto algorithms - Reverse engineering and hardware obfuscation - Supply chain risks mitigation (e.g., counterfeit detection & avoidance) - Hardware tampering attacks and protection - Applications of hardware security to secure system development ------------------------------------------------------------------------- ASIACCS 2017 ACM Symposium on Information, Computer and Communications Security Abu Dhabi, United Arab Emirates, April 2-6, 2017. (Submissions Due 1 November 2016) http://asiaccs2017.com/ Building on the success of ACM Conference on Computer and Communications Security (CCS), the ACM Special Interest Group on Security, Audit, and Control (SIGSAC) formally established the annual ACM Asia Conference on Computer and Communications Security (ASIACCS). 
Topics of interest include but are not limited to: - Access control - Accounting and audit - Applied cryptography - Authentication - Big data security and privacy - Biometrics - Blockchain and alternatives - Cloud computing security - Computer forensics - Cyber-physical security - Data and application security - Embedded systems security - Formal methods for security - Hardware-based security & applications - IoT security & privacy - Key management - Malware and botnets - Mobile computing security - Network security - Operating system security - Practical post-quantum security - Privacy-enhancing technology - Runtime attacks and defenses - Secure computation - Security architectures - Security of critical infrastructures - Security metrics - Software security - Threat modeling - Trusted computing - Usable security and privacy - Web security - Wireless security and privacy ------------------------------------------------------------------------- SP 2017 38th IEEE Symposium on Security and Privacy, San Jose, CA, USA, May 22-24, 2017. (Submissions Due 4 November 2016) http://www.ieee-security.org/TC/SP2017/ Since 1980 in Oakland, the IEEE Symposium on Security and Privacy has been the premier forum for computer security research, presenting the latest developments and bringing together researchers and practitioners. We solicit previously unpublished papers offering novel research contributions in any aspect of security or privacy. Papers may present advances in the theory, design, implementation, analysis, verification, or empirical evaluation and measurement of secure systems. 
Topics of interest include: - Access control and authorization - Accountability - Anonymity - Application security - Attacks and defenses - Authentication - Censorship resistance - Cloud security - Distributed systems security - Economics of security and privacy - Embedded systems security - Forensics - Hardware security - Intrusion detection and prevention - Malware and unwanted software - Mobile and Web security and privacy - Language-based security - Network and systems security - Privacy technologies and mechanisms - Protocol security - Secure information flow - Security and privacy for the Internet of Things - Security and privacy metrics - Security and privacy policies - Security architectures - Usable security and privacy This topic list is not meant to be exhaustive; S&P is interested in all aspects of computer security and privacy. Papers without a clear application to security or privacy, however, will be considered out of scope and may be rejected without full review. Systematization of Knowledge Papers: As in past years, we solicit systematization of knowledge (SoK) papers that evaluate, systematize, and contextualize existing knowledge, as such papers can provide a high value to our community. Suitable papers are those that provide an important new viewpoint on an established, major research area, support or challenge long-held beliefs in such an area with compelling evidence, or present a convincing, comprehensive new taxonomy of such an area. Survey papers without such insights are not appropriate. Submissions will be distinguished by the prefix "SoK:" in the title and a checkbox on the submission form. They will be reviewed by the full PC and held to the same standards as traditional research papers, but they will be accepted based on their treatment of existing work and value to the community, and not based on any new research results they may contain. Accepted papers will be presented at the symposium and included in the proceedings. 
------------------------------------------------------------------------- PETS 2017 17th Privacy Enhancing Technologies Symposium, Minneapolis, MN, USA, July 18 - July 21, 2017. (Submissions Due 31 August 2016; 30 November 2016; 28 February 2017) https://petsymposium.org/ The annual Privacy Enhancing Technologies Symposium (PETS) brings together privacy experts from around the world to present and discuss recent advances and new perspectives on research in privacy technologies. Papers undergo a journal-style reviewing process and accepted papers are published in Proceedings on Privacy Enhancing Technologies (PoPETs), a scholarly, open access journal. Submitted papers should present novel practical and/or theoretical research into the design, analysis, experimentation, or fielding of privacy-enhancing technologies. While PETS/PoPETs has traditionally been home to research on anonymity systems and privacy-oriented cryptography, we strongly encourage submissions on a number of both well-established and emerging privacy-related topics, for which examples are provided below. PoPETs also solicits submissions for Systematization of Knowledge (SoK) papers. These are papers that critically review, evaluate, and contextualize work in areas for which a body of prior literature exists, and whose contribution lies in systematizing the existing knowledge in that area. 
------------------------------------------------------------------------- IEEE MultiMedia, Special Issue on Cybersecurity for Cyber-Enabled Multimedia Applications, (Submissions Due 1 December 2016) https://www.computer.org/web/computingnow/mmcfp4 Guest Editors: Qun Jin (Waseda University, Japan), Yong Xiang (Deakin University, Australia), Guozi Sun (Nanjing University of Posts and Telecommunications, China), Yao Liu (University of South Florida, USA), and Chin-Chen Chang (Feng Chia University, Taiwan) With the rapid popularity of social network applications and advanced digital devices, the past few years have witnessed the explosive growth of multimedia big data in terms of both scale and variety. Such increasing multimedia data determines a new way of communication: seamless network connection, a joyful user experience, and free information sharing. Meanwhile, security issues related to such multimedia big data have arisen, and an urgent demand for novel technologies has emerged to deal with copyright protection, multimedia forgery detection, and cybersecurity, especially for cyber-enabled multimedia applications. Although many promising solutions have been proposed recently, it is still challenging for the multimedia community to effectively and efficiently handle security challenges over large-scale multimedia data, especially when the scale comes up from tens of thousands to tens of millions or even billions. This special issue aims to bring together the greatest research efforts in cybersecurity for cyber-enabled multimedia applications to specifically deal with the security challenges in the multimedia big data era. 
The main goals are to investigate novel ideas and research work of cybersecurity issues with multimedia big data; find or develop effective and efficient techniques and methods in computer vision, multimedia processing, and sensor networks for specific cybersecurity tasks, such as data hiding, and forensics; survey the progress of this area in the past years; and explore interesting and practical cyber-enabled multimedia applications. Submissions should be unpublished and present innovative research work offering contributions either from a methodological or application point of view. Topics of interest include, but are not limited to, the following: - Emerging fundamental issues in multimedia big data security - Text, audio, images, and video data hiding - Multimedia steganography and corresponding steganalysis - Multimedia watermarking, fingerprinting, and hashing - Multimedia forensics and data source identification - Cryptography, secret sharing, and biometrics - Multimedia network security, privacy, and protection - Multimedia big data trust management and access control - Secure covert communications and cybersecurity - Secure cyber-enabled multimedia applications in health, education, and so on ------------------------------------------------------------------------- Advances in Multimedia journal, Special Issue on Emerging Challenges and Solutions for Multimedia Security, (Submissions Due 2 December 2016) http://www.hindawi.com/journals/am/si/561923/cfp/ Guest Editors: Wojciech Mazurczyk (Warsaw University of Technology, Poland), Artur Janicki (Warsaw University of Technology, Poland), Hui Tian (National Huaqiao University, China), and Honggang Wang (University of Massachusetts Dartmouth, USA) Today's world's societies are becoming more and more dependent on open networks such as the Internet, where commercial activities, business transactions, government services, and entertainment services are realized. 
This has led to the fast development of new cyber threats and numerous information security issues which are exploited by cyber criminals. The inability to provide trusted secure services in contemporary computer network technologies could have a tremendous socioeconomic impact on global enterprises as well as on individuals. In the recent years, rapid development in digital technologies has been augmented by the progress in the field of multimedia standards and the mushrooming of multimedia applications and services penetrating and changing the way people interact, communicate, work, entertain, and relax. Multimedia services are becoming more significant and popular and they enrich humans' everyday life. Currently, the term multimedia information refers not only to text, image, video, or audio content but also to graphics, flash, web, 3D data, and so forth. Multimedia information may be generated, processed, transmitted, retrieved, consumed, or shared in various environments. The lowered cost of reproduction, storage, and distribution, however, also invites much motivation for large-scale commercial infringement. The above-mentioned issues have generated new challenges related to protection of multimedia services, applications, and digital content. Providing multimedia security is significantly different from providing typical computer information security, since multimedia content usually involves large volumes of data and requires interactive operations and real-time responses. Additionally, ensuring digital multimedia security must also signify safeguarding of the multimedia services. Different services require different methods for content distribution, payment, interaction, and so forth. 
Moreover, these services are also expected to be "smart" in the environment of converged networks, which means that they must adapt to different network conditions and types as multimedia information can be utilized in various networked environments, for example, in fixed, wireless, and mobile networks. All of these make providing security for multimedia even harder to perform. This special issue intends to bring together diversity of international researchers, experts, and practitioners who are currently working in the area of digital multimedia security. Researchers both from academia and industry are invited to contribute their work for extending the existing knowledge in the field. The aim of this special issue is to present a collection of high-quality research papers that will provide a view on the latest research advances not only on secure multimedia transmission and distribution but also on multimedia content protection. Potential topics include, but are not limited to: - Emerging technologies in digital multimedia security - Digital watermarking - Fingerprinting in multimedia signals - Digital media steganology (steganography and steganalysis) - Information theoretic analysis of secure multimedia systems - Security/privacy in multimedia services - Multimedia and digital media forensics - Quality of Service (QoS)/Quality of Experience (QoE) and their relationships with security - Security of voice and face biometry - Multimedia integrity verification and authentication - Multimedia systems security - Digital rights management - Digital content protection - Tampering and attacks on original information - Content identification and secure content delivery - Piracy detection and tracing - Copyright protection and surveillance - Forgery detection - Secure multimedia networking - Multimedia network protection, privacy, and security - Secure multimedia system design, trusted computing, and protocol security 
------------------------------------------------------------------------- IEEE Security & Privacy Magazine, Special issue on Digital Forensics, (Submissions Due 1 March 2017) https://www.computer.org/web/computingnow/spcfp6 Guest Editors: Wojciech Mazurczyk (Warsaw University of Technology & FernUniversitat in Hagen, Poland), Steffen Wendzel (Fraunhofer FKIE, Germany), Luca Caviglione (National Research Council of Italy, Italy), and Simson L. Garfinkel (National Institute of Standards and Technology, USA) Modern societies are becoming increasingly dependent on open networks where commercial activities, business transactions, and government services are delivered. Despite the benefits, these networks have led to new cyberthreats and cybersecurity issues. Abuse of and mistrust for telecommunications and computer network technologies have significant socioeconomic impacts on global enterprises as well as individuals. Cybercriminal activities such as fraud often require the investigations that span across international borders. In addition, they're often subject to different jurisdictions and legal systems. The increased intricacy of the communication and networking infrastructure complicates investigation of such activities. Clues of illegal digital activities are often buried in large volumes of data that makes crime detection and evidence collection difficult. This poses new challenges for law enforcement and compels computer societies to utilize digital forensics to combat the growing number of cybercrimes. Forensic professionals must be fully prepared to gather effective digital evidence. Forensic techniques must keep pace with new technologies; therefore, digital forensics is becoming more important for law enforcement and information and network security. This multidisciplinary area includes several fields, including law, computer science, finance, networking, data mining, and criminal justice. 
It faces diverse challenges and issues in terms of the efficiency of digital evidence processing and related forensic procedures. This special issue aims to collect the most relevant ongoing research efforts in the digital forensics field. Topics include, but aren't limited to: - real-world case studies, best practices, and readiness; - challenges and emerging trends; - digital forensic triage; - antiforensics and anti-antiforensics approaches; - networking incident response, investigation, and evidence handling; - network forensics and traffic analysis; - detecting illegal sites and traffic (for instance, child abuse/exploitation); - malware and targeted attacks including analysis and attribution; - information-hiding techniques (network steganography, covert channels, and so on); - stealth communication through online games and its detection; - use and implications of machine learning in digital forensics; - big data and digital forensics; - network traffic fingerprinting and attacks; - cybercrimes design, detection, and investigation; - cybercrime issues and solutions from a digital forensics perspective; - nontraditional forensic scenarios and approaches (for instance, vehicles, SCADA, automation and control); - social networking forensics; - cloud forensics; - law enforcement and digital forensics; and - digital forensics for incident response, research, policy compliance enforcement, and so on. ------------------------------------------------------------------------- ==================================================================== Information on the Technical Committee on Security and Privacy ==================================================================== ____________________________________________________________________ Information for Subscribers and Contributors ____________________________________________________________________ SUBSCRIPTIONS: Two options, each with two options: 1. 
To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe". OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself) 2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard". OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself) To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. 
For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors. ____________________________________________________________________ Recent Address Changes ____________________________________________________________________ Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html _____________________________________________________________________ How to become a member of the IEEE Computer Society's TC on Security and Privacy _____________________________________________________________________ You may easily join the TC on Security & Privacy (or other TCs) by completing the on-line form at IEEE at http://www.computer.org/portal/web/tandc/tclist ______________________________________________________________________ TC Publications for Sale ______________________________________________________________________ The proceedings of previous conferences are available from the Computer Society's Digital Library. IEEE Security and Privacy Symposium IEEE Computer Security Foundations From 2012 onward, these are available without charge from the digital library 12 months after the conference. 
____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________

Chair:
Ulf Lindqvist
SRI International
Menlo Park, CA
ulf.lindqvist@sri.com

Security and Privacy Symposium Chair Emeritus:
Michael Locasto
SRI International
oakland16-chair@ieee-security.org

Chair:
Sean Peisert
UC Davis and Lawrence Berkeley National Laboratory
speisert@ucdavis.edu

Treasurer:
Yong Guan
3219 Coover Hall
Department of Electrical and Computer Engineering
Iowa State University, Ames, IA 50011
(515) 294-8378
yguan (at) iastate.edu

Newsletter Editor and TC Awards Chair:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2017 Chair:
Kevin Butler
Department of Computer and Information Science and Engineering
University of Florida
butler at ufl.edu

____________________________________________________________________________
BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year