============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 135
November 29, 2016

Hilarie Orman, Editor
cipher-editor @ ieee-security.org
Sven Dietrich, Assoc. Editor
cipher-assoc-editor @ ieee-security.org
Yong Guan, Calendar Editor
cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * Commentary and Opinion and News
   o News Items
     - Really secure messaging meets the US govmt
     - We Don't Need No Stinkin' Jurisdiction
     - Cyber Spy or Hoarder?
     - NSA's Hacking Tools Taken by Hoarding Contractor?
     - Yahoo Surveillance: All of the Emails All of the Time
     - From Spam Filters to Terrorist Detectors
     - No Room for Security in Computer Science
     - Turning Number Theory to the Evil Side
     - Metadata: the Apple to Law Enforcement Pipeline
     - Your Webcam Unleashed: the Massive Internet Attack
     - The Little Logic Flaw That Undermined Linux Security
     - Cyberwarfare, It's Here, It's There, It's Everywhere
     - Free translation service?
       Some Android phones send all text messages to China
     - Odd DNS Footprints and Speculation about the Trump Organization
   o Book reviews, Conference Reports and Commentary and News items
     from past Cipher issues are available at the Cipher website
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Conference and Workshop Announcements
   o Upcoming calls-for-papers and events
 * Staying in Touch
   o Information for subscribers and contributors
   o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
   o Becoming a member of the TC
   o TC Officers

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

The past two months have yielded a cornucopia of items related to security and privacy. The US presidential election demonstrated how vulnerable computer systems are to hacking, and even NSA was subjected to yet another embarrassing exfiltration of classified material by a trusted contractor. Furthermore, a discussion about the integrity of online information has emerged. Although information integrity has been part of cybersecurity in the technical sense of being the dual of security classification, this does not begin to encompass the provenance issues that we face today. The Internet is a phenomenon driven by the desire and need for communication, but in fulfilling that need, it has created questions about the power and meaning of information within a democratic society. Can the research and practitioner community address this challenge?

There is a full agenda of conferences for the tail of 2016 and start of 2017, and almost any topic in security and privacy will be addressed at one or more venues. They await your papers and your attendance.

One of our news articles mentions that upwards of a million jobs will be created in cybersecurity over the next few years, yet academia usually omits it from the computer science curriculum. There's opportunity there for those who are eager to get into a field that seems to be permanently in the midst of major issues in industry and international affairs. Along these lines, please note that the GREPSEC workshop for invited graduate students will be held in 2017; see http://ieee-security.org/grepsec. Applications will be taken in January.

  Four kernel errors,
  Three Samsung fires,
  Two Apple subpoenas,
  And a conspiracy in a DNS tree.

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

----------------------------------------------------------------------
Really secure messaging meets the US govmt

This app promises privacy through encrypted messaging, but a U.S. subpoena puts it to test
http://www.latimes.com/business/technology/la-fi-tn-signal-privacy-20161004-snap-story.html
Associated Press, LA Times
Oct 4, 2016

Summary:
Open Whisper Systems produces a messaging app that uses end-to-end encryption. All the keys and usage information are contained in the user devices --- the company collects no information from them. The secrecy of the communication has been put to the test by a subpoena from the US government demanding information about one of its users. The ACLU is representing the small company in the matter. The company does not have the information that the government wants because the app is designed with user privacy in mind.

Related stories:

Moxie Marlinspike: The Coder Who Encrypted Your Texts
http://www.wsj.com/articles/moxie-marlinspike-the-coder-who-encrypted-your-texts-1436486274
WSJ
By Danny Yadron
July 9, 2015

Summary:
If you missed out on the genesis of the Whisper app and its creator Moxie Marlinspike, this is a good synopsis of the story of a peculiar coder. The story is behind a paywall, but if you are a subscriber, it's worth perusing.

------------
How Hillary Clinton Helped Build WhatsApp's State-of-the-Art Encryption
http://foreignpolicy.com/2016/04/06/how-hillary-clinton-helped-build-whatsapps-state-of-the-art-encryption/
Foreign Policy
By Elias Groll
April 6, 2016

Summary:
It was a different world back in 2010 when Secretary of State Hillary Clinton started an initiative to use the Internet to help foster political change in countries with severe political censorship. After some twists and turns in funding authorities, an agency called Radio Free Asia created the Open Technology Fund. From that fund, Moxie Marlinspike got $2.3 million dollars to develop an end-to-end encrypted messaging app, the same technology that now underlies WhatsApp, a company that was acquired by Facebook for $22 billion dollars in 2014.

----------------------------------------------------------------------
We Don't Need No Stinkin' Jurisdiction

A rule change to make it easier to catch pedophiles will lead to government mass hacking, critics say
https://www.washingtonpost.com/local/public-safety/a-move-designed-to-catch-pedophiles-will-lead-to-mass-government-hacking-critics-say/2016/09/29/0d4ba0e0-81c6-11e6-b002-307601806392_story.html
The Washington Post
Sep 30, 2016
by Ellen Nakashima and Rachel Weiner

Summary:
An amendment to Rule 41 of the Federal Rules of Criminal Procedure is set to go into effect in December, and it will dramatically change how the government obtains warrants that allow it to hack computers in the course of criminal investigations.
The warrants will not be bound to a particular jurisdiction if the government cannot identify the location of the computers. Instead, any judge will be able to issue a warrant that will apply regardless of jurisdiction. The government argues that it cannot investigate computer crimes without this tool; critics say it may violate the Fourth Amendment.

----------------------------------------------------------------------
Cyber Spy or Hoarder?

N.S.A. Contractor Arrested in Possible New Theft of Secrets
The New York Times
http://www.nytimes.com/2016/10/06/us/nsa-leak-booz-allen-hamilton.html
By Jo Becker, Adam Goldman, Michael S. Schmidt and Matt Apuzzo
Oct 5, 2016

Summary:
A former NSA contractor was charged with stealing classified information from the agency over a period of years, but the purpose of the theft remains unclear. The many terabytes of information taken by Harold T. Martin might contain the NSA's "hacking tools" which were mysteriously revealed this year.

----------------
NSA's Hacking Tools Taken by Hoarding Contractor?

Trove of Stolen Data Is Said to Include Top-Secret U.S. Hacking Tools
http://www.nytimes.com/2016/10/20/us/harold-martin-nsa.html
The New York Times
By Scott Shane, Matt Apuzzo and Jo Becker
Oct. 19, 2016

Summary:
The former NSA contractor accused of copying a massive amount of classified data apparently had the hacker tools produced by NSA and released onto the Internet by an anonymous group in August. His motive in taking the information remains unknown, as does his possible sharing of the information with the anonymous group.

----------------------------------------------------------------------
Yahoo Surveillance: All of the Emails All of the Time

Yahoo scanned all of its users' incoming emails on behalf of U.S.
intelligence officials
https://www.washingtonpost.com/news/the-switch/wp/2016/10/04/yahoo-scanned-all-of-its-users-incoming-emails-on-behalf-of-u-s-intelligence-officials/
The Washington Post
by Andrea Peterson
Oct 5, 2016

Summary:
Yahoo complied with a US government subpoena by scanning all email in real time and reporting the results to the government. A staff attorney for the ACLU called the demand "unprecedented and unconstitutional." According to insiders, Yahoo's CEO did not consult the security staff when ordering the reconfiguration of the company's email servers. The solution that was implemented may have made all of Yahoo's email vulnerable to hackers.

---------------
From Spam Filters to Terrorist Detectors

Yahoo Said to Have Aided U.S. Email Surveillance by Adapting Spam Filter
http://www.nytimes.com/2016/10/06/technology/yahoo-email-tech-companies-government-investigations.html
The New York Times
By Charlie Savage and Nicole Perlroth
Oct 5, 2016

Summary:
The US government demanded that Yahoo search all email for a digital pattern that it associated with foreign terrorist organizations, and the company complied by adapting a filter that it had developed for detecting child pornography. The subpoena was issued by the secret Foreign Intelligence Court. Yahoo cannot disclose any information about the matter, but Apple commented that it received nearly 600 "gag orders" related to government data collection in the first several months of 2016.

----------------------------------------------------------------------
No Room for Security in Computer Science

Most Top Computer Science Programs Skip Cybersecurity
http://theinstitute.ieee.org/career-and-education/education/most-top-computer-science-programs-skip-cybersecurity
IEEE - The Institute
by Monica Rozenfeld
Oct 11, 2016

Summary:
Two Boston area experts, Roy Wattanasin and Ming Chow, are trying to raise awareness of the fragmented state of cybersecurity education in computer science curricula.
No school in the Boston area seems to offer a course that focuses primarily on cybersecurity, and there is no agreement on the skill set that should be taught. They gave a presentation about their survey findings at the Hackers on Planet Earth (HOPE) conference in July of this year.

----------------------------------------------------------------------
Turning Number Theory to the Evil Side

How the NSA Could Put Undetectable Trapdoors in Millions of Crypto Keys
http://arstechnica.com/security/2016/10/how-the-nsa-could-put-undetectable-trapdoors-in-millions-of-crypto-keys
Ars Technica
by Dan Goodin
October 11, 2016

Summary:
Researchers have called into question the security of the prime numbers underlying some commonly used implementations of the Diffie-Hellman protocol. The numbers are secure if the associated discrete logarithm problem is hard to solve, but not all prime numbers lead to hard problems. If a nefarious party (or NSA) chooses a prime for which he has secret information that makes discrete logarithms relatively easy, then the resulting communication protocol will be easy for him to decipher. This distressing fact has no silver lining because there is no simple way to determine if a given prime is easy. The details of the number field sieve algorithm provide the mathematical underpinning to the weakness.

----------------------------------------------------------------------
Metadata: the Apple to Law Enforcement Pipeline

Report: Apple Shares Unencrypted iMessage Metadata With Cops
http://www.crmbuyer.com/story/83959.html?rss=1&utm_source=outbrain&utm_medium=cpc&utm_campaign=outbraincrmall
Privacy
CRM Buyer, E-Commerce Times, ECT News Network
By David Jones
Oct 5, 2016

Summary:
Although Apple has asserted that it does not collect or share data about its users' private information, that protection does not cover the "metadata" of iMessage conversations.
Documents obtained from the Florida Department of Law Enforcement's Electronic Surveillance Support Team show that information about contacts, IP addresses, and the dates and times of conversations is shared with law enforcement.

----------------------------------------------------------------------
Who Leaked Stuxnet?

Former Joint Chiefs of Staff vice chairman to plea to false statements in classified leak, court files show
https://www.washingtonpost.com/local/public-safety/former-joint-chiefs-of-staff-vice-chairman-to-plea-to-false-statements-in-classified-leak/2016/10/17/a84b9986-9483-11e6-9b7c-57290af48a49_story.html
The Washington Post
By Spencer S. Hsu and Ellen Nakashima
Oct 17, 2016

Summary:
The New York Times broke a story in 2012 about secret malware that delayed Iran's nuclear development program. The apparent source of that story, retired four-star Marine Corps general James E. "Hoss" Cartwright, pleaded guilty to lying to the FBI in an investigation into a leak of classified information. Cartwright denies being the source of the New York Times story, but acknowledges that he misled the FBI about his conversations with reporters. The story was about the Stuxnet virus, and its exact origin remains a mystery.

----------------------------------------------------------------------
Your Webcam Unleashed: the Massive Internet Attack

Why Twitter, Spotify and other major online services are down
https://www.washingtonpost.com/news/the-switch/wp/2016/10/21/someone-attacked-a-major-part-of-the-internets-infrastructure/
The Washington Post
By Andrea Peterson
Oct 21, 2016

Summary:
A denial-of-service attack brought parts of the Internet to its knees for a day, and the source of the traffic was a surprise. Someone had harnessed perhaps millions of "Internet ready" devices such as webcams and thermostats for the purpose of inundating a major DNS provider, Dyn, with useless traffic that prevented it from dealing with real requests.
Because many "Internet of Things" devices are shipped with little or no security, they are easy targets for hackers.

----------------------------------------------------------------------
The Little Logic Flaw That Undermined Linux Security

Dirty COW explained: Get a moooo-ve on and patch Linux root hole
http://www.theregister.co.uk/2016/10/21/linux_privilege_escalation_hole/
TheRegister
By Shaun Nichols
Oct 24, 2016

Summary:
Eleven years ago Linus Torvalds noticed an obscure kernel bug in the Linux operating system. Being the "kernel boss" and the figure credited with the creation of Linux in the first place, he was the natural person to both notice the bug and to fix it. Because it was hard to trigger the bug, he felt it was a low priority problem. But Linux has changed a lot in the last decade, and with one thing and another, the bug became easier to trigger, and the consequences could be a complete compromise of security. The "copy-on-write" feature of the kernel had a timing problem that would allow a user to overwrite privileged executables. A patch was issued quickly, but there are Linux systems in so many devices that it is unrealistic to think that they will all be upgraded immediately.

----------------------------------------------------------------------
Cyberwarfare, It's Here, It's There, It's Everywhere

Under the Din of the Presidential Race Lies a Once and Future Threat: Cyberwarfare
http://www.nytimes.com/2016/11/07/us/politics/under-the-din-of-the-presidential-race-lies-a-once-and-future-threat-cyberwarfare.html
The New York Times
by David E. Sanger
Nov. 6, 2016

Summary:
There were surprises in the US elections this year, one of them being that international cyberhacking figured heavily in the speculations about leaks and social media influence.
David Rothkopf, the chief executive and editor of Foreign Policy, who has written two histories of the National Security Council, comments that "Most of the biggest stories of this election cycle have had a cybercomponent to them — or the use of information warfare techniques that the Russians, in particular, honed over decades." The specter of information theft and information manipulation will hang over us for a long time to come.

----------------------------------------------------------------------
Free translation service? Some Android phones send all text messages to China

Secret Backdoor in Some U.S. Phones Sent Data to China, Analysts Say
http://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html
The New York Times
By Matt Apuzzo and Michael S. Schmidt
Nov. 15, 2016

Summary:
A Chinese company wrote software that was installed on many Android phones, and that software deliberately sent copies of text messages to a server in China. The security firm Kryptowire discovered the communication inadvertently when a company executive noticed that a phone he had recently bought seemed to have unexplained network activity. The "feature" was not disclosed to users. The Chinese company, Adups, said it was all a configuration control problem. The software was not supposed to be installed on American phones. It was intended to help a Chinese customer provide better customer support.

----------------------------------------------------------------------
Odd DNS Footprints and Speculation about the Trump Organization

Was a server registered to the Trump Organization communicating with Russia's Alfa Bank?
http://www.slate.com/articles/news_and_politics/cover_story/2016/10/was_a_server_registered_to_the_trump_organization_communicating_with_russia.html
slate.com
By Frank Foer
Nov 15, 2016

Summary:
Some DNS experts thought to help out with the security of the US election by looking for patterns of suspicious activity associated with accessing Internet sites associated with the parties, the candidates, and other information sites. They found some puzzling patterns for a server associated with Trump enterprises. That server seemed to be communicating with Alfa Bank, an entity located in Russia that operates in the West. Because the DNS information does not in itself prove that the two companies communicated, there is no accusation of collaboration. Nonetheless, in the view of some experts, the pattern is consistent with an uncommon sort of communication channel.

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

====================================================================
Listing of academic positions available
new since Cipher E134
====================================================================

The Computer Science (CS) Department at the University of Idaho (UI) College of Engineering (CoEngr) seeks 3 faculty at the rank of Assistant/Associate Professor in either Moscow or Idaho Falls with emphasis in 1) large-scale database management (big data), data analytics and data mining, machine learning, visualization, and/or high performance computing or 2) Expertise in cybersecurity is sought for industrial control systems including embedded systems security, computer and network security, or digital forensics, reverse engineering hardware/software, malware
analysis, specialized experience with power and energy systems, operations technology (OT). Startup funding and research support will be extended to help the new appointees establish a successful career and develop an externally funded research program. The successful candidates will have an earned PhD in CS or a closely related field, demonstrated strong commitment to research and teaching, excellent written and oral communication skills, ability to work with collaborating entities (industry, national laboratories, government and academia) and authorized to work in the US.

The Idaho Falls campus is located at University Place at the Center for Advanced Energy Studies (CAES) and the Idaho National Laboratory (INL). Teaching/advising is primarily graduate (MS and PhD) studies although video conferencing delivery of upper division undergraduate (UG) courseware to either Moscow or Coeur d'Alene may be required. The main campus in Moscow is home to nearly 12,000 students where the CS program provides BS, MS and PhD degrees and the Coeur d'Alene campus provides upper division UG courseware for the BSCS as well as CS graduate degrees. Faculty will engage and teach graduate students, mentor graduate student research and demonstrate success in scholarly pursuits (funding, publications, and presentations) toward sustaining research program funding.

Data Science and Analytics (Idaho Falls https://uidaho.peopleadmin.com/postings/15335)

We seek candidates with the ability to conduct numeral analysis, manage experimental facilities, engineer/analyze and manage (big) data, utilize/innovate data visualization tools and techniques (machine learning, data mining, distributed storage and processing and/or high performance computing (HPC) and related AI data analytics techniques).

Security of Cyber Physical Systems (Idaho Falls https://uidaho.peopleadmin.com/postings/15996 and Moscow https://uidaho.peopleadmin.com/postings/15978)

The CoEngr has received a $2.1M Idaho Global Entrepreneurial Mission (IGEM) grant to build educational and research capacity in Security Management of Cyber Physical Control Systems (CPCS). CPCS are the systems that underpin key sectors of our national economy, from our transportation network to our water supply to the fundamental elements of our power grid (e.g., SCADA and ICS). We seek candidates that can team with industry including Idaho National Laboratory (INL) and other universities (including Boise State University and Idaho State University) to develop products and build expertise to protect these vital systems including foster technology transfer/commercialization to strengthen and expand the workforce by delivering cyber security expertise to Idaho industry and improve the talent pipeline for computer science and engineering graduates. These faculty will become members of the research Center for Secure and Dependable Systems (CSDS). We seek candidates with expertise in cybersecurity for industrial control systems including embedded systems security, computer and network security, or digital forensics, reverse engineering hardware/software, malware analysis, specialized experience with power and energy systems, operations technology (OT).

---

Existing research centers of excellence include the Institute for Bioinformatics and Evolutionary Studies, National Institute for Advanced Transportation Technology, Center for Secure and Dependable Systems, Center for Modeling Complex Interactions and the Northwest Knowledge Network. A significant number of our faculty have joint appointments with INL. We are a certified National Center of Academic Excellence (CAE) in Information Assurance and Cybersecurity Education which is also a $3.7M NSF Scholarship for Service funded enterprise.

We highly encourage candidates from underrepresented US minority groups and/or females to apply for this position. The UI is an affirmative action/equal opportunity employer and does not discriminate on the basis of age, color, disability, gender, gender identity, marital status, national or ethnic origin, race, religion, sexual orientation or veteran status.

Jennifer Flynn, MPA
Assistant to the Center Executive Officer, Dr. Marc Skinner
Office-208-757-5402
Cell-503-621-7718
http://www.uidaho.edu/idahofalls/

-------------------------------------------------
=================================================================
Jobs Listed through http://cisr.nps.edu/jobscipher.html by Cynthia Irvine

University at Albany
Albany, NY
Cyber Security, Assistant/Associate/Full Professor
Application deadline: Open until filled
https://albany.interviewexchange.com/jobofferdetails.jsp?JOBID=75668

--------------
This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
====================================================================

Calendar of Security and Privacy Related Events
maintained by Hilarie Orman

Cipher calendar announcements are on Twitter; follow "ciphernews"

Calls or announcements added since Cipher E134

Date (Month/Day/Year), Event, Locations, web page for more info.

11/23/16-11/25/16: FNSS, 2nd International Conference on Future Networks Systems and Security, Paris, France; http://fnss.org
11/30/16: PETS, 17th Privacy Enhancing Technologies Symposium, Minneapolis, MN, USA; https://petsymposium.org/; Submissions are due
12/ 1/16: IEEE MultiMedia, Special Issue on Cybersecurity for Cyber-Enabled Multimedia Applications; https://www.computer.org/web/computingnow/mmcfp4; Submissions are due
12/ 1/16: CPSS, 3rd ACM Cyber-Physical System Security Workshop, Abu Dhabi, UAE; http://icsd.i2r.a-star.edu.sg/cpss17/; Submissions are due
12/ 1/16: USEC, Usable Security Mini Conference, Co-located with NDSS 2017, San Diego, California, USA; http://www.dcs.gla.ac.uk/~karen/usec/; Submissions are due
12/ 1/16-12/ 2/16: Mycrypt, 2nd International Conference on Cryptology & Malicious Security, Kuala Lumpur, Malaysia; https://foe.mmu.edu.my/mycrypt2016
12/ 2/16: Advances in Multimedia journal, Special Issue on Emerging Challenges and Solutions for Multimedia Security; http://www.hindawi.com/journals/am/si/561923/cfp/; Submissions are due
12/ 4/16-12/ 7/16: WIFS, 8th IEEE International Workshop on Information Forensics and Security, Abu Dhabi, UAE; http://www.wifs2016.org
12/ 5/16-12/ 6/16: SSR, 3rd International conference on Security Standardization Research, Gaithersburg, MD, USA; http://csrc.nist.gov/groups/ST/ssr2016/
12/ 6/16: ICSS, Industrial Control System Security Workshop, Held in conjunction with 32nd Annual Computer Security Applications Conference (ACSAC 2016), Los Angeles, California, USA; https://www.acsac.org/2016/workshops/icss/
12/ 6/16: IWSPA, 3rd ACM International Workshop on Security and Privacy Analytics, Co-located with ACM CODASPY 2017, Scottsdale, Arizona, USA; http://capex.cs.uh.edu/?q=content/international-workshop-security-and-privacy-analytics-2017; Submissions are due
12/14/16-12/16/16: BigTrust, 1st International Workshop on Trust, Security and Privacy for Big Data, Granada, Spain; http://csee.hnu.edu.cn/hbs/
12/16/16-12/18/16: SPACE, 6th International Conference on Security, Privacy and Applied Cryptography Engineering, Hyderabad, India; http://www.math.umn.edu/~math-sa-sara0050/space16/
12/16/16-12/20/16: ICISS, 12th International Conference on Information Systems Security, Jaipur, India; http://www.iciss.org.in
12/23/16: IFIPSEC, 32nd IFIP TC-11 SEC 2017 International Information Security and Privacy Conference, Rome, Italy; http://ifipsec.org/2017/; Submissions are due
1/15/17: BioSTAR, International Workshop on Bio-inspired Security, Trust, Assurance and Resilience, Co-located with the 38th IEEE Symposium on Security and Privacy (IEEE S&P 2017), San Jose, CA, USA; http://biostar.cybersecurity.bio/; Submissions are due
1/15/17: WTMC, 2nd International Workshop on Traffic Measurements for Cybersecurity, Co-located with the 38th IEEE Symposium on Security and Privacy (IEEE S&P 2017), San Jose, CA, USA; http://wtmc.info; Submissions are due
1/15/17: WoC, 3rd IEEE International Workshop on Container Technologies and Container Clouds, Held in conjunction with IEEE International Conference on Cloud Engineering (IC2E 2017), Vancouver, Canada; http://researcher.watson.ibm.com/researcher/view_group.php?id=7476; Submissions are due
1/15/17: WACC, International Workshop on Assured Cloud Computing and QoS aware Big Data, Held in conjunction with 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing (CCGRID 2017), Madrid, Spain; http://www.eubra-bigsea.eu/WACC_2017; Submissions are due
1/20/17: IoTPTS, 3rd International Workshop on IoT Privacy, Trust, and Security, Held in conjunction with the 12th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2017); https://sites.google.com/site/iotpts2017/; Submissions are due
1/21/17: DSC, IEEE Conference on Dependable and Secure Computing, Taipei, Taiwan; http://dsc17.cs.nctu.edu.tw/; Submissions are due
1/30/17- 2/ 1/17: IFIP 119 DF, 13th Annual IFIP WG 11.9 International Conference on
    Digital Forensics, Orlando, Florida, USA; http://www.ifip119.org/
2/ 3/17: IWPE, 3rd International Workshop on Privacy Engineering, Co-located with IEEE Symposium on Security and Privacy (SP 2017), San Jose, CA, USA; http://ieee-security.org/TC/SPW2017/IWPE/; Submissions are due
2/21/17- 2/22/17: SG-CRC, 2nd Singapore Cyber Security R&D Conference, Singapore; http://www.comp.nus.edu.sg/~tsunami/sg-crc17/
2/26/17: USEC, Usable Security Mini Conference, Co-located with NDSS 2017, San Diego, California, USA; http://www.dcs.gla.ac.uk/~karen/usec/
2/26/17- 3/ 1/17: NDSS, Network and Distributed System Security Symposium, San Diego, California, USA; https://www.internetsociety.org/events/ndss-symposium/ndss-symposium-2017/ndss-2017-call-papers;
2/28/17: Journal of Visual Communication and Image Representation, Special Issue on Data-driven Multimedia Forensics and Security; http://www.journals.elsevier.com/journal-of-visual-communication-and-image-representation; Submissions are due
2/28/17: PETS, 17th Privacy Enhancing Technologies Symposium, Minneapolis, MN, USA; https://petsymposium.org/; Submissions are due
3/ 1/17: IEEE Security & Privacy Magazine, Special issue on Digital Forensics; https://www.computer.org/web/computingnow/spcfp6; Submissions are due
3/21/17- 3/23/17: DFRWS-EU, DFRWS digital forensics EU conference, Lake Constance, Germany; http://www.dfrws.org/conferences/dfrws-eu-2017
3/24/17: IWSPA, 3rd ACM International Workshop on Security and Privacy Analytics, Co-located with ACM CODASPY 2017, Scottsdale, Arizona, USA; http://capex.cs.uh.edu/?q=content/international-workshop-security-and-privacy-analytics-2017
3/27/17- 3/29/17: INTRICATE-SEC, 5th International Workshop on Security Intricacies in Cyber-Physical Systems and Services, Taipei, Taiwan; https://goo.gl/562zhD
4/ 2/17- 4/ 6/17: ASIACCS, ACM Symposium on Information, Computer and Communications Security, Abu Dhabi, United Arab Emirates; http://asiaccs2017.com/
4/ 2/17: CPSS, 3rd ACM Cyber-Physical
    System Security Workshop, Abu Dhabi, UAE; http://icsd.i2r.a-star.edu.sg/cpss17/
4/ 2/17: IoTPTS, 3rd International Workshop on IoT Privacy, Trust, and Security, Held in conjunction with the 12th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2017); https://sites.google.com/site/iotpts2017/
4/ 3/17- 4/ 7/17: WWW, WWW Security and Privacy Track, Perth, Australia; http://www.www2017.com.au/call-for-papers/security-and-privacy.php
4/ 4/17- 4/ 7/17: WoC, 3rd IEEE International Workshop on Container Technologies and Container Clouds, Held in conjunction with IEEE International Conference on Cloud Engineering (IC2E 2017), Vancouver, Canada; http://researcher.watson.ibm.com/researcher/view_group.php?id=7476
4/26/17- 4/28/17: IEEE EuroSP, 2nd IEEE European Symposium on Security and Privacy, Paris, France; http://www.ieee-security.org/TC/EuroSP2017/cfp.php
5/ 1/17- 5/ 5/17: HOST, IEEE International Symposium on Hardware Oriented Security and Trust, McLean, VA, USA; http://www.hostsymposium.org
5/14/17- 5/17/17: WACC, International Workshop on Assured Cloud Computing and QoS aware Big Data, Held in conjunction with 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing (CCGRID 2017), Madrid, Spain; http://www.eubra-bigsea.eu/WACC_2017
5/22/17- 5/24/17: SP, 38th IEEE Symposium on Security and Privacy, San Jose, CA, USA; http://www.ieee-security.org/TC/SP2017/
5/25/17: BioSTAR, International Workshop on Bio-inspired Security, Trust, Assurance and Resilience, Co-located with the 38th IEEE Symposium on Security and Privacy (IEEE S&P 2017), San Jose, CA, USA; http://biostar.cybersecurity.bio/
5/25/17: WTMC, 2nd International Workshop on Traffic Measurements for Cybersecurity, Co-located with the 38th IEEE Symposium on Security and Privacy (IEEE S&P 2017), San Jose, CA, USA; http://wtmc.info
5/25/17: IWPE, 3rd International Workshop on Privacy Engineering, Co-located to IEEE Symposium on Security and Privacy (SP 2017), San Jose, CA,
USA; http://ieee-security.org/TC/SPW2017/IWPE/
5/29/17- 5/31/17: IFIPSEC, 32nd IFIP TC-11 SEC 2017 International Information Security and Privacy Conference, Rome, Italy; http://ifipsec.org/2017/
7/18/17- 7/21/17: PETS, 17th Privacy Enhancing Technologies Symposium, Minneapolis, MN, USA; https://petsymposium.org/
8/ 7/17- 8/10/17: DSC, IEEE Conference on Dependable and Secure Computing, Taipei, Taiwan; http://dsc17.cs.nctu.edu.tw/

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers (new since Cipher E134)
___________________________________________________________________

PETS 2017 17th Privacy Enhancing Technologies Symposium, Minneapolis, MN, USA, July 18 - July 21, 2017. (Submission Due 31 August 2016; 30 November 2016; 28 February 2017)
https://petsymposium.org/

The annual Privacy Enhancing Technologies Symposium (PETS) brings together privacy experts from around the world to present and discuss recent advances and new perspectives on research in privacy technologies. Papers undergo a journal-style reviewing process and accepted papers are published in Proceedings on Privacy Enhancing Technologies (PoPETs), a scholarly, open access journal. Submitted papers should present novel practical and/or theoretical research into the design, analysis, experimentation, or fielding of privacy-enhancing technologies. While PETS/PoPETs has traditionally been home to research on anonymity systems and privacy-oriented cryptography, we strongly encourage submissions on a number of both well-established and emerging privacy-related topics, for which examples are provided below. PoPETs also solicits submissions for Systematization of Knowledge (SoK) papers. These are papers that critically review, evaluate, and contextualize work in areas for which a body of prior literature exists, and whose contribution lies in systematizing the existing knowledge in that area.
-------------------------------------------------------------------------
IEEE MultiMedia, Special Issue on Cybersecurity for Cyber-Enabled Multimedia Applications, (Submission Due 1 December 2016)
https://www.computer.org/web/computingnow/mmcfp4

Guest Editors: Qun Jin (Waseda University, Japan), Yong Xiang (Deakin University, Australia), Guozi Sun (Nanjing University of Posts and Telecommunications, China), Yao Liu (University of South Florida, USA), and Chin-Chen Chang (Feng Chia University, Taiwan)

With the rapid popularity of social network applications and advanced digital devices, the past few years have witnessed the explosive growth of multimedia big data in terms of both scale and variety. Such increasing multimedia data determines a new way of communication: seamless network connection, the joyfulness user experience, and free information sharing. Meanwhile, security issues related to such multimedia big data have arisen, and an urgent demand for novel technologies has emerged to deal with copyright protection, multimedia forgery detection, and cybersecurity, especially for cyber-enabled multimedia applications. Although many promising solutions have been proposed recently, it is still challenging for the multimedia community to effectively and efficiently handle security challenges over large-scale multimedia data, especially when the scale comes up from tens of thousands to tens of millions or even billions. This special issue aims to bring together the greatest research efforts in cybersecurity for cyber-enabled multimedia applications to specifically deal with the security challenges in the multimedia big data era.
The main goals are to investigate novel ideas and research work of cybersecurity issues with multimedia big data; find or develop effective and efficient techniques and methods in computer vision, multimedia processing, and sensor networks for specific cybersecurity tasks, such as data hiding, and forensics; survey the progress of this area in the past years; and explore interesting and practical cyber-enabled multimedia applications. Submissions should be unpublished and present innovative research work offering contributions either from a methodological or application point of view. Topics of interest include, but are not limited to, the following:
 - Emerging fundamental issues in multimedia big data security
 - Text, audio, images, and video data hiding
 - Multimedia steganography and corresponding steganalysis
 - Multimedia watermarking, fingerprinting, and hashing
 - Multimedia forensics and data source identification
 - Cryptography, secret sharing, and biometrics
 - Multimedia network security, privacy, and protection
 - Multimedia big data trust management and access control
 - Secure covert communications and cybersecurity
 - Secure cyber-enabled multimedia applications in health, education, and so on

-------------------------------------------------------------------------
CPSS 2017 3rd ACM Cyber-Physical System Security Workshop, Abu Dhabi, UAE, April 2, 2017. (Submission Due 1 December 2016)
http://icsd.i2r.a-star.edu.sg/cpss17/

Cyber-Physical Systems (CPS) consist of large-scale interconnected systems of heterogeneous components interacting with their physical environments. There are a multitude of CPS devices and applications being deployed to serve critical functions in our lives. The security of CPS becomes extremely important. This workshop will provide a platform for professionals from academia, government, and industry to discuss how to address the increasing security challenges facing CPS.
Besides invited talks, we also seek novel submissions describing theoretical and practical security solutions to CPS. Papers that are pertinent to the security of embedded systems, SCADA, smart grid, and critical infrastructure networks are all welcome, especially in the domains of energy and transportation. Topics of interest include, but are not limited to:
 - Authentication and access control for CPS
 - Autonomous vehicle security
 - Availability, recovery and auditing for CPS
 - Data security and privacy for CPS
 - Embedded systems security
 - EV charging system security
 - Industrial control system security
 - Intrusion detection for CPS
 - IoT security
 - Key management in CPS
 - Legacy CPS system protection
 - Lightweight crypto and security
 - Risk assessment for CPS
 - SCADA security
 - Security architectures for CPS
 - Smart grid security
 - Threat modeling for CPS
 - Urban transportation system security
 - Vulnerability analysis for CPS
 - Wireless sensor network security

-------------------------------------------------------------------------
USEC 2017 Usable Security Mini Conference, Co-located with NDSS 2017, San Diego, California, USA, February 26, 2017. (Submission Due 1 December 2016)
http://www.dcs.gla.ac.uk/~karen/usec/

One cannot have security and privacy without considering both the technical and human aspects thereof. If the user is not given due consideration in the development process, the system is likely to enable users to protect their privacy and security in the Internet. Usable security and security is more complicated than traditional usability. This is because traditional usability principles cannot always be applied. For example, one of the cornerstones of usability is that people are given feedback on their actions, and are helped to recover from errors. In authentication, we obfuscate password entry (a usability fail) and we give people no assistance to recover from errors.
Moreover, security is often not related to the actual functionality of the system, so people often see it as a bolt-on, and an annoying hurdle. These and other usability challenges of security are the focus of this workshop. We invite submissions on all aspects of human factors including mental models, adoption, and usability in the context of security and privacy. USEC 2017 aims to bring together researchers already engaged in this interdisciplinary effort with other computer science researchers in areas such as visualization, artificial intelligence, machine learning and theoretical computer science as well as researchers from other domains such as economics, legal scientists, social scientists, and psychology. We particularly encourage collaborative research from authors in multiple disciplines. It is the aim of USEC to contribute to an increase of the scientific quality of research in human factors in security and privacy. To this end, we encourage the use of replication studies to validate research findings. This important and often very insightful branch of research is sorely under-represented in human factors in security and privacy research to date. Papers in these categories should be clearly marked as such and will not be judged against regular submissions on novelty. Rather, they will be judged based on scientific quality and value to the community. We also encourage reports of failed experiments, since their publication will serve to prevent others falling into the same traps. Topics include, but are not limited to:
 - Human factors related to the deployment of the Internet of Things (New topic for 2017)
 - Usable security / privacy evaluation of existing and/or proposed solutions
 - Mental models that contribute to, or complicate, security or privacy
 - Lessons learned from designing, deploying, managing or evaluating security and privacy technologies
 - Foundations of usable security and privacy incl.
   usable security and privacy patterns
 - Ethical, psychological, sociological, economic, and legal aspects of security and privacy technologies

-------------------------------------------------------------------------
Advances in Multimedia journal, Special Issue on Emerging Challenges and Solutions for Multimedia Security, (Submission Due 2 December 2016)
http://www.hindawi.com/journals/am/si/561923/cfp/

Guest Editors: Wojciech Mazurczyk (Warsaw University of Technology, Poland), Artur Janicki (Warsaw University of Technology, Poland), Hui Tian (National Huaqiao University, China), and Honggang Wang (University of Massachusetts Dartmouth, USA)

Today's world's societies are becoming more and more dependent on open networks such as the Internet, where commercial activities, business transactions, government services, and entertainment services are realized. This has led to the fast development of new cyber threats and numerous information security issues which are exploited by cyber criminals. The inability to provide trusted secure services in contemporary computer network technologies could have a tremendous socioeconomic impact on global enterprises as well as on individuals. In the recent years, rapid development in digital technologies has been augmented by the progress in the field of multimedia standards and the mushrooming of multimedia applications and services penetrating and changing the way people interact, communicate, work, entertain, and relax. Multimedia services are becoming more significant and popular and they enrich humans' everyday life. Currently, the term multimedia information refers not only to text, image, video, or audio content but also to graphics, flash, web, 3D data, and so forth. Multimedia information may be generated, processed, transmitted, retrieved, consumed, or shared in various environments. The lowered cost of reproduction, storage, and distribution, however, also invites much motivation for large-scale commercial infringement.
The above-mentioned issues have generated new challenges related to protection of multimedia services, applications, and digital content. Providing multimedia security is significantly different from providing typical computer information security, since multimedia content usually involves large volumes of data and requires interactive operations and real-time responses. Additionally, ensuring digital multimedia security must also signify safeguarding of the multimedia services. Different services require different methods for content distribution, payment, interaction, and so forth. Moreover, these services are also expected to be "smart" in the environment of converged networks, which means that they must adapt to different network conditions and types as multimedia information can be utilized in various networked environments, for example, in fixed, wireless, and mobile networks. All of these make providing security for multimedia even harder to perform. This special issue intends to bring together diversity of international researchers, experts, and practitioners who are currently working in the area of digital multimedia security. Researchers both from academia and industry are invited to contribute their work for extending the existing knowledge in the field. The aim of this special issue is to present a collection of high-quality research papers that will provide a view on the latest research advances not only on secure multimedia transmission and distribution but also on multimedia content protection. 
Potential topics include, but are not limited to:
 - Emerging technologies in digital multimedia security
 - Digital watermarking
 - Fingerprinting in multimedia signals
 - Digital media steganology (steganography and steganalysis)
 - Information theoretic analysis of secure multimedia systems
 - Security/privacy in multimedia services
 - Multimedia and digital media forensics
 - Quality of Service (QoS)/Quality of Experience (QoE) and their relationships with security
 - Security of voice and face biometry
 - Multimedia integrity verification and authentication
 - Multimedia systems security
 - Digital rights management
 - Digital content protection
 - Tampering and attacks on original information
 - Content identification and secure content delivery
 - Piracy detection and tracing
 - Copyright protection and surveillance
 - Forgery detection
 - Secure multimedia networking
 - Multimedia network protection, privacy, and security
 - Secure multimedia system design, trusted computing, and protocol security

-------------------------------------------------------------------------
IWSPA 2017 3rd ACM International Workshop on Security and Privacy Analytics, Co-located with ACM CODASPY 2017, Scottsdale, Arizona, USA, March 24, 2017. (Submission Due 6 December 2016)
http://capex.cs.uh.edu/?q=content/international-workshop-security-and-privacy-analytics-2017

Increasingly, sophisticated techniques from machine learning, data mining, statistics and natural language processing are being applied to challenges in security and privacy fields. However, experts from these areas have no medium where they can meet and exchange ideas so that strong collaborations can emerge, and cross-fertilization of these areas can occur. Moreover, current courses and curricula in security do not sufficiently emphasize background in these areas and students in security and privacy are not emerging with deep knowledge of these topics.
Hence, we propose a workshop that will address the research and development efforts in which analytical techniques from machine learning, data mining, natural language processing and statistics are applied to solve security and privacy challenges ("security analytics"). Submissions of papers related to methodology, design, techniques and new directions for security and privacy that make significant use of machine learning, data mining, statistics or natural language processing are welcome. Furthermore, submissions on educational topics and systems in the field of security analytics are also highly encouraged.

-------------------------------------------------------------------------
IFIPSEC 2017 32nd IFIP TC-11 SEC 2017 International Information Security and Privacy Conference, Rome, Italy, May 29-31, 2017. (Submission Due 23 December 2016)
http://ifipsec.org/2017/

The IFIP SEC conference is the flagship event of the International Federation for Information Processing (IFIP) Technical Committee 11 on Security and Privacy Protection in Information Processing Systems (TC-11, www.ifiptc11.org). Previous SEC conferences were held in Ghent (Belgium) 2016, Hamburg (Germany) 2015, Marrakech (Morocco) 2014, Auckland (New Zealand) 2013, Heraklion (Greece) 2012, Lucerne (Switzerland) 2011, and Brisbane (Australia) 2010. We seek submissions from academia, industry, and government presenting novel research on all theoretical and practical aspects of security and privacy protection in ICT Systems.
Topics of interest include, but are not limited to:
 - Access control and authentication
 - Applied cryptography
 - Audit and risk analysis
 - Biometrics
 - Big data security and privacy
 - Cloud security and privacy
 - Critical infrastructure protection
 - Cyber-physical systems security
 - Data protection
 - Data and applications security
 - Digital forensics
 - Human aspects of security and privacy
 - Identity management
 - Information security education
 - Information security management
 - Information technology mis-use and the law
 - Managing information security functions
 - Mobile security
 - Multilateral security
 - Network & distributed systems security
 - Privacy protection and Privacy-by-design
 - Privacy enhancing technologies
 - Security and privacy in crowdsourcing
 - Security and privacy in pervasive systems
 - Security and privacy in the Internet of Things
 - Security and privacy policies
 - Surveillance and counter-surveillance
 - Trust management
 - Usable security

-------------------------------------------------------------------------
BioSTAR 2017 International Workshop on Bio-inspired Security, Trust, Assurance and Resilience, Co-located with the 38th IEEE Symposium on Security and Privacy (IEEE S&P 2017), San Jose, CA, USA, May 25, 2017. (Submission Due 15 January 2017)
http://biostar.cybersecurity.bio/

As computing and communication systems continue to expand and offer new services, these advancements require more dynamic, diverse, and interconnected computing infrastructures. Unfortunately, defending and maintaining resilient and trustworthy operation of these complex systems are increasingly difficult challenges. Conventional approaches to Security, Trust, Assurance and Resilience (STAR for short) are often too narrowly focused and cannot easily scale to manage large, coordinated and persistent attacks in these environments.
Designs found in nature are increasingly used as a source of inspiration for STAR and related networking and intelligence solutions for complex computing and communication environments. Nature's footprint is present in the world of Information Technology, where there are an astounding number of computational bio-inspired techniques. These well-regarded approaches include genetic algorithms, neural networks, ant algorithms, immune systems just to name a few. For example several networking management and security technologies have successfully adopted some of nature's approaches, such as swarm intelligence, artificial immune systems, sensor networks, moving target defense, diversity-based software design, etc. Nature has also developed an outstanding ability to recognize individuals or foreign objects and adapt/evolve to protect a group or a single organism. Solutions that incorporate these nature-inspired characteristics often have improved performance and/or provided new capabilities beyond more traditional methods. The aim of this workshop is to bring together the research accomplishments provided by the researchers from academia and the industry. The other goal is to show the latest research results in the field of nature-inspired STAR aspects in computing and communications. 
Topics of interest include, but are not limited to:
 - Nature-inspired anomaly and intrusion detection
 - Adaptation algorithms
 - Biometrics
 - Nature-inspired algorithms and technologies for STAR
 - Biomimetics
 - Artificial Immune Systems
 - Adaptive and Evolvable Systems
 - Machine Learning, neural networks, genetic algorithms for STAR
 - Nature-inspired analytics and prediction
 - Cognitive systems
 - Sensor and actuator networks and systems
 - Information hiding solutions (steganography, watermarking) for network traffic
 - Cooperative defense systems
 - Cloud-supported nature-inspired STAR
 - Theoretical development in heuristics
 - Management of decentralized networks
 - Nature-inspired algorithms for dependable networks
 - Platforms for STAR services
 - Diversity in computing and communications
 - Survivable and sustainable systems
 - STAR management systems
 - Autonomic cyber defenses

-------------------------------------------------------------------------
WTMC 2017 2nd International Workshop on Traffic Measurements for Cybersecurity, Co-located with the 38th IEEE Symposium on Security and Privacy (IEEE S&P 2017), San Jose, CA, USA, May 25, 2017. (Submission Due 15 January 2017)
http://wtmc.info

Current communication networks are increasingly becoming pervasive, complex, and ever-evolving due to factors like enormous growth in the number of network users, continuous appearance of network applications, increasing amount of data transferred, and diversity of user behaviors. Understanding and measuring traffic in such networks is a difficult yet vital task for network management but recently also for cybersecurity purposes. Network traffic measuring and monitoring can, for example, enable the analysis of the spreading of malicious software and its capabilities or can help to understand the nature of various network threats including those that exploit users' behavior and other user's sensitive information.
On the other hand network traffic investigation can also help to assess the effectiveness of the existing countermeasures or contribute to building new, better ones. Recently, traffic measurements have been utilized in the area of economics of cybersecurity e.g. to assess ISP or to estimate the revenue of cyber criminals. The aim of this workshop is to bring together the research accomplishments provided by the researchers from academia and the industry. The other goal is to show the latest research results in the field of cybersecurity and understand how traffic measurements can influence it. We encourage prospective authors to submit related distinguished research papers on the subject of both: theoretical approaches and practical case reviews. This workshop presents some of the most relevant ongoing research in cybersecurity seen from the traffic measurements perspective. The workshop will be accessible to both non-experts interested in learning about this area and experts interested in hearing about new research and approaches.
Topics of interest include, but are not limited to:
 - Measurements for network incidents response, investigation and evidence handling
 - Measurements for network anomalies detection
 - Measurements for economics of cybersecurity
 - Network traffic analysis to discover the nature and evolution of the cybersecurity threats
 - Measurements for assessing the effectiveness of the threats detection/prevention methods and countermeasures
 - Novel passive, active and hybrid measurements techniques for cybersecurity purposes
 - Traffic classification and topology discovery tools for monitoring the evolving status of the network from the cybersecurity perspective
 - Correlation of measurements across multiple layers, protocols or networks for cybersecurity purposes
 - Novel visualization approaches to detect network attacks and other threats
 - Analysis of network traffic to provide new insights about network structure and behavior from the security perspective
 - Measurements of network protocol and applications behavior and its impact on cybersecurity and users' privacy
 - Measurements related to network security and privacy

-------------------------------------------------------------------------
WoC 2017 3rd IEEE International Workshop on Container Technologies and Container Clouds, Held in conjunction with IEEE International Conference on Cloud Engineering (IC2E 2017), Vancouver, Canada, April 4-7, 2017. (Submission Due 15 January 2017)
http://researcher.watson.ibm.com/researcher/view_group.php?id=7476

Containers are a lightweight OS-level virtualization abstraction primarily based on namespace isolation and control groups. In the recent years, container-based virtualization for applications has gained immense popularity thanks to the success of technologies like Docker. Container packaging mechanisms like Docker, LXD and Rkt, as well as management frameworks like Kubernetes, Mesos, etc., are witnessing widespread adoption in the industry today.
Container technologies have eliminated the feature parity between development and production environment by enabling developers to package applications and their dependencies as a single unit that can be run across diverse operating environments. Though containers provide a great amount of flexibility and portability from a developer's perspective, there are several important challenges that need to be addressed by the infrastructure provider, in order to run these virtualized applications in a cloud environment. The second workshop on container technologies and container clouds solicits contributions in this area from researchers and practitioners in both the academia and industry. The workshop welcomes submissions describing unpublished research, position papers as well as deployment experiences on various topics related to containers as outlined below:
 - Security, isolation and performance of containers
 - Network architectures for multi-host container deployments
 - Orchestration models for cloud scale deployments
 - High availability systems for containerized workloads
 - Leveraging hardware support for containers and containerized workloads
 - Migrating and optimizing traditional workloads for containers
 - Operational issues surrounding management of large clusters of containers
 - Container use cases and challenges for HPC, Big Data and IoT applications
 - Other topics relevant to containers

-------------------------------------------------------------------------
WACC 2017 International Workshop on Assured Cloud Computing and QoS aware Big Data, Held in conjunction with 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing (CCGRID 2017), Madrid, Spain, May 14-17, 2017. (Submission Due 15 January 2017)
http://www.eubra-bigsea.eu/WACC_2017

WACC draws together researchers, practitioners, and thought leaders from government, industry, and academia.
The workshop provides a forum of dialogue centered upon the development and advancement of an effort to design, implement, and evaluate dependable cloud architectures that can provide assurances with respect to security, reliability, and timeliness of computations (or services). Some new "assured" target applications include, but are not limited to, dependable Big Data applications and streaming, data analytics and its tools, real-time computations for monitoring, control of cyber-physical systems such as power systems, and mission critical computations for rescue and recovery. The technical emphasis of WACC is design, implementation, and evaluation of cloud services, data analytics tools, and security solutions to enable dependable Big Data applications. Research on cloud services, ICT-skilled data scientists and application developers can find complementary solutions and partnerships to evaluate and integrate additional solutions. Data scientists can find new tools that could address existing needs.

-------------------------------------------------------------------------
IoTPTS 2017 3rd International Workshop on IoT Privacy, Trust, and Security, Held in conjunction with the 12th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2017), Abu Dhabi, UAE, April 2, 2017. (Submission Due 20 January 2017)
https://sites.google.com/site/iotpts2017/

The Internet of Things (IoT) is the next great technology frontier. At a basic level, IoT refers simply to networked devices, but the IoT vision is a complex ecosystem that ranges from cloud backend services and big-data analytics to home, public, industrial, and wearable sensor devices and appliances. Architectures for these systems are in the formative stages, and now is the time to ensure privacy, trust, and security are designed into these systems from the beginning. We encourage submissions on all aspects of IoT privacy, trust, and security.
Topics of interest include (but are not limited to) the following areas:
 - Privacy and IoT data
 - Privacy attacks for IoT
 - Trust management and device discoverability for IoT
 - Usability of privacy and security systems in IoT
 - User risk perceptions and modeling for IoT
 - Policy Management and enforcement for IoT
 - Authentication and access control for users for IoT
 - Cryptography for IoT
 - Attack detection and remediation for IoT
 - Security architectures for IoT systems and applications

-------------------------------------------------------------------------
DSC 2017 IEEE Conference on Dependable and Secure Computing, Taipei, Taiwan, August 7-10, 2017. (Submission Due 21 January 2017)
http://dsc17.cs.nctu.edu.tw/

The IEEE Conference on Dependable and Secure Computing solicits papers, posters, practices, and experiences for presenting innovative research results, problem solutions, and new challenges in the field of dependable and secure computing. The whole spectrum of IT systems and application areas, including hardware design and software systems, with stringent relevant to dependability and security concerns are of interest to DSC. Authors are invited to submit original works on research and practice of creating, validating, deploying, and maintaining dependable and secure systems. The conference has two tracks for research papers, the "Computer Systems, Networks, and Software" track and the "System Electronics, VLSI, and CAD" track. In addition to research papers, the DSC conference will also include a submission category for experience and practice papers on new findings in the two aforementioned categories. The PC will evaluate a submission to the experience and practice track with the understanding that it predominantly contributes to the VLSI/CAD design knowhow or the extension of the community's knowledge about how the security protection of known techniques fares in real-world operations.
Authors have to submit a short paper along with slides and an optional supplemental video to demonstrate the implementation and/or the practicability of the work.

-------------------------------------------------------------------------
IWPE 2017 3rd International Workshop on Privacy Engineering, Co-located with IEEE Symposium on Security and Privacy (SP 2017), San Jose, CA, USA, May 25, 2017. (Submission Due 3 February 2017)
http://ieee-security.org/TC/SPW2017/IWPE/

Ongoing news reports regarding global surveillance programs, massive personal data breaches in corporate databases, and notorious examples of personal tragedies due to privacy violations have intensified societal demands for privacy-friendly systems. In response, current legislative and standardization processes worldwide aim to strengthen individual's privacy by introducing legal, organizational and technical frameworks that personal data collectors and processors must follow. However, in practice, these initiatives alone are not enough to guarantee that organizations and software developers will be able to identify and adopt appropriate privacy engineering techniques in their daily practices. Even if so, it is difficult to systematically evaluate whether the systems they develop using such techniques comply with legal frameworks, provide necessary technical assurances, and fulfill users' privacy requirements. It is evident that research is needed in developing techniques and tools that can aid the translation of legal and normative concepts, as well as user expectations into systems requirements. Furthermore, methods that can support organizations and engineers in developing (socio-)technical systems that address these requirements are of increasing value to respond to the existing societal challenges associated with privacy. In this context, privacy engineering research is emerging as an important topic.
Engineers are increasingly expected to build and maintain privacy-preserving and data-protection compliant systems in different ICT domains such as health, energy, transportation, social computing, law enforcement, public services; based on different infrastructures such as cloud, grid, or mobile computing and architectures. While there is a consensus on the benefits of an engineering approach to privacy, concrete proposals for models, methods, techniques and tools that support engineers and organizations in this endeavor are few and in need of immediate attention. To cover this gap, the topics of the International Workshop on Privacy Engineering (IWPE'17) focus on all the aspects surrounding privacy engineering, ranging from its theoretical foundations, engineering approaches, and support infrastructures, to its practical application in projects of different scale. Specifically, we are seeking the following kinds of papers: (1) technical papers that illustrate the engineering or application of a novel formalism, method or other research finding (e.g., a privacy enhancing protocol) with preliminary evaluation; (2) experience and practice papers that describe a case study, challenge or lessons learned in a specific domain; (3) early evaluations of tools and other infrastructure that support engineering tasks in privacy requirements, design, implementation, testing, etc.; (4) interdisciplinary studies or critical reviews of existing privacy engineering concepts, methods, tools and frameworks; or (5) vision papers that take a clear position informed by evidence based on a thorough literature review. IWPE'17 welcomes papers that focus on novel solutions on the recent developments in the general area of privacy engineering.
Topics of interest include, but are not limited to:
- Integrating law and policy compliance into the development process
- Privacy impact assessment during software development
- Privacy risk management models
- Privacy breach recovery methods
- Technical standards, heuristics and best practices for privacy engineering
- Privacy engineering in technical standards
- Privacy requirements elicitation and analysis methods
- User privacy and data protection requirements
- Management of privacy requirements with other system requirements
- Privacy requirements elicitation and analysis techniques
- Privacy engineering strategies and design patterns
- Privacy-preserving architectures
- Privacy engineering and databases, services, and the cloud
- Privacy engineering in networks
- Engineering techniques for fairness, transparency, and privacy in databases
- Privacy engineering in the context of interaction design and usability
- Privacy testing and evaluation methods
- Validation and verification of privacy requirements
- Privacy engineering and design
- Engineering Privacy Enhancing Technologies (PETs)
- Integration of PETs into systems
- Models and approaches for the verification of privacy properties
- Tools and formal languages supporting privacy engineering
- Teaching and training privacy engineering
- Adaptations of privacy engineering into specific software development processes
- Pilots and real-world applications
- Evaluation of privacy engineering methods, technologies and tools
- Privacy engineering and accountability
- Privacy engineering and business processes
- Privacy engineering and manageability of data in (large) enterprises
- Organizational, legal, political and economic aspects of privacy engineering

-------------------------------------------------------------------------
Journal of Visual Communication and Image Representation, Special Issue on Data-driven Multimedia Forensics and Security, (Submission Due 28 February 2017)
http://www.journals.elsevier.com/journal-of-visual-communication-and-image-representation
Guest Editors: Anderson Rocha (University of Campinas, Brazil), Shujun Li (University of Surrey, UK), C.-C. Jay Kuo (University of Southern California, US), Alessandro Piva (University of Florence, Italy), and Jiwu Huang (Shenzhen University, China)

In the last decade a large number of multimedia forensic and security techniques have been proposed to evaluate integrity of multimedia data. However, most of these solutions adopt very limiting and simplifying working conditions, being more appropriate for laboratory tests than for real-world deployment. Unfortunately, with big data requirements on the table, the stakes are higher now. Forensics and security experts are no longer required to provide the society with solutions for specific cases. Instead, we need to cope with sheer amounts of data and in different operational and acquisition conditions. In addition to the traditional multimedia forensics and security research around integrity and authentication, digital images and videos have also been the core components in other related application domains, e.g. biometrics, image and video based information hiding, image and video collection forensics, automatic child porn detection, digital triage of image and video evidence, attacks on image and video-based CAPTCHAs, etc. A common feature of the above listed multimedia forensics and security problems is that they can all be solved by machine learning techniques driven by training data. In recent years, some new and powerful modeling and machine learning paradigms have been developed that allow us to glean over massive amounts of data and directly extract useful information for proper decision making, thus creating new techniques to solve those multimedia forensics and security problems with improved performance.
This Special Issue invites researchers in all related fields (including but not limited to image and video signal processing, machine learning, computer vision and pattern recognition, cyber security, digital forensics) to join us in a quest for pinpointing the next-generation image and video forensics and security solutions of tomorrow, capable of processing image and video data using the recently-developed deep learning paradigm and other new modelling and learning techniques. ALL submissions must highlight their machine-learning based approach and discuss how their solutions deal with large collections of data. The core data used in your work should be visual data (images and videos). Video data may also include RGB, IR, and depth data. The topics of interest of this Special Issue are listed below. The list is not exhaustive and prospective authors should contact the editors in case of any question. Submissions can contemplate original research, serious dataset collection and benchmarking, or critical surveys. 
Example Topics of Interest:
- Attacks on visual CAPTCHAs
- Biometrics and counter-spoofing
- Content-protection and counter-protection
- Counter forensics
- Cyber threat analysis for image and video data
- Forensic data fusion (if at least one source contains images and videos)
- Image and video collection forensics
- Incident response related to image and video data
- Multimedia evidence recovery and validation
- Multimedia forensics (forgery detection, attribution, CGI classification)
- Multimedia provenance (phylogeny, digital triage of multimedia evidence)
- Sensitive content detection (porn and child porn detection, violence detection)
- Surveillance for forensics and security applications
- Visual analytics for forensics and security applications
- Visual information hiding: designs and attacks

-------------------------------------------------------------------------
IEEE Security & Privacy Magazine, Special issue on Digital Forensics, (Submission Due 1 March 2017)
https://www.computer.org/web/computingnow/spcfp6
Guest Editors: Wojciech Mazurczyk (Warsaw University of Technology & FernUniversitat in Hagen, Poland), Steffen Wendzel (Fraunhofer FKIE, Germany), Luca Caviglione (National Research Council of Italy, Italy), and Simson L. Garfinkel (National Institute of Standards and Technology, USA)

Modern societies are becoming increasingly dependent on open networks where commercial activities, business transactions, and government services are delivered. Despite the benefits, these networks have led to new cyberthreats and cybersecurity issues. Abuse of and mistrust for telecommunications and computer network technologies have significant socioeconomic impacts on global enterprises as well as individuals. Cybercriminal activities such as fraud often require investigations that span across international borders. In addition, they're often subject to different jurisdictions and legal systems.
The increased intricacy of the communication and networking infrastructure complicates investigation of such activities. Clues of illegal digital activities are often buried in large volumes of data, which makes crime detection and evidence collection difficult. This poses new challenges for law enforcement and compels computer societies to utilize digital forensics to combat the growing number of cybercrimes. Forensic professionals must be fully prepared to gather effective digital evidence. Forensic techniques must keep pace with new technologies; therefore, digital forensics is becoming more important for law enforcement and information and network security. This multidisciplinary area includes several fields, including law, computer science, finance, networking, data mining, and criminal justice. It faces diverse challenges and issues in terms of the efficiency of digital evidence processing and related forensic procedures. This special issue aims to collect the most relevant ongoing research efforts in the digital forensics field.
Topics include, but aren't limited to:
- real-world case studies, best practices, and readiness;
- challenges and emerging trends;
- digital forensic triage;
- antiforensics and anti-antiforensics approaches;
- networking incident response, investigation, and evidence handling;
- network forensics and traffic analysis;
- detecting illegal sites and traffic (for instance, child abuse/exploitation);
- malware and targeted attacks including analysis and attribution;
- information-hiding techniques (network steganography, covert channels, and so on);
- stealth communication through online games and its detection;
- use and implications of machine learning in digital forensics;
- big data and digital forensics;
- network traffic fingerprinting and attacks;
- cybercrimes design, detection, and investigation;
- cybercrime issues and solutions from a digital forensics perspective;
- nontraditional forensic scenarios and approaches (for instance, vehicles, SCADA, automation and control);
- social networking forensics;
- cloud forensics;
- law enforcement and digital forensics; and
- digital forensics for incident response, research, policy compliance enforcement, and so on.

-------------------------------------------------------------------------
SOUPS 2017 13th Symposium on Usable Privacy and Security, Santa Clara, CA, USA, July 12-14, 2017. (Submission Due 1 March 2017)
https://www.usenix.org/conference/soups2017/call-for-papers

The 2017 Symposium on Usable Privacy and Security (SOUPS) will bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy. We invite authors to submit previously unpublished papers describing research or experience in all areas of usable privacy and security. We welcome a variety of research methods, including both qualitative and quantitative approaches.
Topics include, but are not limited to:
- Innovative security or privacy functionality and design
- Field studies of security or privacy technology
- Usability evaluations of new or existing security or privacy features
- Security testing of new or existing usability features
- Longitudinal studies of deployed security or privacy features
- Studies of administrators or developers and support for security and privacy
- The impact of organizational policy or procurement decisions
- Lessons learned from the deployment and use of usable privacy and security features

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________

Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe". OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.
____________________________________________________________________

Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________

How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy (or other TCs) by completing the on-line form at IEEE at https://www.computer.org/web/tandc/technical-committees

______________________________________________________________________

TC Conference Publications Online
______________________________________________________________________

The proceedings of previous conferences are available from the Computer Society's Digital Library.

IEEE Security and Privacy Symposium
IEEE Computer Security Foundations
IEEE European Security and Privacy Symposium

From 2012 onward, these are available without charge from the digital library 12 months after the conference.

____________________________________________________________________________

TC Officers and SP Steering Committee
____________________________________________________________________________

Chair:
Ulf Lindqvist
SRI International
Menlo Park, CA
ulf.lindqvist@sri.com

Security and Privacy Symposium Chair Emeritus:
Michael Locasto
SRI International
oakland16-chair@ieee-security.org

Vice Chair:
Sean Peisert
UC Davis and Lawrence Berkeley National Laboratory
speisert@ucdavis.edu

Treasurer:
Yong Guan
3219 Coover Hall
Department of Electrical and Computer Engineering
Iowa State University, Ames, IA 50011
(515) 294-8378
yguan (at) iastate.edu

Newsletter Editor and TC Awards Chair:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2017 Chair:
Kevin Butler
Department of Computer and Information Science and Engineering
University of Florida
butler at ufl.edu

____________________________________________________________________________

BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year