============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 137                                      March 20, 2017

Hilarie Orman, Editor                   Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org       cipher-assoc-editor @ ieee-security.org

Yong Guan, Book Review Editor           Calendar Editor
cipher-bookrev @ ieee-security.org      cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:

* Letter from the Editor
* Commentary and Opinion and News
  o IEEE "Security and Privacy" Magazine seeking new Editor in Chief
  o NSA Hoarder Indicted
  o Mexican activists, targeted by spyware
  o Doll Hacking
  o Cloud Leak
  o Ethereum
  o CIA and IoT
  o WikiLeaks CIA, commentary
  o DNS and the Trump-Russia Connection
  o In Memoriam, Becky Bace
  o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
* List of Computer Security Academic Positions, by Cynthia Irvine
* Conference and Workshop Announcements
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

The ieee-security.org website has moved to a new hosting company, and with that move, it finally has secured SSL support. Enjoy the https prefix; with it you can rest assured that you are safe from *fake* conference news.

That's very important because the Euro S&P conference is next month, and the S&P Symposium is in May. If you have not already registered, do so now, safely and securely.

Two items in our news list are worthy of special mention. The first is that the Security and Privacy magazine is taking applications for a new Editor in Chief. The second is the note of Becky Bace's passing. She was an early leader in intrusion detection research, and an enthusiastic supporter of the field of cybersecurity. Her precocious intelligence and opinionated views led her exasperated father to call her "infidel", and she delightedly embraced the term, naming her consulting business Infidel, Inc.

If you have noticed a dearth of women in the field of computer security, you are not alone. It is one of the most gender-skewed disciplines in the field. At a recent meeting of the Technical Activities Committee of the Computer Society, I urged all TC chairs to try to be aware of the participation by minorities, quoting an ACM conference chair who said, "If we cannot solve the problem for 50% of the population, then we cannot solve it at all." It remains to be seen if the TCSP, or any part of the Computer Society, will consider steps towards increased diversity.

To cyberarms, that come before the melt of ICE,
and make the winds of March throw secrets far afield,

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
News Briefs
====================================================================

IEEE "Security and Privacy" Magazine seeking new Editor in Chief

Please note that the deadline for IEEE Security & Privacy magazine Editor in Chief applicants is 1 June 2017. Prospective candidates are asked to provide a PDF file containing a complete curriculum vitae, a brief plan for the publication's future, and a letter of support from their institution or employer.
For complete information, please visit: https://www.computer.org/web/pressroom/eic-for-2018-2020
Questions and submission materials can be sent to Christine Anthony (canthony@computer.org).

---------------------------------------

NSA Hoarder Indicted

Former NSA contractor indicted in stolen data case
CNNPolitics.com
Feb. 8, 2017
By Tal Kopan, Evan Perez and Laura Jarrett
http://www.cnn.com/2017/02/08/politics/nsa-contractor-alleged-classified-theft-harold-martin-indictment

Summary:
The strange case of Harold Thomas Martin III has resulted in an indictment of 20 counts of "willful retention of national defense information," but not the espionage charges that seemed a possibility when the case was first revealed. Although Martin stole 50 terabytes of NSA information, he seems to have been a compulsive "data hoarder" rather than a spy. He was a contractor for Booz Allen Hamilton.

---------------------------------------

Mexican activists, targeted by spyware

Spyware's Odd Targets: Backers of Mexico's Soda Tax
The New York Times
Feb. 11, 2017
By Nicole Perlroth
https://www.nytimes.com/2017/02/11/technology/hack-mexico-soda-tax-advocates.html

Summary:
NSO Group is a company with the motto "Make the World a Safer Place", but activists in Mexico have reason to doubt that their products do that. The company sells cyberarms, and they assert that they sell only to governments. Their spyware shows up in messages sent to the phones of activists, those with the rather non-terroristic agenda of increasing the tax on soft drinks. The spyware is capable of sending every phone interaction to remote observers, and it is a very intrusive form of surveillance. Apparently these tools are cats that just won't stay in the bags.

---------------------------------------

Doll Hacking

The Bright-Eyed Talking Doll That Just Might Be a Spy
By Kimiko de Freytas-Tamura
New York Times
Feb. 27, 2017
https://www.nytimes.com/2017/02/17/technology/cayla-talking-doll-hackers.html

Summary:
The Trojan Horse may well be a toy doll. A cute talking doll manufactured by United States-based Genesis Toys and distributed by the Vivid Toy group is a real tattle-tale because it records ambient voices and sends the voice prints of children to Nuance Communications, a computer-software company. Germans have taken a very dim view of the technology, calling the toy the "Stasi-Barbie". With toys like this, who needs NSO software (see previous article)?

---------------------------------------

Cloud Leak

A major security flaw means you have to change your passwords again
The Washington Post
Feb 28, 2017
By Hayley Tsukayama
https://www.washingtonpost.com/news/the-switch/wp/2017/02/24/a-major-security-flaw-means-you-have-to-change-your-passwords-again/

Summary:
Pity the poor software engineers at Cloudflare. They were simply "changing over from older code to newer code" but didn't realize that "Running both at the same time created an unforeseen issue that ... caused a data leak." Unfortunately, that data leak may have exposed personal information, including passwords, for millions of users who never heard of Cloudflare. Their technology is trusted by banks, retailers, and messaging services, and the extent of the exposure is unknown. Just to be safe, change your passwords. My fingertips are calloused from following that kind of advice.

---------------------------------------

Ethereum

Business Giants to Announce Creation of a Computing System Based on Ethereum
The New York Times
Feb. 27, 2017
By Nathaniel Popper
https://www.nytimes.com/2017/02/27/business/dealbook/ethereum-alliance-business-banking-security.html

Summary:
Thirty businesses took one giant step for "smart contracts" with the announcement of the Enterprise Ethereum Alliance. They will use blockchain technology from Ethereum (https://www.ethereum.org ), which has "applications that run exactly as programmed without any possibility of down time, censorship, fraud or third party interference" (you can watch blockchain activity at https://etherscan.io/ ). In doing so, they are adding to a handful of similar ventures all hoping to become the center of the distributed trust universe. Blockchain technology underlies the digital currency BitCoin, and Ethereum uses the same "mining" technology for adding transactions to a verifiable database. Ethereum allows transactions to include conditional payments of the form "if A then B pays C the amount M." By some estimates, large banks could save 30% of their infrastructure costs by using smart contracts.

---------------------------------------

CIA and IoT

WikiLeaks: The CIA is using popular TVs, smartphones and cars to spy on their owners
The Washington Post
Mar 7, 2017
By Craig Timberg, Elizabeth Dwoskin and Ellen Nakashima
https://www.washingtonpost.com/news/the-switch/wp/2017/03/07/why-the-cia-is-using-your-tvs-smartphones-and-cars-for-spying

Summary:
Is the CIA in your TV? According to documents released by WikiLeaks, they could be lurking there, or in almost anything that connects to the Internet. Security experts who have been looking at the documents believe that someone with access to a Top Secret CIA development system copied them about a year ago. There was no release of source code, but the documents show how the CIA's internal organizations feed their voracious appetite for compromising personal devices. Their goal is often to conduct surveillance, but in one case, they considered the possibility of assassination by invading the control systems of cars. Some researchers have questioned the risk/benefit trade-off of such tools, noting that they seem to inevitably, and quickly, escape from "responsible" hands (see NSO software article above).

---------------------------------------

WikiLeaks CIA, commentary

WikiLeaks disclosure exposes rapid growth of CIA digital operations - and agency vulnerabilities
The Washington Post
Mar 7, 2017
By Craig Timberg, Elizabeth Dwoskin and Ellen Nakashima
https://www.washingtonpost.com/world/national-security/wikileaks-disclosure-exposes-rapid-growth-of-cia-digital-operations--and-agency-vulnerabilities/2017/03/08/6f7fd412-0429-11e7-b9fa-ed727b644a0b_story.html

Those who have read the WikiLeaks documents about CIA hacking have gleaned some major and minor insights into the secret digital hacking division known as the Directorate of Digital Innovation. With dozens of subordinate branches, it seems to be distributed around the world and covers all kinds of hacking and surveillance. Instructions to its youngest employees include advice on getting free alcohol from airlines and admonishments to have their cover stories well-rehearsed before entering airport security. Although the disclosure of their activities may cause some targets to ditch their current smartphones or TVs (or even toys; see the article above about the Stasi Barbie), security experts feel that the CIA will rebound quickly with new technology. The vulnerabilities that they depend on come and go, and they are always looking for the next security flaw; it's just business as usual.

---------------------------------------

DNS and the Trump-Russia Connection

FBI investigation continues into 'odd' computer link between Russian bank and Trump Organization
CNNPolitics.com
Mar 9, 2017
By Pamela Brown and Jose Pagliery
http://www.cnn.com/2017/03/09/politics/fbi-investigation-continues-into-odd-computer-link-between-russian-bank-and-trump-organization/index.html

Summary:
You might think that this is a political article and that "DNS" is some kind of Democratic organization, but this is a network traffic mystery involving the Internet's Domain Name System. This was first reported last year (see http://ieee-security.org/Cipher/Newsbriefs//2016/news-112916.html#TrumpRussiaServer), and although it was not much noted at the time, it seems that the FBI has been looking into it. You cannot learn much from DNS traffic, and that is the only thing underlying the original reports of peculiar lookups. What is known is that a machine belonging to Alfa Bank in Russia (suspected of having ties to the Russian government) made thousands of DNS lookups to an obscure email server belonging to the Trump organization. The question is "why?" and the answer is unknown. Explanations range from "because some hacker issued fake queries in order to implicate the Trump organization" to "because there was a secret messaging application used to communicate between the two camps." The DNS lookups themselves are not even a smoking gun, but the investigation may (or may not) yield correlated information.

---------------------------------------

In Memoriam: Becky Bace

Obituary for Rebecca Gurley Bace
Originally Published in The Birmingham News
Mar. 19, 2017
http://obits.al.com/obituaries/birmingham/obituary.aspx?n=rebecca-gurley-bace-becky&pid=184565476

Summary:
If you ever met Becky Bace, you'd remember her vibrant personality, and we are sad to report the passing of a longtime presence in the intrusion detection profession. She was the leader of the pioneering Computer Misuse and Anomaly Detection (CMAD) Research Program at the National Security Agency from 1989 to 1995. She went on to other positions, including Los Alamos Labs and her own firm Infidel, Inc., and was a consultant for Trident Capital.

An oral history from 2012 is here:
http://conservancy.umn.edu/bitstream/handle/11299/144022/oh410rgb.pdf?sequence=1&isAllowed=y

More information about remembrances can be found at http://infidel.net .
-----------------------------------------------------

News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

====================================================================
Listing of academic positions available by
Cynthia Irvine
====================================================================

Nothing new since Cipher E136

http://cisr.nps.edu/jobscipher.html

--------------
This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

Requests for inclusion in the list should be sent per instructions:
http://www.ieee-security.org/Calendar/submitting.html

____________________________________________________________________
Cipher Event Calendar
Calendar of Security and Privacy Related Events
maintained by Hilarie Orman
____________________________________________________________________

 3/21/17- 3/23/17: DFRWS-EU, DFRWS digital forensics EU conference, Lake Constance, Germany; http://www.dfrws.org/conferences/dfrws-eu-2017
 3/22/17: TrustBus, 14th International Conference on Trust, Privacy, and Security in Digital Business, Lyon, France; http://www.ds.unipi.gr/trustbus2017/; Submissions are due
 3/24/17: IWSPA, 3rd ACM International Workshop on Security and Privacy Analytics, Co-located with ACM CODASPY 2017, Scottsdale, Arizona, USA; http://capex.cs.uh.edu/?q=content/international-workshop-security-and-privacy-analytics-2017
 3/27/17- 3/29/17: INTRICATE-SEC, 5th International Workshop on Security Intricacies in Cyber-Physical Systems and Services, Taipei, Taiwan; https://goo.gl/562zhD
 3/28/17: RAID, 20th International Symposium on Research in Attacks, Intrusions and Defenses, Atlanta, GA, USA; https://www.raid2017.org/; Submissions are due
 3/31/17: DSC, 2017 IEEE Conference on Dependable and Secure Computing, Taipei, Taiwan; http://dsc17.cs.nctu.edu.tw/; Submissions are due
 4/ 2/17- 4/ 6/17: ASIACCS, ACM Symposium on Information, Computer and Communications Security, Abu Dhabi, United Arab Emirates; http://asiaccs2017.com/
 4/ 2/17: CPSS, 3rd ACM Cyber-Physical System Security Workshop, Abu Dhabi, UAE; http://icsd.i2r.a-star.edu.sg/cpss17/
 4/ 2/17: IoTPTS, 3rd International Workshop on IoT Privacy, Trust, and Security, Held in conjunction with the 12th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2017); https://sites.google.com/site/iotpts2017/
 4/ 3/17- 4/ 7/17: WWW, WWW Security and Privacy Track, Perth, Australia; http://www.www2017.com.au/call-for-papers/security-and-privacy.php
 4/ 4/17: CUING, 1st International Workshop on Criminal Use of Information Hiding, Held in conjunction with the 12th International Conference on Availability, Reliability and Security (ARES 2017), Reggio Calabria, Italy; https://www.ares-conference.eu/conference/workshops/cuing-2017/; Submissions are due
 4/14/17: NSPW, New Security Paradigms Workshop, Islamorada, FL, USA; http://www.nspw.org/cfp/nspw2017-cfp.pdf; Submissions are due
 4/14/17: CNS, 5th IEEE Conference on Communications and Network Security, Las Vegas, Nevada, USA; http://cns2017.ieee-cns.org/; Submissions are due
 4/15/17: WCSF, 3rd IEEE International Workshop on Cloud Security and Forensics, Held in conjunction with the 16th IEEE International Conference on Trust, Security And Privacy in Computing And Communications (TrustCom2017), Sydney, Australia; https://forensicsandsecurity.com/workshop.php; Submissions are due
 4/19/17: ESORICS, 22nd European Symposium on Research in Computer Security, Oslo, Norway; https://www.ntnu.edu/web/esorics2017/; Submissions are due
 4/24/17- 4/26/17: WICSPIT, Workshop on Innovative CyberSecurity and Privacy for Internet of Things: Strategies, Technologies, and Implementations, Held in conjunction with the International Conference on Internet of Things, Big Data and Security (IoTBDS 2017), Porto, Portugal; http://iotbds.org/WICSPIT.aspx
 4/26/17- 4/28/17: IEEE EuroSP, 2nd IEEE European Symposium on Security and Privacy, Paris, France; http://www.ieee-security.org/TC/EuroSP2017/cfp.php
 5/ 1/17- 5/ 5/17: HOST, IEEE International Symposium on Hardware Oriented Security and Trust, McLean, VA, USA; http://www.hostsymposium.org
 5/10/17: DASC, 15th IEEE International Conference on Dependable, Autonomic and Secure Computing, Orlando, Florida, USA; http://cse.stfx.ca/~dasc2017/; Submissions are due
 5/14/17- 5/17/17: WACC, International Workshop on Assured Cloud Computing and QoS aware Big Data, Held in conjunction with the 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing (CCGRID 2017), Madrid, Spain; http://www.eubra-bigsea.eu/WACC_2017
 5/15/17: PST, 15th Conference on Privacy, Security and Trust, Calgary, Alberta, Canada; http://www.ucalgary.ca/pst2017/; Submissions are due
 5/19/17: ACM CCS, 24th ACM Conference on Computer and Communication Security, Dallas, TX, USA; https://www.sigsac.org/ccs/CCS2017; Submissions are due
 5/21/17: GraMSec, International Workshop on Graphical Models for Security, Santa Barbara, CA, USA; http://gramsec.uni.lu; Submissions are due
 5/22/17- 5/24/17: SP, 38th IEEE Symposium on Security and Privacy, San Jose, CA, USA; https://www.ieee-security.org/TC/SP2017/
 5/25/17: BioSTAR, International Workshop on Bio-inspired Security, Trust, Assurance and Resilience, Co-located with the 38th IEEE Symposium on Security and Privacy (IEEE S&P 2017), San Jose, CA, USA; http://biostar.cybersecurity.bio/
 5/25/17: WTMC, 2nd International Workshop on Traffic Measurements for Cybersecurity, Co-located with the 38th IEEE Symposium on Security and Privacy (IEEE S&P 2017), San Jose, CA, USA; http://wtmc.info
 5/25/17: IWPE, 3rd International Workshop on Privacy Engineering, Co-located with the IEEE Symposium on Security and Privacy (SP 2017), San Jose, CA, USA; http://ieee-security.org/TC/SPW2017/IWPE/
 5/29/17- 5/31/17: IFIPSEC, 32nd IFIP TC-11 SEC 2017 International Information Security and Privacy Conference, Rome, Italy; http://ifipsec.org/2017/
 6/ 1/17: ACSAC 2017, 33rd Annual Computer Security Applications Conference, San Juan, Puerto Rico; http://www.acsac.org; Submissions are due
 6/10/17: ISDDC, International Conference on Intelligent, Secure and Dependable Systems in Distributed and Cloud Environments, Vancouver, BC, Canada; http://www.scs.ryerson.ca/iwoungan/ISDDC17/; Submissions are due
 6/29/17: GameSec, 8th Conference on Decision and Game Theory for Security, Vienna, Austria; http://www.gamesec-conf.org/cfp.php; Submissions are due
 7/ 3/17- 7/ 5/17: IVSW, 2nd International Verification and Security Workshop, Thessaloniki, Greece; http://tima.imag.fr/conferences/ivsw/ivsw17/
 7/10/17- 7/12/17: ACNS, 15th International Conference on Applied Cryptography and Network Security, Kanazawa, Japan; https://cy2sec.comm.eng.osaka-u.ac.jp/acns2017/
 7/12/17- 7/14/17: SOUPS, 13th Symposium on Usable Privacy and Security, Santa Clara, CA, USA; https://www.usenix.org/conference/soups2017/call-for-papers
 7/17/17- 7/19/17: DBSec, 31st Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy, Philadelphia, PA, USA; https://dbsec2017.ittc.ku.edu/
 7/18/17- 7/20/17: WiSec, 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Boston, MA, USA; http://wisec2017.ccs.neu.edu/
 7/18/17- 7/21/17: PETS, 17th Privacy Enhancing Technologies Symposium, Minneapolis, MN, USA; https://petsymposium.org/
 7/28/17: Security and Communication Networks journal, Special Issue on Emerging and Unconventional: New Attacks and Innovative Detection Techniques; https://www.hindawi.com/journals/scn/si/761087/cfp/; Submissions are due
 8/ 1/17- 8/ 4/17: WCSF, 3rd IEEE International Workshop on Cloud Security and Forensics, Held in conjunction with the 16th IEEE International Conference on Trust, Security And Privacy in Computing And Communications (TrustCom2017), Sydney, Australia; https://forensicsandsecurity.com/workshop.php
 8/ 7/17- 8/10/17: DSC, IEEE Conference on Dependable and Secure Computing, Taipei, Taiwan; http://dsc17.cs.nctu.edu.tw/
 8/16/17- 8/10/17: USENIX Security, 26th USENIX Security Symposium, Vancouver, Canada; https://www.usenix.org/conference/usenixsecurity17/call-for-papers
 8/21/17: GraMSec, International Workshop on Graphical Models for Security, Santa Barbara, CA, USA; http://gramsec.uni.lu
 8/22/17- 8/25/17: CSF, 30th IEEE Computer Security Foundations Symposium, Co-located with CRYPTO 2017, Santa Barbara, California, USA; http://csf2017.tecnico.ulisboa.pt/
 8/28/17- 8/30/17: PST, 15th Conference on Privacy, Security and Trust, Calgary, Alberta, Canada; http://www.ucalgary.ca/pst2017/
 8/28/17- 8/31/17: TrustBus, 14th International Conference on Trust, Privacy, and Security in Digital Business, Lyon, France; http://www.ds.unipi.gr/trustbus2017/
 8/29/17- 9/ 1/17: CUING, 1st International Workshop on Criminal Use of Information Hiding, Held in conjunction with the 12th International Conference on Availability, Reliability and Security (ARES 2017), Reggio Calabria, Italy; https://www.ares-conference.eu/conference/workshops/cuing-2017/
 9/11/17- 9/15/17: ESORICS, 22nd European Symposium on Research in Computer Security, Oslo, Norway; https://www.ntnu.edu/web/esorics2017/
 9/18/17- 9/20/17: RAID, 20th International Symposium on Research in Attacks, Intrusions and Defenses, Atlanta, GA, USA; https://www.raid2017.org/
10/ 2/17-10/ 4/17: NSPW, New Security Paradigms Workshop, Islamorada, FL, USA; http://www.nspw.org/cfp/nspw2017-cfp.pdf
10/ 9/17-10/11/17: CNS, 5th IEEE Conference on Communications and Network Security, Las Vegas, Nevada, USA; http://cns2017.ieee-cns.org/
10/23/17-10/25/17: GameSec, 8th Conference on Decision and Game Theory for Security, Vienna, Austria; http://www.gamesec-conf.org/cfp.php
10/25/17-10/27/17: ISDDC, International Conference on Intelligent, Secure and Dependable Systems in Distributed and Cloud Environments, Vancouver, BC, Canada; http://www.scs.ryerson.ca/iwoungan/ISDDC17/
10/30/17-11/ 3/17: ACM CCS, 24th ACM Conference on Computer and Communication Security, Dallas, TX, USA; https://www.sigsac.org/ccs/CCS2017
11/ 6/17-11/10/17: DASC, 15th IEEE International Conference on Dependable, Autonomic and Secure Computing, Orlando, Florida, USA; http://cse.stfx.ca/~dasc2017/
12/ 4/17-12/ 8/17: ACSAC 2017, 33rd Annual Computer Security Applications Conference, San Juan, Puerto Rico; http://www.acsac.org

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers
(new since Cipher E136)
___________________________________________________________________

TrustBus 2017
14th International Conference on Trust, Privacy, and Security in Digital Business,
Lyon, France, August 28-31, 2017.
(Submissions Due 22 March 2017) http://www.ds.unipi.gr/trustbus2017/ TrustBus'2017 will bring together researchers from different disciplines, developers, and users all interested in the critical success factors of digital business systems. We are interested in papers, work-in-progress reports, and industrial experiences describing advances in all areas of digital business applications related to trust and privacy, including, but not limited to: - Anonymity and pseudonymity - Common practices, legal and regulatory issues in digital business - Delivery technologies and scheduling protocols - Economics of information systems security and privacy - Enterprise management and consumer protection - Intellectual property and digital rights management - Languages for description of services and contracts - Models for access control and authentication - Cryptographic building-blocks for e-business applications - Business architectures and underlying infrastructures - Design of business models with security requirements - Electronic cash, wallets and pay-per-view systems - Security, privacy and trust in e-services - Cloud computing security and privacy - Identity management, identity theft and trust management - Information audit and trust - Trust and reputation in digital business environments - Security and privacy in cyber physical systems - Methodologies for privacy by design and by default - Methodologies for privacy impact assessment - Privacy and Security Patterns - Security and privacy governance and management - Intrusion detection and information filtering - Online transaction processing - PKI & PMI - Security of P2P transactions and scenarios - Security, privacy and trust in real-time Internet e-Services - Reliability and security of content and data - Reputation in services provision - Secure process integration and management - Reliable auction, e-procurement and negotiation technology - Transactional Models - Security, privacy and trust in mobile commerce 
environments - Usability of security and privacy technologies and services - Security and privacy models for pervasive information systems - Shopping, trading, and contract management tools - Security and privacy policies - Multi-factor authentication schemes - Accountability, Transparency and Intervenability - Security and privacy in big data systems processing - Security and privacy of mobile applications ------------------------------------------------------------------------- RAID 2017 20th International Symposium on Research in Attacks, Intrusions and Defenses, Atlanta, GA, USA, September 18-20, 2017. (Submissions Due 28 March 2017) https://www.raid2017.org/ Over the last 20 years, the International Symposium on Research in Attacks, Intrusions and Defenses (RAID) has established itself as a venue where leading researchers and practitioners from academia, industry, and the government are given the opportunity to present novel research in a unique venue to an engaged and lively community. The conference is known for the quality and thoroughness of the reviews of the papers submitted, the desire to build a bridge between research carried out in different communities, and the emphasis given on the need for sound experimental methods and measurement to improve the state of the art in cybersecurity. RAID features a traditional poster session with a walking dinner on the first evening to encourage the presentation of work in progress and the active participation of younger members of the community. In this special year, the 20th anniversary of RAID's creation, we are soliciting research papers on topics covering all well-motivated security problems. We care about techniques that identify new real-world threats, techniques to prevent them, to detect them, to mitigate them or to assess their prevalence and their consequences. 
Measurement papers are encouraged, as well as papers offering public access to new tools or datasets, or experience papers that clearly articulate important lessons. Specific topics of interest to RAID include: - Computer, network and cloud computing security - SDN for/against security - Malware and unwanted software - Program analysis and reverse engineering - Mobile and Web security and privacy - Vulnerability analysis techniques - Usable security and privacy - Intrusion detection and prevention - Cyber intelligence techniques and (privacy preserving) threats intel sharing - Threats against critical infrastructures and mitigation thereof - Hardware security, Cyber physical systems, IoT security - Statistical and adversarial learning for computer security - Cyber crime and underground economies - The ecosystem behind Denial-of-Service attacks - Security measurement studies - Digital forensics - Computer security visualization techniques ------------------------------------------------------------------------- DSC 2017 IEEE Conference on Dependable and Secure Computing, Taipei, Taiwan, August 7-10, 2017. (Submissions Due 31 March 2017) http://dsc17.cs.nctu.edu.tw/ The IEEE Conference on Dependable and Secure Computing solicits papers, posters, practices, and experiences for presenting innovative research results, problem solutions, and new challenges in the field of dependable and secure computing. The whole spectrum of IT systems and application areas, including hardware design and software systems, with stringent relevant to dependability and security concerns are of interest to DSC. Authors are invited to submit original works on research and practice of creating, validating, deploying, and maintaining dependable and secure systems. 
------------------------------------------------------------------------- CUING 2017 1st International Workshop on Criminal Use of Information Hiding, Held in conjunction with the 12th International Conference on Availability, Reliability and Security (ARES 2017), Reggio Calabria, Italy, August 29 - September 1, 2017. (Submissions Due 4 April 2017) https://www.ares-conference.eu/conference/workshops/cuing-2017/ With the constant rise of the number of Internet users, available bandwidth and an increasing number of services shifting into the connected world, criminals are increasingly active in the virtual world. With improving defensive methods cybercriminals have to utilize more and more sophisticated ways to perform their malicious activities. While protecting the privacy of users, many technologies used in current malware and network attacks have been abused in order to allow criminals to carry out their activities undetected. The aim of the First International Workshop on Criminal Use of Information Hiding (CUIng) is to bring together researchers, practitioners, law enforcement representatives, and security professionals in the area of analysis of information hiding (e.g. steganography, covert channels), obfuscation techniques and underground networks (darknets) in order to present novel research regarding the use of data and communication hiding methods in criminal environments and discuss ideas for fighting misuse of privacy enhancing technologies. ------------------------------------------------------------------------- NSPW 2017 New Security Paradigms Workshop, Islamorada, FL, USA, October 2-4, 2017. (Submissions Due 14 April 2017) http://www.nspw.org/cfp/nspw2017-cfp.pdf Since 1992, the New Security Paradigms Workshop (NSPW) has offered a unique forum for information security research involving high-risk, high-opportunity paradigms, perspectives, and positions. 
The workshop itself is highly interactive, with presentations by authors prepared for in-depth discussions and ample opportunity to exchange views with open-minded peers. NSPW is also distinguished by its deep-rooted tradition of positive feedback, collegiality, and encouragement. NSPW seeks embryonic, disruptive, and unconventional ideas that benefit from early feedback. The ideas are almost always unproven, and sometimes infeasible to validate to the extent expected in traditional forums. NSPW seeks ideas pushing the boundaries of science and engineering beyond what would typically be considered mainstream; papers that would be strong candidates in "conventional" information security venues are, as a rule of thumb, a poor fit for NSPW. We welcome papers with perspectives that augment traditional information security, both from computer science and from other disciplines that study adversarial relationships (e.g., biology, economics, the social sciences). Submissions typically address current limitations of information security, directly challenge long-held beliefs or the very foundations of security, or view problems from an entirely novel angle leading to new solutions. In 2016, more than 50% of the presenters had never attended NSPW before. We are actively trying to continue this trend, and therefore we encourage submissions from new NSPW authors.

-------------------------------------------------------------------------

CNS 2017
5th IEEE Conference on Communications and Network Security,
Las Vegas, Nevada, USA, October 9-11, 2017.
(Submissions Due 14 April 2017)
http://cns2017.ieee-cns.org/

The IEEE Conference on Communications and Network Security (CNS) is a premier forum for cyber security researchers, practitioners, policy makers, and users to exchange ideas, techniques and tools, raise awareness, and share experience related to all practical and theoretical aspects of communications and network security.
The conference seeks submissions from academia, government, and industry presenting novel research results in all practical and theoretical aspects of communications and network security.

-------------------------------------------------------------------------

WCSF 2017
3rd IEEE International Workshop on Cloud Security and Forensics,
Held in conjunction with the 16th IEEE International Conference on Trust, Security And Privacy in Computing And Communications (TrustCom2017),
Sydney, Australia, August 1-4, 2017.
(Submissions Due 15 April 2017)
https://forensicsandsecurity.com/workshop.php

Cloud computing offers utility-oriented Information and Communications Technology (ICT) services to corporate and consumer-level users all over the world. The evolution of cloud computing is driving the design of datacenters by architecting them as networks of virtual services; this enables users to access and run applications from anywhere in the world. As the prevalence and usage of networked cloud computing systems increase, these systems pose significant security concerns, and the likelihood of their being used for criminal behaviour also increases. Thus, this new computing evolution has a direct effect on, and creates challenges for, cyber security and digital forensic practitioners. The field of digital forensics has grown rapidly over the last decade due to the rise of the Internet and associated crimes. However, while the theory is well established, the practical application of the discipline is still relatively new and constantly developing. Law enforcement agencies can no longer rely on traditional digital forensic methods of data acquisition through device seizure to gather relevant evidence pertaining to an investigation from cloud sources. Using traditional digital forensic methods will lead to the loss or overlooking of valuable evidential material hosted on cloud-based infrastructures.
Cloud computing and its impact on digital forensics will continue to grow, and traditional digital forensics methods are inadequate for cloud forensic investigations. High quality, previously unpublished submissions are solicited in the areas of cloud security and cloud forensics.

-------------------------------------------------------------------------

ESORICS 2017
22nd European Symposium on Research in Computer Security,
Oslo, Norway, September 11-15, 2017.
(Submissions Due 19 April 2017)
https://www.ntnu.edu/web/esorics2017/

This symposium, the annual European research event in Computer Security, started in 1990 and has been held in several European countries, attracting a wide international audience from both the academic and industrial communities. Papers offering novel research contributions in computer security are solicited for submission to the Symposium. The primary focus is on original, high quality, unpublished research and implementation experiences. We encourage submissions of papers discussing industrial research and development.
Topics of interest include, but are not limited to:
- access control
- accountability
- ad hoc networks
- anonymity
- applied cryptography
- authentication
- biometrics
- data and computation integrity
- database security
- data protection
- digital content protection
- digital forensics
- distributed systems security
- embedded systems security
- inference control
- information hiding
- identity management
- information flow control
- information security governance and management
- intrusion detection
- formal security methods
- language-based security
- network security
- phishing and spam prevention
- privacy
- privacy preserving data mining
- risk analysis and management
- secure electronic voting
- security architectures
- security economics
- security metrics
- security models
- security and privacy for big data
- security and privacy in cloud scenarios
- security and privacy in complex systems
- security and privacy in content centric networking
- security and privacy in crowdsourcing
- security and privacy in the IoT
- security and privacy in location services
- security and privacy for mobile code
- security and privacy in pervasive / ubiquitous computing
- security and privacy policies
- security and privacy in social networks
- security and privacy in web services
- security and privacy in cyber-physical systems
- security, privacy and resilience in critical infrastructures
- security verification
- software security
- systems security
- trust models and management
- trustworthy user devices
- usable security and privacy
- web security
- wireless security

-------------------------------------------------------------------------

DASC 2017
15th IEEE International Conference on Dependable, Autonomic and Secure Computing,
Orlando, Florida, USA, November 6-10, 2017.
(Submissions Due 10 May 2017)
http://cse.stfx.ca/~dasc2017/

IEEE DASC 2017 aims to bring together computer scientists, industrial engineers, and researchers to discuss and exchange experimental and theoretical results, novel designs, work-in-progress, experience, case studies, and trend-setting ideas in the areas of dependability, security, trust and/or autonomic computing systems. Topics of particular interest include the following tracks, but are not limited to:
- Autonomic Computing Theory, Models, Architectures and Communications
- Cloud Computing and Fog/edge Computing with Autonomic and Trusted Environment
- Dependable Automatic Control Techniques and Systems
- Dependability Models and Evaluation Algorithms
- Dependable Sensors, Devices, Embedded Systems
- Dependable Electronic-Mechanical Systems, Optic-Electronic Systems
- Self-improvement in Dependable Systems
- Self-healing, Self-protection and Fault-tolerant Systems
- Hardware and Software Reliability, Verification and Testing
- Software Engineering for Dependable Systems
- Safety-critical Systems in Transportation and Power System
- Security Models and Quantifications
- Trusted P2P, Web Service, SoA, SaaS, EaaS, and PaaS
- Self-protection and Intrusion-detection in Security
- DRM, Watermarking Technology, IP Protection
- Context-aware Access Control
- Virus Detections and Anti-Virus Techniques/Software
- Cyber Attack, Crime and Cyber War
- Human Interaction with Trusted and Autonomic Computing Systems
- Security, Dependability and Autonomic Issues in Ubiquitous Computing
- Security, Dependability and Autonomic Issues in Cyber-Physical System
- Security, Dependability and Autonomic Issues in Big Data, SDN, and IoT Systems
- QoS in Communications and Services
- Information and System Security
- Reliable Computing and Trusted Computing
- Wireless Emergency and Security Systems
- Information Technology in Biomedicine
- Multimedia Security Issues over Mobile and Wireless Networks
- Multimedia in Mobile Computing: Issues, System Design and Performance Evaluation
- Software Architectures and Design for Emerging Systems
- Software Engineering for Emerging Networks, Systems, and Mobile Systems

-------------------------------------------------------------------------

PST 2017
15th Conference on Privacy, Security and Trust,
Calgary, Alberta, Canada, August 28-30, 2017.
(Submissions Due 15 May 2017)
http://www.ucalgary.ca/pst2017/

PST2017 provides a forum for researchers and practitioners to present their latest research results, developments and ideas in the areas of privacy, security and trust. PST 2017 topics are inter-disciplinary across privacy, security and trust. Technologies of interest include, but are not limited to:
- Access Control
- Adversarial Machine Learning
- Anonymity, Accountability and Audit
- Attacks on Security and Privacy
- Authentication
- Biometrics
- Blockchain and Related Technologies
- Computer and Network Forensics
- Cryptographic Protocols
- Distributed Trust and Consensus
- Formal Methods for Security and Privacy
- Identity Management
- Intrusion Detection
- Key Management
- Metrics for Security and Privacy
- Privacy Preserving/Enhancing Technologies
- Program Analysis for Security and Privacy
- Quantum-resistant Cryptography
- Reputation Systems
- Threat modeling and risk analysis

-------------------------------------------------------------------------

ACM CCS 2017
24th ACM Conference on Computer and Communication Security,
Dallas, TX, USA, October 30 - November 3, 2017.
(Submissions Due 19 May 2017)
https://www.sigsac.org/ccs/CCS2017

The ACM Conference on Computer and Communications Security (CCS) is the flagship annual conference of the Special Interest Group on Security, Audit and Control (SIGSAC) of the Association for Computing Machinery (ACM). The conference brings together information security researchers, practitioners, developers, and users from all over the world to explore cutting-edge ideas and results.
It provides an environment for conducting intellectual discussions. From its inception, CCS has established itself as a high-standard research conference in its area.

-------------------------------------------------------------------------

GraMSec 2017
International Workshop on Graphical Models for Security,
Santa Barbara, CA, USA, August 21, 2017.
(Submissions Due 21 May 2017)
http://gramsec.uni.lu

Graphical security models provide an intuitive but systematic approach to analyzing security weaknesses of systems and evaluating potential protection measures. Cyber security researchers, as well as security professionals from industry and government, have proposed various graphical security modeling schemes. Such models are used to capture different security facets (digital, physical, and social) and address a range of challenges including vulnerability assessment, risk analysis, defense analysis, automated defense, secure service composition, and policy validation and verification. The objective of the GraMSec workshop is to contribute to the development of well-founded graphical security models, efficient algorithms for their analysis, and methodologies for their practical usage. The workshop seeks submissions from academia, industry, and government presenting novel research on all theoretical and practical aspects of graphical models for security.

-------------------------------------------------------------------------

ACSAC 2017
33rd Annual Computer Security Applications Conference,
San Juan, Puerto Rico, December 4-8, 2017.
(Submissions Due 1 June 2017)
http://www.acsac.org

The Annual Computer Security Applications Conference (ACSAC) is an internationally recognized forum where practitioners, researchers, and developers in information and system security meet to learn and to exchange practical ideas and experiences. If you are developing, researching, or implementing practical security solutions, consider sharing your experience and expertise at ACSAC.
We are especially interested in submissions that address the application of security technology, the implementation of systems, and lessons learned. Some example topics are:
- Access Control
- Anonymity
- Applied Cryptography
- Assurance
- Audit
- Biometrics
- Security case studies
- Cloud Security
- Cyber-Physical Systems
- Denial of Service Protection
- Distributed Systems Security
- Embedded Systems Security
- Enterprise Security Management
- Evaluation and Compliance
- Digital Forensics
- Identity Management
- Incident Response
- Insider Threat Protection
- Integrity
- Intrusion Detection
- Intellectual Property
- Malware
- Mobile/Wireless Security
- Multimedia Security
- Network Security
- OS Security
- P2P Security
- Privacy & Data Protection
- Privilege Management
- Resilience
- Security and Privacy of the Internet of Things
- Security Engineering
- Software Security
- Supply Chain Security
- Trust Management
- Trustworthy Computing
- Usability and Human-centric Aspects of Security
- Virtualization Security
- Web Security

-------------------------------------------------------------------------

ISDDC 2017
International Conference on Intelligent, Secure and Dependable Systems in Distributed and Cloud Environments,
Vancouver, BC, Canada, October 25-27, 2017.
(Submissions Due 10 June 2017)
http://www.scs.ryerson.ca/iwoungan/ISDDC17/

The integration of network computing and mobile systems offers new challenges with respect to the dependability of integrated applications. At the same time, new threat vectors have emerged that leverage and magnify traditional hacking methods, enabling large scale and intelligence-driven attacks against a variety of platforms, including mobile, cloud, Internet-of-Things (IoT), as well as conventional networks. The consequence of such a fast-evolving environment is the pressing need for effective and efficient paradigms, approaches, and tools for building, maintaining, and managing secure and dependable systems.
This conference solicits papers addressing issues related to the design, analysis, and implementation of dependable and secure infrastructures, systems, architectures, algorithms, and protocols that deal with network computing, mobile/ubiquitous systems, cloud systems, and IoT systems. The goal of the ISDDC 2017 conference is to provide a forum for researchers, students, scientists and engineers working in academia and industry to share their experiences, new ideas and research results in the above-mentioned areas.

-------------------------------------------------------------------------

GameSec 2017
8th Conference on Decision and Game Theory for Security,
Vienna, Austria, October 23-25, 2017.
(Submissions Due 29 June 2017)
http://www.gamesec-conf.org/cfp.php

The goal of GameSec is to bring together academic and industrial researchers in an effort to identify and discuss the major technical challenges and recent results that highlight the connection between game theory, control, distributed optimization, economic incentives and real world security, reputation, trust and privacy problems in a variety of technological systems. Submissions should solely be original research papers that have neither been published nor submitted for publication elsewhere.
- Game theory and mechanism design for security and privacy
- Pricing and economic incentives for building dependable and secure systems
- Dynamic control, learning, and optimization and approximation techniques
- Decision making and decision theory for cybersecurity and security requirements engineering
- Socio-technological and behavioral approaches to security
- Risk assessment and risk management
- Security investment and cyber insurance
- Security and privacy for the Internet-of-Things (IoT), cyber-physical systems, resilient control systems
- New approaches for security and privacy in cloud computing and for critical infrastructure
- Security and privacy of wireless and mobile communications, including user location privacy
- Game theory for intrusion detection
- Empirical and experimental studies with game-theoretic or optimization analysis for security and privacy

-------------------------------------------------------------------------

Security and Communication Networks journal,
Special Issue on Emerging and Unconventional: New Attacks and Innovative Detection Techniques,
(Submissions Due 28 July 2017)
https://www.hindawi.com/journals/scn/si/761087/cfp/

Guest Editors: Luca Caviglione (National Research Council of Italy, Italy), Wojciech Mazurczyk (Warsaw University of Technology & FernUniversität in Hagen, Poland), Steffen Wendzel (Fraunhofer FKIE, Germany), and Sebastian Zander (Murdoch University, Australia).

In recent years, advances in information and communication technologies have spawned a variety of innovative paradigms, such as cloud and fog computing, the Internet of Things (IoT), and complex vehicle-to-vehicle frameworks. As a consequence, the cybersecurity landscape is now becoming populated with complex, emerging, and unconventional attacks, which require deep investigation and proper understanding.
For example, the spread of online social networks has taken social engineering to the next level, while the IoT has led to a completely new set of hazards that also endanger the user at a physical level. Modern threats also exploit a variety of advanced methods to increase their stealthiness, in order to remain unnoticed for long periods and to reduce the effectiveness of many digital forensics techniques and detection tools. New and emerging technologies have therefore changed the modern cybersecurity landscape, which nowadays is populated by novel attacks and also requires innovative detection and prevention methods. In this perspective, the special issue aims at investigating the most advanced and innovative forms of attacks and scenarios, for instance considering automotive or building automation settings. To complete the picture, particular attention will be given to works dealing with innovative forms of detection and forensic analysis, which are mandatory to counteract sophisticated malware able to hide in, or take advantage of, unconventional and complex scenarios. This issue accepts high quality papers containing novel original research results and review articles of exceptional merit covering the most cutting-edge cybersecurity threats and countermeasures.
Potential topics include but are not limited to the following:
- Novel advanced and persistent threats aiming at automotive and smart buildings/cities
- Security issues and profiling hazards in smart buildings/cities
- IoT and device specific attacks, for example, battery drain attacks or attacks on IoT routing protocols
- Hazards taking advantage of social media, for example, social bots and new social engineering attacks
- Information hiding threats to counteract forensics tools and analysis
- Network steganography for data exfiltration and new information-hiding-capable threats
- Energy-based detection of slow and hidden attacks, including low-attention rising threats for mobile and handheld devices
- Scalable countermeasures for preventing steganography in big-data-like sources
- Novel threats targeting vehicles and cloud and software defined networking technologies
- Bioinspired attacks and detection mechanisms
- Ransomware: novel trends, characteristics, and detection
- Moving Target Defense (MTD) solutions against infections

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".

   OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".

   OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL
http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy (or other TCs) by completing the on-line form at IEEE at
https://www.computer.org/web/tandc/technical-committees

______________________________________________________________________
TC Conference Publications Online
______________________________________________________________________

The proceedings of previous conferences are available from the Computer Society's Digital Library.

IEEE Security and Privacy Symposium
IEEE Computer Security Foundations
IEEE European Security and Privacy Symposium

From 2012 onward, these are available without charge from the digital library 12 months after the conference.
____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________

Chair:
Ulf Lindqvist
SRI International
Menlo Park, CA
ulf.lindqvist@sri.com

Security and Privacy Symposium Chair Emeritus:
Michael Locasto
SRI International
oakland16-chair@ieee-security.org

Vice Chair:
Sean Peisert
UC Davis and Lawrence Berkeley National Laboratory
speisert@ucdavis.edu

Treasurer:
Yong Guan
3219 Coover Hall
Department of Electrical and Computer Engineering
Iowa State University, Ames, IA 50011
(515) 294-8378
yguan (at) iastate.edu

Newsletter Editor and TC Awards Chair:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2017 Chair:
Kevin Butler
Department of Computer and Information Science and Engineering
University of Florida
butler at ufl.edu

____________________________________________________________________________

BACK ISSUES: Cipher is archived at:
http://www.ieee-security.org/cipher.html