============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 138                                        June 3, 2017

Hilarie Orman, Editor                 Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org     cipher-assoc-editor @ ieee-security.org

Sven Dietrich                         Yong Guan
Book Review Editor                    Calendar Editor
cipher-bookrev @ ieee-security.org    cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Commentary and Opinion and News
    o Sven Dietrich's review of "The Hardware Hacker - Adventures in making & breaking hardware" by Andrew "bunnie" Huang
   News items
    o 9 Minutes and Hacked
    o Hack of the Month Club
    o NSA and the Great Ransomware Attack (and related stories)
    o Inadequate controls
    o The Fitbit Fink
    o Police Slow to Grok Cybercrime
    o All Your Sirens Are Belong ...
    o The CIA Has Cisco Switches at its Mercy
    o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
 * Conference and Workshop Announcements
    o Calendar of Events
    o Upcoming calls-for-papers and events
 * Staying in Touch
    o Information for subscribers and contributors
    o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
    o Becoming a member of the TC
    o TC Officers
    o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

The IEEE Computer Society's Security and Privacy Symposium was held last week in San Jose, California. It set a record for the number of papers presented and had a record number of attendees (60 and 587 respectively). The video recordings of the talks were up on YouTube within an hour of the presentation, coming ever closer to real-time coverage.

In addition to the excellent papers, there were three pieces of news. One was that the conference location will change yet again. After decades in Oakland, two years in San Francisco, and 4 years in San Jose, the conference will return to San Francisco for 4 years. The Hyatt Regency in the Embarcadero region is the new location.

The second change concerns the schedule for reviewing and publishing papers. The attendees at the business meeting approved a year-round review process. Papers will be reviewed within 60 days of submission, and accepted papers will be available online in the Computer Society's Digital Library some weeks later.

Finally, the incoming Technical Committee Vice Chair is Ulfar Erlingsson; his term and that of the new TC Chair Sean Peisert will begin in 2018.

Our current events news list includes several articles about the short path from NSA toolkit to worldwide ransomware attacks. No nightmare is too bizarre for our current reality.

Smothered by the Security Blanket of Surveillance,

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

Nothing new since Cipher E137

http://cisr.nps.edu/jobscipher.html

--------------

This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

____________________________________________________________________
Book Review By Sven Dietrich
6/2/2017
____________________________________________________________________

The Hardware Hacker - Adventures in making & breaking hardware
by Andrew "bunnie" Huang
No Starch Press 2017.
ISBN 978-1-59327-758-1

While we play with computer hardware, whether we be Luddites, creative technologists, security researchers, or otherwise, we often appreciate the fine piece of technology in our hands. Andrew "bunnie" Huang takes us on a journey through the manufacturing sites of hardware, technology flea markets, and the soul of intellectual property of Southeast Asia. Written as a collection of essays, this book brings you to the world of hardware via an exploration of Huang's own hardware projects, critical thinking about fake hardware in production environments, and the realism of forensics on allegedly new hardware.

This book is fun to read. It mixes highly technical references, expands on the shopping list for hardware projects, and walks you through the factory floors of Shenzhen. There are fascinating examples of actual creation and hacking of hardware.
He describes building your own laptop, taking apart a cheap ($12) mobile phone, and dissecting a simple SD card while determining its microcontroller. The book is illustrated with many images of his creations and hacker analyses, showing the innards of technology. Huang also describes his explorations of the factories in China, with its stacks of logic boards, assembly lines, and machine tools.

The book covers these topics in four parts, each subdivided into its own chapters: part 1 - adventures in manufacturing, part 2 - thinking differently, intellectual property in China, part 3 - what open hardware means to me, part 4 - a hacker's perspective.

I hope you will enjoy reading this book as much as I did. Andrew "bunnie" Huang is a master in his field and is not shy to share a view of his world.

- Sven Dietrich reviews technology and security books for IEEE Cipher. He welcomes your thoughts at spock at ieee dot .org

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

------------------------------------
9 Minutes and Hacked - CNN Money
Identity thieves used stolen data 9 minutes after it was posted online
http://money.cnn.com/2017/05/26/technology/identity-thieves-stolen-data-ftc/index.html
By Selena Larson
May 26, 2017

Summary: In a controlled study by the FTC (see https://www.consumer.ftc.gov/blog/how-fast-will-identity-thieves-use-stolen-info), cyberthieves were able to utilize personal data shared online very quickly after it was posted and noticed by a Twitter bot. In another test, it took 10 times as long. Nonetheless, the mean time to exploit is significantly longer than organizational response times. Significantly, two-factor authentication was a full deterrent to account access.

------------------------------------
Hack of the Month Club - The Washington Post
The hacking group that leaked NSA secrets claims it has data on foreign nuclear programs
https://www.washingtonpost.com/news/the-switch/wp/2017/05/16/the-hacking-group-that-leaked-the-nsas-secrets-claims-it-has-data-on-foreign-nuclear-programs/
By Brian Fung
May 16, 2017

Summary: A group that released information and software from NSA digital hacking tools has threatened to release some kind of data about nuclear or missile programs in China, Iran, North Korea, and Russia. They indicated that this and further information might be disseminated through a subscription service. More Windows 10 vulnerability exploits might be in the works. The hacker group seems to be searching for a way to capitalize on its expertise in digital weaponry acquisition.

------------------------------------
Ooh La La, Russkies Try Hacking the French Election - The Guardian
Emmanuel Macron's campaign hacked on eve of French election
https://www.theguardian.com/world/2017/may/06/emmanuel-macron-targeted-by-hackers-on-eve-of-french-election
By Kim Willsher and Jon Henley
May 12, 2017

Summary: Although Emmanuel Macron prevailed in the French presidential election, his campaign was subjected to an 11th hour disinformation/hacking attack by a group that TrendMicro identified as probably being part of the Russian KGB. A large number of documents from Macron's campaign computers were anonymously posted online just before the election. The volume was huge, but an initial assessment indicated that the documents were a mix of mundane campaign files and bogus inflammatory messages.

------------------------------------
NSA and the Great Ransomware Attack - The Washington Post
Ransom reportedly demanded in cyberattack on England's health-care system
https://www.washingtonpost.com/world/hospitals-across-england-report-it-failure-amid-suspected-major-cyber-attack/2017/05/12/84e3dc5e-3723-11e7-b373-418f6849a004_story.html
By Craig Timberg, Griff Witte and Ellen Nakashima
May 12, 2017

Summary: The WannaCry crypto ransomware attack hit the British National Healthcare System and other businesses around the world. The software was based on part of a digital arsenal developed by NSA and disclosed by a group called Shadow Brokers. Although Microsoft immediately released a patch to disable the core vulnerability exploited by the ransomware, older computers and many others remained unpatched and unprotected. Although the attack spread around the world, the perpetrators may not have profited proportionately. Backups of files and restoration procedures may have saved some victims, and others may have abandoned their data.

Related Stories:

NSA Bean Spill - The Washington Post
Hackers have just dumped a treasure trove of NSA data. Here's what it means
https://www.washingtonpost.com/news/monkey-cage/wp/2017/04/15/shadowy-hackers-have-just-dumped-a-treasure-trove-of-nsa-data-heres-what-it-means/
By Henry Farrell
Apr 15, 2017

Summary: The first announcement that the NSA cyber hacking tools had been released to a public website was troubling for multiple reasons. Technology companies were dismayed that the vulnerabilities had not been made available to the software providers in the first place; this practice, called "equities", depends on trust between technology providers and the government. However, subsequent statements from Microsoft showed that they had issued patches for Windows systems a month before the disclosure. Whether they were warned by the hackers or by the government remains unknown.
Another troubling aspect concerned extracting information from the international banking communications network, SWIFT. That undermined trust in the agreement between the EU and the US that information would be shared under formal safeguards. The hacking software may be viewed by European courts as evidence that the US cannot be trusted to uphold European privacy rules, and that makes it difficult for US technology services to operate in Europe.

No, It Wasn't a Zero Day - Ars Technica
Mysterious Microsoft patch killed 0-days released by NSA-leaking Shadow Brokers
https://arstechnica.com/security/2017/04/purported-shadow-brokers-0days-were-in-fact-killed-by-mysterious-patch/
By Dan Goodin
4/15/2017

Summary: Although the NSA hacking tools revealed vulnerabilities in the Microsoft Windows operating system, they were not "zero day" exploits. For unexplained reasons, Microsoft issued patches a month before the tools became public knowledge. Nonetheless, not all Windows systems were patched.

NSA Knows Windows Hacks - The Washington Post
NSA considered harmful to Windows users
https://www.washingtonpost.com/news/the-switch/wp/2017/04/17/what-windows-users-should-know-about-the-latest-bugs-revealed-by-nsa-leakers/
Apr 20, 2017

Summary: A hacking group released the source for many of NSA's own hacking tools, and it included a serious zero day vulnerability for Windows users. Microsoft issued a patch, but older systems have no protection.

------------------------------------
Inadequate controls - The New York Times
N.S.A. Halts Collection of Americans' Emails About Foreign Targets
https://www.nytimes.com/2017/04/28/us/politics/nsa-surveillance-terrorism-privacy.html
Apr 28, 2017

Summary: On April 28 NSA issued a statement (https://www.nsa.gov/news-features/press-room/statements/2017-04-28-702-statement.shtml) saying that it had ended a long-standing, warrantless surveillance practice.
Its communications surveillance program had been collecting messages that mentioned the email addresses of foreign targets even when the sender and recipient were US citizens who never communicated with the target. NSA had revealed this to the FISA courts previously and said that its technology could not be tuned to prevent the collection of these messages. The practice became public knowledge with the disclosure of the Snowden papers. NSA says it has corrected the problem. The result is that Americans can now mention foreign email addresses without turning the surveillance apparatus onto themselves. On the other hand, if foreign targets mention Americans, then the Americans can be subject to warrantless surveillance.

------------------------------------
The Fitbit Fink - CNN
Cops use murdered woman's fitbit to charge her husband
http://www.cnn.com/2017/04/25/us/fitbit-womans-death-investigation-trnd/?iid=ob_homepage_deskrecommended_pool
By Amanda Watts
Apr 27, 2017

Summary: In another novel use of the Internet of Things, police in Connecticut used data from a murdered woman's Fitbit as evidence to contradict her husband's account of an attack and to bring charges against him. The husband claimed that his wife walked only a short distance in the time before the attack, but her Fitbit registered 10 times as many steps. In a separate case in Ohio, a man's alibi was undermined by his pacemaker data (http://www.cnn.com/2017/02/08/us/pacemaker-arson---trnd/). He is facing charges of aggravated arson and insurance fraud.

------------------------------------
Police Slow to Grok Cybercrime - The Washington Post
Local police don't go after most cybercriminals.
We need better training
https://www.washingtonpost.com/posteverything/wp/2017/04/21/local-police-dont-go-after-most-cybercriminals-we-need-better-training/
By Nick Selby
Apr 21, 2017

Summary: A Texas police detective who is also an Internet cybercrime author makes the case that local police need more training in Internet crime in order to provide effective protection for citizens. "The FBI can't do it all," he notes. Selby would like local police to have the tools to go after the scams that hurt the ordinary person --- identity theft, credit card fraud, etc. Although the amount of loss may be small, the victim faces hours of lost time and thousands in attorney's fees in the wake of the crime. The local police don't have the ability to build a case against the cybercriminal, even when they know the perpetrator.

------------------------------------
All Your Sirens Are Belong ... - The Washington Post
Someone hacked every tornado siren in Dallas. It was loud
https://www.washingtonpost.com/news/the-intersect/wp/2017/04/09/someone-hacked-every-tornado-siren-in-dallas-it-was-loud/
By Avi Selk
Apr 9, 2017

Summary: Over a million people in Dallas were subjected to 90 minutes of city sirens due to a hack carried out within the city. Officials determined that someone with physical access to the siren hub caused the cacophony.

------------------------------------
CIA Has Cisco Switches at its Mercy - Ars Technica
A simple command allows the CIA to commandeer 318 models of Cisco switches
https://arstechnica.com/security/2017/03/a-simple-command-allows-the-cia-to-commandeer-318-models-of-cisco-switches/
By Dan Goodin
Mar 20, 2017

Summary: Cisco has been around since the Internet was in knee pants, and so has the telnet protocol. When WikiLeaks revealed that the CIA has ways to take control of Cisco switches, it turned out the source of the vulnerability was Cisco's modifications to this venerable communication service.
It carries the control commands for configuring network services on the switches. Cisco has no workaround for the problem other than disabling telnet or setting strict access controls that prevent unauthorized devices from completing telnet connections. WikiLeaks came under criticism for not giving Cisco a chance to respond before releasing the information about the existence of a vulnerability.

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

====================================================================
Conference and Workshop Announcements
====================================================================

The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

Requests for inclusion in the list should be sent per instructions: http://www.ieee-security.org/Calendar/submitting.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

6/ 8/17: ACSAC, 33rd Annual Computer Security Applications Conference, San Juan, Puerto Rico; http://www.acsac.org; Submissions are due
6/ 9/17: FDTC, 14th Workshop on Fault Diagnosis and Tolerance in Cryptography, Taipei, Taiwan; http://conferenze.dei.polimi.it/FDTC17/index.html; Submissions are due
6/10/17: ISDDC, International Conference on Intelligent, Secure and Dependable Systems in Distributed and Cloud Environments, Vancouver, BC, Canada; http://www.scs.ryerson.ca/iwoungan/ISDDC17/;
         Submissions are due
6/10/17: AsianHOST, IEEE Asian Hardware-Oriented Security and Trust Symposium, Beijing, China; http://asianhost.org/2017/; Submissions are due
6/15/17: WISTP, 11th International Conference on Information Security Theory and Practice, Crete, Greece; http://www.wistp.org; Submissions are due
6/17/17: STM, 13th International Workshop on Security and Trust Management, Co-located with ESORICS 2017, Oslo, Norway; http://stm2017.di.unimi.it; Submissions are due
6/19/17: CECC, Central European Cybersecurity Conference, Ljubljana, Slovenia; https://www.fvv.um.si/cecc2017/; Submissions are due
6/25/17: DPM, 12th Workshop on Data Privacy Management, Co-located with ESORICS 2017, Oslo, Norway; http://deic.uab.cat/conferences/dpm/dpm2017/; Submissions are due
6/29/17: GameSec, 8th Conference on Decision and Game Theory for Security, Vienna, Austria; http://www.gamesec-conf.org/cfp.php; Submissions are due
6/30/17: IET Networks, Special Issues on Security architecture and technologies for 5G; http://digital-library.theiet.org/files/IET_NET_CFP_SEC.pdf; Submissions are due
6/30/17: SPIFEC, 1st European Workshop on Security and Privacy in Fog and Edge Computing, Held In conjunction with ESORICS 2017, Oslo, Norway; https://www.nics.uma.es/pub/spifec; Submissions are due
7/ 3/17- 7/ 5/17: IVSW, 2nd International Verification and Security Workshop, Thessaloniki, Greece; http://tima.imag.fr/conferences/ivsw/ivsw17/
7/ 5/17: CTC, 7th International Symposium on Secure Virtual Infrastructures - Cloud and Trusted Computing, Rhodes, Greece; http://www.otmconferences.org/index.php/conferences/ctc-2017; Submissions are due
7/ 7/17: SSS, 19th Annual International Symposium on Stabilization, Safety, and Security of Distributed Systems, Boston, Massachusetts, USA; http://bitly.com/SSS-2017; Submissions are due
7/ 9/17: FPS, 10th International Symposium on Foundations & Practice of Security, Nancy, France; http://fps2017.loria.fr/; Submissions are due
7/10/17- 7/12/17:
         ACNS, 15th International Conference on Applied Cryptography and Network Security, Kanazawa, Japan; https://cy2sec.comm.eng.osaka-u.ac.jp/acns2017/
7/12/17- 7/14/17: SOUPS, 13th Symposium on Usable Privacy and Security, Santa Clara, CA, USA; https://www.usenix.org/conference/soups2017/call-for-papers
7/17/17- 7/19/17: DBSec, 31st Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy, Philadelphia, PA, USA; https://dbsec2017.ittc.ku.edu/
7/18/17- 7/20/17: WiSec, 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Boston, MA, USA; http://wisec2017.ccs.neu.edu/
7/18/17- 7/21/17: PETS, 17th Privacy Enhancing Technologies Symposium, Minneapolis, MN, USA; https://petsymposium.org/
7/28/17: Security and Communication Networks journal, Special Issue on Emerging and Unconventional: New Attacks and Innovative Detection Techniques; https://www.hindawi.com/journals/scn/si/761087/cfp/; Submissions are due
8/ 1/17- 8/ 4/17: WCSF, 3rd IEEE International Workshop on Cloud Security and Forensics, Held in conjunction with the 16th IEEE International Conference on Trust, Security And Privacy in Computing And Communications (TrustCom2017), Sydney, Australia; https://forensicsandsecurity.com/workshop.php
8/ 4/17: MIST, 9th ACM CCS International Workshop on Managing Insider Security Threats, Dallas, USA; http://isyou.info/conf/mist17; Submissions are due
8/ 4/17: WPES, Workshop on Privacy in the Electronic Society, Dallas, Texas, USA; https://cs.pitt.edu/wpes2017; Submissions are due
8/ 7/17- 8/10/17: DSC, IEEE Conference on Dependable and Secure Computing, Taipei, Taiwan; http://dsc17.cs.nctu.edu.tw/
8/16/17- 8/10/17: USENIX Security, 26th USENIX Security Symposium, Vancouver, Canada; https://www.usenix.org/conference/usenixsecurity17/call-for-papers
8/21/17: GraMSec, International Workshop on Graphical Models for Security, Santa Barbara, CA, USA; http://gramsec.uni.lu
8/22/17- 8/25/17: CSF, 30th IEEE Computer Security Foundations
         Symposium, Co-located with CRYPTO 2017, Santa Barbara, California, USA; http://csf2017.tecnico.ulisboa.pt/
8/28/17- 8/30/17: PST, 15th Conference on Privacy, Security and Trust, Calgary, Alberta, Canada; http://www.ucalgary.ca/pst2017/
8/28/17- 8/31/17: TrustBus, 14th International Conference on Trust, Privacy, and Security in Digital Business, Lyon, France; http://www.ds.unipi.gr/trustbus2017/
8/29/17- 9/ 1/17: CUING, 1st International Workshop on Criminal Use of Information Hiding, Held in conjunction with the 12th International Conference on Availability, Reliability and Security (ARES 2017), Reggio Calabria, Italy; https://www.ares-conference.eu/conference/workshops/cuing-2017/
9/ 1/17: Ad Hoc Networks, Special Issue on Security of IoT-enabled Infrastructures in Smart Cities; https://www.journals.elsevier.com/ad-hoc-networks/call-for-papers/special-issue-on-security-of-iot-enabled-infrastructures-in; Submissions are due
9/ 1/17: Security and Communication Networks journal, Special Issue on User Authentication in the IoE Era: Attacks, Challenges, Evaluation, and New Designs; https://www.hindawi.com/journals/scn/si/908453/cfp/; Submissions are due
9/ 1/17: IFIP119-DF, 14th Annual IFIP WG 11.9 International Conference on Digital Forensics, New Delhi, India; http://www.ifip119.org; Submissions are due
9/11/17- 9/15/17: ESORICS, 22nd European Symposium on Research in Computer Security, Oslo, Norway; https://www.ntnu.edu/web/esorics2017/
9/14/17- 9/15/17: STM, 13th International Workshop on Security and Trust Management, Co-located with ESORICS 2017, Oslo, Norway; http://stm2017.di.unimi.it
9/14/17- 9/15/17: DPM, 12th Workshop on Data Privacy Management, Co-located with ESORICS 2017, Oslo, Norway; http://deic.uab.cat/conferences/dpm/dpm2017/
9/14/17- 9/15/17: SPIFEC, 1st European Workshop on Security and Privacy in Fog and Edge Computing, Held In conjunction with ESORICS 2017, Oslo, Norway; https://www.nics.uma.es/pub/spifec
9/18/17- 9/20/17: RAID, 20th
         International Symposium on Research in Attacks, Intrusions and Defenses, Atlanta, GA, USA; https://www.raid2017.org/
9/25/17: FDTC, 14th Workshop on Fault Diagnosis and Tolerance in Cryptography, Taipei, Taiwan; http://conferenze.dei.polimi.it/FDTC17/index.html
9/28/17- 9/29/17: WISTP, 11th International Conference on Information Security Theory and Practice, Crete, Greece; http://www.wistp.org
10/ 2/17-10/ 4/17: NSPW, New Security Paradigms Workshop, Islamorada, FL, USA; http://www.nspw.org/cfp/nspw2017-cfp.pdf
10/ 9/17-10/11/17: CNS, 5th IEEE Conference on Communications and Network Security, Las Vegas, Nevada, USA; http://cns2017.ieee-cns.org/
10/19/17-10/20/17: AsianHOST, IEEE Asian Hardware-Oriented Security and Trust Symposium, Beijing, China; http://asianhost.org/2017/
10/23/17-10/24/17: CTC, 7th International Symposium on Secure Virtual Infrastructures - Cloud and Trusted Computing, Rhodes, Greece; http://www.otmconferences.org/index.php/conferences/ctc-2017
10/23/17-10/25/17: GameSec, 8th Conference on Decision and Game Theory for Security, Vienna, Austria; http://www.gamesec-conf.org/cfp.php
10/23/17-10/25: FPS, 10th International Symposium on Foundations & Practice of Security, Nancy, France; http://fps2017.loria.fr/
10/25/17-10/27/17: ISDDC, International Conference on Intelligent, Secure and Dependable Systems in Distributed and Cloud Environments, Vancouver, BC, Canada; http://www.scs.ryerson.ca/iwoungan/ISDDC17/
10/30/17-11/ 3/17: ACM CCS, 24th ACM Conference on Computer and Communication Security, Dallas, TX, USA; https://www.sigsac.org/ccs/CCS2017
10/30/17-11/ 3/17: MIST, 9th ACM CCS International Workshop on Managing Insider Security Threats, Dallas, USA; http://isyou.info/conf/mist17
10/30/17: WPES, Workshop on Privacy in the Electronic Society, Dallas, Texas, USA; https://cs.pitt.edu/wpes2017
11/ 5/17-11/ 8/17: SSS, 19th Annual International Symposium on Stabilization, Safety, and Security of Distributed Systems, Boston, Massachusetts, USA;
         http://bitly.com/SSS-2017
11/ 6/17-11/10/17: DASC, 15th IEEE International Conference on Dependable, Autonomic and Secure Computing, Orlando, Florida, USA; http://cse.stfx.ca/~dasc2017/
11/16/17-11/17/17: CECC, Central European Cybersecurity Conference, Ljubljana, Slovenia; https://www.fvv.um.si/cecc2017/
12/ 1/17: Information & Communications Technology Express, Special Issue on Critical Infrastructure (CI) & Smart Grid Cyber Security; https://www.journals.elsevier.com/ict-express/call-for-papers/special-issue-on-ci-smart-grid-cyber-security; Submissions are due
12/ 4/17-12/ 8/17: ACSAC, 33rd Annual Computer Security Applications Conference San Juan, Puerto Rico; http://www.acsac.org
1/ 3/18- 1/ 5/18: IFIP119-DF, 14th Annual IFIP WG 11.9 International Conference on Digital Forensics, New Delhi, India; http://www.ifip119.org

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers (new since Cipher E137)
___________________________________________________________________

ACSAC 2017 33rd Annual Computer Security Applications Conference, San Juan, Puerto Rico, December 4-8, 2017. (Submission Due 8 June 2017)
http://www.acsac.org

The Annual Computer Security Applications Conference (ACSAC) is an internationally recognized forum where practitioners, researchers, and developers in information and system security meet to learn and to exchange practical ideas and experiences. If you are developing, researching, or implementing practical security solutions, consider sharing your experience and expertise at ACSAC. We are especially interested in submissions that address the application of security technology, the implementation of systems, and lessons learned.
Some example topics are:
- Access Control
- Anonymity
- Applied Cryptography
- Assurance
- Audit
- Biometrics
- Security case studies
- Cloud Security
- Cyber-Physical Systems
- Denial of Service Protection
- Distributed Systems Security
- Embedded Systems Security
- Enterprise Security Management
- Evaluation and Compliance
- Digital Forensics
- Identity Management
- Incident Response
- Insider Threat Protection
- Integrity
- Intrusion Detection
- Intellectual Property
- Malware
- Mobile/Wireless Security
- Multimedia Security
- Network Security
- OS Security
- P2P Security
- Privacy & Data Protection
- Privilege Management
- Resilience
- Security and Privacy of the Internet of Things
- Security Engineering
- Software Security
- Supply Chain Security
- Trust Management
- Trustworthy Computing
- Usability and Human-centric Aspects of Security
- Virtualization Security
- Web Security

-------------------------------------------------------------------------
FDTC 2017 14th Workshop on Fault Diagnosis and Tolerance in Cryptography, Taipei, Taiwan, September 25, 2017. (Submission Due 9 June 2017)
http://conferenze.dei.polimi.it/FDTC17/index.html

Fault injection is one of the most exploited means for extracting confidential information from embedded devices and for compromising their intended operation. Therefore, research on developing methodologies, techniques, architectures and design tools for robust cryptographic systems (both hardware and software), and on protecting them against both accidental faults and intentional attacks is essential. Of particular interest are models and metrics for quantifying the protection of systems and protocols against malicious injection of faults and to estimate the leaked confidential information. FDTC is the reference event in the field of fault analysis, attacks and countermeasures.
Topics of interest include but are not limited to:
- Fault injection and exploitation: mechanisms (e.g., using lasers, electromagnetic induction, or clock / power supply manipulation), attacks on cryptographic devices (HW and SW) or protocols, combined implementation attacks
- Countermeasures: Fault resistant hardware / implementations of cryptographic algorithms, countermeasures to detect fault injections, techniques providing fault tolerance (inherent reliability), fault resistant protocols, measures to prevent fault injection (e.g., physical protection, fault diagnosis)
- Models and metrics for fault attack analysis: metrics for fault attacks robustness and the leaked information, models of fault injection, modeling and analysis (e.g., modeling the reliability of systems or protocols)
- Fault attack resistant architectures: fault attack resistant processor designs, fault attack resistant hardware, fault attack resistant software
- Design tools supporting analysis of fault attacks and countermeasures: early estimation of fault attack robustness, automatic applications of fault countermeasures, fault attacks and reliability
- Case studies of attacks, fault diagnosis, and tolerance techniques

-------------------------------------------------------------------------
ISDDC 2017 International Conference on Intelligent, Secure and Dependable Systems in Distributed and Cloud Environments, Vancouver, BC, Canada, October 25-27, 2017. (Submission Due 10 June 2017)
http://www.scs.ryerson.ca/iwoungan/ISDDC17/

The integration of network computing and mobile systems offers new challenges with respect to the dependability of integrated applications. At the same time, new threat vectors have emerged that leverage and magnify traditional hacking methods, enabling large scale and intelligence-driven attacks against a variety of platforms, including mobile, cloud, Internet-of-things (IoT), as well as conventional networks.
The consequence of such a fast evolving environment is the pressing need for effective and efficient paradigms, approaches, and tools for building, maintaining, and managing secure and dependable systems. This conference solicits papers addressing issues related to the design, analysis, and implementation of dependable and secure infrastructures, systems, architectures, algorithms, and protocols that deal with network computing, mobile/ubiquitous systems, cloud systems, and IoT systems. The goal of the ISDDC 2017 conference is to provide a forum for researchers, students, scientists and engineers working in academia and industry to share their experiences, new ideas and research results in the above-mentioned areas.

-------------------------------------------------------------------------
AsianHOST 2017 IEEE Asian Hardware-Oriented Security and Trust Symposium, Beijing, China, October 19-20, 2017. (Submission Due 10 June 2017)
http://asianhost.org/2017/

IEEE Asian Hardware Oriented Security and Trust Symposium (AsianHOST) aims to facilitate the rapid growth of hardware security research and development in Asia and South Pacific areas. AsianHOST highlights new results in the area of hardware and system security. Relevant research topics include techniques, tools, design/test methods, architectures, circuits, and applications of secure hardware.
AsianHOST 2017 invites original contributions related to, but not limited by, the following topics:
- Hardware Trojan attacks and detection techniques
- Side-channel attacks and countermeasures
- Metrics, policies, and standards related to hardware security
- Secure system-on-chip (SoC) architecture
- Security rule checks at IP, IC, and System levels
- Hardware IP trust (watermarking, metering, trust verification)
- FPGA security
- Trusted manufacturing including split manufacturing, 2.5D, and 3D ICs
- Emerging nanoscale technologies in hardware security applications
- Security analysis and protection of Internet of Things (IoT)
- Cyber-physical system (CPS) security and resilience
- Reverse engineering and hardware obfuscation at all levels of abstraction
- Supply chain risks mitigation including counterfeit detection & avoidance
- Hardware techniques that ensure software and/or system security
- Analysis of real attacks and threat evaluation
-------------------------------------------------------------------------
WISTP 2017 11th International Conference on Information Security Theory and Practice, Crete, Greece, September 28-29, 2017. (Submission Due 15 June 2017)
http://www.wistp.org

The 11th WISTP International Conference on Information Security Theory and Practice (WISTP'2017) seeks original submissions from academia and industry presenting novel research on all theoretical and practical aspects of security and privacy, as well as experimental studies of fielded systems, the application of security technology, the implementation of systems, and lessons learned. We encourage interdisciplinary contributions bringing law, business, and policy perspectives on security issues. Submissions with regards to the security of future ICT technologies, such as cyber-physical systems, cloud services, data science and the Internet of Things are particularly welcome.
-------------------------------------------------------------------------
STM 2017 13th International Workshop on Security and Trust Management, Co-located with ESORICS 2017, Oslo, Norway, September 14-15, 2017. (Submission Due 17 June 2017)
http://stm2017.di.unimi.it

STM (Security and Trust Management) is a working group of ERCIM (European Research Consortium in Informatics and Mathematics). The workshop seeks submissions from academia, industry, and government presenting novel research on all theoretical and practical aspects of security and trust in ICT. Topics of interest include, but are not limited to:
- Access control
- Anonymity
- Applied cryptography
- Authentication
- Complex systems security
- Data and application security
- Data protection
- Data/system integrity
- Digital rights management
- Economics of security and privacy
- Formal methods for security and trust
- Identity management
- Legal and ethical issues
- Mobile security
- Networked systems security
- Operating systems security
- Privacy
- Security and trust metrics
- Security and trust policies
- Security and trust management architectures
- Security and trust for big data
- Security and trust in cloud environments
- Security and trust in content delivery networks
- Security and trust in crowdsourcing
- Security and trust in grid computing
- Security and trust in the Internet of Things
- Security and trust in pervasive computing
- Security and trust in services
- Security and trust in social networks
- Social implications of security and trust
- Trust assessment and negotiation
- Trust in mobile code
- Trust models
- Trust management policies
- Trust and reputation systems
- Trusted platforms
- Trustworthy systems and user devices
-------------------------------------------------------------------------
CECC 2017 Central European Cybersecurity Conference, Ljubljana, Slovenia, November 16-17, 2017.
(Submission Due 19 June 2017)
https://www.fvv.um.si/cecc2017/

The Central European Cybersecurity Conference - CECC 2017 aims at establishing a venue for the exchange of information on cybersecurity and its many aspects in central Europe. CECC 2017 encourages the dialogue between researchers of technical and social aspects of cybersecurity, both crucial in attaining adequate levels of cybersecurity. Complementary contributions dealing with its economic aspects as well as any legal, investigation or other issues related to cybersecurity are welcome, too. All accepted and presented research papers will be available in Open Access conference proceedings published by the University of Maribor Press and submitted for indexing by DBLP, Elsevier SCOPUS and Thomson Reuters Web of Science Core Collection.
-------------------------------------------------------------------------
DPM 2017 12th Workshop on Data Privacy Management, Co-located with ESORICS 2017, Oslo, Norway, September 14-15, 2017. (Submission Due 25 June 2017)
http://deic.uab.cat/conferences/dpm/dpm2017/

Organizations are increasingly concerned about the privacy of information that they manage (several people have filed lawsuits against organizations violating the privacy of customers' data). Thus, the management of privacy-sensitive information is very critical and important for every organization. This poses several challenging problems, such as how to translate the high-level business goals into system-level privacy policies, administration of privacy-sensitive data, privacy data integration and engineering, privacy access control mechanisms, information-oriented security, and query execution on privacy-sensitive data for partial answers. The aim of this workshop is to discuss and exchange the ideas related to privacy data management. We invite papers from researchers and practitioners working in privacy, security, trustworthy data systems and related areas to submit their original papers in this workshop.
The main topics include, but are not limited to:
- Privacy Information Management
- Privacy Policy-based Infrastructures and Architectures
- Privacy-oriented Access Control Languages and Models
- Privacy in Trust Management
- Privacy in Digital Currencies
- Privacy Data Integration
- Privacy Risk Assessment and Assurance
- Privacy Services
- Privacy Policy Analysis
- Cryptography
- Cryptanalysis
- Query Execution over Privacy Sensitive Data
- Privacy Preserving Data Mining
- Hippocratic and Water-marking Databases
- Privacy for Integrity-based Computing
- Privacy Monitoring and Auditing
- Privacy in Social Networks
- Privacy in Ambient Intelligence (AmI) Applications
- Individual Privacy vs. Corporate/National Security
- Code-based Cryptology
- Privacy in computer networks
- Privacy and RFIDs
- Privacy and Big Data
- Privacy in sensor networks
-------------------------------------------------------------------------
GameSec 2017 8th Conference on Decision and Game Theory for Security, Vienna, Austria, October 23-25, 2017. (Submission Due 29 June 2017)
http://www.gamesec-conf.org/cfp.php

The goal of GameSec is to bring together academic and industrial researchers in an effort to identify and discuss the major technical challenges and recent results that highlight the connection between game theory, control, distributed optimization, economic incentives and real world security, reputation, trust and privacy problems in a variety of technological systems. Submissions should solely be original research papers that have neither been published nor submitted for publication elsewhere.
- Game theory and mechanism design for security and privacy
- Pricing and economic incentives for building dependable and secure systems
- Dynamic control, learning, and optimization and approximation techniques
- Decision making and decision theory for cybersecurity and security requirements engineering
- Socio-technological and behavioral approaches to security
- Risk assessment and risk management
- Security investment and cyber insurance
- Security and privacy for the Internet-of-Things (IoT), cyber-physical systems, resilient control systems
- New approaches for security and privacy in cloud computing and for critical infrastructure
- Security and privacy of wireless and mobile communications, including user location privacy
- Game theory for intrusion detection
- Empirical and experimental studies with game-theoretic or optimization analysis for security and privacy
-------------------------------------------------------------------------
IET Networks, Special Issues on Security architecture and technologies for 5G, (Submission Due 30 June 2017)
http://digital-library.theiet.org/files/IET_NET_CFP_SEC.pdf

Guest Editors: Hongke Zhang (Beijing Jiaotong University, China), Chi-Yuan Chen (National Ilan University, Taiwan), Shui Yu (Deakin University, Australia), and Wei Quan (Beijing Jiaotong University, China).

5G security challenges come from many aspects. Firstly, secure network architectures are required as the basis for 5G to support a huge number of connected devices. Secondly, 5G will migrate or bring in many promising network technologies, such as Software Defined Networking (SDN), Network Functions Virtualization (NFV), Information Centric Network (ICN), Device to Device (D2D), Network Slicing, Cloud Computing/Fog Computing and so on. These technologies should also provide security guarantee for 5G architecture. Thirdly, more and more user data and network traffic will be carried in the 5G network.
Big Data Security should be considered to protect these data, including the data privacy, data sources, data analytics and so on. Fourthly, 5G will promote many interesting applications, which also require secure supports, such as Vehicular Network, Internet of Energy (IoE) and VR/AR. We call for survey and research papers in the 5G security scope. We aim to provide a platform for researchers to further explore the security issues, technologies, architecture for 5G networks.
-------------------------------------------------------------------------
SPIFEC 2017 1st European Workshop on Security and Privacy in Fog and Edge Computing, Held in conjunction with ESORICS 2017, Oslo, Norway, September 14-15, 2017. (Submission Due 30 June 2017)
https://www.nics.uma.es/pub/spifec

The main goal of Fog Computing and other related Edge paradigms, such as Multi-Access Edge Computing, is to decentralize the Cloud and bring some of its services closer to the edge of the network, where data are generated and decisions are made. Cloud-enabled edge platforms will be able to cooperate not only with each other but with the cloud, effectively creating a collaborative and federated environment. This paradigm shift will fulfill the needs of novel services, such as augmented reality, that have particularly stringent requirements like extremely low latency. It will also help improve the vision of the Internet of Things by improving its scalability and overall functionality, among other benefits. To enable this vision, a number of platforms and technologies need to securely coexist, including sensors and actuators, edge-deployed systems, software-defined networks, hardware virtualization, data mining mechanisms, etc. However, this paradigm shift calls for new security challenges and opportunities to leverage services for new scenarios and applications.
The field of edge computing security is almost unexplored, and demands further attention from the research community and industry in order to unleash the full potential of this paradigm.
-------------------------------------------------------------------------
CTC 2017 7th International Symposium on Secure Virtual Infrastructures - Cloud and Trusted Computing, Rhodes, Greece, October 23-24, 2017. (Submission Due 5 July 2017)
http://www.otmconferences.org/index.php/conferences/ctc-2017

Current and future service-based software needs to remain focused towards the development and deployment of large and complex intelligent and networked information systems, required for internet-based and intranet-based systems in organizations, as well as to move to IoT integration and big data analytics. Today, service-based software covers a very wide range of application domains as well as technologies and research issues. This has found realization through Cloud Computing, Big Data, and IoT. Vital elements in such networked, virtualized, and sensor-based information systems are the notions of trust, security, privacy and risk management. The conference solicits submissions from both academia and industry presenting novel research in the context of Cloud Computing, Big Data, and IoT, presenting theoretical and practical approaches to cloud, big data, and IoT trust, security, privacy and risk management. The conference will provide a special focus on the intersection between cloud paradigm, big data analytics, and IoT integration, bringing together experts from the three communities to discuss on the vital issues of trust, security, privacy and risk management in Cloud Computing, shedding the light on novel issues and requirements in big data and IoT domains. Potential contributions could cover new approaches, methodologies, protocols, tools, or verification and validation techniques.
We also welcome review papers that analyze critically the current status of trust, security, privacy and risk management in the cloud, big data, and IoT. Papers from practitioners who encounter trust, security, privacy, and risk management problems, and seek understanding are finally welcome. For 2017, a special emphasis will be put on "Secure and Trustworthy Big Data Analytics and IoT Integration: From the Periphery to the Cloud".
-------------------------------------------------------------------------
SSS 2017 19th Annual International Symposium on Stabilization, Safety, and Security of Distributed Systems, Boston, Massachusetts, USA, November 5-8, 2017. (Submission Due 7 July 2017)
http://bitly.com/SSS-2017

SSS is an international forum for researchers and practitioners in the design and development of distributed systems with a focus on systems that are able to provide guarantees on their structure, performance, and/or security in the face of an adverse operational environment. Research in distributed systems is now at a crucial point in its evolution, marked by the importance and variety of dynamic distributed systems such as peer-to-peer networks, large-scale sensor networks, mobile ad-hoc networks, and cloud computing. Moreover, new applications such as grid and web services, distributed command and control, and a vast array of decentralized computations in a variety of disciplines has driven the need to ensure that distributed computations are self-stabilizing, performant, safe and secure. The symposium takes a broad view of the self-managed distributed systems area and encourages the submission of original contributions spanning fundamental research and practical applications within its scope, covered by the three symposium tracks: (i) Stabilizing Systems: Theory and Practice, (ii) Distributed Computing and Communication Networks, as well as (iii) Computer Security and Information Privacy.
-------------------------------------------------------------------------
FPS 2017 10th International Symposium on Foundations & Practice of Security, Nancy, France, October 23-25, 2017. (Submission Due 9 July 2017)
http://fps2017.loria.fr/

Protecting the communication and data infrastructure of an increasingly inter-connected world has become vital to the normal functioning of all aspects of our world. Security has emerged as an important scientific discipline whose many multifaceted complexities deserve the attention and synergy of the mathematical, computer science and engineering communities. The aim of FPS is to discuss and exchange theoretical and practical ideas that address security issues in inter-connected systems. It aims to provide scientific presentations as well as to establish links, promote scientific collaboration, joint research programs, and student exchanges between institutions involved in this important and fast moving research field. We also invite papers from researchers and practitioners working in security, privacy, trustworthy data systems and related areas to submit their original papers.
-------------------------------------------------------------------------
Security and Communication Networks journal, Special Issue on Emerging and Unconventional: New Attacks and Innovative Detection Techniques, (Submission Due 28 July 2017)
https://www.hindawi.com/journals/scn/si/761087/cfp/

Guest Editors: Luca Caviglione (National Research Council of Italy, Italy), Wojciech Mazurczyk (Warsaw University of Technology & FernUniversität in Hagen, Poland), Steffen Wendzel (Fraunhofer FKIE, Germany), and Sebastian Zander (Murdoch University, Australia).

In the last years, advancements of the information and communication technologies have spawned a variety of innovative paradigms, such as cloud and fog computing, the Internet of Things (IoT), or complex vehicle-to-vehicle frameworks.
As a consequence, the cybersecurity panorama is now getting populated with complex, emerging, and unconventional attacks, which require deep investigation and proper understanding. For example, the diffusion of online social networks brought social engineering to the next level, while IoT led to a completely new set of hazards also endangering the user at a physical level. Modern threats also exploit a variety of advanced methods to increase their stealthiness in order to remain unnoticed for long periods, as well as reduce the effectiveness of many digital forensics techniques and detection tools. Therefore, new and emerging technologies changed the modern cybersecurity landscape, which nowadays is populated by novel attacks and also requires innovative detection and prevention methods. In this perspective, the special issue aims at investigating the most advanced and innovative forms of attacks and scenarios, for instance, considering automotive or building automation settings. To complete the picture, a relevant attention will be given to works dealing with innovative forms of detection and forensics analysis, which are mandatory to counteract sophisticated malware able to hide or take advantage of unconventional and complex scenarios. This issue accepts high quality papers containing novel original research results and review articles of exceptional merit covering the most cutting-edge cybersecurity threats and countermeasures. 
Potential topics include but are not limited to the following:
- Novel advanced and persistent threats aiming at automotive and smart buildings/cities
- Security issues and profiling hazards in smart buildings/cities
- IoT and device specific attacks, for example, battery drain attacks or attacks on IoT routing protocols
- Hazards taking advantage from social media, for example, social bots and new social engineering attacks
- Information hiding threats to counteract forensics tools and analysis
- Network steganography for data exfiltration and new information-hiding-capable threats
- Energy-based detection of slow and hidden attacks, including low-attention rising threats for mobile and handheld devices
- Scalable countermeasures for preventing steganography in big-data-like sources
- Novel threats targeting vehicles and cloud and software defined networking technologies
- Bioinspired attacks and detection mechanisms
- Ransomware: novel trends, characteristics, and detection
- Moving Target Defense (MTD) solutions against infections
-------------------------------------------------------------------------
MIST 2017 9th ACM CCS International Workshop on Managing Insider Security Threats, Dallas, USA, October 30 - November 3, 2017. (Submission Due 4 August 2017)
http://isyou.info/conf/mist17

During the past two decades, information security technology developments have been mainly concerned with intrusion detection to prevent unauthorized attacks from outside the network. This includes hacking, virus propagation, spyware and more. However, according to a recent Gartner Research Report, information leaks have drastically increased from insiders who are legally authorized to access corporate information. The unauthorized leak of critical or proprietary information can cause significant damage to corporate image and reputation, perhaps even weakening its competitiveness in the marketplace.
On a larger scale, government and public sectors may suffer competitive loss to other nations due to an internal intelligence breach. While the leaking of critical information by insiders has a lower public profile than that of viruses and hacker attacks, the financial impact and loss can be just as devastating. The objective of this workshop is to showcase the most recent challenges and advances in security and cryptography technologies and management systems for preventing information breaches by insiders. The workshop promotes state-of-the-art research, surveys and case analyses of practical significance. Physical, managerial, and technical countermeasures will be covered in the context of an integrated security management system that protects critical cyber-infrastructure against unauthorized internal attack. We expect that this workshop will be a trigger for further research and technology improvements related to this important subject.
-------------------------------------------------------------------------
WPES 2017 Workshop on Privacy in the Electronic Society, Dallas, Texas, USA, October 30, 2017. (Submission Due 4 August 2017)
https://cs.pitt.edu/wpes2017

The need for privacy-aware policies, regulations, and techniques has been widely recognized. This workshop discusses the problems of privacy in the global interconnected societies and possible solutions. The 2017 Workshop, held in conjunction with the ACM CCS conference, is the sixteenth in a yearly forum for papers on all the different aspects of privacy in today's electronic society. The workshop seeks submissions from academia and industry presenting novel research on all theoretical and practical aspects of electronic privacy, as well as experimental studies of fielded systems. We encourage submissions from other communities such as law and business that present these communities' perspectives on technological issues.
Topics of interest include, but are not limited to, anonymization and transparency, crowdsourcing for privacy and security, data correlation and leakage attacks, data security and privacy, data and computations integrity in emerging scenarios, electronic communication privacy, economics of privacy, information dissemination control, models, languages, and techniques for big data protection, personally identifiable information, privacy-aware access control, privacy and anonymity on the web, privacy in biometric systems, privacy in cloud and grid systems, privacy and confidentiality management, privacy and data mining, privacy in the Internet of Things, privacy in the digital business, privacy in the electronic records, privacy enhancing technologies, privacy and human rights, privacy in health care and public administration, privacy metrics, privacy in mobile systems, privacy in outsourced scenarios, privacy policies, privacy vs. security, privacy of provenance data, privacy in social networks, privacy threats, privacy and virtual identity, user profiling, and wireless privacy.
-------------------------------------------------------------------------
Ad Hoc Networks, Special Issue on Security of IoT-enabled Infrastructures in Smart Cities, (Submission Due 1 September 2017)
https://www.journals.elsevier.com/ad-hoc-networks/call-for-papers/special-issue-on-security-of-iot-enabled-infrastructures-in

Guest Editors: Steven Furnell (Plymouth University, United Kingdom), Abbas M. Hassan (Al Azhar University, Qena, Egypt), and Theo Tryfonas (University of Bristol, United Kingdom).

Internet of Things (IoT) is a paradigm that involves a network of physical objects containing embedded technologies to collect, communicate, sense, and interact with their internal states or the external environment through wireless or wired connections. IoT uses unique addressing schemes and network infrastructures to create new application or services.
Smart cities are developed urban environments where any citizen can use any service anywhere and anytime. IoT has become a generator of smart cities aiming at overcoming the problems inherent in traditional urban developments. The nature of IoT information exchange among the connected objects 'Things' and remote locations for data storage and data processing gives the ability to collect numerous amounts of data about individuals, and other things in the smart city. Hence, these data can be passed to malicious or have vulnerabilities such as man-in-the-middle attack or denial-of-service (DoS) attacks. Therefore, collected and transferred bands of data via IoT infrastructure would affect the national security and privacy. Driven by the concept that IoT is the major builder in the coming smart cities, security and privacy have become inevitable requirements not only for personal safety, but also for assuring the sustainability of the ubiquitous city. Although, there are available researches that address the security challenges in IoT data, this special issue aims to address the security and privacy challenges emerging from deploying IoT in smart cities with a special emphasis on the IoT device, infrastructures, networking, and protocols. In addition, the special issue provides an up-to-date statement of the current research progresses in IoT security, privacy challenges, and mitigation approaches for protecting the individuals' safety and the sustainability of the smart city.
The topics of interest include but are not limited to:
- Innovative techniques for IoT infrastructure security
- Internet of Things (IoT) devices and protocols security
- Cross-domain trust management in smart communities
- Cloud computing-based security solutions for IoT data
- Security and privacy frameworks for IoT-based smart cities
- Critical infrastructures resilience and security in smart cities
- Biometric modalities involved in IoT security for smart cities
- Security challenges and mitigation approaches for smart cities
- Cyber attacks detection and prevention systems for IoT networks
- Interoperable security for urban planning and applications
- Ethics, legal, and social considerations in IoT security
-------------------------------------------------------------------------
Security and Communication Networks journal, Special Issue on User Authentication in the IoE Era: Attacks, Challenges, Evaluation, and New Designs, (Submission Due 1 September 2017)
https://www.hindawi.com/journals/scn/si/908453/cfp/

Guest Editors: Ding Wang (Peking University, Beijing, China), Shujun Li (University of Surrey, Guildford, UK), and Qi Jiang (University of Waterloo, Ontario, Canada and Xidian University, Xi'an, China).

We are venturing into the new era of Internet of Everything (IoE) where smaller and smarter computing devices have begun to be integrated into the cyber-physical-social environments in which we are living our lives. Despite its great potential, IoE also exposes devices and their users to new security and privacy threats, such as attacks emanating from the Internet that can impact human users' health and safety. User authentication, as a first line of defense, has been widely deployed to prevent unauthorized access and, in many cases, is also the primary line of defense. However, conventional user authentication mechanisms are not capable of addressing these new challenges.
Firstly, it is not possible to directly utilize many Internet-centric security solutions because of the inherent characteristics of IoE devices (e.g., their limited computational capabilities and power supply). Secondly, IoE devices may lack conventional user interfaces, such as keyboards, mice, and touch screens, so that many traditional solutions simply cannot be applied. In summary, the subjects of user authentication in IoE are compelling, yet largely underexplored, and new technologies are needed by both the industry and academia. This special issue aims to provide a venue for researchers to disseminate their recent research ideas and results about user authentication in IoE. Potential topics include but are not limited to the following:
- Lightweight authentication
- Password-based authentication
- Biometric-based authentication
- Multi-factor authentication
- Continuous/implicit authentication
- Authentication for fog/edge computing
- Authentication for cloud computing
- Anonymous authentication
- Privacy enhancing technologies for authentication
- New paradigms for user authentication
- Attacks on authentication for IoE devices
- Human aspects of authentication in IoE
- Foundational principles for authentication
- Evaluation metrics for authentication schemes
-------------------------------------------------------------------------
IFIP119-DF 2018 14th Annual IFIP WG 11.9 International Conference on Digital Forensics, New Delhi, India, January 3-5, 2018. (Submission Due 1 September 2017)
http://www.ifip119.org

The IFIP Working Group 11.9 on Digital Forensics (www.ifip119.org) is an active international community of scientists, engineers and practitioners dedicated to advancing the state of the art of research and practice in digital forensics.
The Fourteenth Annual IFIP WG 11.9 International Conference on Digital Forensics will provide a forum for presenting original, unpublished research results and innovative ideas related to the extraction, analysis and preservation of all forms of electronic evidence. Papers and panel proposals are solicited. All submissions will be refereed by a program committee comprising members of the Working Group. Papers and panel submissions will be selected based on their technical merit and relevance to IFIP WG 11.9. The conference will be limited to approximately a hundred participants to facilitate interactions between researchers and intense discussions of critical research issues. Keynote presentations, revised papers and details of panel discussions will be published as an edited volume - the fourteenth volume in the well-known Advances in Digital Forensics book series (Springer, Heidelberg, Germany) during the summer of 2018. Technical papers and posters are solicited in all areas related to the theory and practice of digital forensics. Areas of special interest include, but are not limited to:
- Theories, techniques and tools for extracting, analyzing and preserving digital evidence
- Network and cloud forensics
- Embedded device forensics
- Digital forensic processes and workflow models
- Digital forensic case studies
- Legal, ethical and policy issues related to digital forensics
-------------------------------------------------------------------------
Information & Communications Technology Express, Special Issue on Critical Infrastructure (CI) & Smart Grid Cyber Security, (Submission Due 1 December 2017)
https://www.journals.elsevier.com/ict-express/call-for-papers/special-issue-on-ci-smart-grid-cyber-security

Guest Editors: Leandros A. Maglaras (De Montfort University, UK), Ki-Hyung Kim (Ajou University, Korea), Helge Janicke (De Montfort University, UK), Mohamed Amine Ferrag (Guelma University, Algeria), Artemios G.
Voyiatzis (SBA Research, Austria), Pavlina Fragkou (T.E.I of Athens, Greece), Athanasios Maglaras (T.E.I. of Thessaly, Greece), and Tiago J. Cruz (University of Coimbra, Portugal).

Cyber-physical systems are becoming vital to modernizing the national critical infrastructure (CI) systems. A smart grid is an energy transmission and distribution network enhanced through digital control, monitoring, and telecommunications capabilities. It provides a real-time, two-way flow of energy and information to all stakeholders in the electricity chain, from the generation plant to the commercial, industrial, and residential end user. Each smart grid subsystem and its associated assets require specific security functions and solutions. For example, the solution to secure a substation is not the same as the solution to secure demand response and home energy management systems. Usual cyber security technologies and best practices - such as antivirus, firewalls, intrusion prevention systems, network security design, defense in depth, and system hardening - are necessary to protect the smart grid. However, history showed they are only part of the solution. Owing to the rapid increase of sophisticated cyber threats with exponentially destructive effects, advanced cyber security technologies must be developed. The title of this special issue of ICT Express is therefore coined concisely as "Special Issue on CI & Smart Grid Cyber Security". This special issue focuses on innovative methods and techniques in order to address unique security issues relating to CI and smart grids.
Original submissions reflecting the latest research observations and
achievements in the following areas are invited:
- Hardware Security Solutions
- Incident response
- Real-time threat intelligence
- Situation Awareness
- Security information and event management (SIEM) systems
- Machine Learning Techniques
- Safety-Security Interactions
- System Vulnerabilities
- Cyber Security Engineering
- Human Awareness & Training
- Intrusion Detection Systems
- Trust and privacy
- Malware Analysis
- Behavioral Modeling
- Secure Communication Protocols
- Malware analysis
- Network security and protocols
- Hardware enforced virtualization

-------------------------------------------------------------------------

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________

Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:
  1. To receive the full ascii CIPHER issues as e-mail, send e-mail
     to cipher-admin@ieee-security.org (which is NOT automated) with
     subject line "subscribe".
     OR send a note to cipher-request@mailman.xmission.com
     with the subject line "subscribe" (this IS automated - thereafter
     you can manage your subscription options, including unsubscribing,
     yourself)
  2. To receive a short e-mail note announcing when a new issue of
     CIPHER is available for Web browsing, send e-mail to
     cipher-admin@ieee-security.org (which is NOT automated) with
     subject line "subscribe postcard".
     OR send a note to cipher-postcard-request@mailman.xmission.com
     with the subject line "subscribe" (this IS automated - thereafter
     you can manage your subscription options, including unsubscribing,
     yourself)

To remove yourself from the subscription list, send e-mail to
cipher-admin@ieee-security.org with subject line "unsubscribe" or
"unsubscribe postcard" or, if you have subscribed directly to the
xmission.com mailing list, use your password (sent monthly) to
unsubscribe per the instructions at
   http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
   http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that
way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a
NEWSletter, not a bulletin board or forum. It has a fixed set of
departments, defined by the Table of Contents. Please indicate in the
subject line for which department your contribution is intended.
Calendar and Calls-for-Papers entries should be sent to
cipher-cfp @ ieee-security.org and they will be automatically included
in both departments. To facilitate the semi-automated handling, please
send either a text version of the CFP or a URL from which a text version
can be easily obtained.

For Calendar entries, please include a URL and/or e-mail address for the
point-of-contact.

For Calls for Papers, please submit a one paragraph summary. See this
and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS
APPLY. All reuses of Cipher material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy,
publications using Cipher material should obtain permission from the
contributors.
____________________________________________________________________

Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________

How to become a member of the IEEE Computer Society's
TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy (or other TCs) by
completing the on-line form at IEEE at
https://www.computer.org/web/tandc/technical-committees

______________________________________________________________________

TC Conference Publications Online
______________________________________________________________________

The proceedings of previous conferences are available from the
Computer Society's Digital Library.

  IEEE Security and Privacy Symposium
  IEEE Computer Security Foundations
  IEEE European Security and Privacy Symposium

From 2012 onward, these are available without charge from the digital
library 12 months after the conference.

____________________________________________________________________________

TC Officers and SP Steering Committee
____________________________________________________________________________

Chair:                              Security and Privacy Symposium
Ulf Lindqvist                       Chair Emeritus:
SRI International                   Michael Locasto
Menlo Park, CA                      SRI International
ulf.lindqvist@sri.com               oakland16-chair@ieee-security.org

Vice Chair:                         Treasurer:
Sean Peisert                        Yong Guan
UC Davis and                        3219 Coover Hall
Lawrence Berkeley                   Department of Electrical and Computer
National Laboratory                 Engineering
speisert@ucdavis.edu                Iowa State University, Ames, IA 50011
                                    (515) 294-8378
                                    yguan (at) iastate.edu

Newsletter Editor and               Security and Privacy Symposium, 2017 Chair:
TC Awards Chair:                    Kevin Butler
Hilarie Orman                       Department of Computer and
Purple Streak, Inc.                 Information Science and Engineering
500 S. Maple Dr.                    University of Florida
Woodland Hills, UT 84653            butler at ufl.edu
cipher-editor@ieee-security.org

____________________________________________________________________________

BACK ISSUES:

Cipher is archived at: http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year