Electronic CIPHER, Issue 140, September 18, 2017

============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 140
September 18, 2017

Hilarie Orman, Editor                      Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org          cipher-assoc-editor @ ieee-security.org

Sven Dietrich                              Yong Guan
Book Review Editor                         Calendar Editor
cipher-bookrev @ ieee-security.org         cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:

* Letter from the Editor
* Commentary and Opinion and News
  o Sven Dietrich's review of "The Internet of Risky Things - Trusting the Devices That Surround Us" by Sean Smith
  o News
    - BitCoins diverted? Or not?
    - Roomba the Spy
    - Wifi worst case scenario
    - Browser Extension for "Trust" Enables Privacy Breaches
    - Voter Data and Amazon's Leaky Buckets
    - Cyber Command moves up
    - Elections and the Software They Rely On
    - Power to the hackers
    - Yawn, YA Data Breach (5 items)
    - Kaspersky too spooky for govmt use? (2 items)
  o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
* List of Computer Security Academic Positions, by Cynthia Irvine
* Conference and Workshop Announcements
  o Upcoming calls-for-papers and events
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

It is interesting to me that although the Internet is large and complex, it does not have emergent behaviors similar to category 5 hurricanes. Perhaps another couple of orders of magnitude of growth will bring in enough differential energies to start driving data bits through concrete walls. Sometimes, though, it seems to me that even now "data levels" are rising and we are at risk of drowning in the rising tide of information.

The second Secure Development Conference, SecDev, will be held next week in Cambridge, Massachusetts. This is a TCSP-sponsored event for secure system engineering. It focuses on the tools and big, practical ideas for producing secure systems.

Don't forget that the schedule for submitting research papers for the Security and Privacy Symposium is now a nearly year-round process with a deadline at the first of each month. Papers submitted by October 1 will have the full revision period available for inclusion in the 2018 proceedings. Papers submitted by November 1 will have a one-month revision period or will be candidates for 2019.

The IEEE Computer Society election is upon us. Voting ends in a few days, so if you are a member, go to computer.org and read the election information, and vote.
    The name is Equifax,
    They'll leak your data fast,
    According to this here in the Daily Hacks
    (with apologies to Frank Loesser)

      Hilarie Orman
      cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review by Sven Dietrich
September 18, 2017
____________________________________________________________________

"The Internet of Risky Things - Trusting the Devices That Surround Us"
by Sean Smith
O'Reilly Media 2017.
ISBN-13 978-1-491963623
240 pages

The Internet is much more than the traditional platforms of big servers, desktops, laptops, and mobile phones; its growth now encompasses embedded devices, such as DVRs, thermostats, cameras, networked speakers, remote-controlled light bulbs and more, i.e. the "Internet of Things" (IoT). Sean Smith provides an excellent overview in "The Internet of Risky Things", with examples that make us stop and think about security issues. Written as a series of anecdotes about security and embedded devices spanning many years, quotes from researchers, papers, and articles, and interspersed with the occasional picture of an embedded device logic board or an XKCD comic to illustrate a point, the book is a great introduction to the IoT's issues of security and trust. The stories, whether factual occurrences or dystopian warnings, paint an easily followed framework, and the reader can dip into a large collection of references at the end of each chapter.
The reading level of the references ranges from news articles to full-fledged research papers relevant to the topic, making an easy entry to each topic as well as an opportunity to strengthen existing knowledge. Along the way, Sean Smith shares his classroom experience teaching this fascinating topic in his role as computer science faculty at Dartmouth College.

A quick rundown of the ten chapters follows.

The first chapter, "Brave New Internet", is a quick introduction to the already changed landscape of the Internet as mentioned above. Next, "Examples and Building Blocks" shows examples of how embedded devices are connected to the Internet. The third chapter, "The Future Has Been Here Before", reminds us that there have been serious incidents with computer-controlled real-world devices in the past, such as radiation-emitting medical devices, even if the scale of connectivity was not the same. Following that, "Overcoming Design Patterns for Insecurity" documents several categories of security design flaws in embedded devices that garnered attention. The fifth chapter, "Names and Identity in the IoT", covers authentication of IoT devices, as the scale of deployment of those devices is unprecedented. "The Internet of Tattletale Devices" reminds us that we entrust information about ourselves and our habits to the IoT, where it can be observed or queried by parties with whom we do not necessarily want to share it, leading to privacy violations and possible surveillance. The seventh chapter, "Business, Things, and Risks", considers business cases for the IoT and their consequences. That is succeeded by "Laws, Things, and Society", which muses on the impact of IoT devices on legal issues, including international and transborder concerns. The ninth chapter, "The Digital Divide and the IoT", examines how the IoT could exacerbate the digital divide which is already present with the Internet of Computers.
Finally, "The Future of Humans and Machines" talks about the larger impact on humanity of choosing to adopt IoT devices, the mental models involved, the ethical considerations, and whether or not the IoT is truly for the betterment of society.

I hope you will enjoy reading this book as much as I did. Sean Smith is a seasoned researcher and expert in his field, and shares his knowledge with the reader in an accessible, easy, yet thought-provoking manner.

----------------------------
Sven Dietrich reviews technology and security books for IEEE Cipher. He welcomes your thoughts at spock at ieee dot org

====================================================================
News Briefs
====================================================================

BitCoins diverted? Or not?

Pennsylvania police, hunting for stolen laptops, say they stumbled on $40 million bitcoin scam
The Washington Post
By Kyle Swenson
Jul 24, 2017
https://www.washingtonpost.com/news/morning-mix/wp/2017/07/24/pennsylvania-police-hunting-for-stolen-laptops-say-they-stumbled-on-40-million-bitcoin-scam

Summary: Bitcoin, phishing, and AlphaBay: Theodore Price's story has all the elements of a good tech detective thriller. The Pennsylvania man is headed to trial, but will his confession to stealing Bitcoin wallets stand up in court? Initially investigated for stealing a few laptops and some jewelry, Price upped the ante by confessing to buying software on AlphaBay that used a phishing attack to replace his victims' Bitcoin wallets with his own wallet, one of small value. Can you prove Bitcoin theft in court? We'll see.

------------------

Roomba the Spy

Roomba maker may share maps of users' homes with Google, Amazon or Apple
Technology | The Guardian
By Alex Hern
Jul 25, 2017
https://www.theguardian.com/technology/2017/jul/25/roomba-maker-could-share-maps-users-homes-google-amazon-apple-irobot-robot-vacuum

Summary: It used to be that time was money, but now data is money. Any data.
iRobot, the maker of the Roomba robotic vacuum, sees the device as enabling an ecosystem of smart-home IoT components. The Roomba could, they say, create a detailed map of a home while going about its business of sucking up floor-level debris. The information would be provided to IoT home device manufacturers. Privacy advocates feel this is a dirty trick. Jim Killock, executive director of the Open Rights Group, called it "creepy" [Ed. in both senses, we presume].

------------------

Wifi worst case scenario

Bug in top smartphones could lead to unstoppable malware, researcher says
Technology | The Guardian
By Alex Hern
Jul 28, 2017
https://www.theguardian.com/technology/2017/jul/27/broadpwn-smartphone-malware-bug-iphone-samsung-google

Summary: Economies of scale can lead to a lack of diversity in electronic devices, and this hit home when a basic wifi vulnerability, dubbed Broadpwn, was revealed at Black Hat. Broadcom supplies the wifi chips used in iPhones, Samsung Galaxies, and Google Nexus devices, and unless those users upgrade to the July releases of their OS and security fixes, not only are they vulnerable to remote exploits, they can also become a vector for compromising any other device within wifi range. The exploit can launch itself against any device with the Broadcom chip, and it needs no other foothold: no compromised app, no evil router, etc. Just the chip, please.

------------------

Browser Extension for "Trust" Enables Privacy Breaches

'Anonymous' browsing data can be easily exposed, researchers reveal
Technology | The Guardian
By Alex Hern
Aug 1, 2017
https://www.theguardian.com/technology/2017/aug/01/data-browsing-habits-brokers

Summary: A journalist and a data scientist walked into a data broker and ordered the browsing history of 3 million German users. The data tender gave them 3 billion entries. The journalist and the data scientist unraveled the "anonymized" entries and exposed embarrassing information. That work was presented at DefCon.
The two-person team said that most of the information came from a browser plug-in called "Web of Trust". Perhaps "Web of Trust" should have been named "We Will Embarrass You". Its business model depends on users giving up their browsing history in exchange for a website rating service. The provider makes money by selling the browsing histories to third parties, like the ones that sold German user data to the journalist and data scientist. This is actually old news: 'Web Of Trust' Browser Add-On Caught Selling Users' Data - Uninstall It Now, The Hacker News, November 7, 2016, http://thehackernews.com/2016/11/web-of-trust-addon.html

------------------

Voter Data and Amazon's Leaky Buckets

1.8 million Chicago voter records exposed online
CNN Money
By Selena Larson
Aug. 17, 2017
http://money.cnn.com/2017/08/17/technology/business/chicago-voter-records-exposed-upguard/index.html

Summary: Security researcher Jon Hendren of UpGuard devotes one day a week to a sort of treasure hunt. Instead of taking a metal detector for a walk on the beach, he looks for leaky buckets, specifically Amazon Web Services S3 storage containers with misconfigured access settings. He hit a small jackpot when he found personal information for 1.8 million Chicago voters. The Election Systems & Software company said they had stored backup copies of voter information with AWS. Hendren notified the company and the bucket was secured. If anyone else accessed the data, forensic experts hope to find them. Hendren says that the misconfiguration is all too common. Jim Allen, a spokesman for the Chicago Board of Elections, said the leak did not contain or affect anyone's voting ballots, which are handled by a different vendor. [Ed. And does the Chicago Board of Elections intend to check compliance by that vendor?]
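The misconfiguration Hendren hunts for can be checked from the owning account's side before anyone else finds it. What follows is an added example written for this newsletter, not code from the CNN article, UpGuard, or Election Systems & Software. It audits, offline, the two places where an S3 bucket becomes world-readable: the bucket ACL, when it grants READ or FULL_CONTROL to the predefined AllUsers or AuthenticatedUsers group, and the bucket policy, when an Allow statement names Principal "*" for a read or list action. The sample ACL and policy documents are constructed for the example and have the shape returned by the AWS CLI commands aws s3api get-bucket-acl and aws s3api get-bucket-policy; the bucket name, account ID, role ARN and CIDR in them are made up.

```python
"""Offline check for a world-readable S3 bucket (added example, not from the article).

Two independent mechanisms make an S3 bucket public: the bucket ACL, when it
grants READ or FULL_CONTROL to the AllUsers or AuthenticatedUsers group, and the
bucket policy, when an Allow statement names Principal "*" (or {"AWS": "*"})
for a read or list action. The documents below are constructed sample data in
the shape returned by `aws s3api get-bucket-acl` / `get-bucket-policy`; the
bucket name, account ID, role ARN and CIDR are made up for the example.
"""
from fnmatch import fnmatchcase

# Group URIs AWS uses in ACL grants. AuthenticatedUsers means *any* AWS account,
# not just yours, so it is treated as public here.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}

# ACL permissions that let the grantee list or fetch objects.
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}
# Policy actions that, if granted to everyone, let anyone enumerate or download.
READ_TARGETS = ("s3:getobject", "s3:listbucket")


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def acl_public_grants(acl):
    """Return (group URI, permission) for every ACL grant open to the world."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GROUPS
                and grant.get("Permission") in READ_PERMISSIONS):
            findings.append((grantee["URI"], grant["Permission"]))
    return findings


def _principal_is_everyone(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _action_grants_read(actions):
    """True if any action pattern (IAM '*' wildcards allowed) covers a read/list action."""
    return any(fnmatchcase(target, pattern.lower())
               for pattern in _as_list(actions)
               for target in READ_TARGETS)


def policy_public_statements(policy):
    """Return (Sid, conditioned) for each Allow statement granting read to Principal "*".

    A Condition (e.g. aws:SourceIp) narrows "everyone", so such statements are
    reported with conditioned=True for review rather than silently accepted.
    Explicit Deny statements and NotPrincipal/NotAction forms are not evaluated.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        if not _action_grants_read(stmt.get("Action")):
            continue
        findings.append((stmt.get("Sid", "<no Sid>"), bool(stmt.get("Condition"))))
    return findings


def bucket_is_public(acl, policy):
    """True if either mechanism opens the bucket to the world without a Condition."""
    if acl_public_grants(acl):
        return True
    return any(not conditioned for _, conditioned in policy_public_statements(policy))


# --- constructed sample documents (not real AWS output) ----------------------
OWNER = {"Type": "CanonicalUser", "ID": "owner-canonical-id"}

LEAKY_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},  # the leak
]}
LOCKED_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}

LEAKY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::voter-backups/*"},
]}
RESTRICTED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "BackupRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
     "Action": ["s3:PutObject", "s3:GetObject"], "Resource": "arn:aws:s3:::voter-backups/*"},
    {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": "*", "Action": "s3:List*",
     "Resource": "arn:aws:s3:::voter-backups",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
]}

if __name__ == "__main__":
    for name, acl, pol in [("acl-leak", LEAKY_ACL, RESTRICTED_POLICY),
                           ("policy-leak", LOCKED_ACL, LEAKY_POLICY),
                           ("locked", LOCKED_ACL, RESTRICTED_POLICY)]:
        print(name, "PUBLIC" if bucket_is_public(acl, pol) else "ok",
              acl_public_grants(acl), policy_public_statements(pol))
```

Feed the JSON from get-bucket-acl and get-bucket-policy to these functions for every bucket in the account, not just the ones someone remembers creating; the buckets that leak are usually the forgotten backups. Findings with conditioned=True deserve a look as well, since a broad CIDR is one edit away from Principal "*". Two caveats: an explicit Deny elsewhere in the policy can close a hole this check reports, and individual objects can carry their own public ACLs even when the bucket passes, so an object-level ACL sweep is the companion check.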
------------------

Cyber Command moves up

President Trump announces move to elevate Cyber Command
The Washington Post
By Thomas Gibbons-Neff and Ellen Nakashima
Aug 18, 2017
https://www.washingtonpost.com/news/checkpoint/wp/2017/08/18/president-trump-announces-move-to-elevate-cyber-command

Summary: The US military is organized into several structures, including four "departments" and nine "combatant commands". A tenth command has been added by elevating Cyber Command, until now a sub-unified command led by the director of the NSA, to a full combatant command. However, it will still be led by the director of the NSA for at least the next year while the process of nominating and confirming a replacement runs its course. Defense Secretary Jim Mattis will choose the nominee. Cyber Command is described as the Pentagon's offensive cyber force, yet its new importance is said to "bolster US defenses".

------------------

Elections and the Software They Rely On

Software Glitch or Russian Hackers? Election Problems Draw Little Scrutiny
The New York Times
By Nicole Perlroth, Michael Wines and Matthew Rosenberg
Sep 1, 2017
https://www.nytimes.com/2017/09/01/us/politics/russia-election-hacking.html

Summary: This is a good article about the wider problems of hacking election software. It is not just ballot casting and tabulating that is at risk; the infrastructure around registering and verifying voters is also a "juicy" target for hackers. Some people suspect that electronic pollbooks were hacked in the 2016 presidential election; others feel that a few operational problems are par for the course. Was there hacking? Can we protect our systems before the next election? It is a question of national importance, but it is up to each state to find a solution.
------------------

Power to the hackers

Hackers attacking US and European energy firms could sabotage power grids
Technology | The Guardian
By Alex Hern
Sep 6, 2017
https://www.theguardian.com/technology/2017/sep/06/hackers-attacking-power-grids-in-us-and-europe-have-potential-to-sabotage

Summary: The security firm Symantec warns that a hacker group called "Dragonfly" may have gathered a significant capability to infiltrate and disrupt energy grids in the US, Turkey, and Switzerland.

------------------

Yawn, YA Data Breach

Equifax Says Cyberattack May Have Affected 143 Million Customers
The New York Times
By Tara Siegel Bernard, Tiffany Hsu, Nicole Perlroth and Ron Lieber
Sep 7, 2017
https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html

Summary: The personal identifying data of 143 million Americans was exposed by the consumer reporting service Equifax. This was no theoretical, unexploited vulnerability. Forensic evidence showed that the information was accessed from mid-May to July. The company discovered the activity on July 29. This was an identity thief's dream, and it is not known how the 143 million consumers might have been or will be affected.

Equifax Officially Has No Excuse
Wired
By Lily Hay Newman
Sep 14, 2017
https://www.wired.com/story/equifax-breach-no-excuse/

Summary: The vulnerability that disclosed consumers' personal identifying data from the Equifax website was in Apache Struts, a framework for building web applications. Apache found the problem in March, produced a patch, and provided information on how to remedy the situation. Equifax's failure to protect its data seems to indicate a lax attitude about security in general.

Apache Struts Statement on Equifax Security Breach
The Apache Software Foundation
September 9, 2017
https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax

Summary: The Apache Software Foundation issued a statement about the flaw in its product, Struts, that led to the Equifax data disclosure.
Although the flaw had been present for nine years, Apache did not know about it until March of this year. At that point, they fixed the problem and issued a patch.

How the Equifax data breach happened: What we know now
@CNNTech
By Jackie Wattles and Selena Larson
September 16, 2017
http://money.cnn.com/2017/09/16/technology/equifax-breach-security-hole/index.html

Summary: The Apache Struts security flaw was identified by "a cybersecurity arm of the US Department of Homeland Security". Equifax has said that they were aware of this in March and tried to patch their vulnerable systems. They apparently overlooked their "online dispute portal", and months later they discovered that 143 million consumers had had their personal information accessed by operators unknown.

------------------

Kaspersky too spooky for govmt use?

Local governments keep using this software — but it might be a back door for Russia
The Washington Post
By Jack Gillum and Aaron C. Davis
Jul 24, 2017
https://www.washingtonpost.com/investigations/local-governments-keep-using-this-software--but-it-might-be-a-back-door-for-russia/2017/07/23/39692918-6c99-11e7-8961-ec5f3e1e2a5c_story.html

Summary: The US General Services Administration removed Kaspersky Lab from its list of approved vendors. Although Kaspersky produces an effective anti-virus product, there are suspicions about the Moscow-based vendor and its possible collusion with the Russian government. Nonetheless, many state, county, and municipal governments continue to use the product, leaving questions about the security of their services, now and in the future.

DHS says "nyet Kaspersky"

U.S. moves to ban use of Kaspersky software in federal agencies amid concerns of Russian espionage
The Washington Post
By Ellen Nakashima and Jack Gillum
Sep 13, 2017
https://www.washingtonpost.com/world/national-security/us-to-ban-use-of-kaspersky-software-in-federal-agencies-amid-concerns-of-russian-espionage/2017/09/13/36b717d0-989e-11e7-82e4-f1076f6d6152_story.html

Summary: The acting secretary of the US Department of Homeland Security, Elaine Duke, has ordered the removal of Kaspersky software from federal civilian agency computers within 90 days. The US military does not use Kaspersky. Although the security firm denies any ties to the Russian government, the founder's background includes ties to Russian military intelligence. The DHS order does not apply to state and local governments, and many of these entities use Kaspersky and have said they will continue to do so.

-------------------------------------------
News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html

--------------
This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
====================================================================

The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

Requests for inclusion in the list should be sent per instructions: http://www.ieee-security.org/Calendar/submitting.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

 9/18/17: IFIP119-DF, 14th Annual IFIP WG 11.9 International Conference on Digital Forensics, New Delhi, India; http://www.ifip119.org Submissions are due
 9/18/17- 9/20/17: RAID, 20th International Symposium on Research in Attacks, Intrusions and Defenses, Atlanta, GA, USA; https://www.raid2017.org/
 9/24/17: ICSS, Industrial Control System Security Workshop, Held in conjunction with the 33rd Annual Computer Security Applications Conference (ACSAC), San Juan, Puerto Rico; https://www.acsac.org/2017/workshops/icss/ Submissions are due
 9/25/17: HOST, IEEE International Symposium on Hardware-Oriented Security and Trust, Washington DC, USA; http://www.hostsymposium.org Submissions are due
 9/25/17: FDTC, 14th Workshop on Fault Diagnosis and Tolerance in Cryptography, Taipei, Taiwan; http://conferenze.dei.polimi.it/FDTC17/index.html
 9/28/17- 9/29/17: WISTP, 11th International Conference on Information Security Theory and Practice, Crete, Greece; http://www.wistp.org
10/ 1/17: Elsevier
Online Social Networks and Media Journal, Special Issue on Information and Opinion Diffusion in Online Social Networks and Media; http://www.journals.elsevier.com/online-social-networks-and-media/ Submissions are due
10/ 1/17: SP, 39th IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2018/cfpapers.html Submissions are due (monthly deadline)
10/ 2/17-10/ 4/17: NSPW, New Security Paradigms Workshop, Islamorada, FL, USA; http://www.nspw.org/cfp/nspw2017-cfp.pdf
10/ 6/17: PKC, 21st IACR International Conference on Practice and Theory in Public-Key Cryptography, Rio de Janeiro, Brazil; https://pkc.iacr.org/2018/ Submissions are due
10/ 9/17-10/11/17: CNS, 5th IEEE Conference on Communications and Network Security, Las Vegas, Nevada, USA; http://cns2017.ieee-cns.org/
10/16/17: HST, 18th annual IEEE Symposium on Technologies for Homeland Security, Washington D.C., USA; http://ieee-hst.org Submissions are due
10/19/17-10/20/17: AsianHOST, IEEE Asian Hardware-Oriented Security and Trust Symposium, Beijing, China; http://asianhost.org/2017/
10/23/17-10/24/17: CTC, 7th International Symposium on Secure Virtual Infrastructures - Cloud and Trusted Computing, Rhodes, Greece; http://www.otmconferences.org/index.php/conferences/ctc-2017
10/23/17-10/25/17: GameSec, 8th Conference on Decision and Game Theory for Security, Vienna, Austria; http://www.gamesec-conf.org/cfp.php
10/23/17-10/25/17: FPS, 10th International Symposium on Foundations & Practice of Security, Nancy, France; http://fps2017.loria.fr/
10/25/17-10/27/17: ISDDC, International Conference on Intelligent, Secure and Dependable Systems in Distributed and Cloud Environments, Vancouver, BC, Canada; http://www.scs.ryerson.ca/iwoungan/ISDDC17/
10/27/17: Security and Communication Networks journal, Special Issue on Cybersecurity in the Internet of Things; https://www.hindawi.com/journals/scn/si/932024/cfp/ Submissions are due
10/30/17-11/ 3/17: ACM CCS, 24th ACM Conference on
Computer and Communications Security, Dallas, TX, USA; https://www.sigsac.org/ccs/CCS2017
10/30/17-11/ 3/17: MIST, 9th ACM CCS International Workshop on Managing Insider Security Threats, Dallas, USA; http://isyou.info/conf/mist17
10/30/17: WPES, Workshop on Privacy in the Electronic Society, Dallas, Texas, USA; https://cs.pitt.edu/wpes2017
11/ 1/17: SP, 39th IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2018/cfpapers.html Submissions are due (monthly deadline; one-month revision period for 2018 inclusion)
11/ 5/17-11/ 8/17: SSS, 19th Annual International Symposium on Stabilization, Safety, and Security of Distributed Systems, Boston, Massachusetts, USA; http://bitly.com/SSS-2017
11/ 6/17-11/10/17: DASC, 15th IEEE International Conference on Dependable, Autonomic and Secure Computing, Orlando, Florida, USA; http://cse.stfx.ca/~dasc2017/
11/16/17-11/17/17: CECC, Central European Cybersecurity Conference, Ljubljana, Slovenia; https://www.fvv.um.si/cecc2017/
11/30/17: PETS, 18th Privacy Enhancing Technologies Symposium, Barcelona, Spain; https://petsymposium.org/ Submissions are due
12/ 1/17: Information & Communications Technology Express, Special Issue on Critical Infrastructure (CI) & Smart Grid Cyber Security; https://www.journals.elsevier.com/ict-express/call-for-papers/special-issue-on-ci-smart-grid-cyber-security Submissions are due
12/ 1/17: SP, 39th IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2018/cfpapers.html Submissions are due (monthly deadline for 2019 conference)
12/ 4/17-12/ 8/17: ACSAC, 33rd Annual Computer Security Applications Conference, San Juan, Puerto Rico; http://www.acsac.org
12/ 5/17: ICSS, Industrial Control System Security Workshop, Held in conjunction with the 33rd Annual Computer Security Applications Conference (ACSAC), San Juan, Puerto Rico; https://www.acsac.org/2017/workshops/icss/
 1/ 1/18: SP, 39th IEEE Symposium on Security
and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2018/cfpapers.html Submissions are due (monthly deadline for 2019 conference)
 1/ 3/18- 1/ 5/18: IFIP119-DF, 14th Annual IFIP WG 11.9 International Conference on Digital Forensics, New Delhi, India; http://www.ifip119.org
 2/ 1/18: SP, 39th IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2018/cfpapers.html Submissions are due (monthly deadline for 2019)
 2/28/18: PETS, 18th Privacy Enhancing Technologies Symposium, Barcelona, Spain; https://petsymposium.org/ Submissions are due
 3/ 1/18: SP, 39th IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2018/cfpapers.html Submissions are due (monthly deadline for 2019)
 3/25/18- 3/28/18: PKC, 21st IACR International Conference on Practice and Theory in Public-Key Cryptography, Rio de Janeiro, Brazil; https://pkc.iacr.org/2018/
 4/ 1/18: SP, 39th IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2018/cfpapers.html Submissions are due
 5/ 1/18: SP, 39th IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2018/cfpapers.html Submissions are due
 5/ 2/18- 5/ 3/18: HST, 18th annual IEEE Symposium on Technologies for Homeland Security, Washington D.C., USA; http://ieee-hst.org
 5/21/18- 5/23/18: SP, 39th IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2018/cfpapers.html
 5/18: HOST, IEEE International Symposium on Hardware-Oriented Security and Trust, Washington DC, USA; http://www.hostsymposium.org
 7/24/18- 7/27/18: PETS, 18th Privacy Enhancing Technologies Symposium, Barcelona, Spain; https://petsymposium.org/

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers (new since Cipher E139)
____________________________________________________________________
IFIP119-DF 2018
14th Annual IFIP WG 11.9 International Conference on Digital Forensics, New Delhi, India, January 3-5, 2018. (Submissions Due 18 September 2017)
http://www.ifip119.org

The IFIP Working Group 11.9 on Digital Forensics (www.ifip119.org) is an active international community of scientists, engineers and practitioners dedicated to advancing the state of the art of research and practice in digital forensics. The Fourteenth Annual IFIP WG 11.9 International Conference on Digital Forensics will provide a forum for presenting original, unpublished research results and innovative ideas related to the extraction, analysis and preservation of all forms of electronic evidence. Papers and panel proposals are solicited. All submissions will be refereed by a program committee comprising members of the Working Group. Papers and panel submissions will be selected based on their technical merit and relevance to IFIP WG 11.9. The conference will be limited to approximately a hundred participants to facilitate interactions between researchers and intense discussions of critical research issues. Keynote presentations, revised papers and details of panel discussions will be published as an edited volume - the fourteenth volume in the well-known Advances in Digital Forensics book series (Springer, Heidelberg, Germany) during the summer of 2018. Technical papers and posters are solicited in all areas related to the theory and practice of digital forensics.
Areas of special interest include, but are not limited to:
- Theories, techniques and tools for extracting, analyzing and preserving digital evidence
- Network and cloud forensics
- Embedded device forensics
- Digital forensic processes and workflow models
- Digital forensic case studies
- Legal, ethical and policy issues related to digital forensics

-------------------------------------------------------------------------

ICSS 2017
Industrial Control System Security Workshop, Held in conjunction with the 33rd Annual Computer Security Applications Conference (ACSAC), San Juan, Puerto Rico, December 5, 2017. (Submissions Due 24 September 2017)
https://www.acsac.org/2017/workshops/icss/

Supervisory control and data acquisition (SCADA) and industrial control systems monitor and control a wide range of industrial and infrastructure processes such as water treatment, power generation and transmission, oil and gas refining and steel manufacturing. Such systems are usually built using a variety of commodity computer and networking components and are becoming increasingly interconnected with corporate and other Internet-visible networks. As a result, they face significant threats from internal and external actors. For example, in 2010 the Stuxnet malware was specifically written to attack SCADA systems and caused millions of dollars in damages. The critical requirement for high availability in SCADA and industrial control systems, along with the use of resource-constrained computing devices, legacy operating systems, and proprietary software applications, limits the applicability of traditional information security solutions. The goal of this workshop is to explore new security techniques that are applicable in the control systems context.
Papers of interest including (but not limited to) the following subject categories are solicited:
- Intrusion detection and prevention
- Malware
- Vulnerability analysis and risk management
- Digital forensics
- Virtualization
- Application Security
- Performance evaluation of security methods and tools in control systems
- Cybersecurity Education

-------------------------------------------------------------------------

HOST 2018
IEEE International Symposium on Hardware-Oriented Security and Trust, Washington DC, USA, May 2018. (Submissions Due 25 September 2017)
http://www.hostsymposium.org

IEEE International Symposium on Hardware Oriented Security and Trust (HOST) 2018 aims to facilitate the rapid growth of hardware-based security research and development. HOST highlights new results in the area of hardware security. Relevant research topics include architectures, design methods, circuits, and applications of secure hardware. HOST 2018 invites original contributions related to (but not limited to) the following:
- Hardware security primitives (Crypto, PUFs, RNGs)
- Hardware design techniques to facilitate software and/or system security
- Architecture support for security
- Side-channel analysis, attacks, and protection
- Hardware Trojan attacks, detection, and countermeasures
- Hardware security test and verification
- FPGA and system-on-chip (SoC) security
- Supply chain risk mitigation (e.g., counterfeit detection & avoidance)
- Reverse engineering and hardware obfuscation
- Fault injection and mitigation
- Metrics, policies, assessment, and standards related to hardware security
- Hardware IP trust (watermarking, metering, trust verification)
- Trusted manufacturing including split manufacturing and 2.5/3D integration
- Hardware tampering attacks and protection

-------------------------------------------------------------------------

Elsevier Online Social Networks and Media Journal, Special Issue on Information and Opinion Diffusion in Online Social Networks
and Media, (Submissions Due 1 October 2017) http://www.journals.elsevier.com/online-social-networks-and-media/ Guest Editors: Marco Conti (IIT-CNR, Italy) and Andrea Passarella (IIT-CNR, Italy). Online Social Networks are a massively successful phenomenon, used by billions of users to interact. Nowadays, information diffusion in Online Social Networks and Media (OSNEM) has a major role, among many others, for recommendation systems, advertising, and political campaigns. Moverover, the way information circulates in OSNEM impacts on the formation of opinions and on the social roles of users and their influence on others. OSNEM are extensively used for spreading information, opinions and ideas, but also to propagate fake news and rumors. Therefore, prevention of spam, bots and fake accounts, information leakage, trustworthiness of information and trust between users are relevant research issues associated with information diffusion. This special issue seeks contributions pushing the state of the art in all facets of information and opinion diffusion in online social networks and media. We solicit manuscripts where quantitative and/or data-driven approach is used to investigate information and opinion diffusion in OSNEM. 
Topics include, but are not limited to:
- Dynamics of trends, information and opinion diffusion in OSNEM
- Recommendations and advertising in OSNEM
- Spread of news, topics, and opinions
- Trust, reputation, privacy in OSNEM information and opinion diffusion
- Rumors and fake news spreading in OSNEM
- Bots and fake users detection
- Influence analysis and social influence
- Identification of diffusion sources and influencers
- Methods to modify/control/maximise information and opinion diffusion
- Measurements of information and opinion diffusion in OSNEM
- Models of information and opinion diffusion
- Data-driven approaches to study information and opinion diffusion in OSNEM

-------------------------------------------------------------------------
SP 2018
39th IEEE Symposium on Security and Privacy, San Francisco, CA, USA,
May 21-23, 2018.
(Submissions Due first day of each month)
https://www.ieee-security.org/TC/SP2018/cfpapers.html

Since 1980 in Oakland, the IEEE Symposium on Security and Privacy has been
the premier forum for computer security research, presenting the latest
developments and bringing together researchers and practitioners. We solicit
previously unpublished papers offering novel research contributions in any
aspect of security or privacy. Papers may present advances in the theory,
design, implementation, analysis, verification, or empirical evaluation and
measurement of secure systems.
Topics of interest include:
- Access control and authorization
- Accountability
- Anonymity
- Application security
- Attacks and defenses
- Authentication
- Censorship resistance
- Cloud security
- Distributed systems security
- Economics of security and privacy
- Embedded systems security
- Forensics
- Hardware security
- Intrusion detection and prevention
- Malware and unwanted software
- Mobile and Web security and privacy
- Language-based security
- Network and systems security
- Privacy technologies and mechanisms
- Protocol security
- Secure information flow
- Security and privacy for the Internet of Things
- Security and privacy metrics
- Security and privacy policies
- Security architectures
- Usable security and privacy

This topic list is not meant to be exhaustive; S&P is interested in all
aspects of computer security and privacy. Papers without a clear application
to security or privacy, however, will be considered out of scope and may be
rejected without full review.

Systematization of Knowledge Papers

As in past years, we solicit systematization of knowledge (SoK) papers that
evaluate, systematize, and contextualize existing knowledge, as such papers
can provide a high value to our community. Suitable papers are those that
provide an important new viewpoint on an established, major research area,
support or challenge long-held beliefs in such an area with compelling
evidence, or present a convincing, comprehensive new taxonomy of such an
area. Survey papers without such insights are not appropriate. Submissions
will be distinguished by the prefix "SoK:" in the title and a checkbox on
the submission form. They will be reviewed by the full PC and held to the
same standards as traditional research papers, but they will be accepted
based on their treatment of existing work and value to the community, and
not based on any new research results they may contain. Accepted papers will
be presented at the symposium and included in the proceedings.
Workshops

The Symposium is also soliciting submissions for co-located workshops.
Further details on submissions can be found at
https://www.ieee-security.org/TC/SP2018/workshops.html.

Ongoing Submissions

To enhance the quality and timeliness of the scientific results presented as
part of the Symposium, and to improve the quality of our reviewing process,
IEEE S&P now accepts paper submissions 12 times a year, on the first of each
month. The detailed process can be found at the conference call-for-papers
page.

-------------------------------------------------------------------------
PKC 2018
21st IACR International Conference on Practice and Theory in Public-Key
Cryptography, Rio de Janeiro, Brazil, March 25-28, 2018.
(Submissions Due 6 October 2017)
https://pkc.iacr.org/2018/

PKC 2018 is the 21st edition of the International Conference on Practice
and Theory of Public Key Cryptography, the main annual conference with an
explicit focus on public-key cryptography. Original research papers on all
aspects of public-key cryptography, covering theory, implementations and
applications, are solicited for submission to PKC 2018.

-------------------------------------------------------------------------
HST 2018
18th annual IEEE Symposium on Technologies for Homeland Security,
Washington D.C., USA, May 2-3, 2018.
(Submissions Due 16 October 2017)
http://ieee-hst.org

This symposium brings together innovators from leading academic, industry,
businesses, Homeland Security Centers of Excellence, and government agencies
to provide a forum to discuss ideas, concepts, and experimental results.
Produced by IEEE with technical support from DHS S&T, IEEE, IEEE Boston
Section, and IEEE-USA and organizational support from MIT Lincoln
Laboratory, Raytheon, and MITRE, this year's event will once again showcase
selected technical papers and posters highlighting emerging technologies to:
- Secure Cyberspace
- Secure Land and Maritime Borders
- Enhance Biometrics & Forensics
- Prevent Terrorism & Manage Incidents

We are currently seeking technical paper and poster session submissions in
each of the areas noted above. Papers examining the feasibility of
transition to practice will also be considered. This year, papers focused on
DHS high-priority technology gaps will be of particular interest.

-------------------------------------------------------------------------
Security and Communication Networks journal, Special Issue on Cybersecurity
in the Internet of Things,
(Submissions Due 27 October 2017)
https://www.hindawi.com/journals/scn/si/932024/cfp/

Guest Editors: Félix Gómez-Mármol (University of Murcia, Murcia, Spain),
Patricia Arias-Cabarcos (Universität Mannheim, Mannheim, Germany), and
Vijay Varadharajan (University of Newcastle, Newcastle, Australia).

With the establishment of smartphones and tablets in modern societies, as
well as the proliferation of an astronomical number of other electronic
devices such as wearables, e-Health sensors, electrical appliances, or
vehicles (among others), all provided with Internet connection, all
potentially dealing with sensitive information, and most of them mobile in
essence, we are witnessing today the real advent of the Internet of Things
(IoT). This new paradigm brings along many indubitable advantages, but also
a non-negligible number of security threats that should not be
underestimated.
Besides increasing in number, those threats are becoming more sophisticated
and harmful (as is the case with advanced persistent threats, or APTs),
making it unfeasible for a human administrator to manually protect each and
every device within the constellation of gadgets, artefacts, and computer
systems of the IoT. Moreover, an alarming number of the new solutions
envisaged for the IoT pay more attention to usability aspects, recklessly
ignoring substantial security protection mechanisms, making the IoT an ideal
playground for malicious hacking activities. Hence, it is imperative to find
solutions aiming at the integral protection of the plethora of vulnerable
devices within the IoT. Working on those solutions will help the wider
adoption of these new technologies and help users to trust them.

Thus, this Special Issue seeks high-quality original papers presenting
innovative solutions dealing with cybersecurity in the field of IoT. In
particular, novel techniques and mechanisms aimed at the security and
privacy protection of these environments are welcome. Likewise, we encourage
review articles describing and analyzing the current state of the art in
this field. Papers with a strong cryptographic background will not be
considered as part of this special issue.

Papers will be evaluated based on their originality, presentation,
relevance, and contribution to the field of cybersecurity in the IoT, as
well as their suitability to the special issue, and for their overall
quality. The submitted papers have to describe original research which has
not been published nor is currently under review by other journals or
conferences. Guest editors will make an initial determination of the
suitability and scope of all submissions. Papers that either lack
originality and clarity in presentation or fall outside the scope of the
special issue will not be sent for review and authors will be promptly
informed in such cases.
Potential topics include but are not limited to the following:
- Intrusion detection and prevention systems
- Malware analysis
- Privacy-preserving solutions
- Countermeasures solutions
- Seamless security solutions
- Threats and vulnerabilities
- Botnets analysis
- BYOD security
- Identity management
- Authorization and access control
- Trust and reputation management
- Machine learning-based solutions
- Security Information event management

-------------------------------------------------------------------------
PETS 2018
18th Privacy Enhancing Technologies Symposium, Barcelona, Spain,
July 24-27, 2018.
(Submissions Due 30 November 2017, 28 February 2018)
https://petsymposium.org/

The annual Privacy Enhancing Technologies Symposium (PETS) brings together
privacy experts from around the world to present and discuss recent advances
and new perspectives on research in privacy technologies. Papers undergo a
journal-style reviewing process and accepted papers are published in
Proceedings on Privacy Enhancing Technologies (PoPETs), a scholarly, open
access journal. Submitted papers should present novel practical and/or
theoretical research into the design, analysis, experimentation, or fielding
of privacy-enhancing technologies. While PETS/PoPETs has traditionally been
home to research on anonymity systems and privacy-oriented cryptography, we
strongly encourage submissions on a number of both well-established and
emerging privacy-related topics, for which examples are provided below.
PoPETs also solicits submissions for Systematization of Knowledge (SoK)
papers. These are papers that critically review, evaluate, and contextualize
work in areas for which a body of prior literature exists, and whose
contribution lies in systematizing the existing knowledge in that area.
Authors are encouraged to view our FAQ about the submission process.
- Behavioural targeting
- Building and deploying privacy-enhancing systems
- Crowdsourcing for privacy
- Cryptographic tools for privacy
- Data protection technologies
- Differential privacy
- Economics of privacy and game-theoretical approaches to privacy
- Empirical studies of privacy in real-world systems
- Forensics and privacy
- Human factors, usability and user-centered design for PETs
- Information leakage, data correlation and generic attacks to privacy
- Interdisciplinary research connecting privacy to economics, law,
  ethnography, psychology, medicine, biotechnology
- Location and mobility privacy
- Machine learning and privacy
- Measuring and quantifying privacy
- Mobile devices and privacy
- Obfuscation-based privacy
- Policy languages and tools for privacy
- Privacy in cloud and big-data applications
- Privacy in social networks and microblogging systems
- Privacy-enhanced access control, authentication, and identity management
- Profiling and data mining
- Reliability, robustness, and abuse prevention in privacy systems
- Surveillance
- Systems for anonymous communications and censorship resistance
- Traffic analysis
- Transparency enhancing tools
- Web privacy

-------------------------------------------------------------------------
Information & Communications Technology Express, Special Issue on Critical
Infrastructure (CI) & Smart Grid Cyber Security,
(Submissions Due 1 December 2017)
https://www.journals.elsevier.com/ict-express/call-for-papers/special-issue-on-ci-smart-grid-cyber-security

Guest Editors: Leandros A. Maglaras (De Montfort University, UK), Ki-Hyung
Kim (Ajou University, Korea), Helge Janicke (De Montfort University, UK),
Mohamed Amine Ferrag (Guelma University, Algeria), Artemios G. Voyiatzis
(SBA Research, Austria), Pavlina Fragkou (T.E.I. of Athens, Greece),
Athanasios Maglaras (T.E.I. of Thessaly, Greece), and Tiago J. Cruz
(University of Coimbra, Portugal).
Cyber-physical systems are becoming vital to modernizing the national
critical infrastructure (CI) systems. A smart grid is an energy transmission
and distribution network enhanced through digital control, monitoring, and
telecommunications capabilities. It provides a real-time, two-way flow of
energy and information to all stakeholders in the electricity chain, from
the generation plant to the commercial, industrial, and residential end
user. Each smart grid subsystem and its associated assets require specific
security functions and solutions. For example, the solution to secure a
substation is not the same as the solution to secure demand response and
home energy management systems. Usual cyber security technologies and best
practices - such as antivirus, firewalls, intrusion prevention systems,
network security design, defense in depth, and system hardening - are
necessary to protect the smart grid. However, history has shown they are
only part of the solution. Owing to the rapid increase of sophisticated
cyber threats with exponentially destructive effects, advanced cyber
security technologies must be developed. The title of this special issue of
ICT Express is therefore coined concisely as "Special Issue on CI & Smart
Grid Cyber Security". This special issue focuses on innovative methods and
techniques in order to address unique security issues relating to CI and
smart grids.
Original submissions reflecting the latest research observations and
achievements in the following areas are invited:
- Hardware Security Solutions
- Incident response
- Real-time threat intelligence
- Situation Awareness
- Security information and event management (SIEM) systems
- Machine Learning Techniques
- Safety-Security Interactions
- System Vulnerabilities
- Cyber Security Engineering
- Human Awareness & Training
- Intrusion Detection Systems
- Trust and privacy
- Malware Analysis
- Behavioral Modeling
- Secure Communication Protocols
- Network security and protocols
- Hardware enforced virtualization

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to
   cipher-admin@ieee-security.org (which is NOT automated) with subject
   line "subscribe".
   OR send a note to cipher-request@mailman.xmission.com with the subject
   line "subscribe" (this IS automated - thereafter you can manage your
   subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is
   available for Web browsing send e-mail to cipher-admin@ieee-security.org
   (which is NOT automated) with subject line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with the
   subject line "subscribe" (this IS automated - thereafter you can manage
   your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to
cipher-admin@ieee-security.org with subject line "unsubscribe" or
"unsubscribe postcard" or, if you have subscribed directly to the
xmission.com mailing list, use your password (sent monthly) to unsubscribe
per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way.
It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a
NEWSletter, not a bulletin board or forum. It has a fixed set of
departments, defined by the Table of Contents. Please indicate in the
subject line for which department your contribution is intended.

Calendar and Calls-for-Papers entries should be sent to
cipher-cfp @ ieee-security.org and they will be automatically included in
both departments. To facilitate the semi-automated handling, please send
either a text version of the CFP or a URL from which a text version can be
easily obtained. For Calendar entries, please include a URL and/or e-mail
address for the point-of-contact. For Calls for Papers, please submit a one
paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
All reuses of Cipher material should respect stated copyright notices, and
should cite the sources explicitly; as a courtesy, publications using Cipher
material should obtain permission from the contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security
and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy (or other TCs) by
completing the on-line form at IEEE at
https://www.computer.org/web/tandc/technical-committees

______________________________________________________________________
TC Conference Publications Online
______________________________________________________________________

The proceedings of previous conferences are available from the Computer
Society's Digital Library.

IEEE Security and Privacy Symposium
IEEE Computer Security Foundations
IEEE European Security and Privacy Symposium

From 2012 onward, these are available without charge from the digital
library 12 months after the conference.

____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________

Chair:
Ulf Lindqvist
SRI International
Menlo Park, CA
ulf.lindqvist@sri.com

Security and Privacy Symposium Chair Emeritus:
Kevin R. B. Butler
University of Florida
oakland17-chair@ieee-security.org

Vice Chair:
Sean Peisert
UC Davis and Lawrence Berkeley National Laboratory
speisert@ucdavis.edu

Treasurer:
Yong Guan
3219 Coover Hall
Department of Electrical and Computer Engineering
Iowa State University, Ames, IA 50011
(515) 294-8378
yguan (at) iastate.edu

Newsletter Editor and TC Awards Chair:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2018 Chair:
Jason Li
Intelligent Automation
oakland18-chair@ieee-security.org

____________________________________________________________________________

BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year