============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 142                                        January 30, 2018

Hilarie Orman, Editor                  Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org      cipher-assoc-editor @ ieee-security.org

Yong Guan
Book Review Editor                     Calendar Editor
cipher-bookrev @ ieee-security.org     cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * Commentary and Opinion and News
     o Sven Dietrich's review of "Attacking Network Protocols" by James Forshaw
     o From the News Media:
         - Cyber Attack Opportunities Knock
         - US Points WannaCry Finger at (Surprise) North Korea
         - Watching the Inauguration Through Hacked Police Cameras?
         - From the DNC to the US Senate, Russian Hackers Push the Boundaries
         - Be Secure, Be Slow
     o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Conference and Workshop Announcements
     o Calendar and CFP List
 * Staying in Touch
     o Information for subscribers and contributors
     o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
     o Becoming a member of the TC
     o TC Officers
     o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

To start off the new year, Sven Dietrich has graced us with a review of a book that takes an attacker's view of network protocols.
Despite the plethora of advice about designing security from the beginning, all software has bugs, and none more so than communication protocols.

Our news items for this issue have examples of the endless battles to make computing secure. For example, the world of operating system security was shaken by the discovery of side channel attacks on Intel and AMD processors that reveal supposedly protected information on shared servers and even web browsers. Spectre and Meltdown are interesting exploits, but it seems that the remedies slow down most operating systems, so we can expect some forthcoming design proposals for hardware that diminishes side channels without sacrificing speed.

As usual, the upcoming months are jam-packed with conferences for researchers to share their findings. Attend and listen or read the proceedings at your leisure; the security world is always changing. Be aware, be vigilant, and may your data be safe.

   Be careful taking risks with stocks,
   Through a financial institution.
   Lest you succumb,
   Defenses stunned,
   To speculative execution.

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Sven Dietrich
Jan. 29, 2018
____________________________________________________________________

Attacking Network Protocols
by James Forshaw
No Starch Press 2017.
ISBN 978-1-59327-750-5
336 pp.

James Forshaw of Project Zero at Google authored this book. His presentation about the background materials for understanding network protocols makes for an easy read from start to finish.

The book starts off with an introduction to networking basics before going on to how to capture application traffic, understanding network protocol structures, and using advanced concepts to capture traffic. One chapter covers analyzing traffic from the wire using tools such as Wireshark (an entertaining task, from my personal experience). What makes this book exciting and relevant is the occasional interspersing with useful and directly applicable pieces of code (you can even download a ZIP archive with the code pieces from the book website) to support your traffic analysis inner geek. Also covered are the topics of reverse engineering applications, looking at network protocol security and its implementation. Then it segues into vulnerabilities, fuzzing, and finding and exploiting bugs (which after all is something many of us cherish).

Overall, this is a compact book for the novice in traffic analysis wanting to make a foray into playing with packets and different capture environments, be it scripting, proxies, or more challenging Python code. There are ten chapters about feeling the network pulse and application analysis (static and dynamic), and topping it off is a network analysis toolkit in the Appendix. Whether you're a pen tester, fuzzer, or a serene developer seeking understanding of what not to do, this book is an excellent beginner's guide.

I hope you will enjoy reading this book as much as I did. James Forshaw is a well-respected security practitioner, has made his share of contributions deserving of bug bounty, and in this book he gives an introduction to the best practices for attacking network protocols.

-----------------------------------------
Sven Dietrich reviews technology and security books for IEEE Cipher.
He welcomes your thoughts at spock at ieee dot org

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html

Posted January 2018
Purdue University
Lafayette, Indiana
Director, CERIAS
Date position announcement closes: when filled
URL of position description: https://chroniclevitae.com/jobs/0000405065-01

--------------
This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

-----------------------
Cyber Attack Opportunities Knock

Cyberattacks are becoming big opportunities for some small businesses
https://www.washingtonpost.com/news/on-small-business/wp/2017/12/13/cyberattacks-are-becoming-big-opportunities-for-some-small-businesses/
By Gene Marks
The Washington Post
December 13, 2017

Summary: How to create an environment "free from malware"? Some companies are raising a lot of venture capital to achieve that goal for corporate clients. Some seek to provide an isolated environment with a strong "gatekeeper" for all web transactions.

-----------------------
US Points WannaCry Finger at (surprise) North Korea

U.S. declares North Korea carried out massive WannaCry cyberattack
https://www.washingtonpost.com/world/national-security/us-set-to-declare-north-korea-carried-out-massive-wannacry-cyber-attack/2017/12/18/509deb1c-e446-11e7-a65d-1ac0fd7f097e_story.html
By Ellen Nakashima and Philip Rucker
The Washington Post
Dec 19, 2017

Summary: North Korea's cybercrime capabilities have grown rapidly, and the US acknowledged this in attributing the WannaCry ransomware attack to the reclusive country. The attack caused a great deal of damage in Europe, though it may not have garnered much ransom payment. There are few ways to increase pressure against North Korea without causing even more suffering to the general populace, which seems to face constant food shortages and forced labor.

-----------------------
Watching the Inauguration Through Hacked Police Cameras?

Romanian hackers took over D.C. surveillance cameras just before presidential inauguration, federal prosecutors say
https://www.washingtonpost.com/local/public-safety/romanian-hackers-took-over-dc-surveillance-cameras-just-before-presidential-inauguration-federal-prosecutors-say/2017/12/28/7a15f894-e749-11e7-833f-155031558ff4_story.html
By Rachel Weiner
The Washington Post
Dec 28, 2017

Summary: A year ago two Romanians managed to take over nearly 200 DC police cameras. Their motive seemed to be establishing a spam botnet, but it left the surveillance system inoperative during the presidential inauguration. The alleged culprits are facing extradition from Romania to the US. It is possible that they simply unleashed the malware and had no idea where it landed. The Internet of Things is sometimes a welcoming Petri dish.

-----------------------
From the DNC to the US Senate, Russian Hackers Push the Boundaries

Russian hackers who compromised DNC are targeting the Senate, company says
https://www.washingtonpost.com/world/national-security/russian-hackers-who-compromised-the-dnc-are-targeting-the-us-senate/2018/01/12/7e9169ce-f7a9-11e7-91af-31ac729add94_story.html
By Shane Harris
The Washington Post
Jan 12, 2018

Summary: The security firm Trend Micro reports that the Russian hacking group that stole Democratic National Committee emails and gave them to Wikileaks is actively preparing for the November midterm elections. The group known as Fancy Bear (aka Pawn Storm) is using spear phishing emails to direct Senate staffers to websites that mimic trusted sites for Senate documents and email. This allows the hackers to steal login credentials from unwary users.

-----------------------
Be Secure, Be Slow

Here's how, and why, the Spectre and Meltdown patches will hurt performance
https://arstechnica.com/gadgets/2018/01/heres-how-and-why-the-spectre-and-meltdown-patches-will-hurt-performance/
By Peter Bright
Ars Technica
Jan 11, 2018

Summary: Modern computers speculate. They execute computer instructions before they are needed, while something slower is going on, and if the result is needed, it can be used immediately. This clever technique of speculative execution makes software run fast but not securely. The computer retains information about the side effects of the execution, even if the result is not used because of permission violations. This can cause a significant leakage of information on a shared server or in a browser with compromised JavaScript code. Two ways of exploiting this principle emerged recently. The attacks, named Spectre and Meltdown, require fundamental changes in operating systems, and those changes, which are just now emerging as patches, make computer systems run noticeably more slowly. The slowdown may be a few per cent or much more, depending on the application.

====================================================================
Conference and Workshop Announcements
====================================================================

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

Requests for inclusion in the list should be sent per instructions: http://www.ieee-security.org/Calendar/submitting.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events
maintained by Hilarie Orman

Date (Month/Day/Year), Event, Locations, web page for more info.

1/31/18: SADFE, 12th International Workshop on Systematic Approaches to Digital Forensics Engineering, Co-located with 39th IEEE Symposium on Security and Privacy (IEEE S&P 2018), San Francisco, CA, USA; http://dfrws.org/conferences/dfrws-usa-2018 Submissions are due
2/ 1/18: SP, 40th IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2019/cfpapers.html Submissions are due (monthly deadline)
2/ 1/18: WCCI-Blockchain, Blockchain Research and Applications Session, Held in conjunction with the 2018 World Congress on Computational Intelligence (WCCI 2018), Rio de Janeiro, Brasil; http://www.ieee-cifer.org Submissions are due
2/ 8/18: USENIX Security, 27th USENIX Security Symposium, Baltimore, MD, USA; https://www.ieee-security.org/TC/SP2019/cfpapers.html Submissions are due
2/12/18: SOUPS, 14th Symposium on Usable Privacy and Security, Baltimore, MD, USA; https://www.usenix.org/conference/soups2018 Submissions are due
2/13/18: Crypto, 38th International Cryptology Conference, Santa Barbara, CA, USA; https://crypto.iacr.org/2018/ Submissions are due
2/15/18: BioSTAR, 3rd International Workshop on Bio-inspired Security, Trust, Assurance and Resilience, Co-located with 39th IEEE Symposium on Security and Privacy (IEEE S&P 2018), San Francisco, CA, USA; http://biostar.cybersecurity.bio/ Submissions are due
2/16/18: WIIoTS, Workshop on Industrial Internet of Things Security, Bilbao, Spain; http://globaliotsummit.org Submissions are due
2/21/18: IVSW, 3rd International Verification and Security Workshop, Costa Brava, Spain; http://tima.imag.fr/conferences/ivsw/ivsw18/ Submissions are due
2/28/18: PETS, 18th Privacy Enhancing Technologies Symposium, Barcelona, Spain; https://petsymposium.org/ Submissions are due
3/ 1/18: SP, 40th IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2019/cfpapers.html Submissions are due (monthly deadline)
3/ 5/18: SecDev, IEEE Security Development Conference, Cambridge, MA, USA; https://secdev.ieee.org/2018/papers/ Submissions are due
3/ 9/18: ESSoS, International Symposium on Engineering Secure Software and Systems, Campus Paris-Saclay, France; https://distrinet.cs.kuleuven.be/events/essos/2018/index.html Submissions are due
3/16/18: ARES, 13th International Conference on Availability, Reliability and Security, Hamburg, Germany; http://www.ares-conference.eu Submissions are due
3/21/18: IWSPA, 4th International Workshop on Security and Privacy Analytics, Co-located with ACM CODASPY 2018, Tempe, AZ, USA; http://capex.cs.uh.edu/?q=content/4th-international-workshop-security-and-privacy-analytics-2018
3/25/18- 3/28/18: PKC, 21st IACR International Conference on Practice and Theory in Public-Key Cryptography, Rio de Janeiro, Brazil; https://pkc.iacr.org/2018/
3/30/18: DASC, 16th IEEE International Conference on Dependable, Autonomic and Secure Computing, Athens, Greece; http://cyber-science.org/2018/dasc/ Submissions are due
3/30/18: DBSec, 32nd Annual IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy, Bergamo, Italy; http://dbsec18.unibg.it Submissions are due
4/ 1/18: SP, 39th IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2019/cfpapers.html Submissions are due
4/10/18- 4/11/18: HotSoS, 5th Annual Hot Topics in the Science of Security Symposium, Raleigh, North Carolina, USA; https://cps-vo.org/group/hotsos/cfp
4/30/18: ICDF2C, 10th EAI International Conference on Digital Forensics & Cyber Crime, New Orleans, LA, USA; http://d-forensics.org/ Submissions are due
5/ 1/18: SP, 39th IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2019/cfpapers.html Submissions are due
5/ 1/18: SciSec, 1st International Conference on Science of Cyber Security, Beijing, China; http://www.sci-cs.net/ Submissions are due
5/ 2/18- 5/ 3/18: HST, 18th annual IEEE Symposium on Technologies for Homeland Security, Washington D.C., USA; http://ieee-hst.org
5/21/18- 5/23/18: SP, 39th IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2019/cfpapers.html
5/ /18: HOST, IEEE International Symposium on Hardware-Oriented Security and Trust, Washington DC, USA; http://www.hostsymposium.org
5/24/18: BioSTAR, 3rd International Workshop on Bio-inspired Security, Trust, Assurance and Resilience, Co-located with 39th IEEE Symposium on Security and Privacy (IEEE S&P 2018), San Francisco, CA, USA; http://biostar.cybersecurity.bio/
5/30/18- 6/ 1/18: CNS, IEEE Conference on Communications and Network Security, Beijing, China; http://cns2018.ieee-cns.org/
6/ 4/18- 6/ 7/18: WIIoTS, Workshop on Industrial Internet of Things Security, Bilbao, Spain; http://globaliotsummit.org
6/ 4/18- 6/ 8/18: ASIACCS, ACM Symposium on Information, Computer and Communications Security, Sungdo, Incheon, Korea; http://asiaccs2018.org/
6/26/18- 6/27/18: ESSoS, International Symposium on Engineering Secure Software and Systems, Campus Paris-Saclay, France; https://distrinet.cs.kuleuven.be/events/essos/2018/index.html
7/ 2/18-7/ 4/18: IVSW, 3rd International Verification and Security Workshop, Costa Brava, Spain; http://tima.imag.fr/conferences/ivsw/ivsw18/
7/ 8/18-7/13/18: WCCI-Blockchain, Blockchain Research and Applications Session, Held in conjunction with the 2018 World Congress on Computational Intelligence (WCCI 2018), Rio de Janeiro, Brasil; http://www.ieee-cifer.org
7/15/18-7/18/18: DFRWS, 18th Annual DFRWS USA 2018 Conference, Providence, Rhode Island, USA; http://dfrws.org/conferences/dfrws-usa-2018
7/16/18-7/18/18: DBSec, 32nd Annual IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy, Bergamo, Italy; http://dbsec18.unibg.it
7/24/18-7/27/18: PETS, 18th Privacy Enhancing Technologies Symposium, Barcelona, Spain; https://petsymposium.org/
8/12/18-8/14/18: SOUPS, 14th Symposium on Usable Privacy and Security, Baltimore, MD, USA; https://www.usenix.org/conference/soups2018
8/12/18-8/14/18: SciSec, 1st International Conference on Science of Cyber Security, Beijing, China; http://www.sci-cs.net/
8/12/18-8/15/18: DASC, 16th IEEE International Conference on Dependable, Autonomic and Secure Computing, Athens, Greece; http://cyber-science.org/2018/dasc/
8/15/18-8/17/18: USENIX Security, 27th USENIX Security Symposium, Baltimore, MD, USA; https://www.ieee-security.org/TC/SP2019/cfpapers.html
8/19/18-8/23/18: Crypto, 38th International Cryptology Conference, Santa Barbara, CA, USA; https://crypto.iacr.org/2018/
8/27/18-8/30/18: ARES, 13th International Conference on Availability, Reliability and Security, Hamburg, Germany; http://www.ares-conference.eu
9/10/18- 9/12/18: ICDF2C, 10th EAI International Conference on Digital Forensics & Cyber Crime, New Orleans, LA, USA; http://d-forensics.org/
9/30/18-10/ 2/18: SecDev, IEEE Security Development Conference, Cambridge, MA, USA; https://secdev.ieee.org/2018/papers/

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers (new since Cipher E141)
____________________________________________________________________

SADFE 2018 12th International Workshop on Systematic Approaches to Digital Forensics Engineering, Co-located with 39th IEEE Symposium on Security and Privacy (IEEE S&P 2018), San Francisco, CA, USA, May 24, 2018. (Submissions are due 31 January 2018)
http://sadfe.org/cfp/

SADFE (Systematic Approaches to Digital Forensic Engineering) promotes systematic approaches to digital forensic investigation on failures of today's cyber systems and networks. SADFE furthers Digital Forensic Engineering (DFE) advancement as a disciplined and holistic scientific practice. The 12th International Conference on Systematic Approaches to Digital Forensic Engineering (SADFE) is calling for paper submissions in the broad field of Digital Forensics from both practitioner and researcher's perspectives.
With the dynamic change and rapid expansion of the types of electronic devices, networked applications, and investigation challenges, systematic approaches for automating the process of gathering, analyzing and presenting digital evidence are in unprecedented demand. The SADFE conference aims at promoting solutions for related problems. Past speakers and attendees of SADFE have included computer scientists, social scientists, forensic practitioners, lawyers and judges. The synthesis of hard technology and science with social science and practice forms the foundation of this conference. Papers focusing on any of the system, legal, or practical aspects of digital forensics are solicited.

Topics to be Addressed:
- Digital Data and Evidence Management: advanced digital evidence discovery, collection, management, storage and preservation
- Digital Evidence, Data Integrity and Analytics: advanced digital evidence and digitized data analysis, correlation, and presentation
- Forensics of embedded or non-traditional devices (e.g. digicams, cell phones, SCADA, obsolete storage media)
- Forensic and digital data integrity issues for digital preservation and recovery
- Scientific Principle-Based Digital Forensic Processes: systematic engineering processes supporting digital evidence management which are sound on scientific, technical and legal grounds
- Legal/technical aspects of admissibility and evidence tests
- Legal, Ethical and Technical Challenges

-------------------------------------------------------------------------
SP 2019 40th IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 20-22, 2019. (Submissions are due first day of each month)
https://www.ieee-security.org/TC/SP2019/cfpapers.html

Since 1980 in Oakland, the IEEE Symposium on Security and Privacy has been the premier forum for computer security research, presenting the latest developments and bringing together researchers and practitioners.
We solicit previously unpublished papers offering novel research contributions in any aspect of security or privacy. Papers may present advances in the theory, design, implementation, analysis, verification, or empirical evaluation and measurement of secure systems.

Topics of interest include:
- Access control and authorization
- Accountability
- Anonymity
- Application security
- Attacks and defenses
- Authentication
- Censorship resistance
- Cloud security
- Distributed systems security
- Economics of security and privacy
- Embedded systems security
- Forensics
- Hardware security
- Intrusion detection and prevention
- Malware and unwanted software
- Mobile and Web security and privacy
- Language-based security
- Network and systems security
- Privacy technologies and mechanisms
- Protocol security
- Secure information flow
- Security and privacy for the Internet of Things
- Security and privacy metrics
- Security and privacy policies
- Security architectures
- Usable security and privacy

This topic list is not meant to be exhaustive; S&P is interested in all aspects of computer security and privacy. Papers without a clear application to security or privacy, however, will be considered out of scope and may be rejected without full review.

Systematization of Knowledge Papers

As in past years, we solicit systematization of knowledge (SoK) papers that evaluate, systematize, and contextualize existing knowledge, as such papers can provide a high value to our community. Suitable papers are those that provide an important new viewpoint on an established, major research area, support or challenge long-held beliefs in such an area with compelling evidence, or present a convincing, comprehensive new taxonomy of such an area. Survey papers without such insights are not appropriate. Submissions will be distinguished by the prefix "SoK:" in the title and a checkbox on the submission form.
They will be reviewed by the full PC and held to the same standards as traditional research papers, but they will be accepted based on their treatment of existing work and value to the community, and not based on any new research results they may contain. Accepted papers will be presented at the symposium and included in the proceedings.

Workshops

The Symposium is also soliciting submissions for co-located workshops. Further details on submissions can be found at https://www.ieee-security.org/TC/SP2019/workshops.html.

Ongoing Submissions

To enhance the quality and timeliness of the scientific results presented as part of the Symposium, and to improve the quality of our reviewing process, IEEE S&P now accepts paper submissions 12 times a year, on the first of each month. The detailed process can be found at the conference call-for-papers page.

-------------------------------------------------------------------------
WCCI-Blockchain 2018 Blockchain Research and Applications Session, Held in conjunction with the 2018 World Congress on Computational Intelligence (WCCI 2018), Rio de Janeiro, Brasil, July 8-13, 2018. (Submissions are due 1 February 2018)
http://www.ieee-cifer.org

The blockchain emerged as a novel distributed consensus scheme that allows transactions, and any other data, to be securely stored and verified in a decentralized way. Considered by some as revolutionary as the Internet, the blockchain has the potential to underpin concepts, frameworks, regulations, and economics. The nascent field of blockchain research is highly interdisciplinary, and has the potential for fascinating research projects and results, sitting at the intersection of computer science, cryptography, economics, engineering, finance, law, mathematics, and politics. Many technical challenges arise with the rapid development of distributed ledger technologies. There is a great interest in applying blockchain to different application scenarios and in solving complex problems.
This technology also offers superb opportunities to support the transformation of business models. This special session aims to provide a forum for researchers in this area to carefully analyze current systems or propose new ones, in order to create a scientific background for a solid development of new blockchain technology systems.

-------------------------------------------------------------------------
USENIX Security 2018 27th USENIX Security Symposium, Baltimore, MD, USA, August 15-17, 2018. (Submissions are due 8 February 2018)
https://www.usenix.org/conference/usenixsecurity18

The USENIX Security Symposium brings together researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in the security and privacy of computer systems and networks. All researchers are encouraged to submit papers covering novel and scientifically significant practical works in computer security. USENIX Security is interested in all aspects of computing systems security and privacy. Papers without a clear application to security or privacy, however, will be considered out of scope and may be rejected without full review.

-------------------------------------------------------------------------
SOUPS 2018 14th Symposium on Usable Privacy and Security, Baltimore, MD, USA, August 12-14, 2018. (Submissions are due 12 February 2018)
https://www.usenix.org/conference/soups2018

The Fourteenth Symposium on Usable Privacy and Security will bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy. We invite authors to submit previously unpublished papers describing research or experience in all areas of usable privacy and security. We welcome a variety of research methods, including both qualitative and quantitative approaches. Papers will be judged on their scientific quality, overall quality, and value to the community.

-------------------------------------------------------------------------
Crypto 2018 38th International Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2018. (Submissions are due 13 February 2018)
https://crypto.iacr.org/2018/

Original contributions on all technical aspects of cryptology are solicited for submission to Crypto 2018, the 38th Annual International Cryptology Conference. Submissions are welcome on any cryptographic topic including, but not limited to:
- Foundational theory and mathematics
- The design, proposal, and analysis of cryptographic primitives and protocols
- Secure implementation and optimization in hardware or software; and
- Applied aspects of cryptography

-------------------------------------------------------------------------
BioSTAR 2018 3rd International Workshop on Bio-inspired Security, Trust, Assurance and Resilience, Co-located with 39th IEEE Symposium on Security and Privacy (IEEE S&P 2018), San Francisco, CA, USA, May 24, 2018. (Submissions are due 15 February 2018)
http://biostar.cybersecurity.bio/

As computing and communication systems continue to expand and offer new services, these advancements require more dynamic, diverse, and interconnected computing infrastructures. Unfortunately, defending and maintaining resilient and trustworthy operation of these complex systems are increasingly difficult challenges. Conventional approaches to Security, Trust, Assurance and Resilience (STAR for short) are often too narrowly focused and cannot easily scale to manage large, coordinated and persistent attacks in these environments. Designs found in nature are increasingly used as a source of inspiration for STAR and related networking and intelligence solutions for complex computing and communication environments. Nature's footprint is present in the world of Information Technology, where there are an astounding number of computational bio-inspired techniques.
These well-regarded approaches include genetic algorithms, neural networks, ant algorithms, immune systems, just to name a few. For example, several networking management and security technologies have successfully adopted some of nature's approaches, such as swarm intelligence, artificial immune systems, sensor networks, moving target defense, diversity-based software design, etc. Nature has also developed an outstanding ability to recognize individuals or foreign objects and adapt/evolve to protect a group or a single organism. Solutions that incorporate these nature-inspired characteristics often have improved performance and/or provided new capabilities beyond more traditional methods. The aim of this workshop is to bring together the research accomplishments provided by the researchers from academia and the industry. The other goal is to show the latest research results in the field of nature-inspired STAR aspects in computing and communications.

Topics of interests include, but are not limited to:
- Nature-inspired anomaly and intrusion detection
- Adaptation algorithms
- Biometrics
- Nature-inspired algorithms and technologies for STAR
- Biomimetics
- Artificial Immune Systems
- Adaptive and Evolvable Systems
- Machine Learning, neural networks, genetic algorithms for STAR
- Nature-inspired analytics and prediction
- Cognitive systems
- Sensor and actuator networks and systems
- Information hiding solutions (steganography, watermarking) for network traffic
- Cooperative defense systems
- Cloud-supported nature-inspired STAR
- Theoretical development in heuristics
- Management of decentralized networks
- Nature-inspired algorithms for dependable networks
- Platforms for STAR services
- Diversity in computing and communications
- Survivable and sustainable systems
- STAR management systems
- Autonomic cyber defenses

-------------------------------------------------------------------------
WIIoTS 2018 Workshop on Industrial Internet of Things Security, Bilbao, Spain, June 4-7, 2018. (Submissions are due 16 February 2018)
http://globaliotsummit.org

The Industrial Internet of Things (IIoT) is an emerging paradigm in today's (control) industry, comprising Internet-enabled cyber-physical devices with the ability to couple to the new interconnection technologies such as cloud/fog computing. Under this perspective, the new industrial cyber-physical "things" can be accessible and available from remote locations, the information of which can be processed and stored in distributed locations, favouring the cooperation, the performance in field, and the achievement of operational tasks working at optimal times. However, the incorporation of the IIoT in the new scenarios of the fourth industrial revolution, also known as Industry 4.0, entails having to consider the new security and privacy issues that can threaten the wellbeing of the new IIoT ecosystem and its coexistence with the existing industrial technologies, with a high risk of impact on the end-users. Therefore, this workshop will create a collaboration platform for experts from academia, governments and industry to address the new IIoT security and privacy challenges. Papers related to security and privacy of embedded systems working in industrial and control environments, such as SCADA, smart grid, smart cities, manufacturing systems, water systems, and in critical infrastructures in general, are all welcome at WIIoTS 2018.

-------------------------------------------------------------------------
IVSW 2018 3rd International Verification and Security Workshop, Costa Brava, Spain, July 2-4, 2018. (Submissions are due 21 February 2018)
http://tima.imag.fr/conferences/ivsw/ivsw18/

Issues related to verification and security are increasingly important in modern electronic systems. In particular, the huge complexity of electronic systems has led to growth in quality, reliability and security needs in several application domains as well as pressure for low cost products.
There is a corresponding increasing demand for cost-effective verification techniques and security solutions. These needs have increased dramatically with the increased complexity of electronic systems and the fast adoption of these systems in all aspects of our daily lives. The goal of IVSW is to bring industry practitioners and researchers from the fields of verification, validation, test, reliability and security to exchange innovative ideas and to develop new methodologies for solving the difficult challenges facing us today in various SoC design environments. The workshop seeks submissions from academia and industry presenting novel research results on the following topics of interest:
- Verification challenges of IoT
- High-level test generation for functional verification
- Emulation techniques and FPGA prototyping
- Triage and debug methodologies
- Silicon debugging
- Low-power verification
- Formal techniques and their applications
- Verification coverage
- Performance validation and characterization
- Design for Verifiability (DFV)
- Memory and coherency verification
- ESL design and Virtual Platforms
- Design for security and security validation
- CAD metrics and tools for security
- Cryptography and trusted computing
- Detection of Trojans and counterfeit electronics
- Methods for IP protection (obfuscation, encryption, etc.)
- Fault-based side-channel attacks and countermeasures
- Hardware security primitives design and evaluation
- Security for analog/mixed signal (AMS) circuits
- Security in automotive, railway, avionics, space, Internet of Things (IoT)
- Data analytics in verification and security
- Cross layer security and verification
- Security of design environment and tools, and supply chain

-------------------------------------------------------------------------
PETS 2018 18th Privacy Enhancing Technologies Symposium, Barcelona, Spain, July 24-27, 2018.
(Submissions are due 28 February 2018)
https://petsymposium.org/

The annual Privacy Enhancing Technologies Symposium (PETS) brings together privacy experts from around the world to present and discuss recent advances and new perspectives on research in privacy technologies. Papers undergo a journal-style reviewing process and accepted papers are published in Proceedings on Privacy Enhancing Technologies (PoPETs), a scholarly, open access journal. Submitted papers should present novel practical and/or theoretical research into the design, analysis, experimentation, or fielding of privacy-enhancing technologies. While PETS/PoPETs has traditionally been home to research on anonymity systems and privacy-oriented cryptography, we strongly encourage submissions on a number of both well-established and emerging privacy-related topics, for which examples are provided below. PoPETs also solicits submissions for Systematization of Knowledge (SoK) papers. These are papers that critically review, evaluate, and contextualize work in areas for which a body of prior literature exists, and whose contribution lies in systematizing the existing knowledge in that area. Authors are encouraged to view our FAQ about the submission process.
- Behavioural targeting
- Building and deploying privacy-enhancing systems
- Crowdsourcing for privacy
- Cryptographic tools for privacy
- Data protection technologies
- Differential privacy
- Economics of privacy and game-theoretical approaches to privacy
- Empirical studies of privacy in real-world systems
- Forensics and privacy
- Human factors, usability and user-centered design for PETs
- Information leakage, data correlation and generic attacks to privacy
- Interdisciplinary research connecting privacy to economics, law, ethnography, psychology, medicine, biotechnology
- Location and mobility privacy
- Machine learning and privacy
- Measuring and quantifying privacy
- Mobile devices and privacy
- Obfuscation-based privacy
- Policy languages and tools for privacy
- Privacy in cloud and big-data applications
- Privacy in social networks and microblogging systems
- Privacy-enhanced access control, authentication, and identity management
- Profiling and data mining
- Reliability, robustness, and abuse prevention in privacy systems
- Surveillance
- Systems for anonymous communications and censorship resistance
- Traffic analysis
- Transparency enhancing tools
- Web privacy

-------------------------------------------------------------------------
SecDev 2018 IEEE Security Development Conference, Cambridge, MA, USA, September 30-October 2, 2018. (Submissions are due 5 March 2018)
https://secdev.ieee.org/2018/papers/

SecDev is a venue for presenting ideas, research, and experience about how to develop secure systems. SecDev is distinguished by its focus on the theory, techniques, and tools for how to "build security in" to computing systems, and not simply discover the absence of security. Its goal is to encourage and disseminate ideas for secure system development among academia, industry, and government.
Developers have valuable experiences and ideas that can inform academic research, and researchers have concepts, studies, and even code and tools that could benefit developers. Great SecDev contributions could come from attendees of industrial conferences like AppSec, RSA, Black Hat, and Shmoocon; from attendees of academic conferences like IEEE S&P, IEEE CSF, USENIX Security, PLDI, FSE, ISSTA, SOUPS, and others; and from newcomers.

SecDev solicits four types of contributions. First, SecDev is a forum for novel research papers that present innovations, experience-based insights, or a vision about how to "build security in" to existing and new computing systems. Position papers with exceptional visions will also be considered. Second, SecDev seeks Best Practices (BP) papers that provide an in-depth clarification and integration of solutions on a major security area. The paper needs to provide new perspectives and insights, although it could draw upon prior work. Third, SecDev seeks hands-on and interactive tutorials on processes, frameworks, languages, and tools for building security in. The goal is to share knowledge on the art and science of secure systems development. Fourth, SecDev seeks abstracts from practitioners to share their practical experiences and challenges in security development.

-------------------------------------------------------------------------
ESSoS 2018 International Symposium on Engineering Secure Software and Systems, Campus Paris-Saclay, France, June 26-27, 2018. (Submissions are due 9 March 2018)
https://distrinet.cs.kuleuven.be/events/essos/2018/index.html

Software-based systems permeate the very fabric of our society from enterprise IT systems and mobile devices to smart home and city environments. Consequently, computer security is becoming an increasingly inter-disciplinary subject requiring attention to the various aspects of securing our software-based infrastructure.
One must pay careful attention to ensure compatibility with existing software and the wider socio-technical context (e.g., users and organisations) which it inhabits. This, in turn, requires an approach that integrates insights from computer security research with rigorous software engineering methods to ensure the security and resilience of our digital infrastructure. ESSoS therefore welcomes contributions that are at the border of system security and software engineering. The goal of this symposium is to bring together researchers and practitioners to advance the state of the art and practice in secure software engineering. Being one of the few conference-level events dedicated to this topic, it explicitly aims to bridge the software engineering and software security communities. The symposium features two days of technical program including two keynote presentations. In addition to academic papers, the symposium encourages submission of high-quality, informative industrial experience papers about successes and failures in secure software engineering and the lessons learned. Furthermore, the symposium also accepts short idea papers that crisply describe a promising direction, approach, or insight.

-------------------------------------------------------------------------
ARES 2018 13th International Conference on Availability, Reliability and Security, Hamburg, Germany, August 27-30, 2018. (Submissions are due 16 March 2018)
http://www.ares-conference.eu

The 13th International Conference on Availability, Reliability and Security ("ARES - The International Dependability Conference") will bring together researchers and practitioners in the area of dependability. ARES will highlight the various aspects of dependability - with special focus on the crucial linkage between availability, reliability and security.
ARES aims at a full and detailed discussion of the research issues of dependability as an integrative concept that covers amongst others availability, safety, confidentiality, integrity, maintainability and security in the different fields of applications. ARES will emphasize the interplay between foundations and practical issues of dependability in emerging areas such as e-government, m-government, location-based applications, ubiquitous computing, autonomous computing, chances of grid computing etc. ARES is devoted to the critical examination and research challenges of the various aspects of Dependable Computing and the definition of a future road map.

-------------------------------------------------------------------------
DASC 2018 16th IEEE International Conference on Dependable, Autonomic and Secure Computing, Athens, Greece, August 12-15, 2018. (Submissions are due 30 March 2018)
http://cyber-science.org/2018/dasc/

IEEE DASC 2018 aims to bring together computer scientists, industrial engineers, and researchers to discuss and exchange experimental and theoretical results, novel designs, work-in-progress, experience, case studies, and trend-setting ideas in the areas of dependability, security, trust and/or autonomic computing systems.
Topics of particular interest include, but are not limited to, the following tracks:
- Dependable, Autonomic, Secure Computing Systems, Architectures and Communications
- Cloud Computing and Fog/edge Computing with Autonomic and Trusted Environment
- Dependable Automatic Control Techniques and Systems
- Dependable Sensors, Devices, Embedded Systems
- Dependable Electronic-Mechanical Systems, Optic-Electronic Systems
- Self-improvement in Dependable Systems
- Self-healing, Self-protection and Fault-tolerant Systems
- Hardware and Software Reliability, Verification and Testing
- Software Engineering for Dependable Systems
- Safety-critical Systems in Transportation and Power System
- Security Models and Quantifications
- Trusted P2P, Web Service, SoA, SaaS, EaaS, and PaaS
- Self-protection and Intrusion-detection in Security
- DRM, Watermarking Technology, IP Protection
- Context-aware Access Control
- Virus Detections and Anti-Virus Techniques/Software
- Cyber Attack, Crime and Cyber War
- Human Interaction with Trusted and Autonomic Computing Systems
- Security, Dependability and Autonomic Issues in Ubiquitous Computing
- Security, Dependability and Autonomic Issues in Cyber-Physical System
- Security, Dependability and Autonomic Issues in Big Data, SDN, and IoT Systems
- QoS in Communications and Services and Service Oriented Architectures
- Information and System Security
- Reliable Computing and Trusted Computing
- Wireless Emergency and Security Systems
- Information Technology in Biomedicine
- Multimedia Security Issues over Mobile and Wireless Networks
- Multimedia in Mobile Computing: Issues, System Design and Performance Evaluation
- Software Architectures and Design for Emerging Systems
- Software Engineering for Emerging Networks, Systems, and Mobile Systems
- Evaluation Platforms for Dependable, Autonomic and Secure Computing Systems
- Trustworthy Data, Secured Data Collection System, Model, and Architectures

-------------------------------------------------------------------------
DBSec 2018 32nd Annual IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy, Bergamo, Italy, July 16-18, 2018. (Submissions are due 30 March 2018)
http://dbsec18.unibg.it

DBSec is an annual international conference covering research in data and applications security and privacy. The 32nd Annual IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy (DBSec 2018) will be held in Bergamo, Italy. The conference seeks submissions from academia, industry, and government presenting novel research on all theoretical and practical aspects of data protection, privacy, and applications security. Topics of interest include, but are not limited to:
- access control
- anonymity
- applied cryptography in data security
- authentication
- big data security
- data and system integrity
- data protection
- database security
- digital rights management
- identity management
- intrusion detection
- knowledge discovery and privacy
- methodologies for data and application security
- network security
- organizational security
- privacy
- secure cloud computing
- secure distributed systems
- secure information integration
- secure Web services
- security and privacy in crowdsourcing
- security and privacy in IT outsourcing
- security and privacy in the Internet of Things
- security and privacy in location-based services
- security and privacy in P2P scenarios and social networks
- security and privacy in pervasive/ubiquitous computing
- security and privacy policies
- security management
- security metrics
- threats, vulnerabilities, and risk management
- trust and reputation systems
- trust management
- wireless and mobile security

-------------------------------------------------------------------------
ICDF2C 2018 10th EAI International Conference on Digital Forensics & Cyber Crime, New Orleans, LA, USA, September 10-12, 2018.
(Submissions are due 30 April 2018)
http://d-forensics.org/

Cyberspace is becoming increasingly central to the basic function of modern society. Cybercrime and cyberwarfare have emerged as major threats to the integrity of digital information and to the functioning of cyber-controlled physical systems. Such threats have direct consequences for almost all individuals, businesses and organizations, government institutions, and civic processes. Digital forensics and cybercrime investigations are multidisciplinary areas that encompass law and law enforcement, computer science and engineering, IT operations, economics and finance, data analytics and criminal justice. ICDF2C brings together researchers and practitioners from all these areas in order to scientifically address the numerous challenges due to the rapid increase in the amount and variety of data under investigation, as well as the growing complexity of both the threats and the targeted systems.

-------------------------------------------------------------------------
SciSec 2018 1st International Conference on Science of Cyber Security, Beijing, China, August 12-14, 2018. (Submissions are due 1 May 2018)
http://www.sci-cs.net/

This new forum aims to catalyze the research collaborations between the relevant communities and disciplines that can work together to deepen our understanding of, and build a firm foundation for, the emerging Science of Cyber Security. Publications in this venue would distinguish themselves from others by taking or thinking from a holistic perspective about cyber security, rather than the building-block perspective. Each submission will be reviewed (double blind) by at least 3 reviewers. The program committee plans to select and award a Best Paper and a Best Student Paper. The post-conference proceedings will be published in Springer's Lecture Notes in Computer Science (LNCS) series.
Areas of interest include:
- Cybersecurity Dynamics
- Cybersecurity Metrics and Their Measurements
- First-principle Cybersecurity Modeling and Analysis (e.g., Dynamical Systems, Control-Theoretic, and Game-Theoretic Modeling)
- Cybersecurity Data Analytics
- Big Data for Cybersecurity
- Artificial Intelligence for Cybersecurity
- Machine Learning for Cybersecurity
- Economics Approaches for Cybersecurity
- Social Sciences Approaches for Cybersecurity
- Statistical Physics Approaches for Cybersecurity
- Complexity Sciences Approaches for Cybersecurity
- Experimental Cybersecurity
- Macroscopic Cybersecurity
- Statistics Approaches for Cybersecurity
- Human Factors for Cybersecurity
- Compositional Security
- Biology-inspired Approaches for Cybersecurity

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:
1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".
   OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)
2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________
Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html
_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________
You may easily join the TC on Security & Privacy (or other TCs) by completing the on-line form at IEEE at https://www.computer.org/web/tandc/technical-committees
______________________________________________________________________
TC Conference Publications Online
______________________________________________________________________
The proceedings of previous conferences are available from the Computer Society's Digital Library.
    IEEE Security and Privacy Symposium
    IEEE Computer Security Foundations
    IEEE European Security and Privacy Symposium
From 2012 onward, these are available without charge 12 months after the conference.
____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________
Chair:
Sean Peisert
UC Davis and Lawrence Berkeley National Laboratory
speisert@ucdavis.edu

Security and Privacy Symposium Chair Emeritus:
Kevin R. B. Butler
University of Florida
oakland17-chair@ieee-security.org

Vice Chair:
Ulfar Erlingsson
Manager, Security Research
Google
tcchair at ieee-security.org

Treasurer:
Yong Guan
3219 Coover Hall
Department of Electrical and Computer Engineering
Iowa State University, Ames, IA 50011
(515) 294-8378
yguan (at) iastate.edu

Newsletter Editor and TC Awards Chair:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2018 Chair:
Jason Li
Intelligent Automation
oakland18-chair@ieee-security.org
____________________________________________________________________________
BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year