Electronic CIPHER, Issue 147, January 25, 2019

============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 147                                   January 25, 2019

Hilarie Orman, Editor                    Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org        cipher-assoc-editor @ ieee-security.org

Sven Dietrich                            Yong Guan
Book Review Editor                       Calendar Editor
cipher-bookrev @ ieee-security.org       cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * Commentary and Opinion and News
    o Sven Dietrich's review of Practical Binary Analysis: Build Your Own Linux Tools for Binary Instrumentation, Analysis, and Disassembly by Dennis Andriesse
    o Cyber News Items
       - The Cyber Security Hall of Fame
       - The People's Root Certificate Authority
       - Dirty Cookies
       - VPNs that are Unprivate, Actually
       - Google Fine Not So Fine
       - Facebook is All Fine
    o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website http://ieee-security.org/cipher.html
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Conference and Workshop Announcements
    o Upcoming calls-for-papers and events
 * Staying in Touch
    o Information for subscribers and contributors
    o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
    o Becoming a member of the TC
    o TC Officers
    o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

The flagship conference of
the IEEE Computer Society's Technical Committee on Security and Privacy is the Security and Privacy Symposium, which has been held in May in the San Francisco Bay Area since 1980. The program committee is now making the final selections for the program, and now is the time to plan to attend the event. All the details are at https://ieee-security.org/TC/SP2019.

I would like to take a moment to muse on the churn of ideas in the field of security and privacy. Blockchain technology, in particular, has a remarkable use of old ideas in new contexts. As an example, using Merkle trees for verifying the contents of data sets dates back to 1979, and the notion of a verifiable distributed log file dates back to 1990. Combine those ideas with digital signatures (1978) and Proof-of-Work (1993), and suddenly a new form of currency emerges (BitCoin). Was BitCoin a foreseeable possibility in 1980, or is it simply the case that some ideas are fundamental building blocks, waiting to be used by a new invention? Perhaps it is difficult to distinguish between a fundamental concept and a dead-end novelty when a field is young, or perhaps it is the case that fundamental ideas in a young field are lying about like stones in a New England pasture.

In any case, I have gained an appreciation for the utility of re-examining previous research in the light of new contexts. Sometimes a conference paper seems to be a slight enhancement to an older idea, but it might just be on the cusp of a new discovery. On the other hand, there is a distressing tendency to ignore older work when developing new ideas. Some conferences have "Test of Time" awards to highlight particularly important "classic" papers, but there are probably more neglected gems than anyone has time to document.

At the time of this writing the US Federal government was locked in a shutdown that prevented many of its employees from receiving paychecks for the time being.
Although the situation has been alleviated by a 3-week funding agreement, the situation has affected normal functioning, and at best it will take some time for a recovery. Two affected agencies are of particular importance to the US research community: DHS and NSF. Each day of shutdown builds up time pressure on contractual processes to fund security research (and many other kinds of research). We hope for a favorable and speedy end to the impasse.

For all the US security researchers employed by or funded by DHS:

   Down doobie doo, down down,
   They say that shutting down is hard to do,
   Now I know, I know it's half true,
   The Prez just says this is the end,
   Instead of shutting down I wish that we were getting paid again.

   Wall, woobie woo, wall, wall,
   Our government has come to a crawl,
   Nancy said, just plant a hedge.
   Come on Donnie, let's start anew,
   Cuz shutting down is hard to do.

   (with apologies to Neil Sedaka and anyone who cried over a romance when this parodied song was new)

      Hilarie Orman
      cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Sven Dietrich
Jan. 25, 2019
____________________________________________________________________

"Practical Binary Analysis: Build Your Own Linux Tools for Binary Instrumentation, Analysis, and Disassembly"
by Dennis Andriesse
No Starch Press 2019.
ISBN 1-59327-912-4, 978-1-59327-912-7

Some of us find fun and enjoyment in taking apart computer binaries (executable code) for understanding their functionality, their strengths, and their weaknesses.
We look at machine code produced from source code (often C or C++) by compilers with various optimization and protection levels, and realize that the result may only barely resemble the original logical flow. Add the twist of malicious code writers who add obfuscation on many levels, and we immediately face an even tougher challenge for understanding these bits presented to us, sometimes in a time-critical fashion when dealing with incident response.

Dennis Andriesse has put together a book that combines the necessary knowledge and tools enabling the reader to grasp not only the fundamentals of binary analysis, but also to put the newfound knowledge to the test in practical and illustrative examples of binary analysis.

The book is structured into four parts, the first three of which contain a total of thirteen chapters, and the last part contains four appendices.

After a foreword by Herbert Bos, who does a fine job of placing this book in context, the first part of the book contains four chapters providing an overview needed for this context: how a binary executable file is structured, what the ELF and PE binary formats look like, and how you can build a parser (really: a binary loader) with libbfd to analyze binaries and extract interesting information. These are formats found on Linux and macOS systems (ELF) and on Windows (PE). The book focuses on the popular and widespread Intel x86 architecture, often referring to the 64-bit variant x86-64, or x64 for short.

Part two provides binary analysis fundamentals, such as disassembly of code in a static or dynamic manner (non-running vs. running), or a combination of both. While the book does not provide full coverage of disassembly techniques, it does differentiate between linear and recursive disassembly approaches and recommends use cases for each. The last chapter in this part gets into modifying binaries with a hex editor, something not for the faint of heart.

Part three is really the heavy hitter in this book with six chapters covering the more advanced techniques for binary analysis. Here we find examples of customizing the binary analysis, modifying and instrumenting binaries, performing data flow analysis also known as dynamic taint analysis, and symbolic execution. One example shows how to detect Heartbleed, an SSL/TLS vulnerability, using dynamic taint analysis.

Part four with the appendices is a mix of a crash course on x86 assembly, more details on ELF injection, a list of binary analysis tools, and a list of articles, research articles and books for quenching the thirst for more knowledge.

Overall, this book is fun to read. It is quite suitable for the reader who is curious about how binaries are structured, what information can be gleaned from them (such as control flow, data flow, functionality, and even protection or obfuscation mechanisms), and for a course in software security or malware analysis. Reading the book brought back memories of old times spent modifying the Commodore 64 OS with peeks and pokes in the 1980s, and editing an A/UX (an ancestor of macOS) device driver in the 1990s, with the intent of retaining functionality after the demise of the software company that created the device driver.

-------------------------------------------
Sven Dietrich reviews technology and security books for IEEE Cipher. He welcomes your thoughts at spock at ieee dot org

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

(No changes since Cipher E146)

http://cisr.nps.edu/jobscipher.html

Send announcements to irvine@nps.edu with subject "Request for Cipher Job listing on CISR website"

--------------

This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
News Briefs
====================================================================

The Cyber Security Hall of Fame
From: Gene Spafford

The Cyber Security Hall of Fame was on hiatus while stable funding was secured. That has happened, and nominations are open for the class of 2019. Current honorees are listed at http://www.cybersecurityhalloffame.com/

Help by nominating qualified candidates! See http://bit.ly/CSHOFNom for details of nominations.

-------------------------------------------------------------

The People's Root Certificate Authority

Sennheiser discloses monumental blunder that cripples HTTPS on PCs and Macs
Poorly secured certificate lets hackers impersonate any website on the Internet
https://arstechnica.com/information-technology/2018/11/sennheiser-discloses-monumental-blunder-that-cripples-https-on-pcs-and-macs/
Ars Technica
By Dan Goodin
11/28/2018

Summary:
Imagine installing headphones on your computer and finding that thereafter major websites seemed to be forgeries. That risk was incurred by users of an app that installed a root certificate on Windows and MacOS machines. That root certificate had its private key encoded within it. Although the key was itself encrypted, hackers only needed a few minutes to extract it. From there, they could install signed certificates for any website, and the affected computers would "trust" them.

-------------------------------------------------------------

Dirty Cookies

OPEN SESAME! - Hot new trading site leaked oodles of user data, including login tokens
Data leaked by DX.Exchange would be "super easy" to criminalize.
https://arstechnica.com/information-technology/2019/01/hot-new-trading-site-leaked-oodles-of-user-data-including-login-tokens/
Ars Technica
1/9/2019
By Dan Goodin

Summary:
A trading site, DX.Exchange, opened recently to fanfare about its facilities for trading currencies and stocks. Users are, of course, required to register for accounts before using it. Whatever attention went into its design apparently was not spent on security analysis. The site was configured to use JSON Web tokens for its authentication cookies, and it had the habit of sending the login credentials for many random users along with whatever it needed for a single session. Those credentials could be used to log in to other accounts.

----------------------------------------------------

VPNs that are Unprivate, Actually

Malware, User Privacy Failures Found in Top Free VPN Android Apps
https://www.bleepingcomputer.com/news/security/malware-user-privacy-failures-found-in-top-free-vpn-android-apps/
Bleeping Computer
January 21, 2019
By Sergiu Gatlan

Summary:
Virtual Private Networks are a technology for keeping Internet data encrypted and confined to a set of trusted sites. Many people use them for connecting to their employer's networks. There are many free VPN apps in the Google Play Store, and one researcher found that about 20% of them have security and/or privacy problems. That represents about a quarter of a billion downloads. For example, 25% of them had location tracking.

----------------------------------------------------

Google Fine Not So Fine

Google fined record £44m by French data protection watchdog
CNIL found that company failed to offer users transparent information on data use
https://www.theguardian.com/technology/2019/jan/21/google-fined-record-44m-by-french-data-protection-watchdog
The Guardian
Alex Hern Jan.
21, 2019

Summary:
France has begun taking data protection seriously, and it has levied a fine of 50 million euros against Google for violating regulations about informing users about its data use policies. The data was available, but it was presented in a confusing manner in multiple documents and web pages.

----------------------------------------------------

Facebook is All Fine

Facebook Faces Potential Record U.S. Fine on Privacy Violations
https://www.bloomberg.com/news/articles/2019-01-18/facebook-is-said-to-face-record-u-s-fine-on-privacy-violations
Bloomberg
January 18, 2019
By David McLaughlin

Summary:
The fallout from the Cambridge Analytica fiasco keeps hitting Facebook. It seems that in 2011 Facebook told the FTC that it would be very careful about keeping users' personal data protected. Because Cambridge Analytica (and perhaps other companies) had access to user data, Facebook may be subject to a fine to be determined by the FTC.

-------------------------------------------------------------

News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Conference and Workshop Announcements
====================================================================

The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

Requests for inclusion in the list should be sent per instructions: http://www.ieee-security.org/Calendar/submitting.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events
maintained by Hilarie Orman

Date (Month/Day/Year), Event, Locations, web page for more
info.

1/25/19: ACM WiSec, 12th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Miami Beach, FL, USA; https://wisec19.fiu.edu/ Submissions are due
1/28/19- 1/30/19: IFIP 11.9 DF, 15th Annual IFIP WG 11.9 International Conference on Digital Forensics, Orlando, Florida, USA; http://www.ifip119.org
1/30/19: Safethings, IEEE Workshop on the Internet of Safe Things, Held in conjunction with the 40th IEEE Symposium on Security and Privacy (SP 2019), San Francisco, California, USA; https://www.ieee-security.org/TC/SPW2019/SafeThings/ Submissions are due
1/31/19: ACM-CCS, 26th ACM Conference on Computer and Communications Security, London, United Kingdom; http://www.sigsac.org/ccs/CCS2019/ Submissions are due
2/ 1/19: SP, 41st IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2020/ Submissions are due (monthly deadline)
2/10/19: SACMAT, 24th ACM Symposium on Access Control Models and Technologies, Toronto, Canada; http://www.sacmat.org/ Submissions are due
2/15/19: USENIX-Security, 28th USENIX Security Symposium, Santa Clara, CA, USA; https://www.usenix.org/conference/usenixsecurity19 Submissions are due
2/18/19: DIMVA, 16th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Gothenburg, Sweden; https://www.dimva2019.org/ Submissions are due
2/24/19- 2/27/19: NDSS, 26th Annual Network and Distributed System Security Symposium, San Diego, California, USA; https://www.ndss-symposium.org/ndss2019/ndss-2019-call-for-papers/
2/28/19: PET, 19th Privacy Enhancing Technologies Symposium, Stockholm, Sweden; https://petsymposium.org/cfp19.php Submissions are due
2/28/19: SSIoT, 1st IEEE EuroS&P Workshop on Software Security for Internet of Things, Co-located with IEEE EuroS&P 2019, Stockholm, Sweden; http://www.cse.chalmers.se/~russo/ssiot19/ Submissions are due
3/ 1/19: SP, 41st IEEE Symposium on Security and Privacy, San Francisco, CA, USA;
https://www.ieee-security.org/TC/SP2020/ Submissions are due (monthly deadline)
3/ 1/19: Blockchain, IEEE International Conference on Blockchain, Atlanta, GA, USA; http://www.blockchain-ieee.org/ Submissions are due
3/ 1/19: CPSS, 5th ACM Cyber-Physical System Security Workshop, Held in conjunction with ACM AsiaCCS 2019, Auckland, New Zealand; http://jianying.space/cpss/CPSS2019/ Submissions are due
3/ 1/19: DBSec, 33rd Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy, Charleston, SC, USA; https://dbsec2019.cse.sc.edu/ Submissions are due
3/15/19: TrustData, 10th International Workshop on Trust, Security and Privacy for Big Data, Atlanta, USA; http://www.spaccs.org/trustdata2019/ Submissions are due
3/25/19- 3/27/19: CODASPY, 9th ACM Conference on Data and Application Security and Privacy, Dallas, TX, USA; http://www.codaspy.org
3/27/19: IWSPA, 5th International Workshop on Security and Privacy Analytics, Co-located with ACM CODASPY 2019, Dallas, TX, USA; https://sites.google.com/view/iwspa-2019/home
3/30/19: AIBlock, 1st International Workshop on Application Intelligence and Blockchain Security, Held in Conjunction With ACNS 2019, Bogota, Colombia; http://aiblock2019.compute.dtu.dk/ Submissions are due
3/30/19: CLOUDS&P, 1st Workshop on Cloud Security and Privacy, Held in Conjunction With ACNS 2019, Bogota, Colombia; http://cloudsp2019.encs.concordia.ca Submissions are due
4/ 1/19: SP, 41st IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2020/ Submissions are due
4/22/19: ESORICS, 24th European Symposium on Research in Computer Security, Luxembourg; https://esorics2019.uni.lu Submissions are due
5/ 1/19: SP, 41st IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2020/ Submissions are due
5/15/19- 5/17/19: ACM WiSec, 12th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Miami Beach, FL, USA; https://wisec19.fiu.edu/
5/15/19: ACM-CCS, 26th ACM Conference on Computer and Communications Security, London, United Kingdom; http://www.sigsac.org/ccs/CCS2019/ Submissions are due
5/20/19- 5/22/19: SP, 40th IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2019/
5/23/19: Safethings, IEEE Workshop on the Internet of Safe Things, Held in conjunction with the 40th IEEE Symposium on Security and Privacy (SP 2019), San Francisco, California, USA; https://www.ieee-security.org/TC/SPW2019/SafeThings/
6/ 1/19: SP, 41st IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2020/ Submissions are due (monthly deadline)
6/ 4/19- 6/ 6/19: SACMAT, 24th ACM Symposium on Access Control Models and Technologies, Toronto, Canada; http://www.sacmat.org/
6/ 5/19- 6/ 7/19: AIBlock, 1st International Workshop on Application Intelligence and Blockchain Security, Held in Conjunction With ACNS 2019, Bogota, Colombia; http://aiblock2019.compute.dtu.dk/
6/ 5/19- 6/ 7/19: CLOUDS&P, 1st Workshop on Cloud Security and Privacy, Held in Conjunction With ACNS 2019, Bogota, Colombia; http://cloudsp2019.encs.concordia.ca
6/10/19- 6/12/19: CNS, IEEE Conference on Communications and Network Security, Washington, D.C., USA; http://cns2019.ieee-cns.org/
6/16/19: SSIoT, 1st IEEE EuroS&P Workshop on Software Security for Internet of Things, Co-located with IEEE EuroS&P 2019, Stockholm, Sweden; http://www.cse.chalmers.se/~russo/ssiot19/
6/17/19- 6/19/19: EuroSP, 4th IEEE European Symposium on Security and Privacy, Stockholm, Sweden; https://www.ieee-security.org/TC/EuroSP2019/cfp.php
6/19/19- 6/20/19: DIMVA, 16th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Gothenburg, Sweden; https://www.dimva2019.org/
7/ 1/19: SP, 41st IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2020/ Submissions are due (monthly deadline)
7/ 8/19: CPSS, 5th ACM
Cyber-Physical System Security Workshop, Held in conjunction with ACM AsiaCCS 2019, Auckland, New Zealand; http://jianying.space/cpss/CPSS2019/
7/14/19- 7/17/19: Blockchain, IEEE International Conference on Blockchain, Atlanta, GA, USA; http://www.blockchain-ieee.org/
7/14/19- 7/17/19: TrustData, 10th International Workshop on Trust, Security and Privacy for Big Data, Atlanta, USA; http://www.spaccs.org/trustdata2019/
7/15/19- 7/17/19: DBSec, 33rd Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy, Charleston, SC, USA; https://dbsec2019.cse.sc.edu/
7/16/19- 7/20/19: PET, 19th Privacy Enhancing Technologies Symposium, Stockholm, Sweden; https://petsymposium.org/cfp19.php
8/ 1/19: SP, 41st IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2020/ Submissions are due (monthly deadline)
8/14/19- 8/16/19: USENIX-Security, 28th USENIX Security Symposium, Santa Clara, CA, USA; https://www.usenix.org/conference/usenixsecurity19
9/ 1/19: SP, 41st IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2020/ Submissions are due (monthly deadline)
9/ 1/19: ACM-CCS, 26th ACM Conference on Computer and Communications Security, London, United Kingdom; http://www.sigsac.org/ccs/CCS2019/ Submissions are due
9/23/19- 9/27/19: ESORICS, 24th European Symposium on Research in Computer Security, Luxembourg; https://esorics2019.uni.lu
10/ 1/19: SP, 41st IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2020/ Submissions are due (monthly deadline)
11/ 1/19: SP, 41st IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2020/ Submissions are due (monthly deadline)
11/11/19-11/15/19: ACM-CCS, 26th ACM Conference on Computer and Communications Security, London, United Kingdom; http://www.sigsac.org/ccs/CCS2019/
12/ 1/19: SP, 41st IEEE Symposium on Security and Privacy, San Francisco,
CA, USA; https://www.ieee-security.org/TC/SP2020/ Submissions are due (monthly deadline)
1/ 1/20: SP, 41st IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2020/ Submissions are due (monthly deadline)
5/18/20- 5/20/20: SP, 41st IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2020/

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers (new since Cipher E146)
____________________________________________________________________

SP 2020 41st IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 18-20, 2020.
(Submissions are due first day of each month)
https://www.ieee-security.org/TC/SP2020/

Since 1980 in Oakland, the IEEE Symposium on Security and Privacy has been the premier forum for computer security research, presenting the latest developments and bringing together researchers and practitioners. We solicit previously unpublished papers offering novel research contributions in any aspect of security or privacy. Papers may present advances in the theory, design, implementation, analysis, verification, or empirical evaluation and measurement of secure systems.
Topics of interest include:
 - Access control and authorization
 - Anonymity
 - Application security
 - Attacks and defenses
 - Authentication
 - Blockchains and distributed ledger security
 - Censorship resistance
 - Cloud security
 - Cyber physical systems security
 - Distributed systems security
 - Economics of security and privacy
 - Embedded systems security
 - Forensics
 - Hardware security
 - Intrusion detection and prevention
 - Malware and unwanted software
 - Mobile and Web security and privacy
 - Language-based security
 - Machine learning and AI security
 - Network and systems security
 - Privacy technologies and mechanisms
 - Protocol security
 - Secure information flow
 - Security and privacy for the Internet of Things
 - Security and privacy metrics
 - Security and privacy policies
 - Security architectures
 - Usable security and privacy
 - Trustworthy computing
 - Web security

This topic list is not meant to be exhaustive; S&P is interested in all aspects of computer security and privacy. Papers without a clear application to security or privacy, however, will be considered out of scope and may be rejected without full review.

Systematization of Knowledge Papers

As in past years, we solicit systematization of knowledge (SoK) papers that evaluate, systematize, and contextualize existing knowledge, as such papers can provide a high value to our community. Suitable papers are those that provide an important new viewpoint on an established, major research area, support or challenge long-held beliefs in such an area with compelling evidence, or present a convincing, comprehensive new taxonomy of such an area. Survey papers without such insights are not appropriate. Submissions will be distinguished by the prefix 'SoK:' in the title and a checkbox on the submission form.
They will be reviewed by the full PC and held to the same standards as traditional research papers, but they will be accepted based on their treatment of existing work and value to the community, and not based on any new research results they may contain. Accepted papers will be presented at the symposium and included in the proceedings.

Workshops

The Symposium is also soliciting submissions for co-located workshops. Further details on submissions can be found at https://www.ieee-security.org/TC/SP2020/workshops.html.

Ongoing Submissions

To enhance the quality and timeliness of the scientific results presented as part of the Symposium, and to improve the quality of our reviewing process, IEEE S&P now accepts paper submissions 12 times a year, on the first of each month. The detailed process can be found at the conference call-for-papers page.

-------------------------------------------------------------------------

ACM WiSec 2019 12th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Miami Beach, FL, USA, May 15-17, 2019.
(Submissions are due 25 January 2019)
https://wisec19.fiu.edu/

ACM WiSec is the leading ACM and SIGSAC conference dedicated to all aspects of security and privacy in wireless and mobile networks and their applications. In addition to the traditional ACM WiSec topics of physical, link, and network layer security, we welcome papers focusing on the increasingly diverse range of mobile or wireless applications such as Internet of Things, and Cyber-Physical Systems, as well as the security and privacy of mobile software platforms, usable security and privacy, biometrics, and cryptography. The conference welcomes both theoretical as well as systems contributions.
Topics of interest include, but are not limited to:
 - Security protocols for wireless networking
 - Security & privacy for smart devices (e.g., smartphones)
 - Security of mobile applications for smartphones and wearables
 - Wireless and mobile privacy and anonymity
 - Secure localization and location privacy
 - Cellular network fraud and security
 - Jamming attacks and defenses
 - Key management (agreement or distribution) for wireless or mobile systems
 - Theoretical and formal approaches for wireless and mobile security
 - Physical layer and Information-theoretic security schemes for wireless systems
 - Cryptographic primitives for wireless and mobile security
 - NFC and smart payment applications
 - Security and privacy for mobile sensing systems
 - Wireless or mobile security for Cyber-Physical Systems (e.g., healthcare, smart grid, or IoT applications)
 - Vehicular networks security (e.g., drones, automotive, avionics, autonomous driving)
 - Physical tracking security and privacy
 - Usable mobile security and privacy
 - Economics of mobile security and privacy
 - Mobile malware and platform security
 - Security for cognitive radio and dynamic spectrum access systems

-------------------------------------------------------------------------

ACM-CCS 2019 26th ACM Conference on Computer and Communications Security, London, United Kingdom, November 11-15, 2019.
(Submissions are due 31 January 2019, 15 May 2019, 1 September 2019)
http://www.sigsac.org/ccs/CCS2019/

The ACM Conference on Computer and Communications Security (CCS) is the flagship annual conference of the Special Interest Group on Security, Audit and Control (SIGSAC) of the Association for Computing Machinery (ACM). The conference brings together information security researchers, practitioners, developers, and users from all over the world to explore cutting-edge ideas and results. It provides an environment to conduct intellectual discussions.
From its inception, CCS has established itself as a high standard research conference in its area. The Conference on Computer and Communications Security (CCS) seeks submissions presenting novel contributions related to all real-world aspects of computer security and privacy. Theoretical papers must make a convincing case for the relevance of their results to practice. Authors are encouraged to write the abstract and introduction of their paper in a way that makes the results accessible and compelling to a general computer-security researcher. In particular, authors should bear in mind that anyone on the program committee may be asked to give an opinion about any paper.

IMPORTANT: CCS will have three review cycles in 2019: the first with a submission deadline of January 31, the second with a submission deadline of May 15, and the third with a tentative submission deadline of September 1. The third review cycle is only for papers invited for resubmission from the first two cycles; no new submissions will be considered. Papers rejected from the first review cycle may not be submitted again (even in revised form) to the second review cycle.

-------------------------------------------------------------------------

SACMAT 2019 24th ACM Symposium on Access Control Models and Technologies, Toronto, Canada, June 4-6, 2019.
(Submissions are due 10 February 2019)
http://www.sacmat.org/

The organizing committee of the 24th ACM Symposium on Access Control Models and Technologies (SACMAT 2019) invites contributions in all aspects of access control. The symposium will provide participants the opportunity to present work at different levels of development, from early work on promising ideas to fully developed technical results as well as system demonstrations. Papers offering novel research contributions are solicited for submission. Accepted papers will be presented at the symposium and published by the ACM in the symposium proceedings.
In addition to the regular research track, this year SACMAT will again host a special track -- "Blue Sky/Vision Track". Researchers are invited to submit papers describing promising new ideas and challenges of interest to the community as well as access control needs emerging from other fields. We are particularly looking for potentially disruptive and new ideas which can shape the research agenda for the next 10 years. We encourage submissions that present ideas that may have not been completely developed and experimentally evaluated.

Submissions to the regular track covering any relevant area of access control are welcomed. Areas include, but are not limited to, the following:
- Access control for edge computing
- Applications
- Applied machine learning for access management
- Attribute-based systems
- Authentication
- Big data
- Biometrics
- Blockchain
- Cloud computing and network access control management
- Cryptographic approaches
- Cyber attacks and network dynamics
- Cyber-physical systems and Internet of Things (IoT)
- Databases and data management
- Data protection on untrusted infrastructure
- Design methodology
- Distributed and mobile systems
- Economic models and game theory
- Enforcement mechanisms
- Hardware enhanced security
- Identity management
- Identification of and protection from data leakage
- Mechanisms, systems, and tools
- Models and extensions
- Obligations
- Privacy-aware access control
- Policy engineering and analysis
- Requirements
- Risk and uncertainty
- Safety analysis
- Theoretical foundations
- Trust management
- Usability

-------------------------------------------------------------------------
USENIX-Security 2019 28th USENIX Security Symposium, Santa Clara, CA, USA, August 14-16, 2019.
(Submissions are due 15 November 2018, 15 February 2019)
https://www.usenix.org/conference/usenixsecurity19

The USENIX Security Symposium brings together researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in the security and privacy of computer systems and networks. The USENIX Security Symposium is moving to multiple submission deadlines for USENIX Security '19. This change includes changes to the review process and submission policies. Detailed information is available on the USENIX Security Publication Model Changes web page at www.usenix.org/conference/usenixsecurity19/publication-model-change. All researchers are encouraged to submit papers covering novel and scientifically significant practical works in computer security. There will be two quarterly submission deadlines for USENIX Security '19. The fall quarter submissions deadline is Thursday, November 15, 2018, 5:00 pm PST. The winter quarter submissions deadline is Friday, February 15, 2019, 5:00 pm PST. The Symposium will span three days with a technical program including refereed papers, invited talks, posters, panel discussions, and Birds-of-a-Feather sessions. Co-located events will precede the Symposium on August 12 and 13.

-------------------------------------------------------------------------
DIMVA 2019 16th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Gothenburg, Sweden, June 19-20, 2019.
(Submissions are due 18 February 2019)
https://www.dimva2019.org/

The annual DIMVA conference serves as a premier forum for advancing the state of the art in the broader areas of intrusion detection, malware analysis, and vulnerability assessment. Each year, DIMVA brings together international experts from academia, industry, and government to present and discuss novel research in these areas.
DIMVA is organized by the special interest group Security - Intrusion Detection and Response (SIDAR) of the German Informatics Society (GI). DIMVA solicits submissions of high-quality, original scientific papers presenting novel research on malware analysis, intrusion detection, vulnerability assessment, and related systems security topics.

-------------------------------------------------------------------------
SSIoT 2019 1st IEEE EuroS&P Workshop on Software Security for Internet of Things, Co-located with IEEE EuroS&P 2019, Stockholm, Sweden, June 16, 2019.
(Submissions are due 28 February 2019)
http://www.cse.chalmers.se/~russo/ssiot19/

The Internet of Things (IoT), connecting large numbers of small embedded devices to the internet, is currently being deployed in critical infrastructures, factories, hospitals, smart buildings, and so on. Compromised or faulty IoT components and systems can cause catastrophic damage to individuals, companies, and society. However, existing software for IoT has not been designed with security as a main objective, but rather to cope with constrained memory, power, processing, and bandwidth resources. Consequently, techniques are needed by which software for IoT can achieve the highest level of security and safety. Such techniques are getting mature for other domains, in particular for mainstream computing systems, but IoT devices feature peculiar characteristics that hinder employing conventional software security techniques. There is a great push to bring advanced software security to IoT. At the same time, a targeted scientific IoT software security forum for discussions, publications and networking is currently lacking. The IEEE Workshop on Software Security for IoT (SSIoT) 2019 is the first international conference focusing primarily on the software security for the Internet of Things (IoT).
SSIoT aims to provide a forum for exploring and evaluating ideas on bringing secure software to IoT and a venue to publish novel research ideas on this topic. SSIoT strongly encourages proposals of new, speculative ideas, evaluations of new or known techniques in practical settings, and discussions of emerging threats and important problems. We are especially interested in position papers that are radical, forward-looking, and likely to lead to lively and insightful discussions that will influence future research on IoT security.

-------------------------------------------------------------------------
Blockchain 2019 IEEE International Conference on Blockchain, Atlanta, GA, USA, July 14-17, 2019.
(Submissions are due 1 March 2019)
http://www.blockchain-ieee.org/

The emergence and popularity of blockchain techniques will significantly change the way of digital and networking systems' operation and management. In the meantime, the application of blockchain will exhibit a variety of complicated problems and new requirements, which brings more open issues and challenges for research communities. The goal of this conference is to promote community-wide discussion identifying the advanced applications, technologies and theories for blockchain. We seek submissions of papers that invent novel techniques, investigate new applications, introduce advanced methodologies, propose promising research directions and discuss approaches for unsolved issues.

-------------------------------------------------------------------------
CPSS 2019 5th ACM Cyber-Physical System Security Workshop, Held in conjunction with ACM AsiaCCS 2019, Auckland, New Zealand, July 8, 2019.
(Submissions are due 1 March 2019)
http://jianying.space/cpss/CPSS2019/

Cyber-Physical Systems (CPS) of interest to this workshop consist of large-scale interconnected systems of heterogeneous components interacting with their physical environments.
There exist a multitude of CPS devices and applications deployed to serve critical functions in our lives thus making security an important non-functional attribute of such systems. This workshop will provide a platform for professionals from academia, government, and industry to discuss novel ways to address the ever-present security challenges facing CPS. We seek submissions describing theoretical and practical solutions to security challenges in CPS. Submissions pertinent to the security of embedded systems, IoT, SCADA, smart grid, and other critical infrastructure are welcome.

-------------------------------------------------------------------------
DBSec 2019 33rd Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy, Charleston, SC, USA, July 15-17, 2019.
(Submissions are due 1 March 2019)
https://dbsec2019.cse.sc.edu/

DBSec is an annual international conference covering research in data and applications security and privacy. The conference seeks submissions from academia, industry, and government presenting novel research on all theoretical and practical aspects of data protection, privacy, and applications security.
Topics of interest include, but are not limited to:
- access control
- anonymity
- applied cryptography in data security
- authentication
- big data security
- data and system integrity
- data protection
- database security
- digital rights management
- distributed and decentralised security
- identity management
- intrusion detection
- knowledge discovery and privacy
- methodologies for data and application security
- network security
- organisational and social aspects of security
- privacy
- secure cloud computing
- secure distributed systems
- secure information integration
- security and privacy in crowdsourcing
- security and privacy in IT outsourcing
- security and privacy in the Internet of Things
- security and privacy in location-based services
- security and privacy in P2P scenarios and social networks
- security and privacy in pervasive/ubiquitous computing
- security and privacy policies
- security management and audit
- security metrics
- threats, vulnerabilities, and risk management
- trust and reputation systems
- trust management
- Web security
- wireless and mobile security

-------------------------------------------------------------------------
TrustData 2019 10th International Workshop on Trust, Security and Privacy for Big Data, Atlanta, USA, July 14-17, 2019.
(Submissions are due 15 March 2019)
http://www.spaccs.org/trustdata2019/

The proliferation of new technologies such as Internet of Things and cloud computing calls for innovative ideas to retrieve, filter, and integrate data from a large number of diverse data sources. Big Data is an emerging paradigm applied to datasets whose volume/velocity/variability is beyond the ability of commonly used software tools to manage and process the data within a tolerable period of time. More importantly, Big Data has to be of high value, and should be protected in an efficient way.
Since Big Data involves a huge amount of data that is of high-dimensionality and inter-linkage, existing trust, security, and privacy measures for traditional databases and infrastructures cannot satisfy its requirements. Novel technologies for protecting Big Data are attracting researchers and practitioners with more and more attention. The 10th International Workshop on Trust, Security and Privacy for Big Data (TrustData 2019) aims to bring together people from both academia and industry to present their most recent work related to trust, security and privacy issues in Big Data, and exchange ideas and thoughts in order to identify emerging research topics and define the future of Big Data.

-------------------------------------------------------------------------
AIBlock 2019 1st International Workshop on Application Intelligence and Blockchain Security, Held in Conjunction With ACNS 2019, Bogota, Colombia, Jun 5-7, 2019.
(Submissions due 30 March 2019)
http://aiblock2019.compute.dtu.dk/

This workshop attempts to provide a platform for professionals from academia and industry to discuss challenges and potential solutions in this direction. We seek submissions describing either theoretical or practical solutions in relation to application intelligence security and blockchain security.

Topics of interest include, but are not limited to:
- Authentication
- Blockchain Platforms
- Blockchain-based Applications
- Cryptocurrency Analysis
- Data and System Integrity
- Data Protection
- Database Security
- Decentralized Application Development
- Formal Method
- Intrusion Detection
- Smart Contracts
- Trust and Privacy of Applications
- Vulnerability Analysis

-------------------------------------------------------------------------
CLOUDS&P 2019 1st Workshop on Cloud Security and Privacy, Bogota, Colombia, June 5-7, 2019.
(Submissions due 30 March 2019)
http://cloudsp2019.encs.concordia.ca

Cloud computing is emerging as a promising IT solution for enabling ubiquitous, convenient, and on-demand accesses to a shared pool of configurable computing resources. However, the widespread adoption of cloud is still being hindered by various serious security and privacy concerns. CLOUD S&P aims to provide a platform for researchers and practitioners to present and discuss a wide-range of security and privacy issues and their solutions to ensure better protection in a cloud ecosystem. This workshop invites submissions on new attacks and solutions on various cloud-centric technologies, as well as short surveys and case studies that shed light on the security implications of clouds.

-------------------------------------------------------------------------
ESORICS 2019 24th European Symposium on Research in Computer Security, Luxembourg, September 23-27, 2019.
(Submissions due 22 April 2019)
https://esorics2019.uni.lu

ESORICS is the annual European research event in Computer Security. The Symposium started in 1990 and has been held in several European countries, attracting a wide international audience from both the academic and industrial communities. Papers offering novel research contributions in computer security are solicited for submission to the 2019 Symposium, to be held in Luxembourg. The primary focus is on original, high quality, unpublished research and implementation experiences. We encourage submissions of papers discussing industrial research and development.
Topics of interest include, but are not limited to:
- access control
- accountability
- ad hoc networks
- anonymity
- applied cryptography
- authentication
- biometrics
- blockchain and finance security
- data and computation integrity
- database security
- data protection
- deep learning for attack and defense
- digital content protection
- digital forensics
- distributed systems security
- embedded systems security
- inference control
- information hiding
- identity management
- information flow control
- information security governance and management
- intrusion detection
- formal security methods
- language-based security
- network security
- phishing and spam prevention
- privacy
- privacy preserving data mining
- risk analysis and management
- secure electronic voting
- security architectures
- security economics
- security metrics
- security models
- security and privacy for big data
- security and privacy in cloud scenarios
- security and privacy in complex systems
- security and privacy in content centric networking
- security and privacy in crowdsourcing
- security and privacy in the IoT
- security and privacy in location services
- security and privacy for mobile code
- security and privacy in pervasive / ubiquitous computing
- security and privacy policies
- security and privacy in social networks
- security and privacy in web services
- security and privacy in cyber-physical systems
- security, privacy and resilience in critical infrastructures
- security verification
- software security
- systems security
- trust models and management
- trustworthy user devices
- usable security and privacy
- web security
- wireless security

-------------------------------------------------------------------------

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe". OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard". OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments.
To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy (or other TCs) by completing the on-line form at IEEE at https://www.computer.org/web/tandc/technical-committees

______________________________________________________________________
TC Conference Publications Online
______________________________________________________________________

The proceedings of previous conferences are available from the Computer Society's Digital Library.

IEEE Security and Privacy Symposium
IEEE Computer Security Foundations
IEEE European Security and Privacy Symposium

From 2012 onward, these are available without charge from the digital library 12 months after the conference.
____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________

Chair:                               Security and Privacy Symposium Chair Emeritus:
Sean Peisert                         Jason Li
UC Davis and                         Intelligent Automation
Lawrence Berkeley                    oakland18-chair@ieee-security.org
National Laboratory
speisert@ucdavis.edu

Vice Chair:                          Treasurer:
Ulfar Erlingsson                     Yong Guan
Manager, Security Research           3219 Coover Hall
Google                               Department of Electrical and Computer
tcchair at ieee-security.org         Engineering
                                     Iowa State University, Ames, IA 50011
                                     (515) 294-8378
                                     yguan (at) iastate.edu

Newsletter Editor and                Security and Privacy Symposium, 2019 Chair:
TC Awards Chair:                     Mark Gondree
Hilarie Orman                        Sonoma State University
Purple Streak, Inc.                  oakland19-chair@ieee-security.org
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

____________________________________________________________________________
BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year