============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 148
March 20, 2019

Hilarie Orman, Editor: cipher-editor @ ieee-security.org
Sven Dietrich, Assoc. Editor: cipher-assoc-editor @ ieee-security.org
Sven Dietrich, Book Review Editor: cipher-bookrev @ ieee-security.org
Yong Guan, Calendar Editor: cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Commentary and Opinion and News
    o News Items
       - Cryptographers Angry at US Visa Issuance Dysfunction
       - Shh! Your Hard Drive is Listening!
       - China Rejects Trash, Takes IDs
       - FCC's Opaque Neutrality Stance
       - Facebook, passwords exposed, again, of course
       - Take Another Little Peek at my Heart
    o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
 * Conference and Workshop Announcements
    o Calendar of events
    o Upcoming calls-for-papers and events
 * Staying in Touch
    o Information for subscribers and contributors
    o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
    o Becoming a member of the TC
    o TC Officers
    o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

The 40th Symposium on Security and Privacy will be held May 20-22 at the San Francisco Hyatt. Registration is open, and the schedule should be available Real Soon.
The website lists a chair for the 40th celebration, and we suspect that the Tuesday evening reception will have some kind of festivities. There are also co-located workshops starting on Thursday of that week.

The 40th Symposium follows 9 years after the 30th Anniversary celebration of the Symposium, when it was still held in Oakland. Anniversaries use 1-based counting, meeting numbers use 0-based counting, and the difference between the two systems causes computer scientists as much angst as Daylight Savings Time.

The decade boundaries cause people to think about the history of the fields of security and privacy and to wonder about the lasting contributions. I have been mulling over a somewhat contrarian view of things: "Cybersecurity is not very important" by Andrew Odlyzko. The paper has attracted a good deal of commentary in the short time that it has been available. Perhaps cybersecurity is less a matter of science and more a matter of practicality. Maybe we should not expect research to have widespread impacts, maybe incremental progress is the best we can do. It's complicated.

"On a clear disk,
You can seek forever."
P. J. Denning

In a clear text,
You can seek out Facebook,
And see all the user passwords
Outshining every star.
In a clear text,
You can read sooner or later,
All accounts and user data,
Forever and ever and ever more.
(Lerner and Lane, sorry about this)

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

New since Cipher E147

Posted January 2019
University of Luxembourg
Interdisciplinary Centre for Security, Reliability and Trust
2 PhD positions in "Security and privacy of resource constrained devices" and "Risk analysis and regulatory compliance of DLTs for transaction and management of securities"
Closes April 2019
URL of position descriptions: http://www.luxli.lu/2018/11/02/two-phd-positions-at-the-university-of-luxembourg/

http://cisr.nps.edu/jobscipher.html
--------------
This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
News Briefs
====================================================================

Cryptographers Angry at US Visa Issuance Dysfunction

Adi Shamir visa snub: US govt slammed after the S in RSA blocked from his own RSA conf
https://www.theregister.co.uk/2019/03/05/rsa_cofounder_us_visa_row/
The Register
Mar 6, 2019
By Iain Thomson

Summary:
Adi Shamir, the "S" in "RSA", looks forward to attending the annual RSA conference each year in San Francisco. This year he did not hear anything about his visa application, so he could not travel from Israel to California to appear in person. He did address the conference via Skype, and he suggested that if researchers could not travel to the US, then events should be held elsewhere. There was widespread speculation about the visa situation.
Some people suspected that the US government shutdown had created a large backlog of paperwork. One said that it appeared that "no one is in charge."

---------------------------------------

Shh! Your Hard Drive is Listening!

From hard drive to over-heard drive: Boffins convert spinning rust into eavesdropping mic
https://www.theregister.co.uk/2019/03/07/hard_drive_eavesdropping/
The Register
Mar 7, 2019
By Thomas Claburn

Summary:
Modern hard drives are magnificent pieces of machinery with precision engineering. One group of researchers wondered if the drives might be multi-purpose. Perhaps the delicate electronics could sense more than just the data on the drive. Could ambient sound waves deflect the read heads enough to serve as a sound sensor? The answer, surprisingly, is yes. Although the drive heads do not respond well enough to serve as a reliable microphone, they definitely respond to loud sounds, and that is detectable using extended features of the drive's firmware. Speak softly.

---------------------------------------

China Rejects Trash, Takes IDs

HMD admits the Nokia 7 Plus was sending personal data to China
HMD calls the event "an error" and has issued a patch.
https://arstechnica.com/gadgets/2019/03/hmd-admits-the-nokia-7-plus-was-sending-personal-data-to-china/
Ars Technica
3/22/2019
By Ron Amadeo

Summary:
An app that was installed on a batch of Nokia phones had a disturbing and unadvertised feature: it sent data about the phone usage to a server in China. All parties involved insist it was an innocent error. [Ed. And it won't happen again (until the next time).]

---------------------------------------

FCC's Opaque Neutrality Stance

FCC has to pay journalist $43,000 after hiding net neutrality records
FCC pays journalist's legal fees after failing to comply with records request.
https://arstechnica.com/tech-policy/2019/03/fcc-has-to-pay-journalist-43000-after-hiding-net-neutrality-records/
Ars Technica
3/22/2019
By Jon Brodkin

Summary:
Net neutrality is a policy that the FCC ended last year, after soliciting, and then apparently ignoring, public comments. The FCC maintained that millions of the comments were from fake accounts. A journalist requested the data from the FCC website that allegedly substantiated the claim, but the FCC was not forthcoming. A lawsuit was filed to force the revelation of the data, and a court granted a partial victory to the litigant.

---------------------------------------

Facebook, passwords exposed, again, of course

Facebook apps logged users' passwords in plaintext, because why not
Unencrypted user credentials stored on Facebook internal servers as far back as 2012.
https://arstechnica.com/information-technology/2019/03/facebook-developers-wrote-apps-that-stored-users-passwords-in-plaintext/
Ars Technica
By Sean Gallagher
3/21/2019

Summary:
Despite the widespread availability of technology for storing passwords securely, Facebook engineers decided that there was no need to protect passwords inside the company's network enclave. This left the passwords visible to thousands of Facebook employees over a period of many years.

---------------------------------------

Take Another Little Peek at my Heart

HOT WIRE MY HEART - Critical flaw lets hackers control lifesaving devices implanted inside patients
Implanted devices from Medtronic can have their firmware rewritten, DHS warns.
https://arstechnica.com/information-technology/2019/03/critical-flaw-lets-hackers-control-lifesaving-devices-implanted-inside-patients/
Ars Technica
By Dan Goodin
3/21/2019

Summary:
There are many people alive today because they carry implanted medical devices in their bodies. The devices have computers and wireless communication capabilities. Unsurprisingly, if they are devoid of standard security protections, they are completely hackable.
The Conexus Radio Frequency Telemetry Protocol, which is Medtronic's proprietary means for the monitors to wirelessly connect to implanted devices, has a "raft" of security weaknesses that leave them open to everything from privacy violations to complete reprogramming by anyone within wireless range. Medtronic emphasizes that no device has ever actually been hacked, and that they are responding to US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency's advisory https://ics-cert.us-cert.gov/advisories/ICSMA-19-080-01 with all due speed.

---------------------------------------

News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

Requests for inclusion in the list should be sent per instructions: http://www.ieee-security.org/Calendar/submitting.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

3/25/19- 3/27/19: CODASPY, 9th ACM Conference on Data and Application Security and Privacy, Dallas, TX, USA; http://www.codaspy.org
3/26/19: RAID, International Symposium on Research in
Attacks, Intrusions and Defenses, Beijing, China; http://www.raid-2019.org/callForPapers.html Submissions are due
3/27/19: IWSPA, 5th International Workshop on Security and Privacy Analytics, Co-located with ACM CODASPY 2019, Dallas, TX, USA; https://sites.google.com/view/iwspa-2019/home
3/30/19: AIBlock, 1st International Workshop on Application Intelligence and Blockchain Security, Held in Conjunction With ACNS 2019, Bogota, Colombia; http://aiblock2019.compute.dtu.dk/ Submissions are due
3/30/19: CLOUDS&P, 1st Workshop on Cloud Security and Privacy, Held in Conjunction With ACNS 2019, Bogota, Colombia; http://cloudsp2019.encs.concordia.ca Submissions are due
3/31/19: TrustData, 10th International Workshop on Trust, Security and Privacy for Big Data, Atlanta, USA; http://www.spaccs.org/trustdata2019/ Submissions are due
4/ 1/19: SP, 41st IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2020/ Submissions are due
4/ 1/19: Blockchain, IEEE International Conference on Blockchain, Atlanta, GA, USA; http://www.blockchain-ieee.org/ Submissions are due
4/ 2/19: IWSEC, 14th International Workshop on Security, Tokyo, Japan; https://www.iwsec.org/2019/ Submissions are due
4/ 5/19: ISC, 22nd Information Security Conference, New York, NY, USA; https://isc2019.cs.stonybrook.edu/ Submissions are due
4/ 5/19: GraMSec, International Workshop on Graphical Models for Security, Co-located with CSF 2019 Hoboken, NJ, USA; http://gramsec.uni.lu Submissions are due
4/ 8/19: SecDev, IEEE Secure Development Conference, McLean, VA, USA; https://secdev.ieee.org/ Submissions are due
4/15/19: Elsevier Internet of Things, Special Issue on Machine Learning for Security, Privacy and Trust in IoT; https://www.journals.elsevier.com/internet-of-things/call-for-papers/machine-learning-for-security-privacy-and-trust-in-iot Submissions are due
4/16/19: SecureComm, 15th EAI International Conference on Security and Privacy in Communication Networks,
Orlando, FL, USA; http://securecomm.org Submissions are due
4/22/19: ESORICS, 24th European Symposium on Research in Computer Security, Luxembourg; https://esorics2019.uni.lu Submissions are due
4/30/19: CRITIS, 14th International Conference on Critical Information Infrastructures Security, Linkoping, Sweden; https://critis2019.on.liu.se/ Submissions are due
5/ 1/19: SP, 41st IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2020/ Submissions are due
5/ 1/19: SciSec, 2nd International Conference on Science of Cyber Security, Nanjing, China; http://www.sci-cs.net Submissions are due
5/15/19- 5/17/19: ACM WiSec, 12th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Miami Beach, FL, USA; https://wisec19.fiu.edu/
5/15/19: ACM-CCS, 26th ACM Conference on Computer and Communications Security, London, United Kingdom; http://www.sigsac.org/ccs/CCS2019/ Submissions are due
5/20/19- 5/22/19: SP, 40th IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2019/
5/23/19: Safethings, IEEE Workshop on the Internet of Safe Things, Held in conjunction with the 40th IEEE Symposium on Security and Privacy (SP 2019), San Francisco, California, USA; https://www.ieee-security.org/TC/SPW2019/SafeThings/
6/ 1/19: SP, 41st IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2020/ Submissions are due
6/ 4/19- 6/ 6/19: SACMAT, 24th ACM Symposium on Access Control Models and Technologies, Toronto, Canada; http://www.sacmat.org/
6/ 5/19- 6/ 7/19: AIBlock, 1st International Workshop on Application Intelligence and Blockchain Security, Held in Conjunction With ACNS 2019, Bogota, Colombia; http://aiblock2019.compute.dtu.dk/
6/ 5/19- 6/ 7/19: CLOUDS&P, 1st Workshop on Cloud Security and Privacy, Held in Conjunction With ACNS 2019, Bogota, Colombia; http://cloudsp2019.encs.concordia.ca
6/10/19- 6/12/19: CNS, IEEE Conference on
Communications and Network Security, Washington, D.C., USA; http://cns2019.ieee-cns.org/
6/16/19: SSIoT, 1st IEEE EuroS&P Workshop on Software Security for Internet of Things, Co-located with IEEE EuroS&P 2019, Stockholm, Sweden; http://www.cse.chalmers.se/~russo/ssiot19/
6/17/19- 6/19/19: EuroSP, 4th IEEE European Symposium on Security and Privacy, Stockholm, Sweden; https://www.ieee-security.org/TC/EuroSP2019/cfp.php
6/19/19- 6/20/19: DIMVA, 16th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Gothenburg, Sweden; https://www.dimva2019.org/
6/24/19: GraMSec, International Workshop on Graphical Models for Security, Co-located with CSF 2019 Hoboken, NJ, USA; http://gramsec.uni.lu
7/ 1/19: SP, 41st IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2020/ Submissions are due
7/ 8/19: CPSS, 5th ACM Cyber-Physical System Security Workshop, Held in conjunction with ACM AsiaCCS 2019, Auckland, New Zealand; http://jianying.space/cpss/CPSS2019/
7/14/19- 7/17/19: Blockchain, IEEE International Conference on Blockchain, Atlanta, GA, USA; http://www.blockchain-ieee.org/
7/14/19- 7/17/19: TrustData, 10th International Workshop on Trust, Security and Privacy for Big Data, Atlanta, USA; http://www.spaccs.org/trustdata2019/
7/15/19- 7/17/19: DBSec, 33rd Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy, Charleston, SC, USA; https://dbsec2019.cse.sc.edu/
7/16/19- 7/20/19: PET, 19th Privacy Enhancing Technologies Symposium, Stockholm, Sweden; https://petsymposium.org/cfp19.php
8/ 1/19: SP, 41st IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2020/ Submissions are due
8/ 9/19- 8/11/19: SciSec, 2nd International Conference on Science of Cyber Security, Nanjing, China; http://www.sci-cs.net
8/14/19- 8/16/19: USENIX-Security, 28th USENIX Security Symposium, Santa Clara, CA, USA;
https://www.usenix.org/conference/usenixsecurity19
8/28/19- 8/30/19: IWSEC, 14th International Workshop on Security, Tokyo, Japan; https://www.iwsec.org/2019/
9/ 1/19: SP, 41st IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2020/ Submissions are due
9/ 1/19: ACM-CCS, 26th ACM Conference on Computer and Communications Security, London, United Kingdom; http://www.sigsac.org/ccs/CCS2019/ Submissions are due
9/16/19- 9/18/19: ISC, 22nd Information Security Conference, New York, NY, USA; https://isc2019.cs.stonybrook.edu/
9/23/19- 9/27/19: ESORICS, 24th European Symposium on Research in Computer Security, Luxembourg; https://esorics2019.uni.lu
9/23/19- 9/25/19: RAID, International Symposium on Research in Attacks, Intrusions and Defenses, Beijing, China; http://www.raid-2019.org/callForPapers.html
9/23/19- 9/25/19: CRITIS, 14th International Conference on Critical Information Infrastructures Security, Linkoping, Sweden; https://critis2019.on.liu.se/
9/25/19- 9/27/19: SecDev, IEEE Secure Development Conference, McLean, VA, USA; https://secdev.ieee.org/
10/ 1/19: SP, 41st IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2020/ Submissions are due
10/23/19-10/25/19: SecureComm, 15th EAI International Conference on Security and Privacy in Communication Networks, Orlando, FL, USA; http://securecomm.org
11/ 1/19: SP, 41st IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2020/ Submissions are due
11/11/19-11/15/19: ACM-CCS, 26th ACM Conference on Computer and Communications Security, London, United Kingdom; http://www.sigsac.org/ccs/CCS2019/
11/30/19: Springer Human-centric Computing and Information Sciences, Thematic Issue on Security, trust and privacy for Human-centric Internet of Things; https://toit.acm.org/pdf/ACM-ToIT-CfP-Decentralized_Blockchain_Applications.pdf Submissions are due
12/ 1/19: SP, 41st IEEE Symposium on
Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2020/ Submissions are due
1/ 1/20: SP, 41st IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2020/ Submissions are due
5/18/20- 5/20/20: SP, 41st IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2020/

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers (new since Cipher E87)
___________________________________________________________________

SP 2020 41st IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 18-20, 2020. (Submissions due first day of each month)
https://www.ieee-security.org/TC/SP2020/

Since 1980 in Oakland, the IEEE Symposium on Security and Privacy has been the premier forum for computer security research, presenting the latest developments and bringing together researchers and practitioners. We solicit previously unpublished papers offering novel research contributions in any aspect of security or privacy. Papers may present advances in the theory, design, implementation, analysis, verification, or empirical evaluation and measurement of secure systems.
Topics of interest include:
- Access control and authorization
- Anonymity
- Application security
- Attacks and defenses
- Authentication
- Blockchains and distributed ledger security
- Censorship resistance
- Cloud security
- Cyber physical systems security
- Distributed systems security
- Economics of security and privacy
- Embedded systems security
- Forensics
- Hardware security
- Intrusion detection and prevention
- Malware and unwanted software
- Mobile and Web security and privacy
- Language-based security
- Machine learning and AI security
- Network and systems security
- Privacy technologies and mechanisms
- Protocol security
- Secure information flow
- Security and privacy for the Internet of Things
- Security and privacy metrics
- Security and privacy policies
- Security architectures
- Usable security and privacy
- Trustworthy computing
- Web security

This topic list is not meant to be exhaustive; S&P is interested in all aspects of computer security and privacy. Papers without a clear application to security or privacy, however, will be considered out of scope and may be rejected without full review.

Systematization of Knowledge Papers

As in past years, we solicit systematization of knowledge (SoK) papers that evaluate, systematize, and contextualize existing knowledge, as such papers can provide a high value to our community. Suitable papers are those that provide an important new viewpoint on an established, major research area, support or challenge long-held beliefs in such an area with compelling evidence, or present a convincing, comprehensive new taxonomy of such an area. Survey papers without such insights are not appropriate. Submissions will be distinguished by the prefix "SoK:" in the title and a checkbox on the submission form.
They will be reviewed by the full PC and held to the same standards as traditional research papers, but they will be accepted based on their treatment of existing work and value to the community, and not based on any new research results they may contain. Accepted papers will be presented at the symposium and included in the proceedings.

Workshops

The Symposium is also soliciting submissions for co-located workshops. Further details on submissions can be found at https://www.ieee-security.org/TC/SP2020/workshops.html.

Ongoing Submissions

To enhance the quality and timeliness of the scientific results presented as part of the Symposium, and to improve the quality of our reviewing process, IEEE S&P now accepts paper submissions 12 times a year, on the first of each month. The detailed process can be found at the conference call-for-papers page.

-------------------------------------------------------------------------

RAID 2019 International Symposium on Research in Attacks, Intrusions and Defenses, Beijing, China, September 23-25, 2019. (Submissions due 26 March 2019)
http://www.raid-2019.org/callForPapers.html

Since its inception in 1997, the International Symposium on Research in Attacks, Intrusions and Defenses (RAID) has established itself as a venue where leading researchers and practitioners from academia, industry, and the government are given the opportunity to present novel research in a unique venue to an engaged and lively community. This year we are soliciting research papers on topics covering all well-motivated computer security problems. We care about techniques that identify new real-world threats, techniques to prevent them, to detect them, to mitigate them or to assess their prevalence and their consequences. Measurement papers are encouraged, as well as papers offering public access to new tools or datasets, or experience papers that clearly articulate important lessons learned.
Specific topics of interest to RAID include, but are not limited to:
- Authentication
- Blockchain Platforms
- Blockchain-based Applications
- Cryptocurrency Analysis
- Data and System Integrity
- Data Protection
- Database Security
- Decentralized Application Development
- Formal Method
- Intrusion Detection
- Smart Contracts
- Trust and Privacy of Applications
- Vulnerability Analysis

-------------------------------------------------------------------------

AIBlock 2019 1st International Workshop on Application Intelligence and Blockchain Security, Held in Conjunction With ACNS 2019, Bogota, Colombia, Jun 5-7, 2019. (Submissions due 30 March 2019)
http://aiblock2019.compute.dtu.dk/

This workshop attempts to provide a platform for professionals from academia and industry to discuss challenges and potential solutions in this direction. We seek submissions describing either theoretical or practical solutions in relation to application intelligence security and blockchain security. Topics of interest include, but are not limited to:
- Authentication
- Blockchain Platforms
- Blockchain-based Applications
- Cryptocurrency Analysis
- Data and System Integrity
- Data Protection
- Database Security
- Decentralized Application Development
- Formal Method
- Intrusion Detection
- Smart Contracts
- Trust and Privacy of Applications
- Vulnerability Analysis

-------------------------------------------------------------------------

CLOUDS&P 2019 1st Workshop on Cloud Security and Privacy, Bogota, Colombia, June 5-7, 2019. (Submissions due 30 March 2019)
http://cloudsp2019.encs.concordia.ca

Cloud computing is emerging as a promising IT solution for enabling ubiquitous, convenient, and on-demand accesses to a shared pool of configurable computing resources. However, the widespread adoption of cloud is still being hindered by various serious security and privacy concerns.
CLOUD S&P aims to provide a platform for researchers and practitioners to present and discuss a wide-range of security and privacy issues and their solutions to ensure better protection in a cloud ecosystem. This workshop invites submissions on new attacks and solutions on various cloud-centric technologies, as well as short surveys and case studies that shed light on the security implications of clouds.

-------------------------------------------------------------------------

TrustData 2019 10th International Workshop on Trust, Security and Privacy for Big Data, Atlanta, USA, July 14-17, 2019. (Submissions due 31 March 2019)
http://www.spaccs.org/trustdata2019/

The proliferation of new technologies such as Internet of Things and cloud computing calls for innovative ideas to retrieve, filter, and integrate data from a large number of diverse data sources. Big Data is an emerging paradigm applied to datasets whose volume/velocity/variability is beyond the ability of commonly used software tools to manage and process the data within a tolerable period of time. More importantly, Big Data has to be of high value, and should be protected in an efficient way. Since Big Data involves a huge amount of data that is of high-dimensionality and inter-linkage, existing trust, security, and privacy measures for traditional databases and infrastructures cannot satisfy its requirements. Novel technologies for protecting Big Data are attracting researchers and practitioners with more and more attention. The 10th International Workshop on Trust, Security and Privacy for Big Data (TrustData 2019) aims to bring together people from both academia and industry to present their most recent work related to trust, security and privacy issues in Big Data, and exchange ideas and thoughts in order to identify emerging research topics and define the future of Big Data.

-------------------------------------------------------------------------

Blockchain 2019 IEEE International Conference on Blockchain, Atlanta, GA, USA, July 14-17, 2019. (Submissions due 1 April 2019)
http://www.blockchain-ieee.org/

The emergence and popularity of blockchain techniques will significantly change the way of digital and networking systems' operation and management. In the meantime, the application of blockchain will exhibit a variety of complicated problems and new requirements, which brings more open issues and challenges for research communities. The goal of this conference is to promote community-wide discussion identifying the advanced applications, technologies and theories for blockchain. We seek submissions of papers that invent novel techniques, investigate new applications, introduce advanced methodologies, propose promising research directions and discuss approaches for unsolved issues.

-------------------------------------------------------------------------

IWSEC 2019 14th International Workshop on Security, Tokyo, Japan, August 28-30, 2019. (Submissions due 2 April 2019)
https://www.iwsec.org/2019/

Original papers on the research and development of various security topics, as well as case studies and implementation experiences, are solicited for submission to IWSEC 2019. Topics of interest for IWSEC 2019 include all theory and practice of cryptography, information security, and network security, as in previous IWSEC workshops.

-------------------------------------------------------------------------

ISC 2019 22nd Information Security Conference, New York, NY, USA, September 16-18, 2019. (Submissions due 5 April 2019)
https://isc2019.cs.stonybrook.edu/

The Information Security Conference (ISC) is an annual international conference covering research in theory and applications of Information Security. ISC aims to attract high quality papers in all technical aspects of information security.
This includes submissions from academia, industry and government on traditional as well as emerging topics and new paradigms in these areas, with a clear connection to real-world problems, systems, or applications. Papers on all technical aspects of information security and privacy are solicited for submission.

-------------------------------------------------------------------------

GraMSec 2019 International Workshop on Graphical Models for Security, Co-located with CSF 2019 Hoboken, NJ, USA, June 24, 2019. (Submissions due 5 April 2019)
http://gramsec.uni.lu

The use of graphical security models to represent and analyse the security of systems has gained an increasing research attention over the last two decades. Formal methods and computer security researchers, as well as security professionals from the industry and government, have proposed various graphical security models, metrics, and measurements. Graphical models are used to capture different security facets and address a range of challenges including security assessment, automated defence, secure services composition, security policy validation, and verification. For example, attack graphs, attack trees, attack-defence trees, and attack countermeasure trees represent possible ways of attacking and defending a system while misuse cases and mal-activity diagrams capture threats and abusive behaviour of users.
This year, we encourage excellent submissions related, but not restricted, to the following broad headings:
- Graph representations: mathematical, conceptual, and implemented tools for describing and reasoning about security
- Logical approaches: formal logical tools for representing and reasoning about graphs and their use as modelling tools in security
- Machine learning: modelling and reasoning about the role of big data and machine learning in security operations
- Networks in national security: terrorist networks, counter-terrorism networks; safety in national infrastructure (e.g., utilities and transportation)
- Risk analysis and management: models of risk management in business and organizational architectures
- Social networks: using and reasoning about social graphs, network analysis, network protocols, social mapping, sociometry.

Preference will be given to papers likely to stimulate high-quality debate at the Workshop.

-------------------------------------------------------------------------

SecDev 2019 IEEE Secure Development Conference, McLean, VA, USA, September 25-27, 2019. (Submissions due 8 April 2019)
https://secdev.ieee.org/

SecDev is a venue for presenting ideas, research, and experience about how to develop secure systems. It focuses on theory, techniques, and tools to "build security in" to existing and new computing systems. SecDev aims to bridge the gap between constructive security research and practice and to enable real-world impact of security research in the long run. Developers have valuable experiences and ideas that can inform academic research, and researchers have concepts, studies, and even code and tools that could benefit developers. We solicit research papers, position papers, systematization of knowledge papers, and "best practice" papers. All submissions should present novel results, provide novel perspectives and insights, or present new evidence about existing insights or techniques.
SecDev also seeks hands-on and interactive tutorials on processes, frameworks, languages, and tools for building security in as well as posters and tool demos, and abstracts from practitioners to share their practical experiences and challenges in secure development. Areas of interest include (but are not limited to):
- Security-focused system designs (HW/SW/architecture)
- Tools and methodology for secure code development
- Risk management and testing strategies to improve security
- Security engineering processes, from requirements to maintenance
- Programming languages, development tools, and ecosystems supporting security
- Static program analysis for software security
- Dynamic analysis and runtime approaches for software security
- Automation of programming, deployment, and maintenance tasks for security
- Distributed systems design and implementation for security
- Privacy by design
- Human-centered design for systems security
- Formal verification and other high-assurance methods for security
- Code reviews, red teams, and other human-centered assurance
-------------------------------------------------------------------------
Elsevier Internet of Things, Special Issue on Machine Learning for Security, Privacy and Trust in IoT,
(Submissions due 15 April 2019)
https://www.journals.elsevier.com/internet-of-things/call-for-papers/machine-learning-for-security-privacy-and-trust-in-iot
Guest Editors: Abhishek Parakh (University of Nebraska at Omaha, USA) and Parvathi Chundi (University of Nebraska at Omaha, USA).

Experts predict that there will be 3-4 billion connected devices in use by consumers by the end of this year. Although these devices in smart TVs, microwave ovens, thermostats, etc., will probably make our lives more energy and cost efficient, they can also threaten the security of our homes.
This is because the manufacturers of these devices are primarily interested in functionality and do not focus on securing the device against cyber-attacks, protecting the privacy of consumer information on the device, securing the communications from/to the device, etc. The massive scale and the variety of these devices also make it difficult for the manufacturers to design and implement manageable security and privacy solutions. Another challenge in the IoT world is the continuous collection of data from the devices that is analyzed to make conclusions about the environment being monitored by the IoT devices. The data analyses are also crucial to maintaining the security and privacy of the data being collected from the devices. The massive scale of next-generation IoT systems makes the data collection, analyses, transport, and fusion of the results at the system level seem daunting.

Machine learning (ML) typically automates the creation of analytical models that allow adaptive algorithms to continuously learn from the generated data. The main goal of ML here is the generation of reliable actionable information that can be executed with minimal human intervention. ML-powered programs typically monitor network traffic passively, building normal patterns for users, devices and controllers in the IoT system, and can then make intelligent decisions about threats and intrusions in the network.

This special issue aims to promote discussions of research and relevant activities in the models and design of secure, privacy-preserving, or trust architectures, data analyses and fusion platforms, protocols, algorithms, services, and applications for next generation IoT systems. We especially encourage security and privacy solutions that employ innovative machine learning techniques to tackle the issues of data volume and variety problems that are systemic in IoT platforms.
-------------------------------------------------------------------------
SecureComm 2019 15th EAI International Conference on Security and Privacy in Communication Networks, Orlando, FL, USA, October 23-25, 2019.
(Submissions due 16 April 2019)
http://securecomm.org

SecureComm seeks high-quality research contributions, which have not been previously published or in parallel submission to another conference or journal. Topics of interest encompass research advances in ALL areas of secure communications and networking. Topics in other areas (e.g., formal methods, database security, secure software, theoretical cryptography) will be considered only if a clear connection to private or secure communication/networking is demonstrated.
-------------------------------------------------------------------------
ESORICS 2019 24th European Symposium on Research in Computer Security, Luxembourg, September 23-27, 2019.
(Submissions due 22 April 2019)
https://esorics2019.uni.lu

ESORICS is the annual European research event in Computer Security. The Symposium started in 1990 and has been held in several European countries, attracting a wide international audience from both the academic and industrial communities. Papers offering novel research contributions in computer security are solicited for submission to the 2019 Symposium, to be held in Luxembourg. The primary focus is on original, high quality, unpublished research and implementation experiences. We encourage submissions of papers discussing industrial research and development.
Topics of interest include, but are not limited to:
- access control
- accountability
- ad hoc networks
- anonymity
- applied cryptography
- authentication
- biometrics
- blockchain and finance security
- data and computation integrity
- database security
- data protection
- deep learning for attack and defense
- digital content protection
- digital forensics
- distributed systems security
- embedded systems security
- inference control
- information hiding
- identity management
- information flow control
- information security governance and management
- intrusion detection
- formal security methods
- language-based security
- network security
- phishing and spam prevention
- privacy
- privacy preserving data mining
- risk analysis and management
- secure electronic voting
- security architectures
- security economics
- security metrics
- security models
- security and privacy for big data
- security and privacy in cloud scenarios
- security and privacy in complex systems
- security and privacy in content centric networking
- security and privacy in crowdsourcing
- security and privacy in the IoT
- security and privacy in location services
- security and privacy for mobile code
- security and privacy in pervasive / ubiquitous computing
- security and privacy policies
- security and privacy in social networks
- security and privacy in web services
- security and privacy in cyber-physical systems
- security, privacy and resilience in critical infrastructures
- security verification
- software security
- systems security
- trust models and management
- trustworthy user devices
- usable security and privacy
- web security
- wireless security
-------------------------------------------------------------------------
CRITIS 2019 14th International Conference on Critical Information Infrastructures Security, Linkoping, Sweden, September 23-25, 2019.
(Submissions due 30 April 2019)
https://critis2019.on.liu.se/

CRITIS 2019 aims at bringing together researchers, professionals from academia, critical (information) infrastructure operators, industry, defence sector and governmental organisations working in the field of the security of critical (information) infrastructure systems. Moreover, CRITIS aims to encourage and inspire early stage and open-minded researchers in this demanding multi-disciplinary field of research. Outstanding research performance demonstrated by young researchers may compete for the Young CRITIS Award (YCA). The Projects' Dissemination Session will be an opportunity of dissemination for ongoing European, multinational, and national projects, to share the experiences among scientists and experts working on different projects in the C(I)IP domain.
-------------------------------------------------------------------------
SciSec 2019 2nd International Conference on Science of Cyber Security, Nanjing, China, August 9-11, 2019.
(Submissions due 1 May 2019)
http://www.sci-cs.net

The conference solicits high-quality, original research papers that can justifiably help achieve the ultimate Science of Cyber Security. The conference is organized by the Nanjing University of Posts and Telecommunications. This new forum aims to catalyze the research collaborations between the relevant communities and disciplines that can work together to deepen our understanding of, and build a firm foundation for, the emerging Science of Cyber Security. Publications in this venue would distinguish themselves from others by taking or thinking from a holistic perspective about cyber security, rather than the building-block perspective.
-------------------------------------------------------------------------
ACM-CCS 2019 26th ACM Conference on Computer and Communications Security, London, United Kingdom, November 11-15, 2019.
(Submissions due 31 January 2019, 15 May 2019, 1 September 2019)
http://www.sigsac.org/ccs/CCS2019/

The ACM Conference on Computer and Communications Security (CCS) is the flagship annual conference of the Special Interest Group on Security, Audit and Control (SIGSAC) of the Association for Computing Machinery (ACM). The conference brings together information security researchers, practitioners, developers, and users from all over the world to explore cutting-edge ideas and results. It provides an environment to conduct intellectual discussions. From its inception, CCS has established itself as a high standard research conference in its area. The Conference on Computer and Communications Security (CCS) seeks submissions presenting novel contributions related to all real-world aspects of computer security and privacy. Theoretical papers must make a convincing case for the relevance of their results to practice. Authors are encouraged to write the abstract and introduction of their paper in a way that makes the results accessible and compelling to a general computer-security researcher. In particular, authors should bear in mind that anyone on the program committee may be asked to give an opinion about any paper.

IMPORTANT: CCS will have three review cycles in 2019: the first with a submission deadline of January 31, the second with a submission deadline of May 15, and the third with a tentative submission deadline of September 1. The third review cycle is only for papers invited for resubmission from the first two cycles; no new submissions will be considered. Papers rejected from the first review cycle may not be submitted again (even in revised form) to the second review cycle.
-------------------------------------------------------------------------
Springer Human-centric Computing and Information Sciences, Thematic Issue on Security, trust and privacy for Human-centric Internet of Things,
(Submissions due 30 November 2019)
https://toit.acm.org/pdf/ACM-ToIT-CfP-Decentralized_Blockchain_Applications.pdf
Guest Editors: Kim-Kwang Raymond Choo (University of Texas at San Antonio, USA), Uttam Ghosh (Vanderbilt University, USA), Deepak Tosh (University of Texas El Paso, USA), Reza M. Parizi (Kennesaw State University, USA), and Ali Dehghantanha (University of Guelph, Canada).

A cyber-physical system (CPS) integrates both the cyber world and the man-made physical world using sensors, actuators and other Internet of Things (IoT) devices, to achieve stability, security, reliability, robustness, and efficiency in a tightly coupled environment. The prevalence of such cyber-physical ecosystems (inherently of a distributed nature) imposes exacting demands on architect models and necessitates the design of distributed solutions and other novel approaches. This is essential in order to suitably address the security and privacy concerns since the CPS ecosystem involves humans as a part of its core. Blockchain technology offers a distributed and scalable solution to maintain a tamper-resistant ledger, which does not require a central authority. Thus, it can best fit the need for a distributed solution to the above-mentioned security issues in CPS. However, the challenge in integrating Blockchain with CPS is yet to be addressed, which requires various cyber-physical nodes to work effectively and collaboratively in an asynchronous environment. The goal of this special issue is to bring together researchers from different sectors to focus on understanding security challenges and attack surfaces of modern cyber-physical systems, and architect innovative solutions with the help of cutting-edge blockchain related technologies.
Potential topics include but are not limited to the following:
- Blockchain and mobile systems
- Security of transportation system using blockchain
- Use of blockchain to support mobile smart services and applications
- Blockchain in edge and cloud computing
- Blockchain schemes for decentralized secure transaction
- Distributed ledger and consensus schemes for CPS
- Performance optimization of blockchain and decentralized schemes
- Energy aware protocols and blockchain applications
- Fault tolerance and blockchain for CPS
- Decentralized (mobile) processing, computing, and storage infrastructure
- Blockchain for Software-defined networking based CPS
- Cybersecurity, protection, integrity, trust and privacy issues for SDN-based CPS
- Blockchain and smart contracts for CPS security

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".
   OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy (or other TCs) by completing the on-line form at IEEE at https://www.computer.org/web/tandc/technical-committees

______________________________________________________________________
TC Conference Publications Online
______________________________________________________________________

The proceedings of previous conferences are available from the Computer Society's Digital Library.

IEEE Security and Privacy Symposium
IEEE Computer Security Foundations
IEEE European Security and Privacy Symposium

From 2012 onward, these are available without charge from the digital library 12 months after the conference.

____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________

Chair:
Sean Peisert
UC Davis and Lawrence Berkeley National Laboratory
speisert@ucdavis.edu

Security and Privacy Symposium Chair Emeritus:
Jason Li
Intelligent Automation
oakland18-chair@ieee-security.org

Vice Chair:
Ulfar Erlingsson
Manager, Security Research
Google
tcchair at ieee-security.org

Treasurer:
Yong Guan
3219 Coover Hall
Department of Electrical and Computer Engineering
Iowa State University, Ames, IA 50011
(515) 294-8378
yguan (at) iastate.edu

Newsletter Editor and TC Awards Chair:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2019 Chair:
Mark Gondree
Sonoma State University
oakland19-chair@ieee-security.org

____________________________________________________________________________
BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year