Electronic CIPHER, Issue 149, May 31, 2019

============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 149                                            May 31, 2019

Hilarie Orman, Editor: cipher-editor @ ieee-security.org
Sven Dietrich, Assoc. Editor: cipher-assoc-editor @ ieee-security.org
Sven Dietrich, Book Review Editor: cipher-bookrev @ ieee-security.org
Yong Guan, Calendar Editor: cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * Commentary and Opinion and News
    o Sven Dietrich's review of "Rootkits and Bootkits - Reversing Modern Malware and Next Generation Threats" by Alex Matrosov, Eugene Rodionov, and Sergey Bratus
    o News Items
       - Phone Follies: The Midnight Data Dump
       - Roses are Red, Eternal is Blue. Thank NSA if Ransom is Due
       - Linux and the Second Stage Wasp's Nest
       - The Big Easy Public Key
       - Desperate Plea for Microsoft Hiring Interview?
    o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Conference and Workshop Announcements
    o Upcoming calls-for-papers and events
 * Staying in Touch
    o Information for subscribers and contributors
    o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
    o Becoming a member of the TC
    o TC Officers
    o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

I recently attended the Security and Privacy Symposium and enjoyed the technical program and the special presentations that marked the 40th meeting of the event. Well-known figures from the early meetings, particularly Dorothy Denning, Dick Kemmerer, Gustavus Simmons, Butler Lampson, Martin Abadi, and Cathy Meadows, were in attendance. The newly established "test of time" awards went to many luminaries, some of whom were in the audience. It was good to hear many familiar names and to see familiar faces.

In 40 years, the field of computer security and privacy has changed quite a lot, but without reaching its original goals of faultless software and provably secure access controls. It is much more expansive, there are many more participants (nearly 650 registrants, an all-time high), and the topics are increasingly diverse. One major change is that attacks, which used to be considered contrary to the purpose of the field, are now a major part of the research. A surprising result this year was the demonstration of using a hard drive as a microphone. Another paper showed how to disrupt a touchscreen with a device hidden in a table top. As one of the researchers commented during a break, "Physics sucks."

There were not only a record number of participants, there were a record number of papers, and for the first time, S&P went two-track. The two rooms were adjacent, which minimized the time for audience members to listen to a different track, but for those of us who were accustomed to hearing each paper, it was a difficult adjustment. The one-minute overview videos each morning were somewhat helpful for setting one's personal schedule, but the content of the videos varied from "all my slides in one minute" to cartoons (some with unintended humor) and music.

Thursday was devoted to S&P Workshops, six of them this year. One was devoted to a fairly new topic, which was also the subject of some of the regular conference papers: security and deep learning.

The process of submitting and revising papers has itself been revised for next year and for the years following. PC members had been required to review papers every month (with the burden increasing as the "last chance for the next conference" day loomed). To cope with this, and the rising tide of submissions, the PC will have more members and fewer deadlines. [Ed. If you have had trouble finding reviewers for security papers or articles, it might be due to the very large number of people serving on the PCs for major security conferences.]

Sean Peisert, who has served 3/4 of his term as Technical Committee chair, will be succeeded by vice chair Ulfar Erlingsson at the end of 2019. Brian Parno will then be the vice chair. Next year's conference general chair will be Gabriela Ciocarlie, and the program chairs will be Hovav Shacham and Alina Oprea.

The Computer Society's support of the conference's logistics and publications has been crucial to the conference's growth and success. This year some of the CS staff members were able to attend the conference and to talk to organizers and attendees about planning for future evolution of the conference and workshops.

Computer software is always broken.
Somebody's always throwing hacks,
Somebody's always heaving rootkits,
Playing ugly Yahoo tricks.

Computer software is always broken,
Something or other is going wrong.
Something is rotten -- I think, in Redmond*.
End of the software security song.

(with apologies to Vachel Lindsay)

* Or Palo Alto, or Mountain View, or Ft. Meade, or ...

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Sven Dietrich
05/31/19
____________________________________________________________________

"Rootkits and Bootkits - Reversing Modern Malware and Next Generation Threats" by Alex Matrosov, Eugene Rodionov, and Sergey Bratus
No Starch Press 2019.
ISBN-13 978-1-59327-716-1 ISBN-10: 1-59327-716-4
450 pages

Book review by Sven Dietrich
May 31, 2019

As we consume our daily dose of Internet connected devices, we may sometimes forget one central concern: "Do I trust my device?" We entrust a lot of personal or proprietary information in our desktops, tablets, smartphones, especially the latter ones that accompany us in our everyday life. Could it have been subverted? And would we even notice?

Alex Matrosov, Eugene Rodionov, and Sergey Bratus provide us with insights into the world of rootkits and bootkits, these nasty ways of achieving exactly that: for malware to stay mostly unnoticed while performing its evil tasks. While rootkits have been much more prevalent, bootkits are now the answer to our ongoing arms race for controlling the boot process, zooming in on the weak(er) spots in the system, and asking the question: "Who's on first?"
and "Who's on second?" (and third, of course). The one that's "on first" will most likely control the hardware and any other sophisticated access control mechanism will face the challenge of dealing with a tainted or compromised environment. The book not only explains the basic boot processes down to the firmware and what can live down below there, but supplies the tools for us to inspect and analyze, to quench the thirst of curiosity for the question: "What happened here?" We tend to forget the complexity of the boot process that leads to the final presentation of an interface that we are familiar with: the operating system, known to us via the Graphical User Interface (GUI), the command line, or dedicated and proprietary hardware interfaces such as those used by Internet of Things (IoT) devices. The authors focus on educating the reader with the foundational knowledge required to grasp the intricacies of grabbing control of the system. Could (or would) one want to take control in a benign manner? Those of you who have jailbroken or rooted your phone may not have realized that you may have affected the boot process of your mobile device to bypass protection mechanisms that are there to protect you... and your device, more often than not via code signatures. A malicious attacker will want to do the same, bypassing the code integrity checks, the system profiling checks also known as secure boot. The book is divided into three parts: Part I covers Rootkits, Part II describes Bootkits, and Part III discusses Defense and Forensic Techniques. Each part is subdivided into chapters, for a total of 19 chapters altogether. An introduction gives the reader an overview for the best experience with the book, and a set of abbreviations allows the unfamiliar reader to quickly come up to speed. In Part I, the reader can explore Rootkits in three chapters. 
The first chapter is a case study of the TDL3 rootkit with a historical overview of its impact, the infection mechanism, the kernel hooks, how the hidden filesystem worked, and how it met its match. After this appetizer, the reader can continue on to the Festi Rootkit in chapter two, which covers a botnet with distributed denial-of-service and spam attacks, and learn about how this rootkit inserted itself into a system and managed to "fly under the radar" and resist analysis with anti-debugging and anti-virtualization techniques. Lastly, chapter three discusses a variety of techniques, mostly Windows-centric, for the rootkit to bypass detection or protection mechanisms by intercepting them. In Part II, the reader, primed by the first part, can delve into the depths of bootkits in thirteen chapters. From the history of the bootkit via the 1971 Creeper and the boot sector viruses of the MS-DOS days to more recent occurrences, the authors describe how the advent of the secure boot process (e.g. with the Unified Extensible Firmware Interface aka UEFI) and code signing policies have pushed malware developers to get closer and closer to the hardware for gaining control earlier, ideally first. In these chapters, the reader learns about the first bootkit as well as modern, more contemporary bootkits, how to analyze them statically using reverse engineering tools or even dynamically via emulation and virtualization, about case studies of bootkits, and about the difference between legacy boot modes (e.g. master boot record or volume boot record) and UEFI secure boot. This part is rounded off with descriptions of master boot record ransomware and UEFI vulnerabilities. In Part III, the authors describe defense and forensic techniques for dealing with rootkits and bootkits in three chapters. The first chapter here covers the UEFI secure boot process, explaining verified and measured boot processes. 
The second chapter in here is all about analyzing hidden filesystems that these rootkits/bootkits create. The last chapter in this part covers BIOS/UEFI forensics, and raises our paranoia as we progress to the point of reading out firmware chips for doing forensics on that code. In the end, we realize that modifying firmware is a way to be "on first."

The book uses a mix of text, command line examples, code snippets, and screenshots to keep the reader interested at multiple levels. While there is no classical bibliography, the book does have web links throughout for more background information.

Alex Matrosov, Eugene Rodionov, and Sergey Bratus are experts in their field who have delivered a solid hands-on technical book. While enthralled with the stories from the trenches, I got flashbacks of my days of analyzing rootkits on SunOS and Solaris workstations about 20 years ago. It was a fun book to read.

--------------------------------------------
Sven Dietrich reviews technology and security books for IEEE Cipher. He welcomes your thoughts at spock at ieee dot org

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

----------------------------------------------------------------------------
Phone Follies: The Midnight Data Dump

It's the middle of the night. Do you know who your iPhone is talking to?
https://www.washingtonpost.com/technology/2019/05/28/its-middle-night-do-you-know-who-your-iphone-is-talking/
The Washington Post
By Geoffrey A. Fowler
May 28, 2019

Summary: The technology columnist for the Washington Post decided to seek help in understanding the network traffic emanating from his iPhone during nighttime hours. He found that many of his apps had relationships with multiple third-parties to collect data from his phone.
It is hard to believe, but he found 5400 trackers sending 1.5 gigabytes per month. Some of the companies behind the apps were surprised and vowed to remove the trackers, but others said that they employed tracking services to improve their apps and had no particular responsibility for the frequency of data collection or the totality of its eventual uses. The trackers are not limited to Apple devices; they also exist on Android phones.

----------------------------------------------------------------------------
Roses are Red, Eternal is Blue. Thank NSA if Ransom is Due

NSA Hacking Tool Hits Baltimore
https://www.nytimes.com/2019/05/25/ussa-hacking-tool-baltimore.html
The New York Times
By Nicole Perlroth and Scott Shane
May 25, 2019

Summary: Some time ago NSA developed software to infiltrate Windows machines, and it was very successful, perhaps giving the US the ability to monitor the computers of terrorist organizations. With great power comes great responsibility, and somehow NSA blew it. The code was somehow released onto the Internet, and it became the basis for some serious ransomware. The city of Baltimore has been trying to re-establish its computer systems after being seriously damaged by a ransomware attack based on the NSA software. The exploit is effective against older versions of Windows that have not been patched. That includes many, many machines that prop up aging IT infrastructure in city, county, and state governments. An unpatched system that is attacked by the ransomware can cause harm to more modern machines that it communicates with.

-------------------
GOT PATCHES? - Microsoft practically begs Windows users to fix wormable BlueKeep flaw
With 1M computers still unpatched, company tries to prevent worldwide wormpocalypse.
https://arstechnica.com/information-technology/2019/05/microsoft-says-its-confident-an-exploit-exists-for-wormable-bluekeep-flaw/
Ars Technica
Dan Goodin
5/31/2019

Summary: The EternalBlue software mentioned above can be patched with free, downloadable software from Microsoft. Yet more than a million machines worldwide remain vulnerable, by some estimates. As a "public health" measure Microsoft strongly urges that Windows 2000 machines be patched immediately.

-----------------------------------------------------------------------------
Linux and the Second Stage Wasp's Nest

UNDER THE RADAR - Advanced Linux backdoor found in the wild escaped AV detection.
Fully developed HiddenWasp gives attackers full control of infected machines.
https://arstechnica.com/information-technology/2019/05/advanced-linux-backdoor-found-in-the-wild-escaped-av-detection/
Ars Technica
by Dan Goodin
5/30/2019

Summary: A zero day exploit of Linux has been found embodied in active malware that evades most anti-virus detectors. Or, at least it did until it was revealed. Some think that the HiddenWasp malware is likely a later stage of software that gets served to targets of interest who have already been infected by an earlier stage.

-----------------------------------------------------------------------------
The Big Easy Public Key

RED FLAG - Website for storing digital currencies hosted code with a sneaky backdoor
WalletGenerator.net and the mystery of the backdoored random number generator.
https://arstechnica.com/information-technology/2019/05/website-for-storing-digital-currencies-hosted-code-with-a-sneaky-backdoor/
Ars Technica
Dan Goodin
5/25/2019

Summary: So you need a way to protect your digital currencies and you find something on github that is just the ticket. There seem to be two links for downloading the software, so you choose the first one on the page.
That has a new function, SecureRandomAdvanced, which is an update of the SecureRandom function that is obtained through the other link. SecureRandomAdvanced uses an insecure random number generator that depends on hidden data in downloaded images. Only 120 unique keys can be generated from an image; but there are different images on different sites. Why? Who? No one knows. The code has been reverted, but if you downloaded it late last summer, you might want to replace it.

-----------------------------------------------------------------------------
Desperate Plea for Microsoft Hiring Interview?

WORKING EXPLOIT - Serial publisher of Windows 0-days drops exploits for 2 more unfixed flaws
SandboxEscaper has published 7 such exploits to date, 3 in the past 24 hours.
https://arstechnica.com/information-technology/2019/05/serial-publisher-of-windows-0days-drops-exploits-for-3-more-unfixed-flaws/
Ars Technica
Dan Goodin
5/22/2019

Summary: A working exploit against a fully patched Windows 10 system is a disturbing discovery, but someone has anonymously revealed 7 such hacks this year. The attacks are serious and allow privilege escalation in some cases.

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

Postings new since Cipher E148

Posted May 2019
Stony Brook University
Computer Science and National Security Institute
Stony Brook, NY, USA
Two Senior Tenured Positions in both Cyber Security and Systems
Closes May 2021
URL of position descriptions: https://www.cs.stonybrook.edu/about-us/career/facultypositions

Posted May 2019
University of Twente
The Netherlands
Positions for Assistant/Associate/Full Professors in Security and Privacy
Closes May 25, 2019
URL of position descriptions: https://www.utwente.nl/en/organization/careers/!/121825/assistantassociatefull-professors-in-computer-science

Updated May 2019
Vrije Universiteit Amsterdam
Netherlands
PhD/Postdoc in systems security
Job Highlights: https://www.vusec.net/join/
Information: vusec@vu.nl (mention VUseek in subject)

Updated May 2019
Department of Computer Science, TU Darmstadt
Darmstadt, Germany
PostDoc Position in Cybersecurity:
We will consider applications until the positions are filled.
http://www.mais.informatik.tu-darmstadt.de/Positions.html

------------
Full list of positions: http://cisr.nps.edu/jobscipher.html
--------------

This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
====================================================================

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

6/ 1/19: SP, 41st IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2020/ Submissions are due (rolling submission date)
6/ 3/19: GameSec, 10th Conference on Decision and Game Theory for Security, Stockholm, Sweden; http://www.gamesec-conf.org/index.php Submissions are due
6/ 4/19- 6/ 6/19: SACMAT, 24th ACM Symposium on Access Control Models and Technologies, Toronto, Canada; http://www.sacmat.org/
6/ 5/19- 6/ 7/19: AIBlock, 1st International Workshop on Application Intelligence and Blockchain Security, Held in Conjunction With ACNS 2019, Bogota, Colombia; http://aiblock2019.compute.dtu.dk/
6/ 5/19- 6/ 7/19: CLOUDS&P, 1st Workshop on Cloud Security and Privacy, Held in Conjunction With ACNS 2019, Bogota, Colombia; http://cloudsp2019.encs.concordia.ca
6/ 7/19: MLCS, 1st Workshop on Machine Learning for CyberSecurity, Co-located with the European Conference on Machine Learning and Principles and Practice of Knowledge Discovery in Databases (ECMLPKDD 2019), Wurzburg, Germany; http://mlcs.lasige.di.fc.ul.pt/ Submissions are due
6/ 8/19: ISPEC, 15th International Conference on Information Security Practice and Experience, Kuala Lumpur, Malaysia; http://ccs.research.utar.edu.my/ispec2019/ Submissions are due
6/10/19- 6/12/19: CNS, IEEE Conference on Communications and Network Security, Washington, D.C., USA;
http://cns2019.ieee-cns.org/
6/14/19: NDSS, Network and Distributed System Security Symposium, San Diego, CA, USA; https://www.ndss-symposium.org/ndss2020/call-for-papers/ Submissions are due
6/15/19: ETAA, 2nd International Workshop on Emerging Technologies for Authorization and Authentication, Held in conjunction with ESORICS 2019, Luxemburg; https://www.iit.cnr.it/etaa2019/index.html Submissions are due
6/16/19: SSIoT, 1st IEEE EuroS&P Workshop on Software Security for Internet of Things, Co-located with IEEE EuroS&P 2019, Stockholm, Sweden; http://www.cse.chalmers.se/~russo/ssiot19/
6/17/19: DPM, 14th International Workshop on Data Privacy Management, Held in conjunction with ESORICS 2019, Luxemburg; http://deic.uab.cat/conferences/dpm/dpm2019/ Submissions are due
6/17/19- 6/19/19: EuroSP, 4th IEEE European Symposium on Security and Privacy, Stockholm, Sweden; https://www.ieee-security.org/TC/EuroSP2019/cfp.php
6/19/19- 6/20/19: DIMVA, 16th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Gothenburg, Sweden; https://www.dimva2019.org/
6/24/19: GraMSec, International Workshop on Graphical Models for Security, Co-located with CSF 2019 Hoboken, NJ, USA; http://gramsec.uni.lu
6/24/19: CyberICPS, 5th Workshop on the Security of Industrial Control Systems and of Cyber-Physical Systems, Luxembourg, Luxembourg; https://www.ds.unipi.gr/cybericps2019/ Submissions are due
6/30/19: ACM Transactions on Cyber-Physical Systems (TCPS), Special Issue on Security and Privacy for Connected Cyber-Physical Systems; https://tcps.acm.org/special_issue_security_privacy.cfm Submissions are due
6/30/19: IDSC, IEEE Conference on Dependable and Secure Computing, Hangzhou, China; https://conference.cs.cityu.edu.hk/dsc2019/ Submissions are due
7/ 1/19: SP, 41st IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2020/ Submissions are due (rolling submission date)
7/ 8/19: CPSS, 5th ACM Cyber-Physical
System Security Workshop, Held in conjunction with ACM AsiaCCS 2019, Auckland, New Zealand; http://jianying.space/cpss/CPSS2019/
7/12/19: ICISS, 15th International Conference on Information Systems Security, Hyderabad, India; http://idrbt.ac.in/ICISS-2019/ Submissions are due
7/14/19- 7/17/19: Blockchain, IEEE International Conference on Blockchain, Atlanta, GA, USA; http://www.blockchain-ieee.org/
7/14/19- 7/17/19: TrustData, 10th International Workshop on Trust, Security and Privacy for Big Data, Atlanta, USA; http://www.spaccs.org/trustdata2019/
7/15/19- 7/17/19: DBSec, 33rd Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy, Charleston, SC, USA; https://dbsec2019.cse.sc.edu/
7/16/19- 7/20/19: PET, 19th Privacy Enhancing Technologies Symposium, Stockholm, Sweden; https://petsymposium.org/cfp19.php
8/ 1/19: SP, 41st IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2020/ Submissions are due
8/ 9/19- 8/11/19: SciSec, 2nd International Conference on Science of Cyber Security, Nanjing, China; http://www.sci-cs.net
8/14/19- 8/16/19: USENIX-Security, 28th USENIX Security Symposium, Santa Clara, CA, USA; https://www.usenix.org/conference/usenixsecurity19
8/23/19: USENIX-Security, 29th USENIX Security Symposium, Boston, MA, USA; https://www.usenix.org/conference/usenixsecurity20/call-for-papers Submissions are due
8/28/19- 8/30/19: IWSEC, 14th International Workshop on Security, Tokyo, Japan; https://www.iwsec.org/2019/
9/ 1/19: SP, 41st IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2020/ Submissions are due (rolling submission date)
9/ 1/19: ACM-CCS, 26th ACM Conference on Computer and Communications Security, London, United Kingdom; http://www.sigsac.org/ccs/CCS2019/ Submissions are due
9/ 1/19: BlockSys, International Conference on Blockchain and Trustworthy Systems, Guangzhou, China; http://blocksys.info/ Submissions are due
9/13/19: NDSS,
Network and Distributed System Security Symposium, San Diego, CA, USA; https://www.ndss-symposium.org/ndss2020/call-for-papers/ Submissions are due
9/15/19: IFIP11.9-DF, 16th Annual IFIP WG 11.9 International Conference on Digital Forensics, New Delhi, India; http://www.ifip119.org/ Submissions are due
9/16/19- 9/18/19: ISC, 22nd Information Security Conference, New York, NY, USA; https://isc2019.cs.stonybrook.edu/
9/20/19: MLCS, 1st Workshop on Machine Learning for CyberSecurity, Co-located with the European Conference on Machine Learning and Principles and Practice of Knowledge Discovery in Databases (ECMLPKDD 2019), Wurzburg, Germany; http://mlcs.lasige.di.fc.ul.pt/
9/23/19- 9/27/19: ESORICS, 24th European Symposium on Research in Computer Security, Luxembourg; https://esorics2019.uni.lu
9/23/19- 9/25/19: RAID, International Symposium on Research in Attacks, Intrusions and Defenses, Beijing, China; http://www.raid-2019.org/callForPapers.html
9/23/19- 9/25/19: CRITIS, 14th International Conference on Critical Information Infrastructures Security, Linkoping, Sweden; https://critis2019.on.liu.se/
9/23/19- 9/27/19: ETAA, 2nd International Workshop on Emerging Technologies for Authorization and Authentication, Held in conjunction with ESORICS 2019, Luxemburg; https://www.iit.cnr.it/etaa2019/index.html
9/23/19- 9/27/19: CyberICPS, 5th Workshop on the Security of Industrial Control Systems and of Cyber-Physical Systems, Luxembourg, Luxembourg; https://www.ds.unipi.gr/cybericps2019/
9/25/19- 9/27/19: SecDev, IEEE Secure Development Conference, McLean, VA, USA; https://secdev.ieee.org/
9/26/19- 9/27/19: DPM, 14th International Workshop on Data Privacy Management, Held in conjunction with ESORICS 2019, Luxemburg; http://deic.uab.cat/conferences/dpm/dpm2019/
10/ 1/19: SP, 41st IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2020/ Submissions are due (rolling submission date)
10/23/19-10/25/19: SecureComm, 15th EAI
International Conference on Security and Privacy in Communication Networks, Orlando, FL, USA; http://securecomm.org
10/30/19-11/ 1/19: GameSec, 10th Conference on Decision and Game Theory for Security, Stockholm, Sweden; http://www.gamesec-conf.org/index.php
11/ 1/19: SP, 41st IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2020/ Submissions are due (rolling submission date)
11/11/19-11/15/19: ACM-CCS, 26th ACM Conference on Computer and Communications Security, London, United Kingdom; http://www.sigsac.org/ccs/CCS2019/
11/15/19: USENIX-Security, 29th USENIX Security Symposium, Boston, MA, USA; https://www.usenix.org/conference/usenixsecurity20/call-for-papers Submissions are due
11/18/19-11/20/19: IDSC, IEEE Conference on Dependable and Secure Computing, Hangzhou, China; https://conference.cs.cityu.edu.hk/dsc2019/
11/26/19-11/28/19: ISPEC, 15th International Conference on Information Security Practice and Experience, Kuala Lumpur, Malaysia; http://ccs.research.utar.edu.my/ispec2019/
11/30/19: Springer Human-centric Computing and Information Sciences, Thematic Issue on Security, trust and privacy for Human-centric Internet of Things; https://toit.acm.org/pdf/ACM-ToIT-CfP-Decentralized_Blockchain_Applications.pdf Submissions are due
12/ 1/19: SP, 41st IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2020/ Submissions are due (rolling submission date)
12/ 7/19-12/ 8/19: BlockSys, International Conference on Blockchain and Trustworthy Systems, Guangzhou, China; http://blocksys.info/
12/16/19-12/19/19: ICISS, 15th International Conference on Information Systems Security, Hyderabad, India; http://idrbt.ac.in/ICISS-2019/
1/ 1/20: SP, 41st IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2020/ Submissions are due (rolling submission date)
1/ 6/20- 1/ 8/20: IFIP11.9-DF, 16th Annual IFIP WG 11.9 International Conference on
Digital Forensics, New Delhi, India; http://www.ifip119.org/
2/25/20: USENIX-Security, 29th USENIX Security Symposium, Boston, MA, USA; https://www.usenix.org/conference/usenixsecurity20/call-for-papers Submissions are due
2/23/20- 2/26/20: NDSS, Network and Distributed System Security Symposium, San Diego, CA, USA; https://www.ndss-symposium.org/ndss2020/call-for-papers/
5/18/20- 5/20/20: SP, 41st IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2020/
8/12/20- 8/14/20: USENIX-Security, 29th USENIX Security Symposium, Boston, MA, USA; https://www.usenix.org/conference/usenixsecurity20/call-for-papers

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers (new since Cipher E149)
___________________________________________________________________

SP 2020 41st IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 18-20, 2020. (Submissions are due first day of each month)
https://www.ieee-security.org/TC/SP2020/

Since 1980 in Oakland, the IEEE Symposium on Security and Privacy has been the premier forum for computer security research, presenting the latest developments and bringing together researchers and practitioners. We solicit previously unpublished papers offering novel research contributions in any aspect of security or privacy. Papers may present advances in the theory, design, implementation, analysis, verification, or empirical evaluation and measurement of secure systems.

Topics of interest include:
 - Access control and authorization
 - Anonymity
 - Application security
 - Attacks and defenses
 - Authentication
 - Blockchains and distributed ledger security
 - Censorship resistance
 - Cloud security
 - Cyber physical systems security
 - Distributed systems security
 - Economics of security and privacy
 - Embedded systems security
 - Forensics
 - Hardware security
 - Intrusion detection and prevention
 - Malware and unwanted software
 - Mobile and Web security and privacy
 - Language-based security
 - Machine learning and AI security
 - Network and systems security
 - Privacy technologies and mechanisms
 - Protocol security
 - Secure information flow
 - Security and privacy for the Internet of Things
 - Security and privacy metrics
 - Security and privacy policies
 - Security architectures
 - Usable security and privacy
 - Trustworthy computing
 - Web security

This topic list is not meant to be exhaustive; S&P is interested in all aspects of computer security and privacy. Papers without a clear application to security or privacy, however, will be considered out of scope and may be rejected without full review.

Systematization of Knowledge Papers

As in past years, we solicit systematization of knowledge (SoK) papers that evaluate, systematize, and contextualize existing knowledge, as such papers can provide a high value to our community. Suitable papers are those that provide an important new viewpoint on an established, major research area, support or challenge long-held beliefs in such an area with compelling evidence, or present a convincing, comprehensive new taxonomy of such an area. Survey papers without such insights are not appropriate. Submissions will be distinguished by the prefix "SoK:" in the title and a checkbox on the submission form.
They will be reviewed by the full PC and held to the same standards as traditional research papers, but they will be accepted based on their treatment of existing work and value to the community, and not based on any new research results they may contain. Accepted papers will be presented at the symposium and included in the proceedings. Workshops The Symposium is also soliciting submissions for co-located workshops. Further details on submissions can be found at https://www.ieee-security.org/TC/SP2020/workshops.html. Ongoing Submissions To enhance the quality and timeliness of the scientific results presented as part of the Symposium, and to improve the quality of our reviewing process, IEEE S&P now accepts paper submissions 12 times a year, on the first of each month. The detailed process can be found at the conference call-for-papers page. ------------------------------------------------------------------------- GameSec 2019 10th Conference on Decision and Game Theory for Security, Stockholm, Sweden, October 30 - November 1, 2019. (Submissions are due 3 June 2019) http://www.gamesec-conf.org/index.php As we close the second decade of the 21st century, modern societies are becoming dependent on information, automation, and communication technologies more than ever. Managing security in the resulting systems, many of which are safety critical, poses significant challenges. The 10th Conference on Decision and Game Theory for Security focuses on protection of heterogeneous, large-scale and dynamic cyber-physical systems as well as managing security risks faced by critical infrastructures through rigorous and practically-relevant analytical methods. GameSec 2019 invites novel, high-quality theoretical and practically-relevant contributions, which apply decision and game theory, as well as related techniques such as optimization, machine learning, dynamic control and mechanism design, to build resilient, secure, and dependable networked systems. 
The goal of GameSec 2019 is to bring together academic and industrial researchers in an effort to identify and discuss the major technical challenges and recent results that highlight the connections between game theory, control, distributed optimization, machine learning, economic incentives and real-world security, reputation, trust and privacy problems. Topics of interest include: - Game theory, control, and mechanism design for security and privacy - Decision making for cybersecurity and security requirements engineering - Security and privacy for the Internet-of-Things, cyber-physical systems, cloud computing, resilient control systems, and critical infrastructure - Pricing, economic incentives, security investments, and cyber insurance for dependable and secure systems - Risk assessment and security risk management - Security and privacy of wireless and mobile communications, including user location privacy - Socio-technological and behavioral approaches to security - Empirical and experimental studies with game, control, or optimization theory-based analysis for security and privacy - Adversarial Machine Learning and the role of AI in system security ------------------------------------------------------------------------- MLCS 2019 1st Workshop on Machine Learning for CyberSecurity, Co-located with the European Conference on Machine Learning and Principles and Practice of Knowledge Discovery in Databases (ECMLPKDD 2019), Wurzburg, Germany, September 20, 2019. (Submissions are due 7 June 2019) http://mlcs.lasige.di.fc.ul.pt/ The last decade has been a critical one regarding cybersecurity, with studies estimating the cost of cybercrime to be up to 0.8 percent of the global GDP. The capability to detect, analyse, and defend against threats in (near) real-time conditions is not possible without employing machine learning techniques and big data infrastructures. 
This gives rise to cyberthreat intelligence and analytic solutions, such as (informed) machine learning on big data and open-source intelligence, to perceive, reason, learn, and act against cyber adversary techniques and actions. Moreover, organisations' security analysts have to manage and protect systems and deal with the privacy and security of all personal and institutional data under their control. The aim of this workshop is to provide researchers with a forum to exchange and discuss scientific contributions, open challenges and recent achievements in machine learning and their role in the development of secure systems. ------------------------------------------------------------------------- ISPEC 2019 15th International Conference on Information Security Practice and Experience, Kuala Lumpur, Malaysia, November 26-28, 2019. (Submissions are due 8 June 2019) http://ccs.research.utar.edu.my/ispec2019/ The main goal of the conference is to promote research on new information security technologies, including their applications and their integration with IT systems in various vertical sectors. 
Areas of interest for ISPEC 2019 include, but are not limited to: - Cryptology - Applied cryptography - Mobile security - Cloud security - Access control - Privacy enhanced technology - Viruses and malware - Software security - Database security - Web security - Operating system security - Intrusion detection - Big data security and privacy - Biometric Security - Implementation - Network security - Key management - Security and privacy in ubiquitous computing - Formal methods for security - Digital forensics - Security for critical infrastructures - Embedded systems security - Lightweight security - Smart grid security - Cyber security for urban transportation - Cyber-physical security - Cryptocurrency ------------------------------------------------------------------------- NDSS 2020 Network and Distributed System Security Symposium, San Diego, CA, USA, February 23-26, 2020. (Submissions are due 14 June 2019 and 13 September 2019) https://www.ndss-symposium.org/ndss2020/call-for-papers/ The Network and Distributed System Security Symposium (NDSS) is a top venue that fosters information exchange among researchers and practitioners of computer, network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of practical security technologies. Technical papers and panel proposals are solicited. Authors are encouraged to write the abstract and introduction of their paper in a way that makes the results accessible and compelling to a general computer-security researcher. All submissions will be reviewed by the Program Committee and accepted submissions will be published by the Internet Society in the Proceedings of NDSS 2020. The Proceedings will be made freely accessible from the Internet Society webpages. 
Furthermore, permission to freely reproduce all or parts of papers for noncommercial purposes is granted provided that copies bear the Internet Society notice included in the first page of the paper. The authors are therefore free to post the camera-ready versions of their papers on their personal pages and within their institutional repositories. Reproduction for commercial purposes is strictly prohibited and requires prior consent. Paper Submission Information: New Submission Model: NDSS will have two review cycles in 2020: the first (Summer) with a submission deadline of June 14, 2019, and the second (Fall) with a submission deadline of September 13, 2019. All submissions must be received by 11:59 PM AoE (UTC-12) on the day of the corresponding deadline. ------------------------------------------------------------------------- ETAA 2019 2nd International Workshop on Emerging Technologies for Authorization and Authentication, Held in conjunction with ESORICS 2019, Luxemburg, September 23-27, 2019. (Submissions are due 15 June 2019) https://www.iit.cnr.it/etaa2019/index.html IT devices are day-by-day becoming more pervasive in several application fields and in the everyday life. The major driving factors are the ever increasing coverage of the Internet connectivity, the extreme popularity and capillarity of smartphones, tablets and wearables, together with the consolidation of the Internet of Things (IoT) paradigm. As a matter of fact, interconnected devices directly control and take decisions on industrial processes, regulate infrastructures and services in smart-cities, and manage quality-of-life and safety in smart-homes, taking decisions with user interactions or even autonomously. 
The involvement of these devices in so many applications, unfortunately introduces a set of unavoidable security and safety implications, related to both the criticality of the aforementioned applications and to the privacy of sensitive information produced and exploited in the process. To address these and other related issues, there is an increasing need of instruments to control the access and the right to perform specific actions on devices or data. These instruments need to be able to cope with the high complexity of the considered applications and environments, being flexible and adaptable to different contexts and architectures, from centralized to fully-distributed, able to handle a high amount of information as well as taking into account non-conventional trust assumptions. The considered technologies should regulate the actions of both human users and autonomous devices, being effective in enforcing security policies, still without introducing noticeable overhead, both on the side of performance and user experience. Hence, the design of secure and efficient mechanisms for continuous authentication, requiring limited-to-no active interaction is solicited. The ETAA workshop aims at being a forum for researchers and practitioners of security active in the field of new technologies for authenticating users and devices, and enforce security policies in new and emerging applications related to mobile/wearable devices and IoT. ------------------------------------------------------------------------- DPM 2019 14th International Workshop on Data Privacy Management, Co-located with ESORICS 2019, Luxembourg, September 26-27, 2019. (Submissions are due 17 June 2019) http://deic.uab.cat/conferences/dpm/dpm2019/ DPM is an annual international workshop covering research in data privacy management. The aim of this workshop is to discuss and exchange the ideas related to data privacy management. 
We invite papers from researchers and practitioners working in privacy, security, trustworthy data systems and related areas to submit their original papers in this workshop. Submissions by PhD students as well as controversial ideas are encouraged. Case studies (successful or not) are also encouraged. ------------------------------------------------------------------------- CyberICPS 2019 5th Workshop on the Security of Industrial Control Systems and of Cyber-Physical Systems, Luxembourg, Luxembourg, September 23-27, 2019. (Submissions are due 24 June 2019) https://www.ds.unipi.gr/cybericps2019/ CyberICPS is the result of the merging of the CyberICS and WOS-CPS workshops that were held for the first time in conjunction with ESORICS 2015. Cyber-physical systems (CPS) are physical and engineered systems that interact with the physical environment, whose operations are monitored, coordinated, controlled and integrated by information and communication technologies. These systems exist everywhere around us, and range in size, complexity and criticality, from embedded systems used in smart vehicles, to SCADA systems in smart grids to control systems in water distribution systems, to smart transportation systems, to plant control systems, engineering workstations, substation equipment, programmable logic controllers (PLCs), and other Industrial Control Systems (ICS). These systems also include the emerging trend of Industrial Internet of Things (IIoT) that will be the central part of the fourth industrial revolution. As ICS and CPS proliferate, and increasingly interact with us and affect our life, their security becomes of paramount importance. CyberICPS intends to bring together researchers, engineers and governmental actors with an interest in the security of ICS and CPS in the context of their increasing exposure to cyber-space, by offering a forum for discussion on all issues related to their cyber security. 
-------------------------------------------------------------------------
ACM Transactions on Cyber-Physical Systems (TCPS), Special Issue on Security and Privacy for Connected Cyber-Physical Systems, (Submissions are due 30 June 2019)
https://tcps.acm.org/special_issue_security_privacy.cfm
Guest Editors: Moreno Ambrosin (Intel Labs, USA), Mauro Conti (University of Padua, Italy), Riccardo Lazzeretti (Sapienza University of Rome, Italy), and Chia-Mu Yu (National Chung Hsing University, Taiwan).
This special issue focuses on security & privacy aspects of emerging trends and applications involving Machine-to-Machine Cyber Physical Systems (M2M CPSs) in both generic and specific domains of interest, such as, but not limited to, Safety-Critical Infrastructures, Autonomous Systems, Smart Cities, Intelligent Vehicles, Smart-Health, etc. We invite original research articles proposing innovative solutions to improve IoT security and privacy, taking into account the low resource characteristics of CPS components, the distributed nature of CPSs, and connectivity constraints of IoT devices. Special topics include, but are not limited to, the following:
- Machine learning-enabled security solutions for M2M CPS
- Blockchain-based privacy and security solutions for M2M CPS
- Trusted and verifiable computation in CPS devices
- Attestation of IoT devices and IoT swarms
- M2M CPS digital forensic
- Privacy preserving and Secure Multiparty Computation applications for M2M CPS
- Lightweight secure protocol for CPS
-------------------------------------------------------------------------
IDSC 2019 IEEE Conference on Dependable and Secure Computing, Hangzhou, China, November 18-20, 2019.
(Submissions are due 30 June 2019) https://conference.cs.cityu.edu.hk/dsc2019/ The IEEE Conference on Dependable and Secure Computing (IDSC) solicits papers, posters, practices, and experiences for presenting innovative research results, problem solutions, and new challenges in the field of dependable and secure computing. The whole spectrum of IT systems and application areas, including hardware design and software systems, with stringent relevant to dependability and security concerns are of interest to IDSC. Authors are invited to submit original works on research and practice of creating, validating, deploying, and maintaining dependable and secure systems. The IDSC conference will also include a submission category for experience and practice papers on new findings in the aforementioned topics. The PC will evaluate a submission to the experience and practice track with the understanding that it predominantly contributes to design knowhow or the extension of the community's knowledge about how the security protection of known techniques fares in real-world operations. ------------------------------------------------------------------------- ICISS 2019 15th International Conference on Information Systems Security, Hyderabad, India, December 16-19, 2019. (Submissions are due 12 July 2019) http://idrbt.ac.in/ICISS-2019/ The International Conference on Information Systems Security (ICISS) is a 15-year old forum for the dissemination of research results related to all areas of computer security and privacy. The conference is held annually in India. ICISS solicits previously unpublished research in all areas of security and privacy including building, experimenting with and attacking secure systems, techniques and tools for security analysis and theoretical topics related to security. We encourage submissions from academia, industry and government. 
-------------------------------------------------------------------------
USENIX-Security 2020 29th USENIX Security Symposium, Boston, MA, USA, August 12-14, 2020. (Submissions are due 15 May 2019, 23 August 2019, 15 November 2019, and 15 February 2020)
https://www.usenix.org/conference/usenixsecurity20/call-for-papers
The USENIX Security Symposium brings together researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in the security and privacy of computer systems and networks. All researchers are encouraged to submit papers covering novel and scientifically significant practical works in computer security. The Symposium will span three days with a technical program including refereed papers, invited talks, posters, panel discussions, and Birds-of-a-Feather sessions. Co-located events will precede the Symposium on August 10 and 11.
-------------------------------------------------------------------------
ACM-CCS 2019 26th ACM Conference on Computer and Communications Security, London, United Kingdom, November 11-15, 2019. (Submission Due 31 January 2019, 15 May 2019, 1 September 2019)
http://www.sigsac.org/ccs/CCS2019/
The ACM Conference on Computer and Communications Security (CCS) is the flagship annual conference of the Special Interest Group on Security, Audit and Control (SIGSAC) of the Association for Computing Machinery (ACM). The conference brings together information security researchers, practitioners, developers, and users from all over the world to explore cutting-edge ideas and results. It provides an environment to conduct intellectual discussions. From its inception, CCS has established itself as a high standard research conference in its area. The Conference on Computer and Communications Security (CCS) seeks submissions presenting novel contributions related to all real-world aspects of computer security and privacy.
Theoretical papers must make a convincing case for the relevance of their results to practice. Authors are encouraged to write the abstract and introduction of their paper in a way that makes the results accessible and compelling to a general computer-security researcher. In particular, authors should bear in mind that anyone on the program committee may be asked to give an opinion about any paper. IMPORTANT: CCS will have three review cycles in 2019: the first with a submission deadline of January 31, the second with a submission deadline of May 15, and the third with a tentative submission deadline of September 1. The third review cycle is only for papers invited for resubmission from the first two cycles; no new submissions will be considered. Papers rejected from the first review cycle may not be submitted again (even in revised form) to the second review cycle. ------------------------------------------------------------------------- BlockSys 2019 International Conference on Blockchain and Trustworthy Systems, Guangzhou, China, December 7-8, 2019. (Submissions are due 1 September 2019) http://blocksys.info/ Blockchain has become a hot research area in academia and industry. The blockchain technology is transforming industries by enabling anonymous and trustful transactions in decentralized and trustless environments. As a result, blockchain technology and other technologies for developing trustworthy systems can be used to reduce system risks, mitigate financial fraud and cut down operational cost. Blockchain and trustworthy systems can be applied to many fields, such as financial services, social management and supply chain management. This conference provides scientists and engineers from both industry and academia a platform to present their ongoing work, relate their research outcomes and experiences, and discuss the best and most efficient techniques for the development of blockchain and trustworthy systems. 
------------------------------------------------------------------------- IFIP11.9-DF 2020 16th Annual IFIP WG 11.9 International Conference on Digital Forensics, New Delhi, India, January 6-8, 2020. (Submissions are due 15 September 2019) http://www.ifip119.org/ The IFIP Working Group 11.9 on Digital Forensics (www.ifip119.org) is an active international community of scientists, engineers and practitioners dedicated to advancing the state of the art of research and practice in digital forensics. The Sixteenth Annual IFIP WG 11.9 International Conference on Digital Forensics will provide a forum for presenting original, unpublished research results and innovative ideas related to the extraction, analysis and preservation of all forms of electronic evidence. Papers and panel proposals are solicited. All submissions will be refereed by a program committee comprising members of the Working Group. Papers and panel submissions will be selected based on their technical merit and relevance to IFIP WG 11.9. The conference will be limited to approximately 100 participants to facilitate interactions between researchers and intense discussions of critical research issues. Keynote presentations, revised papers and details of panel discussions will be published as an edited volume - the sixteenth volume in the well-known Research Advances in Digital Forensics book series (Springer, Cham, Switzerland) during the summer of 2020. Technical papers are solicited in all areas related to the theory and practice of digital forensics. 
Areas of special interest include, but are not limited to: - Theories, techniques and tools for extracting, analyzing and preserving digital evidence - Enterprise and cloud forensics - Embedded device forensics - Internet of Things forensics - Digital forensic processes and workflow models - Digital forensic case studies - Legal, ethical and policy issues related to digital forensics ------------------------------------------------------------------------- Springer Human-centric Computing and Information Sciences, Thematic Issue on Security, trust and privacy for Human-centric Internet of Things, (Submissions are due 30 November 2019) https://toit.acm.org/pdf/ACM-ToIT-CfP-Decentralized_Blockchain_Applications.pdf Guest Editors: Kim-Kwang Raymond Choo (University of Texas at San Antonio, USA), Uttam Ghosh (Vanderbilt University, USA), Deepak Tosh (University of Texas El Paso, USA), Reza M. Parizi (Kennesaw State University, USA), and Ali Dehghantanha (University of Guelph, Canada). Cyber-physical system (CPS) integrates both cyber world and man-made physical world using sensors, actuators and other Internet of Things (IoT) devices, to achieve stability, security, reliability, robustness, and efficiency in a tightly coupled environment. Prevalence of such cyber-physical ecosystem (inherently of distributed nature) imposes exacting demands on architect models and necessitates the design of distributed solutions and other novel approaches. This is essential in order to suitably address the security and privacy concerns since CPS ecosystem involves humans as a part of its core. Blockchain technology offers a distributed and scalable solution to maintain a tamper-resistant ledger, which does not require a central authority. Thus, it can best fit the need of distributed solution to above mentioned security issues in CPS. 
However, the challenge in integrating Blockchain with CPS is yet to be addressed, which requires various cyber-physical nodes to work effectively and collaboratively in an asynchronous environment. The goal of this special issue is to bring together researchers from different sectors to focus on understanding security challenges and attack surfaces of modern cyber-physical systems, and architect innovative solutions with the help of cutting-edge blockchain related technologies. Potential topics include but are not limited to the following:
- Blockchain and mobile systems
- Security of transportation system using blockchain
- Use of blockchain to support mobile smart services and applications
- Blockchain in edge and cloud computing
- Blockchain schemes for decentralized secure transaction
- Distributed ledger and consensus schemes for CPS
- Performance optimization of blockchain and decentralized schemes
- Energy aware protocols and blockchain applications
- Fault tolerance and blockchain for CPS
- Decentralized (mobile) processing, computing, and storage infrastructure
- Blockchain for Software-defined networking based CPS
- Cybersecurity, protection, integrity, trust and privacy issues for SDN-based CPS
- Blockchain and smart contracts for CPS security
-------------------------------------------------------------------------
The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html
The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html
Cipher calendar entries are announced on Twitter; follow ciphernews
Requests for inclusion in the list should be sent per instructions: http://www.ieee-security.org/Calendar/submitting.html
====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________ Information for Subscribers and Contributors ____________________________________________________________________ SUBSCRIPTIONS: Two options, each with two options: 1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe". OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself) 2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard". OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself) To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. 
To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________
Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html
_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________
You may easily join the TC on Security & Privacy (or other TCs) by completing the on-line form at IEEE at https://www.computer.org/web/tandc/technical-committees
______________________________________________________________________
TC Conference Publications Online
______________________________________________________________________
The proceedings of previous conferences are available from the Computer Society's Digital Library.
IEEE Security and Privacy Symposium
IEEE Computer Security Foundations
IEEE European Security and Privacy Symposium
From 2012 onward, these are available without charge from the digital library 12 months after the conference.
____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________
Chair:
Sean Peisert
UC Davis and Lawrence Berkeley National Laboratory
speisert@ucdavis.edu

Security and Privacy Symposium Chair Emeritus:
Jason Li
Intelligent Automation
oakland18-chair@ieee-security.org

Vice Chair:
Ulfar Erlingsson
Manager, Security Research
Google
tcchair at ieee-security.org

Treasurer:
Yong Guan
3219 Coover Hall
Department of Electrical and Computer Engineering
Iowa State University, Ames, IA 50011
(515) 294-8378
yguan (at) iastate.edu

Newsletter Editor
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2019 Chair:
Mark Gondree
Sonoma State University
oakland19-chair@ieee-security.org

TC Awards Chair
EJ Jung
UCSF
ejun2 @ usfca.edu
https://www.usfca.edu/faculty/eunjin-ej-jung
____________________________________________________________________________
BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year