Electronic Issue (EI) #62,  September 19, 2004

Contents:

• Letter from the Editor 
   

• Jon Millen's review of the 17th Computer Security Foundations Workshop

• Robert Bruen's review of Cracking Uncovered: Protection against Unsanctioned CD Copying by Kris Kaspersky

• Robert Bruen's review of The Tao of Network Security Monitoring. Beyond Intrusion Detection by Richard Bejtlich

• Dawn Cappelli of CERT/CC's article about the CERT/CC Insider Threat Study

• News Items:  Announcements and correspondence from readers (please contribute!)

  • DHS Cyber Security Research Funding Opportunities
  • From Computerworld: DHS moves ahead with cybersecurity R&D efforts
  • Amazon's Search History Service
    
  • Privacy Complaint Against Airline Dismissed
    
  • Spycam May Be Watching You Work
    
  • ISP Telenor Cripples Zombie PC Network
    
  • Microsoft Security Bulletin MS04-028, JPEG Processing
    
• Conference and Workshop Announcements

  • Cipher calls-for-papers and calendar
      new calls or announcements added since Cipher E61 (the calls-for-papers and the calendar announcements may differ slightly in content or time of update): 

  • 9/20/04- 9/23/04: New Security Paradigms Workshop, NSPW, Nova Scotia, Canada
  • 9/20/04- 9/22/04: Workshop on Elliptic Curve Cryptography, ECC, University Bochum, Germany;
  • 9/20/04- 9/25/04: Specification and Automated Processing of Security Requirements, SAPS, Linz, Austria;
  • 9/20/04: Workshop on Safety, Reliability, and Security of Industrial Computer Systems, WSRS, University of Ulm, Germany
  • 9/23/04- 9/24/04: Workshop on Secure Knowledge Management, SKM, Amherst, NY; information shambhu@acsu.buffalo.edu
  • 9/27/04- 9/29/04: Information Security Conference, ISC, Palo Alto, CA
  • 9/30/04: Workshop on Issues in the Theory of Security, WITS, Long Beach, California;
  • 10/ 1/04: Workshop on Wireless Security, WiSe, Philadelphia, PA;
  • 10/22/04: Usenix Annual Techncial Conference, USENIX, Anaheim, CA, Submissions are due; usenix05chair@usenix.org;
  • 10/25/04-10/29/04: CCS-11, Washington DC, ACM Conference On Computer And Communications Security
  • 10/25/04: Security of Ad Hoc and Sensor Networks, SASN, Washington, DC;
  • 10/25/04: Deter Laboratory Experimenters' Workshop, DETER, Washington, DC
  • 10/27/04-10/29/04: International Conference on Information and Communications Security, ICICS, Malaga, Spain
  • 10/28/04: Workshop on Privacy in the Electronic Society, WPES, Washington, DC
  • 10/29/04: 4th Annual PKI R&D Workshop: Multiple Paths to Trust, NISTPKI, Gaithersburg, MD; submissions are due; pkichairs@internet2.edu
  • 11/ 1/04: Workshop on Privacy and Security Aspects of Data Mining (in conjunction with ICDM) ICDM-PSA, Brighton, UK
  • 11/ 1/04: Verification of Infinite State Systems with Application to Security, VISSAS, Timisoara, Romania
  • 11/ 4/04-11/ 5/04: Nordic Workshop on Secure IT Systems, Nordsec, Espoo, Finland;
  • 11/ 5/04: Oakland Snp, Berkeley/Oakland, CA; papers are due; srt@cs.unt.edu
  • 11/ 7/04: Trust, Security, and Reputation on the Semantic Web, TSRSW; Hiroshima, Japan;
  • 11/ 8/04: Information Assurance Workshop, IWIA, Washington, DC; conf website; Submissions are due; IWIA2005@IGD.FHG.DE
  • 11/14/04-11/19/04: Large Installation System Administration Conference, LISA, Atlanta, GA;
  • 11/16/04-11/18/04: Conference on Local Computer Networks, LCN, Tampa, Florida
  • 12/ 6/04-12/10/04: Annual Computer Security Applications Conference, 20th ACSAC, Tucson, Arizona
  • 12/10/04: Workshop on Policies, Policy, Stockholm, Sweden; submissions are due

  • Calls for Papers, new since Cipher 61

  • WITS'05 Workshop on Issues in the Theory of Security, Long Beach, California (co-located with POPL'05), January 10-11, 2005.
    (Submission due 30 September 2004)
    WITS is the official workshop organised by the IFIP WG 1.7 on "Theoretical Foundations of Security Analysis and Design", established to promote the investigation on the theoretical foundations of security, discovering and promoting new areas of application of theoretical techniques in computer security and supporting the systematic use of formal techniques in the development of security related applications. The members of WG hold their annual workshop as an open event to which all researchers working on the theory of computer security are invited. This is the fourth workshop of the series. We are seeking sponsorship from ACM SIGPLAN, and plan to be organized in cooperation with GI working group FoMSESS. Proceedings from of the workshop will be published in the ACM Digital Library. We are also planning a special issue of the Journal of Computer Security on the workshop.

    Suggested submission topics include:

    • formal definition and verification of the various aspects of security: confidentiality, privacy, integrity, authentication and availability;
    • new theoretically-based techniques for the formal analysis and design of cryptographic protocols and their manifold applications (e.g., electronic commerce);
    • information flow modelling and its application to the theory of confidentiality policies, composition of systems, and covert channel analysis
    • formal techniques for the analysis and verification of code security, including mobile code security;
    • formal analysis and design for prevention of denial of service.
    • security in real-time/probabilistic systems
    • language-based security
  • USENIX2005 USENIX Annual Technical Conference, Anaheim, CA, USA, April 10-15, 2005. (submissions due 22 October 2004) [posted here 9/13/04]
    The 2005 USENIX Annual Technical Conference General Session Program Committee seeks original and innovative papers about modern computing systems, emphasizing implementations with measured results.

    Specific topics of interest include, but are not limited to:

    • Benchmarking
    • Deployment experience
    • Distributed and parallel systems
    • Embedded systems
    • Energy/power management
    • File and storage systems
    • Networking and network services
    • Operating systems
    • Reliability and availability
    • Security, privacy, and trust
    • Self-managing systems
    • Usage studies and workload characterization
    • Virtual machines
    • Web technology
    • Wireless and mobile systems
    The FREENIX track also has a call on open source software. For more info, please see the USENIX page at: http://www.usenix.org/events/usenix05/cfp/freenix.html
  • PKI R&D Workshop 4th Annual PKI R&D Workshop - Multiple Paths to Trust, NIST, Gaithersburg, MD, USA, April 19-21, 2005. (submissions due 29 October 2004) [posted here 09/07/04]
    This workshop considers the full range of public key technology used for security decisions and supporting functionalities, including authentication, authorization, identity (syndication, federation, and aggregation), and trust. This year, the workshop has a particular interest in how PKI and emerging trust mechanisms will interact with each other at technical, policy and user levels to support trust models that lack a central authority. This workshop has three goals:

    1. Explore the current state of public key technology and emerging trust mechanisms in different domains including web services; grid technologies; authentication systems, et. al., in academia, research, government, and industry.

    2. Share & discuss lessons learned and scenarios from vendors and practitioners on current deployments.

    3. Provide a forum for leading security researchers to explore the issues relevant to PKI space in areas of security management, identity, trust, policy, authentication, and authorization.

  • ISPEC2005 The First Information Security Practice and Experience Conference, Singapore, April 11-14, 2005. (submissions due 1 November 2004) [posted here 7/19/04]
    ISPEC is intended to be an annual conference that brings together researchers and practitioners to provide a confluence of new information security technologies, their applications and their integration with IT systems in various vertical sectors. Authors are invited to submit full papers presenting new research results related to information security technologies and applications.

    Areas of interest include, but are not limited to:

    • Applications of cryptography
    • Critical infrastructure protection
    • Digital rights management
    • Economic incentives for deployment of information security systems
    • Information security in vertical applications
    • Legal and regulatory issues
    • Privacy and anonymity
    • Risk evaluation and security certification
    • Resilience and availability
    • Secure system architectures
    • Security policy
    • Security standards activities
    • Trust model and management
    • Usability aspects of information security systems
  • Oakland2005 The 2005 IEEE Symposium on Security and Privacy, The Claremont Resort, Berkeley/Oakland, California, USA, May 8-11, 2005. (Submissions due 5 November 2004) [posted here 9/7/04]
    Since 1980, the IEEE Symposium on Security and Privacy has been the premier forum for the presentation of developments in computer security and electronic privacy, and for bringing together researchers and practitioners in the field. Previously unpublished papers offering novel research contributions in any aspect of computer security or electronic privacy are solicited for submission to the 2005 symposium. Papers may represent advances in the theory, design, implementation, analysis, or empirical evaluation of secure systems, either for general use or for specific application domains. Topics of interest include, but are not limited to, the following:
    • Access Control and Audit
    • Anonymity and Pseudonymity
    • Authentication
    • Automated Security Analysis
    • Biometrics
    • Data Integrity
    • Database Security
    • Denial of Service
    • Distributed Systems Security
    • Electronic Privacy
    • Forensics
    • Information Flow
    • Intrusion Detection and Defense
    • Language-Based Security
    • Mobile Code and Agent Security
    • Network Security
    • Secure Hardware and Smartcards
    • Security Engineering
    • Security in Heterogeneous and Large-scale Environments
    • Security of Mobile Ad-Hoc Networks
    • Security Protocols
    • Security Verification
    • Viruses, Worms, and Other Malicious Code

  • DSN2005 The International Conference on Dependable Systems and Networks, Pacific Convention Center (Pacifico), Yokohama, Japan, June 28 - July 1,2005. (Submission due 19 November 2004) [posted here 9/11/04]
    The International Conference on Dependable Systems and Networks 2005(DSN-2005) announces its Call for Contributions for full papers, practical experience reports, workshop proposals, tutorials, student forum, and fast abstracts. Full papers are due November 19th, 2004. Please see www.dsn.org for submission information. Contributions are invited in, but are not limited to:

    • Analytical and Simulation Techniques for Performance and Dependability Assessment
    • Architectures for Dependable Computer Systems
    • Dependability Benchmarking
    • Dependability of High-Speed Networks and Protocols
    • Dependability Modeling and Prediction
    • Dependability in VLSI
    • E-commerce Dependability
    • Fault Tolerance in Transaction Processing
    • Fault Tolerance in Distributed & Real-Time Systems
    • Fault Tolerance in Multimedia Systems
    • Fault Tolerance in Mobile Systems
    • Information Assurance and Survivability
    • Internet Dependability and Quality of Service
    • Intrusion Tolerant Systems
    • Measurement Techniques for Performance and Dependability Assessment
    • Safety-Critical Systems
    • Software Testing, Validation, and Verification
    • Software Reliability
    • Tools for Performance and Dependability Assessment

  • POLICY2005 6th IEEE International Workshop on Policies for Distributed Systems and Networks, Stockholm, Sweden, June 6-8, 2005. (submissions due 10 December 2004) [posted here 09/07/04]
    The policy workshop aims to bring together researchers and practitioners working on policy-based systems across a wide range of application areas including policy-based networking, security management, storage area networking, and enterprise systems. Policy 2005 is the 6th in a series of successful workshops which since 1999 have provided a forum for discussion and collaboration between researchers, developers and users of policy-based systems. This year, in addition to the latest research results from the communities working in the areas mentioned above, we encourage contributions on policy-based techniques in support of: On-demand computing/Utility Computing, SLA/Contract based Management, Virtualization and Policy-based collaboration.

    As in the previous three years the policy workshop will be co-located with SACMAT 2005.

  • 10th ACM Symposium on Access Control Models and Technologies, Scandic Hasselbacken, Stockholm, Sweden, June 1-3 , 2005. (submissions due 15 December 2004) [posted here 09/09/04]
    Papers offering novel research contributions in any aspect of access control are solicited for submission to the Tenth ACM symposium on access control models and technologies (SACMAT). SACMAT 2005 is the fifth of a successful series of symposiums that continue the tradition, first established by the ACM Workshop on Role-Based Access Control, of being the premier forum for presentation of research results and experience reports on leading edge issues of access control, including models, systems, applications, and theory. The missions of the symposium are to share novel access control solutions that fulfill the needs of heterogeneous applications and environments and to identify new directions for future research and development. SACMAT gives researchers and practitioners a unique opportunity to share their perspectives with others interested in the various aspects of access control.

    The SACMAT workshop will be co-located with POLICY 2005.

  • PET2005 5th Workshop on Privacy Enhancing Technologies, Dubrovnik, Croatia, May 30-June 1, 2005. (Submissions due 7 February 2005) [posted here 9/14/04]
    Privacy and anonymity are increasingly important in the online world. Corporations, governments, and other organizations are realizing and exploiting their power to track users and their behavior, and restrict the ability to publish or retrieve documents. Approaches to protecting individuals, groups, but also companies and governments from such profiling and censorship include decentralization, encryption, distributed trust, and automated policy disclosure.

    This 5th workshop addresses the design and realization of such privacy and anti-censorship services for the Internet and other communication networks by bringing together anonymity and privacy experts from around the world to discuss recent advances and new perspectives.

    The workshop seeks submissions from academia and industry presenting novel research on all theoretical and practical aspects of privacy technologies, as well as experimental studies of fielded systems. We encourage submissions from other communities such as law and business that present their perspectives on technological issues.

    Suggested topics include but are not restricted to:

    • Anonymous communications and publishing systems
    • Censorship resistance
    • Pseudonyms, identity management, linkability, and reputation
    • Data protection technologies
    • Location privacy
    • Policy, law, and human rights relating to privacy
    • Privacy and anonymity in peer-to-peer architectures
    • Economics of privacy
    • Fielded systems and techniques for enhancing privacy in existing systems
    • Protocols that preserve anonymity/privacy
    • Privacy-enhanced access control or authentication/certification
    • Privacy threat models
    • Models for anonymity and unobservability
    • Attacks on anonymity systems
    • Traffic analysis
    • Profiling and data mining
    • Privacy vulnerabilities and their impact on phishing and identity theft
    • Deployment models for privacy infrastructures
    • Novel relations of payment mechanisms and anonymity
    • Usability issues and user interfaces for PETs
    • Reliability, robustness and abuse prevention in privacy systems

  • The State of the Art of Stream Ciphers, Novotel Brugge Centrum, Brugge, Belgium, October 14-15, 2004 [posted here 09/07/04]
    The cryptographic community is well served by a variety of efficient and trusted block ciphers. Yet there remains only a limited selection of trusted, non-proprietary, and royalty-free stream ciphers. SASC is a special workshop that aims to provide a more complete understanding of the current state of stream cipher design and analysis. Sponsored by the ECRYPT Network of Excellence (http://www.ecrypt.eu.org) SASC will consider the current state of stream cipher knowledge. In particular it is hoped to expose new and existing stream cipher proposals, cryptanalytic tools, and design criteria to the wider attention of the cryptographic community.
  • PSDM04, ICDM Workshop on Privacy and Security Aspects of Data Mining, November 1, 2004, Brighton, UK. [posted here 8/4/04]
    The goal of this workshop is to discuss issues of privacy and security in data mining, synergize different views of techniques and policies, and brainstorm future research directions. Although techniques, such as random perturbation, cryptographic-based methods, and database inference control have been developed, many of the key problems still remain open in this area. Especially, new privacy and security issues have been identified, and the scope of this problem has been expanded. In addition to these existing technologies, people attempt to explore new approaches to tackle the problem.

    Furthermore, special techniques may be needed to deal with some data mining applications, such as privacy-preserving mining of imbalanced data, bioinformatics data, streaming data, etc. It would be valuable to both the privacy and security community and the data mining community to examine the progress achieved in this area. Researchers with interest in the areas of privacy and security as well as data mining and machine learning are strongly encouraged to attend the workshop.

    Topics of Interest

    • Privacy and security protection during the phase of data collection, including privacy and security policies, data ownership, identity theft protection.
    • Access control techniques and secure data models.
    • Secure learning algorithms for randomized/perturbed data.
    • Privacy-Preserving multi-party data mining.
    • Trust management for data mining.
    • Learning from imbalanced data, streaming data, and bioinformatics data
    • Trust management for data mining.
    • Learning from imbalanced data, streaming data, and bioinformatics data while preserving data privacy.
    • Inference/disclosure related data mining.
    • Privacy protection in E-Commerce.
    • Privacy laws for fraud detection and for protecting personal data, medical data, and the public release of data.
    • Secure link analysis and social network analysis.
    • Data mining applications for terrorist detection.
    • Privacy enhancement technologies in web environments.
    • Privacy guarantees and usability of perturbation and randomization techniques.
    • Analysis of confidentiality control methods.

  • AISW2005 Australasian Information Security Workshop - Digital Rights Management, January 31-February 3, 2005, University of Newcastle, UK. [posted here 8/4/04]
    The workshop seeks submissions from academia and industry presenting novel research on theoretical and practical aspects of DRM, as well as experimental studie and fielded systems. We encourage submissions from other communities such as law and business that present these communities' perspectives on technological issues. It is planned to publish accepted papers in the Conferences in Research and Practice in Information Technology series.
  • NDSS'05, The Internet Society 2005 Network and Distributed System Security Symposium, Catamaran Resort, San Diego, California, February 2-4, 2005. [posted here 7/19/04]
    This symposium will foster information exchange among researchers and practioners of network and distributed system security services. The intended audience includes those who are interested in the practical aspects of network and distributed system security, focusing on actual system design and implementation, rather than theory. A major goal of the symposium is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technology. The proceedings of the symposium will be published by the Internet Society. The Program Committee invites both technical papers and panel proposals. Submissions are solicited for, but are not limited to, the following topics:
    • Integrating security in Internet protocols: routing, naming, TCP/IP, multicast, network management, and the Web.
    • Intrusion avoidance, detection, and response: systems, experiences and architectures.
    • Privacy and anonymity technologies.
    • Network perimeter controls: firewalls, packet filters, application gateways.
    • Virtual private networks.
    • Public key infrastructure, key management, certification, and revocation.
    • Secure electronic commerce: e.g., payment, barter, EDI, notarization, timestamping, endorsement, and licensing.
    • Supporting security mechanisms and APIs; audit trails; accountability.
    • Implementation, deployment and management of network security policies.
    • Intellectual property protection: protocols, implementations, metering, watermarking, digital rights management.
    • Fundamental services on network and distributed systems: authentication, data integrity, confidentiality, authorization, non-repudiation, and availability.
    • Integrating security services with system and application security facilities and protocols: e.g., message handling, file transport/access, directories, time synchronization, data base management, boot services, mobile computing.
    • Security for emerging technologies: sensor networks, specialized testbeds, wireless/mobile (and ad hoc) networks, personal communication systems, peer-to-peer and overlay network systems.
    • Special problems and case studies: e.g., tradeoffs between security and efficiency, usability, reliability and cost.
    • Security for collaborative applications: teleconferencing and video-conferencing, electronic voting, groupwork, etc.
    • Software hardening: e.g., detecting and defending against software bugs (overflows, etc.)
  • TRECK-SAC2005 ACM Symposium on Applied Computing 2005 Trust, Recommendations, Evidence and other Collaboration Know-how (TRECK) Track, Santa Fe, New Mexico, USA, March 13-17, 2005 [posted here 7/19/04]
    The goal of the SAC 2005 TRECK track is to explore the set of applications that either benefit from the use of early trust-based mechanisms or could be enhanced by the integration of an advanced trust engine.

    The topics of interest include, but are not limited to:

    • Trust/risk-based security frameworks
    • Applications of trust management components
    • Improvement of recommender systems with adjunct trust/reputation
    • Trust-enhanced collaborative applications
    • Tangible guarantees given by formal models of trust and risk
    • Applications of formal models of trust and risk
    • Assessment and threat analysis of trust metrics
    • Pervasive computational trust and use of context-aware features
    • Trade-off between privacy and trust
    • Automated collaboration and trust negotiation
    • Integration of soft computing techniques in trust engines
    • Evidence gathering and management
    • Real world applications, running prototypes and advanced simulations
    • Applicability in large scale, open and decentralized environments
    • Representation, management and recognition of identities
    • Trust and reputation in virtual organizations
    • Legal and economic aspects related to the use of trust-based systems
    • User-studies of computational trust applications