Cipher Electronic Newsletter of the Technical Committe on Security & Privacy A Technical Committee of the Computer Society of the IEEE  Electronic Issue (EI) #63,  November 18, 2004 Hilarie Orman,  Editor Robert Bruen, Book Review Editor Sven Dietrich, Associate Editor Editor, Reader's Guide

Contents:

• Letter from the Editor 

• Commentary and Opinion

  • Robert Bruen's review of Steal This File Sharing Book. What They Won't Tell You About File Sharing by Wallace Wang

  • Robert Bruen's review of Security Sage's Guide to Hardening the Network Infrastructure by Steven Andres and Brian Kenyon

  • Robert Bruen's review of Open Source Security Tools. A Practical Guide to Security Applications by Tony Howlett

  • Terry Benzel's announcement of The DETER Network Security Testbed

  • Carrie Gate's announcement of The SiLK Suite of Netflow Tools

  • Sean Turner and Russ Housley's report on IETF Revises Cryptographic Message Syntax and Secure Multipurpose Internet Mail Extensions

  • Jason Holt's report on The Rise of Pairing-based Cryptography and Identity-Based Encryption

  • Book reviews from past Cipher issues

  • Conference Reports and Commentary from past Cipher issues

  • News items from past Cipher issues

• Conference and Workshop Announcements

  • Cipher calls-for-papers and calendar
    

    • 12/ 1/04: Cluster Security - The Paradigm Shift, Cardiff, UK; submissions are due, http://www.ncassr.org/projects/cluster-sec/ccgrid05/
    • 12/ 6/04-12/10/04: 20th Annual Computer Security Applications Conference Tucson, Arizona, http://www.acsac.org
    • 12/10/04: Workshop on Policies, Stockholm, Sweden; submissions are due; http://www.sics.se/policy2005/
    • 1/ 3/05- 1/ 6/05: HICSS-SSNS, Waikoloa, Hawaii http://www.hicss.hawaii.edu, information sprague@hawaii.edu
    • 1/ 5/05: Chapter proposals for Digital Crime book, submissions are due; http://cgi.di.uoa.gr/~nkolok/Idea.html
    • 1/ 7/05: Workshop on Trust, Security and Privacy for Ubiquitous Computing, Taormina, Italy, submissions are due, http://www.iit.cnr.it/TSPUC2005/>www.iit.cnr.it/TSPUC2005/
    • 1/10/05- 1/11/05: WITS, Long Beach, California; http://chacs.nrl.navy.mil/wits05 wits05chair@itd.nrl.navy.mil
    • 1/17/05: Information Hiding, Barcelona, Spain; http://kison.uoc.edu/IH05
    • 1/26/05: Applied Cryptography and Network Security, New York City, NY http://acns2005.cs.columbia.edu/cfp.html submissions are due
    • 1/28/05: Computer Security Foundations Workshop, Aix-en-Provence, France http://www.lif.univ-mrs.fr/CSFW18/ submissions are due; amadio@cmi.univ-mrs.fr
    • 1/31/05- 2/ 3/05: Australasian Information Security Workshop On Digital Rights Management, Newcastle, Australia http://www.cs.newcastle.edu.au/~acsw05
    • 2/ 3/05- 2/ 4/05: Network and Distributed System Security Symposium, San Diego, California; kseo@bbn.com http://
    • 2/ 3/05- 2/ 4/05: Workshop on Protocols for Fast Long-distance Networks. Lyon, France, http://www.ens-lyon.fr/LIP/RESO/pfldnet2005
    • 2/14/05- 2/18/05: RSA Conference, Cryptographers' Track, San Francisco, CA, http://www.rsasecurity.com/rsalabs/node.asp?id=2015
    • 2/25/05: Symposium on Usable Privacy and Security Pittsburgh, PA; http://cups.cs.cmu.edu/soups/ submissions are due
    • 2/25/05: Workshop on the Economics of Information Security, Cambridge, MA; http://www.infosecon.net/workshop/index.html
    • 2/28/05- 3/ 3/05: Financial Cryptography and Data Security Roseau, The Commonwealth Of Dominica; http://www.ifca.ai/fc05/
    • 3/13/05- 3/17/05: ACM SAC, Track on Trust, Recommendations, Evidence and other Collaboration Know-how; Santa Fe, NM; http://www.trustcomp.org/treck/, information sac.treck.info@trustcomp.org
    • 3/17/05- 3/22/05: Verification of Infinite State Systems with Application to Security Timisoara, Romania; http://vissas.ieat.ro/
    • 3/31/05- 4/ 1/05: Information Assurance Workshop, Washington, DC; http://iwia.org/2005/CfP_WS2005.html
    • 4/ 1/05: IEEE Internet Computing Special Issue on P2P and Ad Hoc Nets, submissions are due http://www.computer.org/internet/call4ppr.htm
    • 4/10/05- 4/15/05: Usenix Technical Conference. Anaheim, CA http://www.usenix.org/events/usenix05/cfp/general.html
    • 4/19/05- 4/21/05: 4th Annual PKI R&D Workshop: Multiple Paths to Trust Gaithersburg, MD; http://middleware.internet2.edu/pki05/
    • 5/ 8/05- 5/11/05: IEEE Symposium on Security and Privacy Berkeley/Oakland, CA; http://www.ieee-security.org/TC/SP-Index.html srt@cs.unt.edu
    • 5/10/05: Cluster Security - The Paradigm Shift, ClusterSec, Cardiff, UK, http://www.ncassr.org/projects/cluster-sec/ccgrid05/
    • 
      Calls for Papers, new since Cipher 62

    • IEEE Internet Computing, Special Security for P2P and Ad Hoc Networks Issue, November/December 2005. (Submission due 1 April 2005)
      Guest editors: Shiuhpyng Shieh (National Chiao Tung University) and Dan Wallach (Rice University)

      As the number of individual computing devices and the demand for mobility continue to grow, peer-to-peer (P2P) systems and ad hoc networks will become increasingly popular. Indeed, they are likely to become integral to the future computing and networking infrastructure.

      P2P systems create application-level virtual networks with their own routing mechanisms; they enable large numbers of computers to share information and resources directly, without dedicated central servers. Ad hoc networks allow mobile hosts, mobile devices, and sensor nodes to communicate when no fixed infrastructure is available.

      Although P2P systems and ad hoc networks make communication and resource sharing more convenient, however, they also introduce new security challenges due to inherent aspects such as dynamic topologies and membership, unreliability, severe resource constrains, and the absence of a trusted infrastructure.

      To explore these issues, IC invites contributions for a special issue on security for P2P and ad hoc networks. Appropriate topics include, but are not limited to:

      • key management,
      • authentication,
      • access control,
      • privacy and anonymity,
      • secure routing,
      • secure MAC protocols,
      • performance and security trade-offs,
      • intrusion detection and tolerance, and
      • denial of service.

      For more information, please see http://www.computer.org/internet/call4ppr.htm

    • Cluster-Sec2005 Cluster Security - The Paradigm Shift - Held in conjunction with the 5th IEEE/ACM International Symposium on Cluster Computing and the Grid (CCGrid) 2005, May 10/11, 2005. (Submissions due 1 December 2004)
      
      Prior to the Spring of 2004, clusters have been protected using enterprise computer network security techniques where cluster nodes where treated as a collection of individual computers. After the successful Internet attacks on HPC centers worldwide in the Spring of 2004, there needs to be a paradigm shift in cluster security strategies. Clusters can no longer be thought of as just a collection of individual computers but rather as an integrated single unit in which any breach may result in a "class break" compromise of the entire cluster. Furthermore, it has also been shown that clusters communicating via grids create dependent risks between clusters such that any cluster compromise may cascade to effect an entire grid.

      This workshop focuses on stimulating new ideas in order to reshape cluster protection strategies. Clearly cluster security is a complex, multi-dimensional problem with dynamics over time so a large variety of approaches may be appropriate including prevention, monitoring, measurements, mitigation, and recovery. Papers with demonstrated results will be given priority. Two categories of papers will be considered: Long Paper (12 pages) and Work-In-Progress/Short Paper (6 pages). A list of potential topics includes but is not limited to the following:

      • cluster security as an emergent property
      • analysis of cluster attacks
      • new techniques to protect clusters
      • visualizing cluster security
      • commercial grade cluster security
      • failover cluster security
      • cluster-specific intrusion detection
      • the relationship between cluster security and grid security
      • cluster security vulnerabilities
      • cluster security best practices
      • storage security on clusters
      • storage survivability on clusters

      More information can be found on the workshop web page at http://www.ncassr.org/projects/cluster-sec/ccgrid05/

    • IH2005 International Workshop on Information Security & Hiding, Singapore, May 9-12, 2005. (Submissions due 10 December 2004)

      The ISH-05 Workshop, held in conjunction with the International Conference on Computational Science & Its Applications (ICCSA '05), is intended as an international forum for researchers in all areas of information security and information hiding. Submissions of papers presenting a high-quality original research are invited for the Workshop tracks:

      • Cryptology (cryptography, cryptanalysis)
      • Security engineering (side-channel attacks, crypto implementations)
      • Steganology (steganography, steganalysis)
      • Digital Watermarking

      Topics of interest:

      • Side-channel analysis & countermeasures
      • Implementation of cryptographic algorithms,
      • Cryptographic hardware: factoring, cryptanalysis, random number generators, reconfigurable, processors,
      • Design & analysis of symmetric-key cryptosystems: block ciphers, stream ciphers, hash functions, MACs, modes of operation, backdoors
      • RFID & privacy
      • Public-key cryptography, Elliptic curve cryptosystems
      • Provable security
      • Trusted computing
      • Subliminal & covert channels
      • Steganography
      • Digital watermarking
      • Digital rights management
      • Links between cryptology and steganology

      More information can be found on the workshop web page at http://www.swinburne.edu.my/rphan/ISH05.htm

    • TSPUC2005 International Workshop on Trust, Security and Privacy for Ubiquitous Computing, Taormina, Sicily, Italy, June 13, 2005. (Submissions due 7 January 2005)

      This workshop aims at focussing the attention of the research community on the increasing complexity and relevance of trust, privacy and security issues in ubiquitous computing.

      Suggested submission topics include, but are not limited to the following ones in mobile (ad Hoc) networks, sensor networks, P2P systems, portable/embedded/weareable devices ...

      • Key establishment and distribution
      • Access control models, policies and mechanisms
      • Trust, reputation and reccomendation management
      • Privacy and identity management
      • Digital assets management
      • Context/location aware computation
      • Self-organizing networks/communities
      • Intrusion and anomaly detection
      • Secure user-device interfaces
      • Distributed consensus in the presence of active adversaries
      • Analysis/simulation/validation techniques
      • Handling emergent properties
      • Phishing - attacks and countermeasures
      • Case studies
      For more info, see http://www.iit.cnr.it/TSPUC2005/
    • IHW2005 7th Information Hiding Workshop, Barcelona, Spain, June 6-8, 2005. (Submissions due 17 January 2005) [posted here 11/14/04] Many researchers are interested in hiding information or, conversely, in preventing others from doing so or detecting and extracting the hidden data. Although the protection of digital intellectual property has recently motivated most of the research in this area, there are many other applications of increasing interest to both the academic and business communities. Current research topics include:
      • anonymous communications,
      • covert channels in computer systems,
      • detection of hidden information (steganalysis),
      • digital forensic,
      • information hiding aspects of privacy,
      • steganography,
      • subliminal channels in cryptographic protocols,
      • watermarking for protection of intellectual property,
      • other applications of watermarking.
      Continuing a series of successful workshops that brought together these closely-linked research areas, the 7th International Workshop on Information Hiding will be held in Barcelona, Spain. Authors can submit their papers online at http://kison.uoc.edu/IH05 where detailed instructions are provided.
    • DIMVA2005 Second GI SIG SIDAR Conference on Detection of Intrusions & Malware, and Vulnerability Assessment, Vienna, Austria, July 6-8, 2005. (Submissions due 21 January 2005)

      The special interest group Security - Intrusion Detection and Response (SIDAR) of the German Informatics Society (GI) organizes DIMVA as an annual conference that brings together experts from throughout Europe to discuss the state of the art in the areas of intrusion detection, detection of malware, and assessment of vulnerabilities. DIMVA emphasizes the collaboration and exchange of ideas between industry, academia, law enforcement and government, and invites four types of submissions: full papers, industry papers, panel proposals, and tutorial proposals.

      For more info, please see http://www.dimva.org/dimva2005

    • CSFW 18 18th IEEE Computer Security Foundations Workshop, Aix-en-Provence, France, June 20-22, 2005. (Submission due 25 January 2005)

      This workshop series brings together researchers in computer science to examine foundational issues in computer security. For background information about the workshop, and an html version of this Call for Papers, see the CSFW home page www.csl.sri.com/csfw/index.html We are interested both in new results in theories of computer security and also in more exploratory presentations that examine open questions and raise fundamental concerns about existing theories. Both papers and panel proposals are welcome. Possible topics include, but are not limited to:

      • Access control
      • Authentication
      • Data and system integrity
      • Database security
      • Network security
      • Distributed systems security
      • Anonymity
      • Intrusion detection
      • Security for mobile computing
      • Security protocols
      • Security models
      • Decidability issues
      • Privacy
      • Executable content
      • Formal methods for security
      • Information flow
      • Language-based security
      This year's workshop will be held in Aix-en-Provence, France. Proceedings published by the IEEE Computer Society Press will be available at the workshop. Selected papers will be invited for submission to the Journal of Computer Security.
    • ACNS2005 3rd Applied Cryptography and Network Security Conference, Columbia University, New York, NY, USA, June 7-10, 2005. (Submission due 26 January 2005)

      Original research papers on all technical aspects of cryptology are solicited for submission to ACNS '05, the Third annual conference on Applied Cryptography and Network Security. There are two tracks for ACNS: a research track and an industrial track. The latter has an emphasis on practical applications. In addition, submissions to the industrial track may be talk proposals (rather than full papers). The PC will consider moving submissions between tracks if the PC feels that a submission is more appropriate for that track (with author permission). Topics of relevance include but are not limited to:

      • Applied Cryptography, cryptographic constructions
      • Cryptographic applications: e.g., payments, fair exchange, time-stamping, auctions, voting, polling, location services.
      • Economic incentives for collaboration
      • Security modeling and protocol design in the context of rational and malicious adversaries
      • Security of limited devices: e.g., adversarial modeling, light-weight cryptography, efficient protocols and implementations.
      • Integrating security in Internet protocols: routing, naming, TCP/IP, multicast, network management, and the Web.
      • Intrusion avoidance, detection, and response: systems, experiences and architectures.
      • Network perimeter controls: firewalls, packet filters, application gateways.
      • Virtual private networks.
      • Web security and supporting systems security, such as databases, operating systems, etc.
      • Denial of Service: attacks and countermeasures.
      • Securing critical infrastructure: e.g., routing protocols, the power grid, and emergency communication.
      • Public key infrastructure, key management, certification, and revocation.
      • Implementation, deployment and management of network security policies.
      • Intellectual property protection: protocols, implementations, metering, watermarking, digital rights management.
      • Fundamental services on network and distributed systems: authentication, data integrity, confidentiality, authorization, non-repudiation, and availability.
      • Integrating security services with system and application security facilities and protocols: e.g., message handling, file transport/access, directories, time synchronization, database management, boot services, mobile computing.
      • Security and privacy for emerging technologies: sensor networks, wireless/mobile (and ad hoc) networks, Bluetooth, 802.11, and peer-to-peer systems.
      • Usable security.
      • Deployment incentives for security technology.
      • Web, chat, and email security, including topics such as spam prevention.
      For more info, please see: http://acns2005.cs.columbia.edu/cfp.html
    • Security-05 14th USENIX Security Symposium, Baltimore, MD, USA, August 1-5, 2005. (Submissions due 4 February 2005)

      The USENIX Security Symposium brings together researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in security of computer systems. The 14th USENIX Security Symposium will be held August 1-5, 2005, in Baltimore, MD.

      All researchers are encouraged to submit papers covering novel and scientifically significant practical works in security or applied cryptography. Submissions are due on February 4, 2005, 11:59 p.m. PST. The Symposium will span five days: a two-day training program will be followed by a two and one-half day technical program, which will include refereed papers, invited talks, Work-in-Progress reports, panel discussions, and Birds-of-a-Feather sessions.

      For further info, see http://www.usenix.org/events/sec05/cfp/

    • CRYPTO2005 Twenty-Fifth Annual International Cryptology Conference, Santa Barbara, CA, USA, August 14-18, 2005. (Submissions due 14 February 2005)

      The 25th International Cryptology Conference will be held at the University of California, Santa Barbara. The academic program covers all aspects of cryptology. Formal proceedings, published by Springer-Verlag, will be provided to registered attendees at the conference. Technical sessions will run from Monday morning to Thursday noon, with a non-technical activities half-day on Tuesday afternoon.

      For further info, see http://www.iacr.org/conferences/c2005/index.html

    • WEIS2005 Workshop on Economics and Information Security, Harvard University, Cambridge, MA, USA, June 2-4, 2005. (Submissions due 25 February 2005)

      Original Research Papers on all aspects of the Economics of Information Security are solicited for submission to the Fourth Workshop on the Economics of Information Security. Topics of interest include liability and other legal incentives, game theoretic models, economics of digital rights management, security in open source and free software, cyber-insurance, disaster recovery, trusted computing, reputation economics network effects in security and privacy, security in grid computing, return on security investment, security and privacy in pervasive computing, risk management, risk perception, economics of trust, virus models, vulnerabilities and incentives, economics of malicious code, identity including PKI, access control, economics of electronic voting security, and economic perspectives on spam.

      We invite talks emphasizing economic theory, mathematical modeling, or legal theory. Past notable work used the tools of economics to offer insights into computer security; offered mathematical models of computer security or economics; detailed potential regulatory solutions to computer security; or clarified the challenges of improving security as implemented in practice.

      For more information, please see http://www.infosecon.net/workshop/cfp.html

    • SOUPS2005 Symposium on Usable Privacy and Security, Carnegie Mellon University, Pittsburgh, PA, USA, July 6-8, 2005. (Submissions due 25 February 2005)

      The Symposium on Usable Privacy and Security (SOUPS) will be held July 6-8, 2004 at Carnegie Mellon University in Pittsburgh, PA. This symposium will bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy. The program will feature refereed papers, tutorials, a poster session, panels and invited talks, and discussion sessions.

      We seek original papers describing research or experience in all areas of usable privacy and security. Topics include, but are not limited to, breakthrough models, innovative functionality and design, new applications of existing models or technology, usability testing of security features or security testing of usability features, and lessons learned from deploying and using usable privacy and security features. Papers should properly place the work within the field, cite related work, and clearly indicate the innovative aspects of the work or lessons learned as well as the contribution of the work to the field.

      Suggestions or proposals for panels, tutorials, or invited speakers should be sent to the general chair, lorrie AT acm.org, by February 25.

      For more information, please see http://cups.cs.cmu.edu/soups/

    • DIMACS Workshop on Security of Web Services and E-Commerce, Rutgers University, Piscataway, NJ, USA, May 5-6, 2005. (Optional submission due Spring 2005)

      The growth of Web Services, and in particular electronic commerce activities based on them, is quickly being followed by work on Web Services security protocols. While core XML security standards like XMLDSIG, XMLENC and WS-Security have been completed, they only provide the basic building blocks of authentication, integrity protection and confidentiality for Web Services. Additional Web Services standards and protocols are required to provide higher-order operations such as trust management, delegation, and federation. At the same time, the sharp rise in "phishing" attacks and other forms of on-line fraud simply confirms that all our work on security protocols is for naught if we cannot make it both possible and easy for the average user to discover when a security property has failed during a transaction. This workshop aims to explore these areas as well as other current and future security and privacy challenges for Web Services applications and e-commerce.

      The workshop will be open to the public (no submission is necessary to attend). If you'd like to give a presentation please send a title and abstract to commerce2005@farcaster.com as soon as possible. Submissions may describe ongoing or planned work related to the security of Web Services and electronic commerce, or they may discuss important research problems or propose a research agenda in this area. Also, we intend this to be a participatory and interactive meeting so we hope you will be able to contribute to the meeting even without giving an announced talk.

      Presented under the auspices of the Special Focus on Communication Security and Information Privacy.

    • CMS2005 9th IFIP Conference on Communications and Multimedia Security, Salzburg, Austria,September 19-21, 2005. (Submissions due 10 April 2005)

      The CMS conference attempts to be a forum for researchers working on all aspects of communications and multimedia security. This year the organizers especially encourage submissions on topics such as security of information hiding, combined encryption and watermarking schemes, XML security and network security. Papers should have practical relevance to the construction or evaluation of secure systems; theoretical papers should demonstrate their practical significance. The proceedings will be published by Springer in their Lecture Notes in Computer Science (LNCS) series.

      For details and submission instructions please refer to: http://cms2005.sbg.ac.at

    • CCS 2005 12th ACM Conference on Computer and Communications Security, Alexandria, VA, USA, November 7-11, 2004. (Submission due 8 May 2005)

      Papers offering novel research contributions to any aspect of computer security are solicited for submission to the 12th ACM conference. The primary focus is on high-quality original unpublished research, case studies, and implementation experiences. Papers should have practical relevance to the construction, evaluation, application, or operation of secure systems. Theoretical papers must make convincing arguments for the practical significance of the results. Theory must be justified by compelling examples illustrating its application.

      Topics of interest include:

      • access control
      • authentication
      • accounting and audit
      • database and system security
      • security for mobile code
      • applied ctyptography
      • data/system integrity
      • smart-cards and secure PDAs
      • cryptographic protocols
      • e-business/e-commerce
      • intrusion detection
      • inference/controlled disclosure
      • key management
      • privacy and anonymity
      • security management
      • intellectual property protection
      • information warfare
      • secure networking
      • security verification
      • commercial and indutry security
      See http:///www.acm.org/sigsac/ccs/ for details.
 

• Reader's guide to recent security and privacy literature
  (last updated March 15, 2002)

 

• Listing of academic positions available  by Cynthia Irvine
  

 

• Staying in touch....

  • Information for Subscribers and Contributors

  • Who's where: recent address changes

  • Changing your email address?  Please send updates to cipher@ieee-security.org

   
• Interesting links  and reports available via FTP and WWW