Cipher Electronic Newsletter of the Technical Committe on Security & Privacy A Technical Committee of the Computer Society of the IEEE  Electronic Issue (EI) 64,  January 17, 2005 Hilarie Orman,  Editor Robert Bruen, Book Review Editor Sven Dietrich, Associate Editor Editor, Reader's Guide

Contents:

• Letter from the Editor 
   

• Commentary and Opinion

  • Review of the 20th Annual Computer Security Applications Conference (Tucson, AZ, December 6-10, 2004) by Jeremy Epstein

  • Robert Bruen's review of The Digital Person Technology and Privacy in the Information Age by Daniel Solove

  • Ross Patel's review of Surviving Security by Amanda Andress and Mandy Andress

  • Robert Bruen's review of Privacy: What Developers and IT Professionals Should Know by J. C. Cannon

• NewsBits:  Announcements and correspondence from readers (please contribute!)

• UK Infosec Initiative contributed by Ross Patel

• PITAC Report Approved contributed by Gene Spafford

• CERIAS Hosts Email Lists for Information Assurance and Security contributed by Gene Spafford

• US Air Force Lab Chief Scientist contributed by Gene Spafford

• Conference and Workshop Announcements

  • Cipher calls-for-papers and calendar
      Calendar (the calls-for-papers and the calendar announcements may differ slightly in content or time of update): 

  • 1/17/05: Information Hiding, Barcelona, Spain; submissions are due
  • 1/25/05: Workshop on Security In Information Systems, Miami Beach, FL; Submissions are due; information: secretariat@iceis.org
  • 1/26/05: Applied Cryptography and Network Security, New York City, NY; submissions are due
  • 1/28/05: 18th Computer Security Foundations Workshop, Aix-en-Provence, France; submissions are due; information: amadio@cmi.univ-mrs.fr
  • 1/31/05- 2/ 3/05: Australasian Information Security Workshop On Digital Rights Management, Newcastle, Australia
  • 2/ 3/05- 2/ 4/05: Network and Distributed System Security Symposium, San Diego, California; information: kseo@bbn.com
  • 2/ 3/05- 2/ 4/05: Workshop on Protocols for Fast Long-distance Networks, Lyon, France
  • 2/11/05: Australasian Conference on Information Security and Privacy, Brisbane, Australia
  • 2/14/05- 2/18/05: RSA Conference, Cryptographers' Track, San Francisco, CA
  • 2/25/05: Symposium on Usable Privacy and Security, Pittsburgh, PA; submissions are due
  • 2/25/05: Workshop on the Economics of Information Security, Cambridge, MA
  • 2/28/05- 3/ 3/05: Financial Cryptography and Data Security, Roseau, The Commonwealth Of Dominica
  • 3/ 6/05: Information Assurance Workshop, West Point, NY Submissions are due; information: dodge@usma.edu
  • 3/ 8/05- 3/12/05: Pervasive Computing and Communications, Kauai, HI
  • 3/13/05- 3/17/05: ACM SAC, Track on Trust, Recommendations, Evidence and other Collaboration Know-how, Santa Fe, NM; information: sac.treck.info@trustcomp.org
  • 3/15/05: Conference on Email and Anti-spam, Palo Alto, CA; submissions are due; information: information@ceas.cc
  • 3/17/05- 3/22/05: Verification of Infinite State Systems with Application to Security, Timisoara, Romania
  • 3/22/05: Applications and Services in Wireless Networks, Paris, France
  • 3/23/05- 3/24/05: CERIAS Security Symposium
  • 3/31/05- 4/ 1/05: Information Assurance Workshop, Washington, DC
  • 3/31/05: Symposium on Recent Advances in Intrusion Detection, submissions are due; Seattle, Washington
  • 4/ 1/05: IEEE Internet Computing Special Issue on P2P and Ad Hoc Nets, submissions are due
  • 4/10/05- 4/15/05: USENIX, Anaheim, CA
  • 4/19/05- 4/21/05: NISTPKI, Gaithersburg, MD
  • 5/ 3/05- 5/ 5/05: Security and Protection of Information, Brno, Czech Republic
  • 5/ 8/05- 5/11/05: Symposium on Research in Security and Privacy, Berkeley/Oakland, CA; information srt@cs.unt.edu
  • 5/ 9/05- 5/12/05: Workshop on Information Security and Hiding, Singapore
  • 5/10/05: Cluster Security - The Paradigm Shift, Cardiff, UK
  • 5/23/05: Workshop on Security Issues in Concurrency, San Francisco, CA; Submissions are due, information: secco05-chairs-public@zurich.ibm.com
  • 5/24/05- 5/25/05: Workshop on Security In Information Systems, Miami Beach, FL
  • 6/ 2/05- 6/ 4/05: Workshop on the Economics of Information Security, Cambridge, MA
  • 6/ 6/05- 6/ 8/05: Workshop on Policies, Stockholm, Sweden
  • 6/ 6/05- 6/ 8/05: Information Hiding Workshop, Barcelona, Spain
  • 6/ 6/05- 6/ 9/05: Workshop on Security in Distributed Computing Systems, Columbus, OH
  • 6/ 7/05- 6/10/05: Applied Cryptography and Network Security, New York City, NY
  • 6/13/05: Workshop on Trust, Security and Privacy for Ubiquitous Computing; Taormina, Italy
  • 6/15/05- 6/17/05: Information Assurance Workshop, West Point, NY
  • 6/20/05- 6/22/05: 18th Computer Security Foundations Workshop, Aix-en-Provence, France
  • 6/29/05- 7/ 1/05: Applications and Services in Wireless Networks, Paris, France
  • 7/ 4/05- 7/ 6/05: Australasian Conference on Information Security and Privacy, Brisbane, Australia
  • 7/ 6/05- 7/ 8/05: Symposium on Usable Privacy and Security, Pittsburgh, PA
  • 7/21/05- 7/22/05: Conference on Email and Anti-spam, Palo Alto, CA
  • 8/21/05- 8/22/05: Workshop on Security Issues in Concurrency, San Francisco, CA
  • 9/ 7/05- 9/ 9/05: Symposium on Recent Advances in Intrusion Detection, Seattle, Washington
  • new calls or announcements added since Cipher E63

  • IEEE Journal on Selected Areas in Communications, High-speed Network Security -- Architecture, Algorithms, and Implementation, 4th Quarter 2006. (Submission due 1 September 2005)

    Guest editors: H. Jonathan Chao (Polytechnic University), Wing Cheong Lau (Qualcomm), Bin Liu (Tsinghua University), Peter Reiher (University of California at Los Angeles), and Rajesh Talpade (Telcordia Technologies)

    While the recent proliferation of broadband wireline and wireless networking technologies have substantially increased the available network capacity and enabled a wide-range of feature-rich high-speed communication services, security remains a major concern. Large-scale, high-profile system exploits and network attacks have become common recurring events that increasingly threaten the proper functioning and continual success of the communication infrastructure and services. One key aspect of mitigating such increasing threats is to develop new security/defense architectures, systems, methodologies and algorithms which can scale together with the communications infrastructure in terms of operating speed, operational simplicity and manageability, etc. The aim of this issue is to bring together the work done by researchers and practitioners in understanding the theoretical, architectural, system, and implementation issues related to all aspects of security in high-speed networks. We seek original, previously unpublished and completed contributions not currently under review by another journal. Areas of interest include but are not limited to the following topics related to high-speed network security:

    • High-speed Intrusion Detection, Prevention (IDS/IPS) Systems, and malicious behavior detection
    • High-speed Distributed Denial of Service (DDoS) attacks, prevention and defense systems
    • High-speed network monitoring, metering, traceback and pushback mechanisms
    • High-speed firewall, packet filtering and cross-layer defense coordination
    • Support of authentication, confidentiality, authorization, non-repudiation in high-speed networks
    • Security group communications/multicast
    • Secure and scalable content-delivery networks
    • Support for automated security policy configuration and realization
    • Forensic methodologies for high-speed networks
    • Automated attack characterization and containment in high-speed networks
    • Testbeds for high-speed network security

  • SDCS 2005 2nd International Workshop on Security in Distributed Computing Systems, Held in conjunction with the 25th International Conference on Distributed Computing Systems (ICDCS-2005), Columbus, OH, USA, June 6-9 , 2005. (Submissions due 10 January 2005) here 12/13/04]

    In recent years, interest has increased in the field of security of distributed computing systems, since securing a large-scale networked system becomes a great challenge. These include the control mechanisms, mobile code security, denial-of-service attacks, trust management, modeling of information flow and its application to confidentiality policies, system composition, and covert channel analysis. We will focus our program on issues related to important properties of system security, such as measurability, sustainability, affordability, and usability in distributed computing systems. Topics of interest include, but are not limited to:

    • Distributed Access Control and Trust Management
    • Key Management and Authentication
    • Privacy and Anonymity
    • Benchmark and Security Analysis
    • Security for Peer to Peer systems and Grid Computing Systems
    • Secure Multicast and Broadcast
    • Secure multiparty and two-party computations
    • Computer and Network Forensics
    • Denial-of-service Attacks and Countermeasures
    • Secure E-Commerce/E-Business
    • Security Verification
    • Distributed Database Security
    • Digital Rights Management
    • Secure Mobile Agents and Mobile Code
    • ntrusion detection
    • Viruses, Worms, and Other Malicious Code
    • Security in ad-hoc and sensor networks
    • World Wide Web Security

  • AusCERT2005 AusCERT2005 Refereed R&D Stream, Gold Coast, Australia, May 22-26, 2005. (Submissions due 21 January 2005)

    Original papers are solicited for submission to the refereed stream of AusCERT2005 - the AusCERT Asia Pacific Information Technology Security Conference. This stream will run within the regular conference program which is being organised by AusCERT. Full papers submitted to this stream will be refereed by members of the international program committee and published in the conference proceedings.

    Topics of interest include, but are not limited to:

    • Intrusion Detection
    • Network and Wireless Security
    • Attack Detection / Honeynets
    • Critical Infrastructure Protection
    • Legal and Regulatory Issues
    • Intrusion Forensics
    • Incident Response

  • WOSIS, Third International Workshop on Security In Information Systems, held in conjunction with the 7th International Conference on Enterprise Information Systems (ICEIS 2005), Miami Beach, FL, USA, May 24-25, 2005. (Submissions due 25 January 2005)

    Information Systems Security is one of the most pressing challenges facing all kind of organizations today. Although many companies have discovered how critical information is to the success of their business or operations, very few have managed to be effective in keeping their information safe, in avoiding unauthorized access, preventing intrusions, stopping secret information disclosure, etc. This workshop will serve as a forum to gather academics, researchers, practitioners and students in the field of security in information systems. The workshop will present new developments, lessons learned from real world cases, and would provide the exchange of ideas and discussion on specific areas. Topics of interest include, but are not limited to:

    • Methodologies for the development of security information system
    • Access control techniques
    • Personal data protection
    • Information systems risk management and analysis
    • Security in databases, datawarehouses and web information systems
    • Secure information systems architectures
    • Standards for information systems security
    • Metadata for Web and multimedia security
    • XML and RDF based metadata for security
    • Security Engineering
    • Assessment of security software/hardware
    • Study, validation and attacks on security protocols
    • Real world applications analysis
    • Cryptology: Cryptography and Cryptanalysis
    • Information hiding: Steganography & Steganalysis
    • Peer-to-Peer systems
    • Analysis and design of cryptographic algorithms
    • Electronic commerce
    • Wireless communications
    • RFID privacy and security implications
    • Anti-Spam techniques
    • Open source secure development
    • Emission security
    • Attacks on copyright marking systems
    • Reliability of security systems
    • Disaster recovery
    • Security of clinical information systems
    • Cyberterrorism
    • E-Laws and e-government
    • PKI technology
    • VPNs, IPSEC, IPv6
    • Economics aspects of security
    • Electronic Voting
    • Computer Forensics
    • Incident response
    • Privacy and freedom issues
    • Privacy-preserving Web-mining
    • Legal aspects of cyber security

  • CCCT 2005, 3rd International Conference on Computing, Communications and Control Technologies (CCCT '05), Austin, TX, USA, July 24-27, 2005. (Submissions due 9 February 2005)

    CCCT '05 is an International Conference that will bring together researchers, developers, practitioners, consultants and users of Computer, Communications and Control Technologies, with the aim to serve as a forum to present current and future work, solutions and problems in these fields, as well as in the relationships among them. Consequently, efforts will be done in order to promote and to foster the analogical thinking required by the Systems Approach for interdisciplinary cross-fertilization, "epistemic things" generation and "technical objects" production. Suggested topics in the area of Computing/Information Systems and Technologies include, but are not restricted to:

    • Databases
    • Models and Algorithms
    • Artificial Intelligence
    • Computer and Systems Security
    • Mathematical Computing
    • Programming Languages
    • Operating Systems
    • Computer Graphics

  • ACISP, 10th Australasian Conference on Information Security and Privacy, Brisbane, Australia, July 4-6, 2005. (Submissions due 11 February 2005)

    Original papers pertaining to all aspects of information security and privacy are solicited for submission to the 10th Australasian Conference on Information Security and Privacy (ACISP 2005). Papers may present theory, techniques, applications and practical experiences on a variety of topics including: Topics of interest include, but are not limited to:

    • Cryptology
    • Mobile communications security
    • Database security
    • Authentication and authorization
    • Secure operating systems
    • Intrusion detection
    • Access control
    • Security management
    • Security protocols
    • Network security
    • Secure commercial applications
    • Privacy Technologies
    • Smart cards
    • Key management and auditing
    • Mobile agent security
    • Risk assessment
    • Secure electronic commerce
    • Privacy and policy issues
    • Copyright protection
    • Security architectures and models
    • Evaluation and certification
    • Software protection and viruses
    • Computer forensics
    • Distributed system security
    • Identity management
    • Biometrics

  • ICALP 32nd International Colloquium on Automata, Languages and Programming, Lisboa, Portugal, July 11-15, 2005. (Submissions due 13 February 2005)

    ICALP'05 innovates on the structure of its traditional scientific program with the inauguration of a new special Track (C). The aim of Track C is to allow a deeper coverage of a particular topic, to be specifically selected for each year's edition of ICALP on the basis of its timeliness and relevance for the theoretical computer science community. This year, Track C subject is Security and Cryptography Foundations.
    Topics of interest for Track C include, but are not limited to:
    • Cryptographic Notions, Mechanisms, Systems and Protocols
    • Cryptographic Proof Techniques, Lower bounds, Impossibilities
    • Foundations of Secure Systems and Architectures
    • Logic and Semantics of Security Protocols
    • Number Theory and Algebraic Algorithms in Cryptography
    • Pseudorandomness, Randomness, and Complexity Issues
    • Secure Data Structures, Storage, Databases and Content
    • Security Modeling: Combinatorics, Graphs, Games, Economics
    • Specifications, Verifications and Secure Programming
    • Theory of Privacy and Anonymity
    • Theory of Security in Networks and Distributed Computing
    • Quantum Cryptography and Information Theory

  • IAW 2005 6th IEEE SMC Information Assurance Workshop, West Point, NY, USA, June 15-17, 2005 (Submissions due 6 March 2005)

    The workshop is designed to provide a forum for Information Assurance researchers and practitioners to share their research and experiences. Attendees hail from industry, government, and academia. The focus of this workshop is on innovative, new technologies designed to address important Information Assurance issues.

    Last year the IEEE IAW added a new track on Honeynet Technologies, sponsored by the Honeynet Project (www.honeynet.org). This will remain a specific focus of the IAW this year. New this year to the technical track are sessions on Security Data Visualization techniques and Biometrics. Other areas of particular interest at this workshop include, but are not limited to:

    • Innovative intrusion detection and response methodologies
    • Information warfare
    • Honeynet technologies (at least one session)
    • Visualization and data representation (at least one session)
    • Biometrics (at least one session)
    • Secure software technologies
    • Wireless security
    • Computer forensics
    • Data Protection
    • Educational curriculum
    • Best practices
    • Information Assurance education and professional development

  • RAID 2005 Eighth International Symposium on Recent Advances in Intrusion Detection, Seattle, Washington, USA, September 7-9, 2005 (Submissions due 31 March 2005)

    This symposium, the eighth in an annual series, brings together leading researchers and practitioners from academia, government, and industry to discuss intrusion detection technologies and issues from the research and commercial perspectives. The RAID International Symposium series is intended to further advances in intrusion defense by promoting the exchange of ideas in a broad range of topics.

    For RAID 2005 we are expanding our historical scope from a focus on intrusion detection to the broader field of intrusion defense. Of particular interest are intrusion tolerant systems and systems for which detection triggers an adaptive response. As in 2004, we welcome papers that address issues related to intrusion defense, including information gathering and monitoring, as a part of a larger, not necessarily purely technical, perspective. We also invite papers on the following topics, as they bear on intrusion detection and the general problem of information security:

    • Risk assessment and risk management
    • Intrusion tolerance
    • Deception systems and honeypots
    • Vulnerability Analysis and Management
    • IDS Assessment
    • IDS Survivability
    • Privacy aspects
    • Data mining techniques
    • Visualization techniques
    • Cognitive approaches
    • Biological approaches
    • Self-learning
    • Case studies
    • Legal issues
    • Critical infrastructure protection (CIP)

  • ISC 2005 The 8th Information Security Conference, Singapore, 20-23 September 2005. (Submissions due 11 April 2005)

    ISC'05 will be held in Singapore on 20-23 September, 2005. Original papers on all technical aspects of information security are solicited for submission to ISC'05. Topics of interest include, but are not limited to, the following:

    • Access Control
    • Ad Hoc & Sensor Network Security
    • Applied Cryptography
    • Authentication and Non-repudiation
    • Cryptographic Protocols
    • Denial of Service
    • E-Commerce Security
    • Identity and Trust Management
    • Information Hiding
    • Insider Threats and Countermeasures
    • Intrusion Detection and Prevention
    • Network & Wireless Security
    • Peer-to-Peer Security
    • Privacy and Anonymity
    • Security Analysis Methodologies
    • Security in Software Outsourcing
    • Systems and Data Security
    • Ubiquitous Computing Security

  • FloCon 2005 Second Annual FloCon Workshop, New Orleans, Louisiana, USA, September 20-22, 2005. (Submissions due 15 April 2005)

    FloCon is an open workshop that provides a forum for researchers, operational analysts, and other parties interested in the security analysis of large volumes of traffic to develop the next generation of flow-based analysis. Flow is an abstraction of network traffic in which packets are grouped together by common attributes over time. In security, flow has been used to survey and analyze large networks and long periods of time, but the field is still in its infancy.

    FloCon 2005 will have an active workshop structure: our goal is to have presentations coupled with working breakout sessions on specific topics. Based on submissions and suggestions, we will develop a three-day track.

    Appropriate topics include, but are not limited to, the following:

    • Experience reports in flow analysis
    • Operational security analysis using flows
    • Advanced flow analysis techniques
    • Expanding the flow format for security needs
    • Integrating flows into other security analyses
    • Facilitating data sharing/public repositories
    • Flow collection technologies
    • Network traffic modeling for security
    • Alternative traffic abstracts for services

  • MADNES '05 Secure Mobile Ad-hoc Networks and Sensors workshop, Held in conjunction with the ISC '05 conference, September 20-22, 2005, Singapore. (Submissions due 2 May 2005)

    The MADNES workshop. co-sponsored by the SAIT Laboratory and the U.S. Army Research Office will feature information about security in mobile and ad-hoc networks. Proceedings will be published as Springer-Verlag, LNCS. Topics of interest include:

    • Security and fault tolerance
    • Privacy issues
    • Security & privacy applications of mobile agents and intelligent autonomous systems
    • Distributed denial of service attacks and defenses
    • Mobile code security and verification
    • Key management and trust infrastructures
    • Security, privacy and efficiency trade-offs
    • Secure distributed algorithms
    • Secure & private protocols for dynamic group applications
    • Secure location, discovery and authentication of neighbors
    • Secure timing and synchronization
    • Secure/private data collection and aggregation
    • Secure self-configuration
    • Secure routing
    • Analysis and simulation of security and privacy properties
    • Case Studies
    • Energy efficient cryptography

  • IWAP 2005 The 4th International Workshop for Applied PKI, 21-23 September 2005, Singapore. (Submissions due 16 June 2005)

    IWAP'05 will be held in Singapore on September 21-23, 2005. Original papers on all aspects of PKI are solicited for submission to IWAP'05. Topics of interest include, but are not limited to, the following:

    • Authentication and Verification
    • Bio-PKI and Mobile PKI
    • Case Studies
    • Certificates and its Revocation
    • Cross Certification
    • Design and Implementation
    • Interoperability and Standards
    • Key Management and Recovery
    • Legal Issues, Policies and Regulations
    • Modeling and Architecture
    • Privilege Management Infrastructure
    • Protocols and Applications
    • Reliability and Fault-Tolerance
    • Risk Management and Analysis
    • Security Analysis and Testing
    • Signature Validation
    • Time Stamping
    • Trust and Privacy

• Book reviews from past Cipher issues

• Conference Reports and Commentary from past Cipher issues

• News items from past Cipher issues

• Reader's guide to recent security and privacy literature
  (last updated March 15, 2002)

 

• Listing of academic positions available  by Cynthia Irvine
  

 

• Staying in touch....

  • Information for Subscribers and Contributors

  • Who's where: recent address changes

  • Changing your email address?  Please send updates to cipher@ieee-security.org

• Interesting links  and reports available via FTP and WWW