Cipher Electronic Newsletter of the Technical Committe on    Security & Privacy A Technical Committee of the Computer Society of the IEEE  Electronic Issue (EI) 72,  May 26, 2006 Hilarie Orman,  Editor Robert Bruen, Book Review Editor Sven Dietrich, Associate Editor Yong Guan, Calendar Editor

Contents:

• Letter from the Editor 
   

• Commentary and Opinion

  • Review of the Financial Cryptography 2006 (Anguilla, British West Indies, February 27 - March 2, 2006) by Sven Dietrich

  • Bob Bruen's review of How to Break Web Software by Andrews, Mike and James A. Whitaker

  • Bob Bruen's review of Preventing Web Attacks With Apache by Ryan Barnett

  • Book reviews from past Cipher issues

  • Conference Reports and Commentary from past Cipher issues

  • News items from past Cipher issues

• The Technical Committee on Security and Privacy

 

• Listing of academic positions available (nothing new this issue)  by Cynthia Irvine
  

 

• Staying in touch....

  • Information for Subscribers and Contributors

  • Who's where: recent address changes

  • Changing your email address?  Please send updates to cipher@ieee-security.org

• Conference and Workshop Announcements

  • Cipher calls-for-papers and calendar
    

  • Calendar
    • 5/29/06: ESAS 3rd European Workshop on Security and Privacy in Ad hoc and Sensor Networks, Held in conjunction with the European Symposium on Research in Computer Security (ESORICS 2006), Hamburg, Germany; Submissions are due
    • 5/30/06- 6/ 3/06: USENIX, USENIX Annual Technical Conference, Boston, MA, USA
    • 5/31/06: WENS, Workshop on Enterprise Network Security, Held in conjunction with IEEE/CreateNet SecureComm 2006, Baltimore, MD, USA; Submissions are due
    • 6/ 5/06- 6/ 7/06: SUTC, IEEE International Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing, Taichung, Taiwan
    • 6/ 6/06: VietCrypt, 1st International Conference on Cryptology in Vietnam, Hanoi, Vietnam; Submissions are due
    • 6/ 6/06- 6/ 9/06: ETRICS, International Conference on Emerging Trends in Information and Communication Security, Freiburg, Germany
    • 6/ 6/06- 6/ 9/06: MOSIDS, Workshop on Management of Security in Dynamic Systems, Held in conjunction with the International Conference on Emerging Trends in Information and Communication Security (ETRICS06), Freiburg, Germany;
    • 6/ 6/06- 6/ 9/06: ACNS, 4th International Conference on Applied Cryptography and Network Security, Singapore
    • 6/ 9/06: CERTSOFT, International Workshop on Software Certification, Ontario, Canada; Submissions are due
    • 6/10/06: NordSec, 11th Nordic Workshop on Secure IT-systems, Linkoping, Sweden; Submissions are due
    • 6/10/06: PLAS, ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, Ottawa, Canada
    • 6/12/06: QOP, 2nd Workshop on Quality of Protection, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), Alexandria, VA, USA; Submissions are due
    • 6/15/06: HICSS-HTC, 40th Annual Hawaii International Conference on System Sciences, Highly Trustworthy computing (HTC) mini-track, Waikoloa, Hawaii, USA; Submissions are due
    • 6/15/06: HICSS-SSADIA, 40th Annual Hawaii International Conference on System Sciences, Secure Software Architecture, Design, Implementation and Assurance (SSADIA) Minitrack, Waikoloa, Hawaii, USA; Submissions are due
    • 6/16/06: WSNS, 2nd International Workshop on Wireless and Sensor Networks Security, Held in conjunction with the 3rd IEEE International Conference on Mobile Ad-hoc and Sensor Systems (MASS 2006), Vancouver, Canada; Submissions are due
    • 6/16/06: WORM, 4th Workshop on Recurring Malcode, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS-13), Fairfax, VA, USA; Submissions are due
    • 6/16/06: FMSE, 4th Workshop on Formal Methods in Security Engineering: From Specifications to Code, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS-13), Fairfax, VA, USA; Submissions are due
    • 6/19/06- 6/20/06: EUROPKI, 3rd European PKI workshop: theory and practice, Turin, Italy
    • 6/20/06: CANS, 5th International Conference on Cryptology and Network Security, Suzhou, China; Submissions are due
    • 6/20/06: WiSe, ACM Workshop on Wireless Security, Held in conjunction with ACM MobiCom 2006, Los Angeles, California, USA; Submissions are due
    • 6/20/06: STC, 1st Workshop on Scalable Trusted Computing, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), FairFax, VA, USA; Submissions are due
    • 6/23/06: WPES, 5th Workshop on Privacy in the Electronic Society, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), FairFax, VA, USA; Submissions are due
    • 6/23/06: DRM, 6th Workshop on Digital Rights Management, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), FairFax, VA, USA; Submissions are due
    • 6/23/06: SASN, 4th ACM Workshop on Security of Ad Hoc and Sensor Networks, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), FairFax, VA, USA; Submissions are due
    • 6/26/06: TSPUC, 2nd International Workshop on Trust, Security and Privacy for Ubiquitous Computing, Buffalo, NY, USA
    • 6/26/06- 6/28/06: WEIS, 5th Workshop on the Economics of Information Security, University of Cambridge, UK
    • 6/28/06- 6/30/06: PET, 6th Workshop on Privacy Enhancing Technologies, Robinson College, Cambridge, UK
    • 6/30/06: ICS, Workshop on Information and Computer Security, Held in conjunction with the 8th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing (SYNASC 2006), Timisoara, Romania; Submissions are due
    • 7/ 3/06: VizSEC, 3rd Workshop on Visualization for Computer Security, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), FairFax, VA, USA; Submissions are due
    • 7/ 3/06- 7/ 5/06: ACISP, 11th Australasian Conference on Information Security and Privacy, Melbourne, Australia
    • 7/ 5/06- 7/ 7/06: CSFW, 19th IEEE Computer Security Foundations Workshop, Venice, Italy
    • 7/ 7/06: DIM, 2nd Workshop on Digital Identity Management, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), FairFax, VA, USA; Submissions are due
    • 7/ 9/06: FCC, Workshop on Formal and Computational Cryptography, Venice, Italy
    • 7/10/06- 7/12/06: IHW, 8th Information Hiding Workshop, Alexandria, VA, USA
    • 7/12/06- 7/14/06: RFIDSec, Workshop on RFID Security, Graz, Austria
    • 7/13/06- 7/14/06: DIMVA, 3rd GI SIG SIDAR Conference on Detection of Intrusions & Malware, and Vulnerability Assessment, Berlin, Germany
    • 7/14/06: StorageSS, 2nd Workshop on Storage Security and Survivability, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), FairFax, VA, USA; Submissions are due
    • 7/16/06- 7/21/06: CEC, IEEE CEC 2006 Special Session on Evolutionary Computation in Cryptology and Computer Security, Vancouver, BC, Canada
    • 7/18/06: SWS, 1st Workshop on Secure Web Services, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), FairFax, VA, USA; Submissions are due
    • 7/25/06- 7/28/06: IFMIP, 5th International Forum on Multimedia and Image Processing, Special Sessions on Information Security and Hardware Implementations, Budapest, Hungary
    • 7/27/06- 7/28/06: CEAS, 3rd Conference on Email and Anti-Spam, Mountain View, CA, USA
    • 7/31/06- 8/ 2/06: DBSEC, 20th Annual IFIP WG 11.3 Working Conference on Data and Applications Security, Sophia Antipolis, France
    • 7/31/06- 8/ 4/06: USENIX Security, 15th USENIX Security Symposium, Vancouver, B.C., Canada
    • 8/ 1/06- 8/ 4/06: SecUbiq, 2nd International Workshop on Security in Ubiquitous Computing Systems, Seoul, Korea
    • 8/ 6/06: WESII, Workshop on the Economics of Securing the Information Infrastructure, Arlington, VA, USA; Submissions are due
    • 8/14/06- 8/18/06: DFRWS, 6th Annual Digital Forensic Research Workshop, Lafayette, IN, USA
    • 8/24/06- 8/25/06: NIST-CHW, 2nd Cryptographic Hash Workshop, Santa Barbara, CA, USA
    • 8/26/06- 8/27/06: CERTSOFT, International Workshop on Software Certification, Ontario, Canada
    • 8/28/06- 9/ 1/06: SBSEG, 6th Brazilian Symposium on Information and Computer Systems Security, Santos, Brazil
    • 8/30/06- 9/ 2/06: ISC, 9th Information Security Conference, Pythagoras, Greece
    • 9/ 1/06: WENS, Workshop on Enterprise Network Security, KHeld in conjunction with IEEE/CreateNet SecureComm 2006, Baltimore, MD, USA
    • 9/ 4/06- 9/ 8/06: TrustBus, 3rd International Conference on Trust, Privacy and Security of Digital Business, Krakow, Poland
    • 9/11/06: LSAD, ACM SIGCOMM workshop on Large Scale Attack Defense, Held in conjunction with ACM SIGCOMM 2006, Pisa, Italy
    • 9/11/06- 9/15/06: SecureComm, 2nd IEEE Communications Society/CreateNet International Conference on Security and Privacy for Emerging Areas in Communication Networks, Baltimore/Washington area, USA
    • 9/18/06- 9/20/06: ESORICS, 11th European Symposium On Research In Computer Security, Hamburg, Germany
    • 9/18/06- 9/21/06: NSPW, New Security Paradigms Workshop, Schloss Dagstuhl, Germany
    • 9/20/06- 9/21/06: ESAS, 3rd European Workshop on Security and Privacy in Ad hoc and Sensor Networks, Held in conjunction with the European Symposium on Research in Computer Security (ESORICS 2006), Hamburg, Germany
    • 9/23/06: WiSe, ACM Workshop on Wireless Security, Held in conjunction with ACM MobiCom 2006, Los Angeles, California, USA
    • 9/25/06- 9/28/06: VietCrypt, 1st International Conference on Cryptology in Vietnam, Hanoi, Vietnam
    • 9/29/06- 9/30/06: ICS, Workshop on Information and Computer Security, Held in conjunction with the 8th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing (SYNASC 2006), Timisoara, Romania
    • 10/ 9/06-10/12/06: WSNS, 2nd International Workshop on Wireless and Sensor Networks Security, Held in conjunction with the 3rd IEEE International Conference on Mobile Ad-hoc and Sensor Systems (MASS 2006), Vancouver, Canada
    • 10/19/06-10/20/06: NordSec, 11th Nordic Workshop on Secure IT-systems, Linkoping, Sweden
    • 10/23/06-10/24/06: IWSEC, 1st International Workshop on Security, Kyoto, Japan
    • 10/23/06-10/24/06: WESII, Workshop on the Economics of Securing the Information Infrastructure, Arlington, VA, USA
    • 10/30/06-11/ 3/06: CCS, 13th ACM Conference on Computer and Communications Security, Alexandria, VA, USA
    • 10/30/06: QOP, 2nd Workshop on Quality of Protection, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), Alexandria, VA, USA
    • 10/30/06: WPES, 5th Workshop on Privacy in the Electronic Society, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), Alexandria, VA, USA
    • 10/30/06: DRM, 6th Workshop on Digital Rights Management, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), Alexandria, VA, USA
    • 10/30/06: SASN, 4th ACM Workshop on Security of Ad Hoc and Sensor Networks, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), Alexandria, VA, USA
    • 10/30/06: StorageSS, 2nd Workshop on Storage Security and Survivability, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), Alexandria, VA, USA
    • 11/ 3/06: WORM, 4th Workshop on Recurring Malcode, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), Alexandria, VA, USA
    • 11/ 3/06: FMSE, 4th Workshop on Formal Methods in Security Engineering: From Specifications to Code, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), Alexandria, VA, USA
    • 11/ 3/06: STC, 1st Workshop on Scalable Trusted Computing, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), Alexandria, VA, USA
    • 11/ 3/06: VizSEC, 3rd Workshop on Visualization for Computer Security, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), Alexandria, VA, USA
    • 11/ 3/06: DIM, 2nd Workshop on Digital Identity Management, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), Alexandria, VA, USA
    • 11/ 3/06: SWS, 1st Workshop on Secure Web Services, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), Alexandria, VA, USA
    • 12/ 8/06-12/10/06: CANS, 5th International Conference on Cryptology and Network Security, Suzhou, China
    • 12/17/06-12/21/06: ICISS, 2nd International Conference on Information Systems Security, Kolkata, India
    • 1/ 3/07- 1/ 7/07: HICSS-HTC, 40th Annual Hawaii International Conference on System Sciences, Highly Trustworthy computing (HTC) mini-track, Waikoloa, Hawaii, USA
    • 1/ 3/07- 1/ 7/07: HICSS-SSADIA, 40th Annual Hawaii International Conference on System Sciences, Secure Software Architecture, Design, Implementation and Assurance (SSADIA) Minitrack, Waikoloa, Hawaii, USA
    • 1/15/07: ASC, 6th Annual Security Conference, Las Vegas, Nevada, USA; Submissions are due
    • 4/11/07- 4/12/07: ASC, 6th Annual Security Conference, Las Vegas, Nevada, USA
  • new calls or announcements added since Cipher E71

  • ESAS 2006 3rd European Workshop on Security and Privacy in Ad hoc and Sensor Networks, Held in conjunction with the European Symposium on Research in Computer Security (ESORICS 2006), Hamburg, Germany, September 20-21, 2006. (Submissions due 29 May 2006)

    The vision of ubiquitous computing has generated a lot of interest in wireless ad hoc and sensor networks. However, besides their potential advantages, these new generations of networks also raise some challenging problems with respect to security and privacy. The aim of this workshop is to bring together the network security, cryptography, and wireless networking communities in order to discuss these problems and to propose new solutions. The third ESAS workshop seeks submissions that present original research on all aspects of security and privacy in wireless ad hoc and sensor networks. Submission of papers based on work-in-progress is encouraged. Topics of interest include, but are not limited to the following:

    • Privacy and anonymity
    • Prevention of traffic analysis
    • Location privacy
    • Secure positioning and localization
    • Secure MAC protocols
    • Secure topology control
    • Secure routing
    • Secure context aware computing
    • Secure in-network processing
    • Attack resistant data aggregation
    • Cooperation and fairness
    • Key management
    • Trust establishment
    • Embedded security
    • Cryptography under resource constraints
    • Distributed intrusion detection

  • WENS 2006 Workshop on Enterprise Network Security, held in conjunction with IEEE Communications Society/CreateNet SecureComm 2006, Baltimore, MD, USA, September 1, 2006. (Submissions due 31 May 2006)

    The introduction of networking to the enterprise has introduced an explosion of new productivity. However, the connectivity offered by networking has also introduced significant security issues that can no longer be easily addressed by control of physical access. Specifically, management and monitoring of the security or health of internal LAN/MAN-side services on an enterprise network can often consume significant portions of the IT resource budget. The focus of this workshop is to provide a forum for the exploration of issues unique to the enterprise network. Topics for the workshop include but are not limited to:

    • Network risk assessment
    • Rogue device detection (wireless APs)
    • Trust inference
    • Security visualization
    • Security and grid computing
    • Obfuscation and privacy mechanisms over the grid
    • Intrusion dataset creation
    • Case studies
    • Security testbeds

  • VietCrypt 2006 1st International Conference on Cryptology in Vietnam, Hanoi, Vietnam, September 25-28, 2006. (Submissions due 6 June 2006)

    Cryptology, the science of information protection blending pure computing theory with practical aspects, has been a strongly expanding research area over the last few years. VietCrypt 2006 will provide an international forum on cryptology for the first time in Vietnam. It is an opportunity for scientists, researchers, entrepreneurs, government officers and implementers to exchange novel ideas, new results and practical experiences. Original papers on all technical aspects of cryptology are solicited for submission.

  • CERTSOFT 2006 International Workshop on Software Certification, Ontario, Canada, August 26-27, 2006. (Submissions due 9 June 2006)

    Software is currently used to control medical devices, automobiles, aircraft, manufacturing plants, nuclear generating stations, space exploration systems, elevators, electric motors, automated trains, banking transactions, telecommunications devices and a growing number of devices in industry and in our homes. Software is also mission critical for many organizations, even if the software does not control what happens. Clearly, many of these systems have the potential to cause physical harm if they malfunction. Even if they do not cause physical harm, their malfunctions are capable of causing financial and political chaos. Currently there is no consistent regulation of software, and society is starting to demand that software used in critical systems must meet minimum safety, security and reliability standards. Manufacturers of these systems are in the unenviable position of not having any clear guidelines as to what may be regarded as acceptable standards in these situations. Even where the systems are not mission critical, software producers and their customers are becoming interested in methods for assuring quality that may result in software supplied with guarantees. The purpose of the workshop is to discuss issues related to software certification. Possible topics include:

    • What is software certification, and what is its relation to system certification?
    • Methods, processes, and tools for developing certified software
    • Certifying safety-critical applications
    • Certifying embedded systems
    • Certifying non-critical but commercially significant applications
    • Certification of software components
    • Developing standards based on experimental analysis of methods
    • Formalization of Regulatory Requirements for Software
    • Repositories of assured/verified/validated software components
    • Using the Common Criteria for IT Security Evaluation as a model
    • Standardization of certification methods used in different industries
    • Evolutionary and incremental certification

  • NordSec 2006 11th Nordic Workshop on Secure IT-systems, Linköping, Sweden, October 19-20, 2006. (Submissions due 10 June 2006)

    The NordSec workshops started in 1996 with the aim of bringing together researchers and practitioners within computer security in the Nordic countries. The theme of the workshop has been applied security, i.e. all kinds of security issues that could encourage interchange and cooperation between the research community and the industrial/consumer community. Possible topics include, but are not limited to the following:

    • Anonymity and Privacy
    • Applied Cryptography
    • Computer Crime
    • Information Warfare
    • E-and M-Business Security
    • Inter/Intra/Extranet Security
    • Intrusion Detection
    • Language-Based Security
    • New Firewall Technologies
    • New Ideas and Paradigms for Security
    • Operating System Security
    • Phishing and Anti-Phishing
    • PKI and Key Escrow
    • Privacy-Preserving Data-Mining
    • Security Education and Training
    • Security Evaluations and Measurements
    • Security Management and Audit
    • Security of Commercial Products
    • Security Models
    • Security Protocols
    • Smart Card Applications
    • Software Security
    • Web Services Security
    • Wireless Communication Security
    • Trust and trust management

  • QOP 2006 2nd Workshop on Quality of Protection, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), Alexandria, VA, USA, October 30, 2006. (Submissions due 12 June 2006)

    The QoP Workshop intends to discuss how security research can progress towards a notion of Quality of Protection in Security comparable to the notion of Quality of Service in Networking, Software Reliability, or Software Measurements and Metrics in Empirical Software Engineering. Original submissions are solicited from industry and academic experts to presents their work, plans and views related to Quality of Protection. The topics of interest include but are not limited to:

    • Case studies
    • Security Risk Analysis
    • Security Quality Assurance
    • Measurement-based decision making and risk management
    • Empirical assessment of security architectures and solutions
    • Mining data from attacks and vulnerabilities repositories
    • Security metrics
    • Measurement theory and formal theories of security metrics
    • Security measurement and monitoring
    • Experimental verification and validation of models
    • Simulation and statistical analysis, stochastic modelling
    • Reliability analysis

  • HICSS-HTC 2007 40th Annual Hawaii International Conference on System Sciences, Highly Trustworthy computing (HTC) mini-track, Waikoloa, Hawaii, USA, January 3-6, 2007. (Submissions due 15 June 2006)

    HICSS conferences are devoted to advances in the information, computer, and system sciences, and encompass developments in both theory and practice. Starting in HICSS 40, the Software Technology track has a cluster of complementary mini-tracks in the area of computer security. The Highly Trustworthy computing (HTC) mini-track focuses on both applied and fundamental research to support the protection of high value information, such that both the behavior of the system and the absence of contrary behavior can be ensured to a high degree. The use of formal methods, hardware-based security primitives, and rigorous development processes are some of the significant components in HTC. We are interested in papers describing new results in the application, theory and foundations of highly trustworthy computing. We invite papers that demonstrate results through mathematical techniques as well as those that provide convincing analysis and/or data regarding new concepts. The topics covered in this category include, but are not limited to the support of highly trustworthy computing through:

    • System development and verification techniques
    • System and network security architectures
    • Support for dynamic security policies
    • Relationship of dynamic security to multi-level security
    • Hardware-software co-design
    • System and network evaluation techniques
    • Formal models and other theoretical foundations

  • HICSS-SSADIA 2007 40th Annual Hawaii International Conference on System Sciences, Secure Software Architecture, Design, Implementation and Assurance (SSADIA) Minitrack, Waikoloa, Hawaii, USA, January 3-6, 2007. (Submissions due 15 June 2006)

    The Secure Software Architecture, Design, Implementation and Assurance minitrack focuses on the research and automation required to develop secure software systems that do not compromise other system properties such as performance or reliability. Current security engineering methods are demonstrably inadequate, as software vulnerabilities are currently being discovered at the rate of over 4,000 per year. These vulnerabilities are caused by software designs and implementations that do not adequately protect systems and by development practices that do not focus sufficiently on eliminating implementation defects that result in security flaws. An opportunity exists for systematic improvement that can lead to secure software architectures, designs, and implementations. The following topics are appropriate topics for research papers:

    • Static analysis tools and techniques for detecting security flaws and software vulnerabilities in source or binary code
    • Dynamic analysis tools for detecting security flaws and software vulnerabilities in source or binary code
    • Model checking tools for detecting security flaws and software vulnerabilities in software systems
    • Software architectures and designs for securing against denial-of-service attacks and other software exploits
    • Coding practices for improved security and secure library implementations
    • Computational security engineering
    • Other tools and techniques for reducing or eliminating vulnerabilities during development and maintenance

  • WSNS 2006 2nd International Workshop on Wireless and Sensor Networks Security, Held in conjunction with the 3rd IEEE International Conference on Mobile Ad-hoc and Sensor Systems (MASS 2006), Vancouver, Canada, October 9-12, 2006. (Submissions due 16 June 2006)

    Wireless networks have experienced an explosive growth during the last few years. Nowadays, there is a large variety of networks spanning from the well-known cellular networks to non-infrastructure wireless networks such as mobile ad hoc networks and sensor networks. Security issue is a central concern for achieving secured communication in these networks. This one day workshop aims to bring together researchers and practitioners from wireless and sensor networking, security, cryptography, and distributed computing communities, with the goals of promoting discussions and collaborations. We are interested in novel research on all aspects of security in wireless and sensor networks and tradeoff between security and performance such as QoS, dependability, scalability, etc. Topics of interest include, but are not limited to:

    • Authentication and Access Control
    • Cryptographic Protocol
    • Experimental Studies
    • Key Management
    • Information Hiding
    • Intrusion Detection and Response
    • Privacy and Anonymity
    • Secure Localization and Synchronization
    • Security and Performance tradeoff
    • Security Policy and Enforcement Issues
    • Security Protocols Design, Analysis and Verification
    • Secure Routing/MAC
    • Surveillance and Monitoring
    • Trust Management

  • WORM 2006 4th Workshop on Recurring Malcode, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS-13), Fairfax, VA, USA, November 3, 2006. (Submissions due 16 June 2006)

    Internet-wide infectious epidemics have emerged as one of the leading threats to information security and service availability. Self-propagating threats, generally termed 'worms', exploit software weaknesses, hardware limitations, Internet topology, and the open Internet communication model to compromise large numbers of networked systems. Internet worms are increasingly being used as delivery mechanisms for malicious payloads such as spyware, phishing servers, spam relays, and information espionage. Unfortunately, current operational practices still face significant challenges in containing these threats as evidenced by the rise in automated botnet networks and the continued presence of worms released years ago. This workshop provides a forum for exchanging ideas, increasing understanding, and relating experiences on self-propagating malicious software from a wide range of communities, including academia, industry, and the government. We are soliciting papers from researchers and practitioners on subjects including, but not limited to:

    • Automatic worm detection and characterization
    • Reactive countermeasures
    • Proactive defenses
    • Detecting and disrupting botnets and malware command and control
    • Threat assessment
    • New threats and related challenges
    • Measurement studies
    • Testbeds & evaluation
    • Reverse engineering
    • Significant operational experiences
    • Analysis of worm/botnet construction, current & future
    • Modeling and analysis of propagation dynamics
    • Forensic methods of attribution

  • FMSE 2006 4th Workshop on Formal Methods in Security Engineering: From Specifications to Code, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS-13), Fairfax, VA, USA, November 3, 2006. (Submissions due 16 June 2006)

    Information security has become a crucial concern for the commercial deployment of almost all applications and middleware. Although this is commonly recognized, the incorporation of security requirements in the software development process is not yet well understood. The deployment of security mechanisms is often ad hoc, without a formal security specification or analysis, and practically always without a formal security validation of the final product. Progress is being made, but there remains a wide gap between high-level security models and actual code development. We seek original research papers addressing foundational issues in formal methods in security engineering. Topics covered include, but are not limited to:

    • security specification techniques
    • formal trust models
    • combination of formal techniques with semi-formal techniques such as UML
    • formal analyses of specific security properties relevant to software development
    • security-preserving composition and refinement of processes
    • symbolic and computational models of security protocols
    • integration of security aspects into formal development methods and tools
    • access control policies
    • information flow
    • risk management and network security
    • formal analysis of firewalls and intrusion detection systems
    • trusted computing
    • case studies

  • CANS 2006 5th International Conference on Cryptology and Network Security, Suzhou, China, December 8-10, 2006. (Submissions due 20 June 2006)

    The main goal of this conference is to promote research on all aspects of network security and cryptology. It is also the goal to build a bridge between research on cryptography and network security. So, we welcome scientific and academic papers that focus on this multidisciplinary area. Areas of interest for CANS '06 include, but are not limited to, the following topics:

    • Ad Hoc Network Security
    • Access Control for Networks
    • Anonymity and internet voting
    • Cryptology
    • Denial of Service
    • Fast Cryptographic Algorithms
    • Information Hiding
    • Intrusion Detection
    • IP Security
    • Multicast Security
    • PKI
    • Phishing
    • Router Security
    • Secure E-Mail
    • Secure protocols (SSH, SSL, ...)
    • Spam
    • Spyware
    • Scanning

  • WiSe 2006 ACM Workshop on Wireless Security, Held in conjunction with ACM MobiCom 2006, Los Angeles, California, USA, September, 2006. (Submissions due 20 June 2006)

    The objective of this workshop is to bring together researchers from research communities in wireless networking, security, applied cryptography, and dependability; with the goal of fostering interaction. With the proliferation of wireless networks, issues related to secure and dependable operation of such networks are gaining importance. Topics of interest include, but are not limited to:

    • Key management in wireless/mobile environments
    • Trust establishment
    • Computationally efficient primitives
    • Intrusion detection, detection of malicious behavior
    • Revocation of malicious parties
    • Secure PHY/MAC protocols
    • Denial of service
    • User privacy, location privacy
    • Anonymity, prevention of traffic analysis
    • Dependable wireless networking
    • Identity theft and phishing in mobile networks
    • Charging in wireless networks
    • Cooperation in wireless networks
    • Vulnerability modeling
    • Incentive-aware secure protocol design
    • Security in vehicular networks
    • Jamming
    • Cross-layer design for security
    • Monitoring and surveillance

  • STC 2006 1st Workshop on Scalable Trusted Computing, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), FairFax, VA, USA, November 3, 2006. (Submissions due 20 June 2006)

    In a society increasingly dependent on networked information systems, trusted computing plays a crucial role. Despite significant progress in trusted computing components, the issue of scalability in trusted computing and its impact on security are not well-understood. Consequently, there is a dearth of practical solutions for trusted computing in large-scale systems. Approaches suitable for small- or medium-scale trusted computing systems might not be applicable to larger-scale scenarios. This new workshop is focused on trusted computing in large-scale systems -- those involving (at the very least) many millions of users and thousands of third parties with varying degrees of trust. The workshop is intended to serve as a forum for researchers as well as practitioners to disseminate and discuss recent advances and emerging issues. Topics of interest to the workshop include the following:

    • models for trusted computing
    • principles of trusted computing
    • modeling of computing environments, threats, attacks and countermeasures
    • limitations, alternatives and tradeoffs regarding trusted computing
    • trust in authentications, users and computing services
    • hardware based trusted computing
    • software based trusted computing
    • pros and cons of hardware based approach
    • remote attestation of trusted devices
    • censorship-freeness in trusted computing
    • cryptographic support in trusted computing
    • case study in trusted computing
    • applications of trusted computing
    • intrusion resilience in trusted computing
    • access control for trusted computing
    • trust of computing systems
    • principles for handling scales

  • WPES 2006 5th Workshop on Privacy in the Electronic Society, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), Alexandria, VA, USA, October 30, 2006. (Submissions due 23 June 2006)

    The need for privacy-aware policies, regulations, and techniques has been widely recognized. This workshop discusses the problems of privacy in the global interconnected societies and possible solutions. The workshop seeks submissions from academia and industry presenting novel research on all theoretical and practical aspects of electronic privacy, as well as experimental studies of fielded systems. We encourage submissions from other communities such as law and business that present these communities' perspectives on technological issues. Topics of interest include, but are not limited to:

    • anonymity, pseudonymity, and unlinkability
    • data correlation and leakage attacks
    • electronic communication privacy
    • information dissemination control
    • privacy in health care and public administration
    • privacy and confidentiality management
    • personally identifiable information
    • privacy-aware access control
    • privacy in the digital business
    • privacy enhancing technologies
    • privacy policies
    • privacy and anonymity on the Web
    • privacy in the electronic records
    • public records and personal privacy
    • privacy and human rights
    • privacy threats
    • privacy and virtual identity
    • privacy policy enforcement
    • privacy and data mining
    • privacy vs. security
    • user profiling
    • wireless privacy
    • economics of privacy

  • DRM 2006 6th Workshop on Digital Rights Management, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), Alexandria, VA, USA, October 30, 2006. (Submissions due 23 June 2006)

    Digital Rights Management (DRM) is an area of pressing interest, as the Internet has become the center of distribution for digital goods of all sorts. The business potential of digital content distribution is huge, as are its economic, legal and social implications. DRM, as a technical interdisciplinary field, is at the heart of controlling the digital content and assuring authorized, user friendly, safe, well-managed, automated, and fraud-free distribution. The field of DRM combines cryptographic technology, software and systems research, information and signal processing methods, legal, social and policy aspects, as well as business analysis and economics. Original papers on all aspects of Digital Rights Management are solicited for submission to DRM 2006, the Sixth ACM Workshop on Digital Rights Management. Topics of interest include but are not limited to:

    • anonymous publishing
    • architectures for DRM systems auditing
    • business models for online content distribution
    • computing environments and platforms for DRM systems
    • copyright-law issues, including but not limited to fair use
    • digital policy management
    • implementations and case studies
    • privacy and anonymity
    • risk management
    • robust identification of digital content
    • security issues, including but not limited to authorization, encryption, tamper resistance, and watermarking
    • software related issues
    • supporting cryptographic technology including but not limited to traitor tracing, broadcast encryption, obfuscation
    • threat and vulnerability assessment
    • concrete software patent cases
    • usability aspects of DRM systems
    • web services related to DRM systems

  • SASN 2006 4th ACM Workshop on Security of Ad Hoc and Sensor Networks, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), Alexandria, VA, USA, October 30, 2006. (Submissions due 23 June 2006)

    Ad hoc and sensor networks are expected to become an integral part of the future computing landscape. However, these networks introduce new security challenges due to their dynamic topology, severe resource constraints, and absence of a trusted infrastructure. SASN 2006 seeks submissions from academia and industry presenting novel research on all aspects of security for ad hoc and sensor networks, as well as experimental studies of fielded systems. Topics of interest include, but are not limited to, the following as they relate to mobile ad hoc networks or sensor networks:

    • Security under resource constraints (e.g., energy, bandwidth, memory, and computation constraints)
    • Performance and security tradeoffs
    • Secure roaming across administrative domains
    • Key management
    • Cryptographic Protocols
    • Authentication and access control
    • Trust establishment, negotiation, and management
    • Intrusion detection and tolerance
    • Secure location services
    • Secure clock distribution
    • Privacy and anonymity
    • Secure routing
    • Secure MAC protocols
    • Denial of service
    • Prevention of traffic analysis

  • ICS 2006 Workshop on Information and Computer Security, Held in conjunction with the 8th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing (SYNASC 2006), Timisoara, Romania, September 29-30, 2006. (Submissions due 30 June 2006)

    The ICS 2006 Workshop is intended as an international forum for researchers in all areas of information and computer security. Submissions of papers presenting original research are invited for the following workshop tracks:
    

    • Decidability and complexity
    • Language-based security
    • Security models
    • Security protocols
    • Security verification
    • Authentication
    • Anonymity and privacy
    • Electronic voting
    • Information flow
    • Intrusion detection
    • Resource usage control
    • Security for mobile computing
    • Trust management Cryptology
    • Protocols that provide services in application fields such as e-government, and that are simple enough (or so precisely defined) as to serve as reasonable targets for formal analysis tools;
    • Cryptographic primitive implementations that can be formally analyzed;
    • Work on combinatorial optimization problems that arise in cryptographic applications and that can be approximately solved using techniques from formal modeling

  • VizSEC 2006 3rd Workshop on Visualization for Computer Security, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), FairFax, VA, USA, November 3, 2006. (Submissions due 3 July 2006)

    In many applications, visualization has proven to be very effective to understanding such high-dimensional data. Thus, there is a growing interest in the development of visualization methods as alternative or complementary solutions for pressing cybersecurity problems. Visualization represents high-dimensional security data in 2D/3D graphics and animations intended to facilitate quick inferences for situational awareness and/or focusing of attention on potential security events. In order to promote the highest intellectual exchange possible, we seek submissions in four different paper categories, specifically: (1) Tool Update (1-2 pages), (2) Short Paper (3-5 pages), (3) Long Paper (6-10 pages), and (4) Position Paper (2-5 pages). All accepted papers will be published in hardcopy ACM proceedings available the day of the workshop and as well as within the ACM Digital Library. A list of potential topics includes, but is not limited to, the following:

    • visualization support for Internet security situational awareness
    • visualization support for end user security
    • visualization for ISP management support (highlighting security)
    • visual authentication schemes (graphical passwords, biometrics)
    • visualization to enable secure E-commerce
    • visualization for secure transactions via web browsers
    • visualization support for secure programming
    • visualization support for security device management
    • visualizing intrusion detection system alarms (NIDS/HIDS)
    • visualizing worm/virus propagation
    • visualizing routing anomalies
    • feature selection
    • forensic visualization
    • visualizing network traffic for security
    • dynamic attack tree creation (graphic)
    • usability studies of security visualization tools
    • visualizing large volume computer network logs

  • DIM 2006 2nd Workshop on Digital Identity Management, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), FairFax, VA, USA, November 3, 2006. (Submissions due 7 July 2006)

    The Second Workshop on Digital Identity Management will explore the relevance of User Centric Identity Management as an organizing principle for digital identity. It is designed to bring together practitioners, corporate researchers and academics to explore the newly emerging "User Centric" for identity management. The goal of the workshop is to lay the foundation and agenda for further research and development in this area. Under the broad umbrella of user-centric identity, we are soliciting papers from researchers and practitioners on topics including, (but not limited to):

    • Basic principles - what makes an identity system user-centric?
    • Client-hosted identity
    • Consistent UI for identity transactions
    • Identity lifecycle management
    • Identity Metasystem
    • Identity theft prevention
    • Privacy-enhancing identity management
    • Private Credentials
    • Social networks
    • Strong authentication
    • Unlinkability of Transactions
    • URI-based identity systems

  • StorageSS 2006 2nd Workshop on Storage Security and Survivability, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), Alexandria, VA, USA, October 30, 2006. (Submissions due 14 July 2006)

    There has been an evolution of protection solutions mirrored in both the security and survivability research communities: (1) from physical protection solutions targeting people, (2) to system protection solutions targeting networked-systems, (3) and now the new emerging paradigm of information-centric solutions targeting the data itself. This workshop will focus on stimulating new ideas in order to reshape storage protection strategies. Clearly, storage security and survivability is a complex, multi-dimensional problem that changes over time, so a large variety of approaches may be appropriate including prevention, monitoring, measurements, mitigation, and recovery. The StorageSS workshop aims to foster a greater exchange between computer protection researchers/professionals and computer storage researchers and professionals. A list of potential topics includes but is not limited to the following:

    • storage protection tradeoffs
    • storage protection deployment (including case studies)
    • smart storage for security/survivability
    • analysis of covert storage channels
    • storage leak analysis
    • mobile storage protection
    • novel backup protection techniques
    • storage versioning protection techniques
    • storage encryption techniques (both key mgmt and crypto algorithms)
    • tamper-evident storage protection techniques
    • immutable storage protection techniques; provenance
    • storage threat models
    • storage intrusion detection systems
    • storage area network (SAN) security/survivability
    • security/survivability for storage over a distance
    • security/survivability with Internet storage service providers
    • security for long-term / archival storage
    • storage security/survivability in an HPC environment
    • interaction of storage security/survivability and databases
    • privacy issues in remote/hosted storage

  • SWS 2006 1st Workshop on Secure Web Services, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), FairFax, VA, USA, November 3, 2006. (Submissions due 18 July 2006)

    Basic security protocols for Web Services, such as XML Security, the WS-* series of proposals, SAML, and XACML are the basic set of building blocks enabling Web Services and the nodes of GRID architectures to interoperate securely. While these building blocks are now firmly in place, a number of challenges are still to be met for Web services and GRID nodes to be fully secured and trusted, providing for secure communications between cross-platform and cross-language Web services. Also, the current trend toward representing Web services orchestration and choreography via advanced business process metadata is fostering a further evolution of current security models and languages, whose key issues include setting and managing security policies, inter-organizational (trusted partner) security issues and the implementation of high level business policies in a Web services environment. The SWS workshop explores these challenges, ranging from the advancement and best practices of building block technologies such as XML and Web services security protocols to higher level issues such as advanced metadata, general security policies, trust establishment, risk management, and service assurance. Topics of interest include, but are not limited to, the following:

    • Web services and GRID computing security
    • Authentication and authorization
    • Frameworks for managing, establishing and assessing inter-organizational trust relationships
    • Web services exploitation of Trusted Computing
    • Semantics-aware Web service security and Semantic Web Secure orchestration of Web services
    • Privacy and digital identities support

  • WESII 2006 The Workshop on the Economics of Securing the Information Infrastructure, Arlington, VA, USA, October 23-24, 2006. (Submissions due 6 August 2006)

    Our information infrastructure suffers from decades-old vulnerabilities, from the low-level algorithms that select communications routes to the application-level services on which we are becoming increasingly dependent. Are we investing enough to protect our infrastructure? How can we best overcome the inevitable bootstrapping problems that impede efforts to add security to this infrastructure? Who stands to benefit and who stands to lose as security features are integrated into these basic services? How can technology investment decisions best be presented to policymakers? We invite infrastructure providers, developers, social scientists, computer scientists, legal scholars, security engineers, and especially policymakers to help address these and other related questions. Suggested topics (not intended to be comprehensive):

    • The economics of deploying security into: The Domain Name System (DNS), BGP & routing infrastrucure, Email & spam prevention, Programming languages, Legacy code bases, User interfaces, and Operating systems
    • Measuring the cost of adding security
    • Models of deployment penetration
    • Empirical studies of deployment
    • Measuring/estimating damages
    • Code origin authentication
    • Establishing roots of trust
    • Identity management infrastructure
    • Data archival and warehousing infrastructure
    • Securing open source code libraries
    • Adding security to/over existing APIs
    • Liability and legal issues
    • Internet politics
    • Antitrust Issues
    • Privacy Issues

  • ASC 2007 6th Annual Security Conference, Las Vegas, Nevada, USA, April 11-12, 2007. (Submissions due 15 January 2007)

    With the development of more complex networking systems and the rapid transition to the e-world, information security has become a real concern for many individuals and organizations. Advanced safeguards are required to protect the information assets of not only large but also small and distributed enterprises. New approaches to information security management, such as policies and certifications, are now being required. The security of strategic corporate information has become the foremost concern of many organizations, and in order to assure this security, methods and techniques must be conceptualized for small enterprises both from a functional and technical viewpoint. Recommended topics (but not limited to) include:

    • E-Commerce security
    • Biometrics
    • Smart Cards
    • Secure small distribution applications
    • Security of intelligent tokens
    • Methodologies for security of small to medium size enterprises
    • Methodologies and techniques for certification and accreditation
    • Evaluation of Information Security in companies
    • Information security surveys and case studies
    • International standards for Information Security Management

   

---

IEEE Computer Society's Technical Committee on Security and Privacy

	TC home page	TC Officers
	How to join the TC	TC publications available online
	TC Publications for sale	Cipher past issues archive
	IEEE Computer Society	Cipher Privacy Policy




---