Cipher Electronic Newsletter of the Technical Committe on    Security & Privacy A Technical Committee of the Computer Society of the IEEE  Electronic Issue (EI) 73,  July 16, 2006 Hilarie Orman,  Editor Robert Bruen, Book Review Editor Sven Dietrich, Associate Editor Yong Guan, Calendar Editor

Contents:

• Letter from the Editor 
   
• Report of the Technical Committee Meeting, May 23, 2006

• Commentary and Opinion and News

  • Robert Bruen's review of The Governance of Privacy. Policy Instruments in a Global Perspective by Bennett, Colin and Charles Raab

  • Review of the IEEE Computer Society Security and Privacy Symposium (Berkeley, California, May 21-24, 2006) by Ganesha Bhaskara and Justin Zhan

  • Announcement of the open period for ACM SIGSAC nominations, by Pierangela Samarati

  • Article touts Vista OS Security

  • Announcement of NIST's timeline for new hash functions

  • Book reviews from past Cipher issues

  • Conference Reports and Commentary from past Cipher issues

  • News items from past Cipher issues

• Conference and Workshop Announcements

  • Cipher calls-for-papers and calendar
    

  • Calendar
    • 7/16/06: Workshop on Cryptography for Ad hoc Networks (WCAN), S. Servolo Island, Venice, Italy
    • 7/17/06- 7/28/06: Intensive Program on Information and Communication Security, Privacy Technology (IPICS), KU-Leuven, Belgium; info: George.Danezis esat kuleuven be)
    • 7/20/06- 7/23/06: Security Issues in Adaptive Distributed Systems (SIADS), a session at CITSA, Orlando, Florida; peer review, printed proceedings
    • 7/27/06- 7/28/06: Conference on Email and Anti-Spam (CEAS), Mountain View, CA;
    • 7/31/06: Hot Topics in Security (HotSec), Vancouver, B.C., Canada;
    • 7/31/06- 8/ 4/06: USENIX-Security, Vancouver, BC, Canada; info sec06chair@usenix.org
    • 7/31/06- 8/ 1/06: Workshop on Models for Cryptographic Protocols (MCP), Aarhus, Denmark;
    • 8/ 1/06: USENIX/ACCURATE Electronic Voting Technology Workshop (EVT), Vancouver, B.C., Canada;
    • 8/ 1/06- 8/ 4/06: Workshop on Security in Ubiquitous Computing Systems (SecUbiq), Seoul, Korea;
    • 8/ 4/06: Workshop on Trusted Collaboration(TrustCol), Atlanta, Georgia; Submissions are due;
    • 8/ 5/06: Deadline for ACM SIGSAC award nominations
    • 8/ 6/06: The Workshop on the Economics of Securing the Information Infrastructure (WESII), Arlington, VA; submissions are due;
    • 8/ 7/06- 8/10/06: Conference on Security and Cryptography (SECRYPT), Setubal, Portugal
    • 8/11/06: HotNets - Workshop on Hot Topics in Networks (HotNets), Irvine, California; Submissions are due
    • 8/13/06: Workshop on Advances in Trusted Computing 2006(WATC), Tokyo, Japan; Submissions are due; conf web page; info:
    • 8/14/06- 8/16/06: Digital Forensic Research Workshop (DFRWS), Lafayette, IN; conf web page; info dfrws2006 (at) dfrws (dot) org
    • 8/15/06- 8/16/06: Foundations of Computer Security (FCS), Seattle, Washington; info: fcs-arspa06 -at- lists.inf.ethz.ch
    • 8/20/06- 8/23/06: CRYPTO, Santa Barbara, CA
    • 8/21/06- 8/27/06: Symposium on formal methods (FM), Ontario, Canada;
    • 8/21/06- 8/22/06: Thread Verification) (TV), Seattle, Washington;
    • 8/24/06- 8/25/06: NIST Cryptographic Hash Workshop(NIST-CHW2), Santa Barbara, CA;
    • 8/26/06- 8/27/06: Workshop on Formal Aspects in Security & Trust (FAST), Hamilton, Ontario, Canada;
    • 8/27/06- 8/29/06: Internet Surveillance and Protection (ICISP); Cote d'Azur, France;
    • 8/28/06- 9/ 1/06: Workshop on the Value of Security through Collaboration (SECOVAL); Baltimore, MD;
    • 8/30/06- 9/ 2/06: Information Security Conference (ISC), Pythagoras, Greece;
    • 8/31/06: Handbook-Research-on-Information-Assurance-and-Security; Proposals are due; info: SSHARMA@bsu.edu;
    • 9/ 1/06: Workshop on Enterprise Network Security (WENS), Baltimore, MD;
    • 9/ 3/06- 9/ 8/06: School on Security for Wireless Networking (SWING), Bertinoro, Italy;
    • 9/ 8/06: Computer-aided Law and Advanced Technologies track of ACM Symposium on Applied Computing, SAC 2007 (CLAT) Seoul, Korea; Submissions are due; info: lavinia.egidi@mfn.unipmn.it;
    • 9/10/06- 9/16/06: School on Foundations of Security Analysis and Design (FOSAD); Bertinoro, Italy;
    • 9/10/06: Conference on Availability, Reliability and Security (AReS), Vienna University of Technology, Austria; Submissions are due; info: tho@ifs.tuwien.ac.at;
    • 9/11/06- 9/15/06: Security and Privacy for Emerging Areas in Communication Networks (SecureComm), Baltimore/Washington, USA;
    • 9/18/06- 9/21/06: New Security Paradigms Workshop (NSPW), Schloss Dagstuhl, Germany;
    • 9/18/06- 9/20/06: Workshop on Elliptic Curve Cryptography (ECC), Toronto, Canada
    • 9/18/06- 9/20/06: European Symposium On Research In Computer Security (ESORICS), Hamburg, Germany;
    • 9/20/06- 9/22/06: Recent Advances in Intrusion Detection (RAID), Hamburg, Germany;
    • 9/20/06- 9/21/06: Workshop on Security and Privacy in Ad hoc and Sensor Networks (ESAS), Hamburg, Germany;
    • 9/20/06: Workshop on Security and Trust Mmanagement (STM), Hamburg,Germany;
    • 9/25/06- 9/28/06: Cryptology in Vietnam (VIETCRYPT); Hanoi, Vietnam;
    • 9/28/06- 9/29/06: Monitoring, Attack Detection and Mitigation (MonAM), Tuebingen, Germany; info: sloman@imperial.ac.uk
    • 9/28/06- 9/29/06: Secure Knowledge Management Workshop (SKM), Brooklyn, NY;
    • 9/25/06- 9/27/06: Workshop on Codes and Lattices in Cryptography (CLC), Darmstadt, Germany;
    • 9/29/06-10/ 1/06: Dependable Autonomic and Secure Computing (DASC), Indianapolis, IN;
    • 9/29/06- 9/30/06: Information and Computer Security (ICS), Timisoara, Romania;
    • 10/ 1/06: Symposium on InformAtion, Computer and Communications Security (ASIACCS), Singapore; Submissions are due;
    • 10/ 9/06-10/12/06: Wireless and Sensor Networks Security (WSNS), Vancouver, Canada;
    • 10/23/06-10/24/06: International Workshop on Security (IWSEC), Kyoto, Japan; info info@iwsec.org
    • 10/23/06-10/24/06: The Workshop on the Economics of Securing the Information Infrastructure (WESII), Arlington, VA;
    • 10/29/06-11/ 3/06: International Conference on Formal Engineering Methods (ICFEM), Macao SAR, China;
    • 10/30/06: Workshop on Storage Security and Survivability (StorageSS);
    • 10/30/05: Security of Ad Hoc and Sensor Networks (SASN), Alexandria, VA; info szhu (at) cse.psu.edu
    • 11/ 1/06-11/ 3/06: International Symposium on Computer and Information Sciences (ISCIS), Istanbul, Turkey; info iscis06@sabanciuniv.edu
    • 11/ 1/06-11/ 3/06: Embedded Networked Sensor Systems (SenSys), Boulder, Colorado;
    • 11/ 3/06: Workshop on Recurring Malcode (WORM), Fairfax, VA;
    • 11/ 3/06: Visualization for Computer Security (VizSEC), Fairfax, VA;
    • 11/13/06-11/15/06: Workshop on Hot Topics in Web Systems and Technologies (HotWeb), Boston, MA;
    • 11/17/06-11/20/06: Workshop on Trusted Collaboration (TrustCol), Atlanta, Georgia;
    • 11/29/06-11/30/06: HotNets - Workshop on Hot Topics in Networks (HotNets), Irvine, California;
    • 11/30/06-12/ 1/06: Workshop on Advances in Trusted Computing 2006 (WATC), Tokyo, Japan; conf web page; info:
    • 12/11/06-12/15/06: Annual Computer Security Applications Conference (ACSAC), Miami Beach, Florida;
    • 1/ 3/07- 1/ 6/07: HICSS Highly Trustworthy Computing Mini-Track (HICSS-HTC), Waikoloa, Hawaii; info: irvine@nps.edu
    • 1/ 3/07- 1/ 6/07: HICSS Mini-Track: Secure Software Architecture, Design, Implementation and Assurance (HICSS-SSADIA), Waikoloa, Hawaii;
    • 1/15/07: Security Conference (SecConf), Las Vegas, Nevada; Submissions are due;
    • 2/ 1/07: High Performance Computing, Networking, and Communication Systems (HPCNCS) in Orlando, FL; Submissions are due;
    • 2/13/07: Security in Storage Workshop (SISW), San Jose, California; info: jack.cole@ieee.org
    • 3/11/07- 3/15/07: Computer-aided Law and Advanced Technologies track of ACM Symposium on Applied Computing, SAC 2007 (CLAT), Seoul, Korea; info: lavinia.egidi@mfn.unipmn.it
    • 3/20/07- 3/22/07: Symposium on InformAtion, Computer and Communications Security (ASIACCS), Singapore;
    • 4/10/07- 4/13/07: Conference on Availability, Reliability and Security (AReS), Vienna University of Technology, Austria; info: tho@ifs.tuwien.ac.at;
    • 4/11/07- 4/12/07: Security Conference (SecConf), Las Vegas, Nevada;
    • 7/ 9/07- 7/12/07: High Performance Computing, Networking, and Communication Systems (HPCNCS), Orlando, FL;

  • Calls for Papers,   new calls or announcements added since Cipher E72 (the calls-for-papers and the calendar announcements may differ slightly in content or time of update): 

    • ICICS 2006 8th International Conference on Information and Communications Security, Raleigh, NC, USA, December 4-7, 2006. (Submissions due 24 July 2006)

      The 2006 International Conference on Information and Communications Security (ICICS '06) will be the eighth event in the ICICS conference series, started in 1997, that brings together researchers and scholars involved in multiple disciplines of Information and Communications Security in order to foster exchange of ideas. ICICS 2006 seeks submissions from academia and industry presenting novel research on all aspects of information and communications security, as well as experimental studies of fielded systems. Topics of interest include, but are not limited to, the following:

      • Access Control and Audit
      • Anonymity and Pseudonymity
      • Authentication
      • Automated and Large-Scale Attacks
      • Biometrics
      • Commercial and Industrial Security
      • Data Integrity
      • Database security
      • Denial of Service
      • Distributed Systems Security
      • Electronic Privacy
      • Information Flow
      • Intrusion Detection
      • Language-Based Security
      • Malicious Code
      • Mobile Code and Agent Security
      • Network Security
      • Peer-to-Peer Security
      • Secure Hardware and Smartcards
      • Security Protocols
      • Security Verification
      • Security of Emerging Networks (e.g., Ad-Hoc Networks)

    • SWS 2006 1st Workshop on Secure Web Services, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), FairFax, VA, USA, November 3, 2006. (Submissions due 25 July 2006)

      Basic security protocols for Web Services, such as XML Security, the WS-* series of proposals, SAML, and XACML are the basic set of building blocks enabling Web Services and the nodes of GRID architectures to interoperate securely. While these building blocks are now firmly in place, a number of challenges are still to be met for Web services and GRID nodes to be fully secured and trusted, providing for secure communications between cross-platform and cross-language Web services. Also, the current trend toward representing Web services orchestration and choreography via advanced business process metadata is fostering a further evolution of current security models and languages, whose key issues include setting and managing security policies, inter-organizational (trusted partner) security issues and the implementation of high level business policies in a Web services environment. The SWS workshop explores these challenges, ranging from the advancement and best practices of building block technologies such as XML and Web services security protocols to higher level issues such as advanced metadata, general security policies, trust establishment, risk management, and service assurance. Topics of interest include, but are not limited to, the following:

      • Web services and GRID computing security
      • Authentication and authorization
      • Frameworks for managing, establishing and assessing inter-organizational trust relationships
      • Web services exploitation of Trusted Computing
      • Semantics-aware Web service security and Semantic Web Secure orchestration of Web services
      • Privacy and digital identities support

    • WESII 2006 The Workshop on the Economics of Securing the Information Infrastructure, Arlington, VA, USA, October 23-24, 2006. (Submissions due 6 August 2006)

      Our information infrastructure suffers from decades-old vulnerabilities, from the low-level algorithms that select communications routes to the application-level services on which we are becoming increasingly dependent. Are we investing enough to protect our infrastructure? How can we best overcome the inevitable bootstrapping problems that impede efforts to add security to this infrastructure? Who stands to benefit and who stands to lose as security features are integrated into these basic services? How can technology investment decisions best be presented to policymakers? We invite infrastructure providers, developers, social scientists, computer scientists, legal scholars, security engineers, and especially policymakers to help address these and other related questions. Suggested topics (not intended to be comprehensive):

      • The economics of deploying security into: The Domain Name System (DNS), BGP & routing infrastrucure, Email & spam prevention, Programming languages, Legacy code bases, User interfaces, and Operating systems
      • Measuring the cost of adding security
      • Models of deployment penetration
      • Empirical studies of deployment
      • Measuring/estimating damages
      • Code origin authentication
      • Establishing roots of trust
      • Identity management infrastructure
      • Data archival and warehousing infrastructure
      • Securing open source code libraries
      • Adding security to/over existing APIs
      • Liability and legal issues
      • Internet politics
      • Antitrust Issues
      • Privacy Issues

    • WATC 2006 2nd Workshop on Advances in Trusted Computing, Tokyo, Japan, November 30 - December 1, 2006. (Submissions due 13 August 2006)

      Modern computer systems in large-scale, decentralized, and heterogeneous environments are now facing the diverse threats such as from viruses and other malware. Security research seeks to make computers safer and less vulnerable to those IT threats, and thus more dependable. The goal of Trusted Computing is to allow computers and servers to offer improved computer security relative to that what is currently available. The workshop solicits technical papers offering research contributions spanning from foundations, theory and tools of trusted computing to up-to-date issues. The workshop proceedings will be available at the workshop and via its website. Papers may present theory, applications, or practical experiences on topics including, but not limited to:

      • models and principles for trusted computing
      • formal models and verification
      • software- or hardware-based approaches
      • cryptographic approaches
      • remote attestation of trusted devices
      • standardization in trusted computing groups
      • issues in trusted platform modules
      • property-based and semantic attestation
      • theory and practice for trusted virtual domains
      • privacy and legal issues
      • applications and case studies
      • compliance and conformance
      • trust evaluations of computing systems
      • scalability
      • applications and use cases
      • system and platform architectures
      • access control and information flow control
      • communications
      • virtualization and trusted computing
      • trusted client architectures
      • integrity-evaluating architectures
      • integrity management infrastructures

    • TrustCol 2006 Workshop on Trusted Collaboration, Atlanta, GA, USA, November 17th - 20th, 2006. (Submissions due 18 August 2006)

      The ongoing, rapid developments in information systems technologies and networking have enabled significant opportunities for streamlining decision making processes and maximizing productivity through distributed collaborations that facilitate unprecedented levels of sharing of information and computational resources. Emerging collaborative environments need to provide efficient support for seamless integration of heterogeneous technologies such as mobile devices and infrastructures, web services, grid computing systems, various operating environments, and diverse COTS products. Such heterogeneity introduces, however, significant security and privacy challenges for distributed collaborative applications. Balancing the competing goals of collaboration and security is difficult because interaction in collaborative systems is targeted towards making people, information, and resources available to all who need it whereas information security seeks to ensure the availability, confidentiality, and integrity of these elements while providing it only to those with proper trustworthiness. The key goal of this workshop is to foster active interactions among diverse researchers and practitioners, and generate added momentum towards research in finding viable solutions to the security and privacy challenges faced by the current and future collaborative systems and infrastructures. Topics of interest include, but are not limited to:

      • Access control models and mechanisms for collaboration environments
      • Security frameworks and architectures for trusted collaboration
      • Privacy control in collaborative environments
      • Secure middleware for large scale collaborative infrastructures
      • Secure dynamic coalition environments
      • Secure workflows for collaborative computing
      • Secure interoperation in multidomain collaborative environments
      • Security and privacy issues in mobile collaborative applications
      • Trust models, trust negotiation/management for collaborative systems
      • Policy-based management of collaborative workspace
      • Secure distributed multimedia collaboration
      • Protection models and mechanisms for peer-to-peer collaborative environments
      • Delegation, accountability, and information flow control in collaborative applications
      • Intrusion detection, recovery and survivability of collaborative systems/infrastructures
      • Security of web services and grid technologies for supporting multidomain collaborative applications
      • Semantic web technologies for security collaborative infrastructures

    • SAC-TRECK 2007 22nd Annual ACM Symposium on Applied Computing, Trust, Recommendations, Evidence and other Collaboration Know-how (TRECK) Track, Seoul, Korea, March 11 - 15, 2007. (Submissions due 8 September 2006)

      Computational models of trust and online reputation mechanisms have been gaining momentum. One reason for this is that traditional security mechanisms are challenged by open, large scale and decentralised environments. The use of an explicit trust/reputation management component goes beyond security though. The goal of the ACM SAC 2007 TRECK track remains to review the set of applications that benefit from the use of computational trust and online reputation. Computational trust has been used in reputation systems, risk management, collaborative filtering, social/business networking services, dynamic coalitions and virtual organisations. In last year TRECK, a paper even described how computational trust and reputation could mitigate the privacy issues of trusted computing hardware modules. The TRECK track covers all computational trust applications, especially those used in real-world applications. The topics of interest include, but are not limited to:

      • Recommender and reputation systems
      • Trust-enhanced collaborative applications
      • Trusted computing, trusted platorm modules (TPM, TCG, TCPA, NGSCB...)
      • Trading privacy for trust and security
      • Tangible guarantees given by formal models of trust and risk
      • Trust metrics assessment and threat analysis
      • Pervasive computational trust and use of context-aware features
      • Trust/risk-based security frameworks
      • Automated collaboration and trust negotiation
      • Trust in peer-to-peer systems
      • Technical trust evaluation
      • Impacts of social networks on computational trust
      • Evidence gathering and management
      • Real-world applications, running prototypes and advanced simulations
      • Applicability in large-scale, open and decentralised environments
      • Legal and economic aspects related to the use of trust engines
      • User-studies and user interfaces of computational trust applications

    • ASIACCS 2007 ACM Symposium on InformAtion, Computer and Communications Security, Singapore, March 20-22, 2007. (Submissions due 1 October 2006)

      To build on the success of ACM Conference on Computer and Communications Security (CCS) and ACM Transactions on Information and System Security (TISSEC), the ACM Special Interest Group on Security, Audit, and Control (SIGSAC) formally established the annual ACM Symposium on InformAtion, Computer and Communications Security (ASIACCS) in 2005. Papers representing original research in both the theory and practice concerning information, computer and communications security are solicited. Topics of interest include, but are not limited to:

      • Access control and authorization
      • Applied cryptography
      • Authentication, biometrics, smartcards
      • Data integrity and audit
      • Database security
      • Digital Rights Management
      • Distributed systems security
      • E-commerce and mobile e-commerce
      • Electronic privacy, anonymity
      • Formal verification and testing
      • Hardware design
      • High speed networks
      • Information flow
      • Intrusion detection and survivability
      • Mobile code and mobile agent security
      • P2P & ad hoc networks
      • RFID applications
      • Security protocols
      • Viruses and other malicious codes
      • Watermarking and data hiding
      • Wireless communications
      • Wireless sensor networks

    • ASC 2007 6th Annual Security Conference, Las Vegas, Nevada, USA, April 11-12, 2007. (Submissions due 15 January 2007)

      With the development of more complex networking systems and the rapid transition to the e-world, information security has become a real concern for many individuals and organizations. Advanced safeguards are required to protect the information assets of not only large but also small and distributed enterprises. New approaches to information security management, such as policies and certifications, are now being required. The security of strategic corporate information has become the foremost concern of many organizations, and in order to assure this security, methods and techniques must be conceptualized for small enterprises both from a functional and technical viewpoint. Recommended topics (but not limited to) include:

      • E-Commerce security
      • Biometrics
      • Smart Cards
      • Secure small distribution applications
      • Security of intelligent tokens
      • Methodologies for security of small to medium size enterprises
      • Methodologies and techniques for certification and accreditation
      • Evaluation of Information Security in companies
      • Information security surveys and case studies
      • International standards for Information Security Management

 

• The Technical Committee on Security and Privacy

 

• Listing of academic positions available  by Cynthia Irvine
  

 

• Staying in touch....

  • Information for Subscribers and Contributors

  • Who's where: recent address changes

  • Changing your email address?  Please send updates to cipher@ieee-security.org

• Interesting links  and reports available via FTP and WWW