Cipher Electronic Newsletter of the Technical Committe on    Security & Privacy A Technical Committee of the Computer Society of the IEEE  Electronic Issue (EI) 79,  July 19, 2007 Hilarie Orman,  Editor Book Reviews Sven Dietrich, Associate Editor Yong Guan, Calendar Editor

Contents:

• Letter from the Editor 
   

• Commentary and Opinion

  • Comments on the 5-Minute Talks at the Security and Privacy Symposium 2007 (Oakland/Berkeley, California, May 20-23, 2007) by Tom Hinke

  • Richard Austin's review of Security Metrics: Replacing Fear, Uncertainty and Doubt by Andrew Jacquith

  • NewsBits:  Announcements and correspondence from readers (please contribute!)

    • SIGSAC award nominations are open
    • NIST requests comments on three drafts related to cryptography
    • National Academies release cybersecurity report

  • Conference Reports and Commentary from past Cipher issues

  • Book Reviews from past Cipher issues

  • News items from past Cipher issues

 

• Listing of academic positions available  by Cynthia Irvine
  Doctoral position in cryptography

• Conference and Workshop Announcements

  • Cipher calls-for-papers and calendar
      (the calls-for-papers and the calendar announcements may differ slightly in content or time of update): 

  • Calendar entries

  • 7/18/07- 7/20/07: Symposium On Usable Privacy and Security (SOUPS), Pittsburgh, PA
  • 7/18/07: Workshop on Usable IT Security Management (USM), Carnegie Mellon University in Pittsburgh, PA; no proceedings
  • 7/23/07: Nordic Workshop on Secure IT Systems (NordSec) Reykjavik, Iceland; Submissions are due
  • 7/27/07: Asian Computing Science Conference, Focusing on Computer and Network Security (ASIAN), Dohar, Qatar; Submissions are due; info: asian07@qatar.cmu.edu
  • 8/ 1/07- 8/ 3/07: Wireless Algorithms, Systems and Applications (WASA), Chicago, IL
  • 8/ 3/07: Trustworthy Global Computing (TGC), Sophia-Antipolis, France; Submissions are due
  • 8/ 6/07- 8/10/07: USENIX Security Symposium (USENIXSEC), Boston, MA; info: sec07chair@usenix.org
  • 8/ 6/07: USENIX/ACCURATE Electronic Voting Technology Workshop (EVT), Boston, Massachusetts; info: evt07chairs@usenix.org
  • 8/ 6/07- 8/ 7/07: DETER Expermentors' Workshop, Boston, MA
  • 8/12/07- 8/15/07: Symposium on the Principles of Distributed Computing (PODC), Portland, Oregon
  • 8/13/07- 8/15/07: Digital Forensic Research Workshop (DFRWS), Pittsburgh, PA
  • 8/22/07- 8/24/07: CHINACOM (CHINACOM), Shanghai, China
  • 8/19/07- 8/23/07: IACR CRYPTO (CRYPTO), Santa Barbara, CA
  • 8/26/07- 8/31/07: School for PhD and Researchers on Security for Wireless Networking (SWING), Bertinoro, Italy
  • 8/27/07- 8/31/07: ACM Special Interest Group on Communications (SIGCOMM), Kyoto, Japan; info: francis@cs.cornell.edu
  • 8/27/07- 8/29/07: Workshop on Information Security Applications (WISA), Jeju Island, Korea
  • 8/27/07- 8/28/07: Workshop on Digital Forensics and Incident Analysis (WDFIA), Samos, Greece; info: wdfia07@aegean.gr
  • 8/29/07- 8/31/07: Information Assurance and Security (IAS), Manchester, United Kingdom
  • 9/ 1/07: EURASIP Journal on Advances in Signal Processing, Special Issue on Advances in Signal Processing in Network Intrusion Detection Systems
  • 9/ 3/07- 9/ 7/07: Trust, Privacy, and Security in Digital Business (TrustBus), Regensburg, Germany; info: AMin@ifs.tuwien.ac.at
  • 9/ 3/07- 9/ 7/07: Workshop on Internet Communications Security (WICS), Regensburg, Germany
  • 9/ 3/07: Security Issues in Concurrency (SecCo), Lisboa, Portugal
  • 9/ 5/07- 9/ 7/07: Recent Advances in Intrusion Detection (RAID), Brisbane, Australia; info: g.mohay@qut.edu.au
  • 9/ 5/07- 9/ 7/07: Workshop on Elliptic Curve Cryptography (ECC), University College Dublin, Ireland; info: gary.mcguire@ucd.ie
  • 9/ 8/07: Symposium on Applied Computing, Track on Trust, Recommendations, Evidence and other Collaboration Know-how (SAC-TRECK), Ceará, Brazil; Submissions are due; info: pascal.paillier@gemalto.com
  • 9/13/07- 9/15/07: Mathematical Methods, Models and Architectures for Computer Network Security (MMM-ACNS), Petersburg, Russia; info: spiiran@mail.iias.spb.su
  • 9/15/07: Wireless Network Security (WiSec), Alexandria, VA; Submissions are due
  • 9/17/07- 9/21/07: Security and Privacy for Communication Networks (SecureComm), Nice, France
  • 9/18/07- 9/21/07: New Security Paradigms Workshop (NSPW), North Conway, New Hampshire
  • 9/20/07: Workshop on Network and System Security (NSS), Dalian, China; info: wanlei@deakin.edu.au
  • 9/25/07- 9/27/07: Dependable, Autonomic and Secure Computing (DASC), Columbia, MD; info: mike.hinchey@usa.net
  • 9/25/07: Financial Cryptography and Data Security (FC), Cozumel, Mexico; Submissions are due
  • 9/26/07: Workshop on Security and Trust Management (STM), Dresden, Germany; info: stm07 at item.ntnu.no
  • 10/ 4/07: Workshop on Embedded Systems Security (WESS), Salzburg, Austria
  • 10/ 4/07-10/ 5/07: Anti-Phishing Working Group (APWG), eCrime Researchers Summit (APWG), Pittsburgh, PA
  • 10/ 4/07-10/ 5/07: European Conference on Computer Network Defence (EC2ND), Crete, Greece
  • 10/ 8/07: Asynchronous Circuits and Systems (ASYNC), Newcastle upon Tyne, UK; Abstracts are due
  • 10/ 9/07-10/12/07: Information Security Conference (ISC), Valparaiso, Chile; info: info@isc07.cl
  • 10/11/07-10/12/07: Nordic Workshop on Secure IT Systems (NordSec), Reykjavik, Iceland
  • 10/15/07-10/17/07: Secure Information Systems (SIS), Wisla, Poland
  • 10/28/07-10/30/07: Autonomic Computing and Communication Systems (AUTONOMICS), Rome, Italy
  • 10/28/07: Workshop on Privacy Aspects of Data Mining (PADM), Omaha, NE; info: padm@cimic.rutgers.edu
  • 10/29/07-10/31/07: Workshop on Security (IWSEC), Nara, Japan; info: info@iwsec.org
  • 10/29/07: Quality of Protection (QoP), Alexandria, VA
  • 10/29/07-11/ 2/07: ACM Conference on Computer and Communications Security (CCS), Alexandria, VA
  • 10/29/07: ACM Digital Rights Management Workshop (DRM), Alexdrandria, VA
  • 10/29/07: Information and Communications Security Standards and Regulations (StaR_SEC), Alexandria, VA; info: StaR_SEC_2007@aegean.gr
  • 11/ 2/07: Digital Identity Management (DIM), Fairfax, VA; no proceedings
  • 11/ 2/07: Workshop on Recurring Malcode (WORM), George Mason University, VA
  • 11/ 2/07: Computer Security Architecture Workshop (CSAW), Fairfax, VA
  • 11/ 2/07: Workshop on Scalable Trusted Computing (STC), Alexandria, VA
  • 11/ 2/07: Formal Methods in Security Engineering: From Specifications to Code (FMSE), George Mason University, Fairfax, VA
  • 11/ 5/07-11/ 6/07: Trustworthy Global Computing (TGC), Sophia-Antipolis, France
  • 12/ 2/07-12/ 6/07: ASIACRYPT, Kuching, Sarawak, Malaysia; info: asiacrypt2007@iacr.org
  • 12/ 9/07-12/11/07: Asian Computing Science Conference, Focusing on Computer and Network Security (ASIAN), Dohar, Qatar; info: asian07@qatar.cmu.edu
  • 12/10/07-12/14/07: Annual Computer Security Applications Conference (ACSAC), Miami Beach, Florida
  • 12/16/07-12/20/07: Information Systems Security (ICISS), Delhi, India
  • 1/28/08- 1/31/08: Financial Cryptography and Data Security (FC), Cozumel, Mexico
  • 3/16/08- 3/20/08: Symposium on Applied Computing, Track on Trust, Recommendations, Evidence and other Collaboration Know-how (SAC-TRECK), Ceará, Brazil; info: Jean-Marc.Seigneur@trustcomp.org
  • 3/18/08- 3/20/08: Symposium on Information, Computer and Communications Security (ASIACCS), Tokyo, Japan
  • 3/31/08- 4/ 2/08: Wireless Network Security (WiSec), Alexandria, VA
  • 4/ 7/08- 4/11/08: Asynchronous Circuits and Systems (ASYNC), Newcastle upon Tyne, UK

  • Calls for Papers, new since Cipher E78

    • NordSec 2007 12th Nordic Workshop on Secure IT Systems, Reykjavik, Iceland, October 11-12, 2007. (Submissions due 23 July 2007)

      Since 1996, the NordSec workshops have brought together computer security researchers and practitioners from the Nordic countries, Northern Europe, and elsewhere. The workshop is focused on applied computer security and is intended to encourage interchange and cooperation between research and industry. Topics include, but are not limited to, the following areas of computer security:
      

      • Applied Cryptography
      • Commercial Security Policies and Enforcement
      • Communication and Network Security
      • Computer Crime and Information Warfare
      • Hardware and Smart Card Applications
      • Internet and Web Security
      • Intrusion Detection
      • Language-based Techniques for Security
      • New Ideas and Paradigms in Security
      • Operating System Security
      • PKI Systems and Key Escrow
      • Privacy and Anonymity
      • Security Education and Training
      • Security Evaluations and Measurements
      • Security Management and Audit
      • Security Models
      • Security Protocols
      • Social-Engineering and Phishing
      • Software Security, Attacks, and Defenses
      • Trust and Trust Management

    • ASIAN 2007 12th Annual Asian Computing Science Conference Focusing on Computer and Network Security, Carnegie Mellon University, Doha, Qatar, December 9-11, 2007. (Submissions due 27 July 2007)

      The ASIAN conference series provides a forum for researchers throughout Asia to present cutting-edge results in yearly-themed areas of Computer Science, to discuss advances in these fields, and to interact with researchers from other continents. The 2007 edition focuses on computer and network security. New results in the fields of computer and network security are welcome. Also welcome are more exploratory presentations, which may examine open questions and raise fundamental concerns about existing theories and practices. Topics of interest include, but are not limited to:
      

      • Access control
      • Database security
      • Privacy and Anonymity
      • Cryptographic protocols
      • Trust and trust management
      • Authentication
      • Digital rights management
      • Executable content
      • Language-based security
      • Formal methods for security
      • Data and system integrity
      • Distributed systems security
      • Security for mobile computing
      • Wireless network security
      • Denial-of-service and prevention
      • Intrusion detection and avoidance
      • Digital forensics
      • Vulnerabilities and risk management
      • Secure electronic commerce
      • Secure software engineering

    • TGC 2007 The Symposium on Trustworthy Global Computing, Sophia-Antipolis, France, November 5-6, 2007. (Submissions due 27 July 2007)

      The Symposium on Trustworthy Global Computing is an international annual venue dedicated to safe and reliable computation in global computers. It focuses on providing tools and frameworks for constructing well-behaved applications and for reasoning about their behaviour and properties in models of computation that incorporate code and data mobility over distributed networks with highly dynamic topologies and heterogeneous devices. We solicit paper in all areas of global computing, including (but not limited to):
      

      • theories, models and algorithms for global computing and service
      • oriented computing
      • language concepts and abstraction mechanisms
      • security through verifiable evidence
      • information flow and resource usage policies
      • verification of cryptographic protocols and their use
      • trust, access control and security enforcement mechanisms
      • self configuration, adaptation, and dynamic components management
      • software principles to support debugging and verification
      • test generators, symbolic interpreters, type checkers
      • model checkers, theorem provers
      • privacy, reliability and business integrity

    • ICICS 2007 9th International Conference on Information and Communications Security, Zhengzhou, Henan Province, China, December 12-15, 2007. (Submissions due 1 August 2007)

      The 2007 International Conference on Information and Communications Security will be the 9th event in the ICICS conference series, started in 1997, that brings together individuals involved in multiple disciplines of Information and Communications Security in order to foster exchange of ideas. Original papers on all aspects of information and communications security are solicited for submission to ICICS 2007. Areas of interests include but not limited to:
      

      • Access Control
      • Anti-Virus and Anti-Worms
      • Anonymity
      • Authentication and Authorization
      • Applied Cryptography
      • Biometric Security
      • Data and System Integrity
      • Database Security
      • Distributed Systems Security
      • Electronic Commerce Security
      • Fraud Control
      • Grid Security
      • Information Hiding and Watermarking
      • Intellectual Property Protection
      • Intrusion detection
      • Key Management and Key Recovery
      • Language-based Security
      • Operating System Security
      • Network Security
      • Risk Evaluation and Security Certification
      • Security for Mobile Computing
      • Security Models
      • Security Protocols
      • Trusted Computing

    • EURASIP Journal on Advances in Signal Processing Special issue on Signal Processing Applications in Network Intrusion Detection Systems March 2008. (Submission Due 1 September 2007)

      Guest editors: Chin-Tser Huang (University of South Carolina, USA), Rocky K. C. Chang (The Hong Kong Polytechnic University, Hong Kong), and Polly Huang (National Taiwan University, Taiwan)
      
      Signal processing techniques have found applications in NIDSs because of their ability to detect novel intrusions and attacks, which cannot be achieved by signature-based NIDS. It has been shown that network traffic possesses the property of self-similarity. Therefore, the objective of NIDS based on signal processing techniques is to profile the pattern of normal network traffic or application-level behavior and model intrusions or unwanted traffic as anomalies. Wavelets, entropy analysis, and data mining techniques are examples in this regard. However, the major challenges of the signal processing-based approaches lie in the adaptive modeling of normal network traffic and the high false alarm rate due to the inaccuracy of the modeled normal traffic pattern. The emergence of a variety of wireless networks and the mobility of nodes in such networks only add to the complexity of the problems. The goal of this special issue is to introduce state-of-the-art techniques and encourage research regarding various aspects in the application of signal processing techniques to network intrusion detection systems. In particular, the special issue encourages novel solutions that improve the accuracy and adaptivity of intrusion detection and addresses the automation of intrusion classification and correlation. Topics of interest include (but are not limited to):
      

      • Data-mining-based IDS
      • Multirate filtering and wavelets
      • Monte Carlo methods integration
      • Anomalous network traffic modeling
      • Anomalous application-level behavior modeling
      • Performance analysis and evaluation
      • Real-time analysis techniques
      • Intrusion correlation
      • Automated detection and classification of intrusions and anomalies
      • Clustering-based IDS
      • Sampling techniques in intrusion detection
      • Data streaming algorithms for traffic analysis
      • Adaptive detection techniques
      • Data fusion in distributed intrusion detection

    • SAC-TRECK 2008 23rd ACM Symposium on Applied Computing, Track: Trust, Recommendations, Evidence and other Collaboration Know-how, Fortaleza, Ceará, Brazil, March 16-20, 2008. (Submissions due 8 September 2007)

      Computational models of trust and online reputation mechanisms have been gaining momentum. The goal of the ACM SAC 2008 TRECK track remains to review the set of applications that benefit from the use of computational trust and online reputation. Computational trust has been used in reputation systems, risk management, collaborative filtering, social/business networking services, dynamic coalitions, virtual organisations and even combined with trusted computing hardware modules. The TRECK track covers all computational trust applications, especially those used in real-world applications. The topics of interest include, but are not limited to:
      

      • Recommender and reputation systems
      • Trust-enhanced collaborative applications
      • Trust and identity management
      • Combined computational trust and trusted computing
      • Tangible guarantees given by formal models of trust and risk
      • Trust metrics assessment and threat analysis
      • Pervasive computational trust and use of context-awareness
      • Autonomic and adaptive trust
      • Trade-off between privacy and trust
      • Trust/risk-based security frameworks
      • Automated collaboration and trust negotiation
      • Trust in peer-to-peer and open source systems
      • Technical trust evaluation and certification
      • Impacts of social networks on computational trust
      • Evidence gathering and management
      • Real-world applications, running prototypes and advanced simulations
      • Applicability in large-scale, open and decentralised environments
      • Legal and economic aspects related to the use of trust engines
      • User-studies and user interfaces of computational trust applications

    • WiSec 2008 1st ACM Conference on Wireless Network Security, Alexandria, Virginia, USA, March 31 - April 2, 2008. (Submissions due 15 September 2007)

      As wireless communications are becoming ubiquitous, their security is gaining in importance. The ACM Conference on Wireless Network Security (WiSec) aims at exploring attacks on wireless networks as well as techniques to thwart them. Topics of interest include, but are not limited to:
      

      • Naming and addressing vulnerabilities
      • Key management in wireless/mobile environments
      • Secure neighbor discovery
      • Secure PHY and MAC protocols
      • Trust establishment
      • Intrusion detection, detection of malicious behavior
      • Revocation of malicious parties
      • Denial of service
      • User privacy, location privacy
      • Anonymity, prevention of traffic analysis
      • Identity theft and phishing in mobile networks
      • Charging
      • Cooperation and prevention of non-cooperative behavior
      • Economics of wireless security
      • Vulnerability and attacker modeling
      • Incentive-aware secure protocol design
      • Jamming
      • Cross-layer design for security
      • Monitoring and surveillance
      • Computationally efficient cryptographic primitives

    • IFIP-DF 2008 4th Annual IFIP WG 11.9 International Conference on Digital Forensics, Kyoto, Japan, January 27-30, 2008. (Submissions due 15 September 2007)

      The IFIP Working Group 11.9 on Digital Forensics (www.ifip119.org) is an active international community of scientists, engineers and practitioners dedicated to advancing the state of the art of research and practice in the emerging field of digital forensics. The Fourth Annual IFIP WG 11.9 International Conference on Digital Forensics will provide a forum for presenting original, unpublished research results and innovative ideas related to the extraction, analysis and preservation of all forms of electronic evidence. Technical papers are solicited in all areas related to the theory and practice of digital forensics. Areas of special interest include, but are not limited to:
      

      • Theories, techniques and tools for extracting, analyzing and preserving digital evidence
      • Network forensics
      • Portable electronic device forensics
      • Digital forensic proceses and workflow models
      • Digital forensic case studies
      • Legal, ethical and policy isues related to digital forensics

    • FC 2008 12th International Conference on Financial Cryptography and Data Security, Cozumel, Mexico, January 28-31, 2008. (Submissions due 25 September 2007)

      Financial Cryptography and Data Security is a major international forum for research, advanced development, education, exploration, and debate regarding information assurance in the context of finance and commerce. The conference covers all aspects of securing transactions and systems. Submissions focusing on both theoretical (fundamental) and applied real-world deployments are solicited. The goal of the conference is to bring security/cryptography researchers and practitioners together with economists, bankers, implementers, and policy-makers. Topics include (but are not limited to):
      

      • Anonymity and Privacy
      • Auctions and Audits
      • Authentication and Identification
      • Biometrics
      • Certification and Authorization
      • Commercial Applications
      • Transactions and Contracts
      • E-Cash and Payment Systems
      • Incentive and Loyalty Systems
      • Digital Rights Management
      • Regulation and Reporting
      • Fraud Detection
      • Game Theoretic Security
      • Identity Theft
      • Spam, Phishing
      • Social Engineering
      • Infrastructure Design
      • Legal and Regulatory Issues
      • Microfinance and Micro-payments
      • Monitoring, Management and Operations
      • Reputation Systems
      • RFID/Contact-less Payment Systems
      • Risk Assessment and Management
      • Secure Banking, Financial Web Services
      • Securing New Computation Paradigms
      • Security and Risk Perceptions
      • Security Economics
      • Smartcards and Secure Tokens
      • Trust Management
      • Underground-Market Economics
      • Virtual Economies
      • Voting systems

• Staying in touch....

  • Information for Subscribers and Contributors

  • Who's where: recent address changes

  • Changing your email address?  Please send updates to cipher@ieee-security.org