Cipher Electronic Newsletter of the Technical Committe on    Security & Privacy A Technical Committee of the Computer Society of the IEEE  Electronic Issue (EI) 82,  January 21, 2008 Hilarie Orman,  Editor Book Reviews Sven Dietrich, Associate Editor Yong Guan, Calendar Editor

Contents:

• Letter from the Editor 
     

• Listing of academic positions available  by Cynthia Irvine
  

 

• Commentary and Opinion

  • Richard Austin's review of Virtual Honeypots: From Botnet Tracking to Intrusion Detection by Niels Provos and Thorsten Holz

  • NewsBits:  Announcements and correspondence from readers (please contribute!)

  • NIST Announces Publication of AES Mode Galois Counter Mode (GCM) 

  • NIST Requests Comments on RSA Prime Generation 

  • Obituary note: Bob Baldwin 

  • News items from past Cipher issues

• Conference and Workshop Announcements

  • Cipher calls-for-papers and calendar
      new calls or announcements added since Cipher E81 (the calls-for-papers and the calendar announcements may differ slightly in content or time of update): 

  • Calendar of Events

    • 1/20/08: Workshop in Information Security Theory and Practices (WIST), Sevilla, Spain; Submissions are due; info: damien.sauveron@xlim.fr;
    • 1/24/08: Service, Security and its Data management technologies in Ubi-comp (SSDU), Kunming, China; Submissions are due;
    • 1/28/08- 1/31/08: Financial Cryptography and Data Security (FC), Cozumel, Mexico;
    • 1/30/08: USENIX Security Symposium (USENIXSec), San Jose, CA; Submissions are due; info: sec08chair@usenix.org
    • 2/ 1/08: Applications of Pairing-Based Cryptography: IBE and Beyond (NIST-IBE), Gaithersburg, MD; Submissions are due; info: ibe@nist.gov
    • 2/ 1/08: SADFE, Oakland, CA; info: guha@eecs.ucf.edu
    • 2/29/08: Symposium On Usable Privacy and Security (SOUPS), Carnegie Mellon University, Pittsburgh, PA; Submissions are due
    • 3/ 1/08: Workshop on the Economics of Information Security (WEIS), Hanover, New Hampshire; proceedings to attendees only (AO); Submissions are due
    • 3/ 1/08: W2SP Oakland, CA; Submissions are due
    • 3/ 4/08- 3/ 6/08: Symposium on Identity and Trust on the Internet (IDtrust), Gaithersburg, MD;
    • 3/ 4/08- 3/ 7/08: Advances in Policy Enforcement (APE), Barcelona, Catalonia; info: anjomshoaa@ifs.tuwien.ac.at;
    • 3/ 4/08- 3/ 7/08: Privacy and Security by means of Artificial Intelligence (PSAI), Barcelona, Catalonia, Spain;
    • 3/ 4/08- 3/ 7/08: Secure Software Engineering (SecSE), Barcelona, Catalonia; info SecSE08 "replace with at-character" gmail.com
    • 3/16/08- 3/20/08: Symposium on Applied Computing, Track on Trust, Recommendations, Evidence and other Collaboration Know-how (SAC-TRECK), Ceará, Brazil; info: Jean-Marc.Seigneur@trustcomp.org
    • 3/17/08: Digital Forensic Research Workshop (DFRWS), Baltimore, MD; Submissions are due
    • 3/18/08- 3/20/08: Symposium on Information, Computer and Communications Security (ASIACCS), Tokyo, Japan;
    • 3/31/08- 4/ 2/08: Wireless Network Security (WiSec), Alexandria, VA;
    • 3/31/08: European Symposium on Research in Computer Security (ESORICS), Malaga, Spain; Submissions are due
    • 4/ 4/08: Recent Advances in Intrusion Detection (RAID), Cambridge, MA; Submissions are due; info: rkc@ll.mit.edu
    • 4/ 7/08- 4/11/08: Asynchronous Circuits and Systems (ASYNC), Newcastle upon Tyne, UK;
    • 4/11/08: New Security Paradigms Workshop (NSPW), Squaw Valley, CA; Submissions are due
    • 4/14/08: Usability, Psychology, and Security (UPSEC), San Francisco, CA; info: upsec08chairs@usenix.org;
    • 4/14/08: Conference on Embedded Networked Sensor Systems (SenSys), Raleigh, NC; Submissions are due
    • 4/18/08: Workshop on Security (IWSEC), Kagawa, Japan;
    • 4/25/08: International Conference on Network Protocols (ICNP), Orlando, Florida; Submissions are due; proceedings to attendees only (AO); info: icnp2008@cs.purdue.edu
    • 5/13/08- 5/16/08: Workshop in Information Security Theory and Practices (WIST), Sevilla, Spain; info: damien.sauveron@xlim.fr;
    • 5/18/08- 5/21/08: Symposium on Security and Privacy (IEEE S&P), Berkeley/Oakland, CA; info: oakland08-generalchair @ ieee-security.org
    • 5/22/08: SADFE, Oakland, CA; info: guha@eecs.ucf.edu;
    • 6/ 3/08- 6/ 4/08: Applications of Pairing-Based Cryptography: IBE and Beyond (NIST-IBE), Gaithersburg, MD; info: ibe@nist.gov;
    • 6/ 4/08- 6/ 5/08: Symposium on Information Assurance (IASymp), Albany, NY; proceedings to attendees only
    • 6/20/08: Workshop on Wireless Security and Privacy (WISP), Beijing, China; info: zjiang@wcupa.edu;
    • 6/22/08- 6/27/08: USENIX Annual Technical Conference (USENIX), Boston MA; info: conference@usenix.org;
    • 6/23/08- 6/25/08: Computer Security Foundations Symposium (CSF), Pittsburgh, PA;
    • 6/25/08- 6/27/08: Workshop on the Economics of Information Security (WEIS), Hanover, New Hampshire; proceedings to attendees only (AO),
    • 7/ 8/08- 7/18/08: Human Aspects of Information Security & Assurance (HAISA), Plymouth, UK; info: info@haisa.org;
    • 7/10/08- 7/11/08: Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA), Paris, France;
    • 7/14/08- 7/16/08: Australasian Conference on Information Security and Privacy (ACISP), Wollongong, Australia;
    • 7/23/08- 7/25/08: Symposium On Usable Privacy and Security (SOUPS), Carnegie Mellon University, Pittsburgh, PA;
    • 7/28/08- 8/ 1/08: USENIX Security Symposium (USENIXSec), San Jose, CA; info: sec08chair@usenix.org;
    • 8/11/08- 8/13/08: Digital Forensic Research Workshop (DFRWS), Baltimore, MD;
    • 9/ 8/08- 9/10/08: Information Security Conference (SEC), Milan, Italy,
    • 9/15/08- 9/17/08: Recent Advances in Intrusion Detection (RAID), Cambridge, MA; info: rkc@ll.mit.edu;
    • 9/22/08- 9/25/08: New Security Paradigms Workshop (NSPW), Squaw Valley, CA;
    • 10/ 6/08-10/ 8/08: European Symposium on Research in Computer Security (ESORICS), Malaga, Spain;
    • 10/19/08-10/22/08: International Conference on Network Protocols (ICNP), Orlando, Florida; proceedings to attendees only (AO); info: icnp2008@cs.purdue.edu;
    • 10/31/08: NIST SHA3 Hash Function Competition (NIST-SHA3); info: bstein@nist.gov; Submissions are due;
    • 11/ 5/08-11/ 7/08: Conference on Embedded Networked Sensor Systems (SenSys), Raleigh, NC;
    • 11/25/08-11/27/08: Workshop on Security (IWSEC), Kagawa, Japan;
  • new calls or announcements added since Cipher E81

  • UPSEC 2008 Workshop on Usability, Psychology, and Security, Co-located with the 5th USENIX Symposium on Networked Systems Design & Implementation (NSDI 2008), San Francisco, California, USA, April 14, 2008. (Submissions due 18 January 2008)

    Information security involves both technology and people. To design and deploy secure systems, we require an understanding of how users of those systems perceive, understand, and act on security risks and threats. This one-day workshop will bring together an interdisciplinary group of researchers, systems designers, and developers to discuss how the fields of human computer interaction, applied psychology, and computer security can be brought together to inform innovations in secure systems design. We seek to deepen the conversation about usable security to go beyond the user interface, toward developing useful and usable systems of humans and technology. Topics include but are not limited to:

    • Error detection and recovery
    • Human perception and cognitive information processing
    • Identity and impression management
    • Individual and cultural differences
    • Information seeking and evaluation
    • Judgment and decision-making
    • Learning, training, and experience
    • Mental models
    • Models of privacy, sharing, and trust
    • Organizational, group, and individual behavior
    • Risk perception, risk analysis, and risk communication
    • Security behavior study methodology
    • Social engineering
    • Social influence and persuasion
    • System proposals and design approaches
    • Threat evaluation
    • Usability
    • User motivation and incentives for secure behavior

  • ATC 2008 5th International Conference on Autonomic and Trusted Computing, Oslo, Norway, June 23-25, 2008. (Submissions due 19 January 2008)

    Computing systems including hardware, software, communication and networks are growing dramatically in both scale and heterogeneity, becoming overly complex. Such complexity is getting even more critical with the ubiquitous permeation of embedded devices and other pervasive systems. To cope with the growing and ubiquitous complexity, Autonomic Computing (AC) focuses on self-manageable computing and communication systems that exhibit self-awareness, self-configuration, self-optimization, self-healing, self-protection and other self-x operations to the maximum extent possible without human intervention or guidance. Organic Computing (OC) additionally emphasizes natural-analogue concepts like self-organization and controlled emergence. Trusted/Trustworthy Computing (TC) aims at making computing and communication systems as well as services available, predictable, traceable, controllable, assessable, sustainable, dependable, persist-able, security/privacy protect-able, etc. ATC-08 addresses the most innovative research and development in these challenging areas and includes all technical aspects related to autonomic/organic computing (AC/OC) and trusted computing (TC). Topics of interest include, but are not limited to:

    • AC/OC Theory and Models ( Nervous/organic models, negotiation, cooperation, competition, self-organization, emergence, etc.)
    • AC/OC Architectures and Systems (Autonomic elements & their relationship, frameworks, middleware, observer/controller architectures, etc.)
    • AC/OC Components and Modules (Memory, storage, database, device, server, proxy, software, OS, I/O, etc.)
    • AC/OC Communication and Services (Networks, self-organized net, web service, grid, P2P, semantics, agent, transaction, etc.)
    • AC/OC Tools and Interfaces (Tools/interfaces for AC/OC system development, test, monitoring, assessment, supervision, etc.)
    • Trust Models and Specifications (Models and semantics of trust, distrust, mistrust, over-trust, cheat, risk, reputation, reliability, etc.)
    • Trust-related Security and Privacy (Trust-related secure architecture, framework, policy, intrusion detection/awareness, protocols, etc.)
    • Trusted Reliable and Dependable Systems (Fault-tolerant systems, hardware redundancy, robustness, survivable systems, failure recovery, etc.)
    • Trustworthy Services and Applications (Trustworthy Internet/web/grid/P2P e-services, secured mobile services, novel applications, etc.)
    • Trust Standards and Non-Technical Issues (Trust standards and issues related to personality, ethics, sociology, culture, psychology, economy, etc.)

  • WISTP 2008 Workshop in Information Security Theory and Practices 2008: Smart Devices, Convergence and Next Generation Networks, Sevilla, Spain, May 13-16, 2008. (Submissions due 20 January 2008)

    With the rapid technological development of information technologies and with the transition from the common to the next generation networks, computer systems and especially embedded systems are becoming more mobile and ubiquitous, increasingly interfacing with the physical world. Ensuring the security of these complex and yet, resource constraint systems has emerged as one of the most pressing challenges. Another important challenge is related to the convergence of these new technologies. The aim of this second workshop is to bring together researchers and practitioners in related areas and to encourage interchange and cooperation between the research community and the industrial/consumer community. Topics of interest include, but are not limited to:
    Smart Devices
    

    • Biometrics, National ID cards
    • Embedded Systems Security and TPMs
    • Interplay of TPMs and Smart Cards
    • Mobile Codes Security
    • Mobile Devices Security
    • New Applications for Secure RFID Systems
    • RFID Systems Security
    • Smart Card Security
    • Smart Devices Applications
    • Wireless Sensor Node Security
    Convergence: Security Architectures, Protocols, Policies and Management for Mobility
    
    • Critical Infrastructure (e.g. for Medical or Military Applications) Security
    • Digital Rights Management (DRM)
    • Distributed Systems and Grid Computing Security
    • Industrial and Multimedia Applications
    • Information Assurance and Trust Management
    • Intrusion Detection and Information Filtering
    • Localization Systems Security (Tracking of People and Goods)
    • M2M (Machine to Machine), H2M (Human to Machine) and M2H (Machine to Human) Security
    • Mobile Commerce Security
    • Public Administration and Governmental Services
    • Privacy Enhancing Technologies
    • Security Models and Architecture
    • Security Policies (Human-Computer Interaction and Human Behavior Impact)
    • Security Protocols (for Identification and Authentication, Confidentiality and Privacy, and Integrity)
    • Security Measurements
    Next Generation Networks
    
    • Ad Hoc Networks Security
    • Delay-Tolerant Network Security
    • Domestic Network Security
    • Peer-to-Peer Networks Security
    • Security Issues in Mobile and Ubiquitous Networks
    • Security of GSM/GPRS/UMTS Systems
    • Sensor Networks Security
    • Vehicular Network Security
    • Wireless Communication Security: Bluetooth, NFC, WiFi, WiMAX, WiMedia, others

  • SSDU 2008 2nd International Symposium on Service, Security and its Data management technologies in Ubi-comp, Held in conjunction with the 3rd International Conference on Grid and Pervasive Computing (GPC 2008), Kunming, China, May 25-28, 2008. (Submissions due 24 January 2008)

    Ubiquitous Computing (Ubi-comp) is emerging rapidly as an exciting new paradigm with user-centric environment to provide computing and communication services at any time and anywhere. In order to realize their advantages, it requires integrating security, services and data management to be suitable for Ubi-com. However, there are still many problems and major challenges awaiting for us to solve such as the security risks in ubiquitous resource sharing, which could be occurred when data resources are connected and accessed by anyone in Ubi-com. Therefore, it will be needed to explore more secure and intelligent mechanism in Ubi-com. Topics include:

    • Context-Awareness and its Data mining for Ubi-com service
    • Human-Computer Interface and Interaction for Ubi-com
    • Smart Homes and its business model for Ubi-com service
    • Intelligent Multimedia Service and its Data management for Ubi-com
    • USN / RF-ID for Ubi-com service
    • Network security issues, protocols, data security in Ubi-com
    • Database protection for Ubi-com
    • Privacy Protection and Forensic in Ubi-com
    • Multimedia Security in Ubi-com
    • Authentication and Access control for data protection in Ubi-com
    • Service, Security and its Data management for U-commerce
    • New novel mechanism and Applications for Ubi-com

  • CSF 2008 21st IEEE Computer Security Foundations Symposium, Pittsburgh, PA, USA, June 23-25, 2008. (Submissions due 29 January 2008)

    The IEEE Computer Security Foundations (CSF) series brings together researchers in computer science to examine foundational issues in computer security. Over the past two decades, many seminal papers and techniques have been presented first at CSF. The CiteSeer Impact page (http://citeseer.ist.psu.edu/impact.html ) lists CSF as 38th out of more than 1200 computer science venues, top 3.11% in impact based on citation frequency. New theoretical results in computer security are welcome. Also welcome are more exploratory presentations, which may examine open questions and raise fundamental concerns about existing theories. Panel proposals are sought as well as papers. Possible topics include, but are not limited to:

    • Access control
    • Anonymity and Privacy
    • Authentication
    • Data and system integrity
    • Database security
    • Decidability and complexity
    • Distributed systems security
    • Electronic voting
    • Executable content
    • Formal methods for security
    • Information flow
    • Intrusion detection
    • Language-based security
    • Network security
    • Resource usage control
    • Security for mobile computing
    • Security models
    • Security protocols
    • Trust and trust management

  • Elsevier Computer Standards and Interfaces, Special issue on Information and Communications Security, Privacy and Trust: Standards and Regulations, Summer 2008. (Submission Due 30 January 2008)

    Guest editors: Bhavani Thuraisingham (University of Texas at Dallas, USA) and Stefanos Gritzalis (niversity of the Aegean, Greece)
    
    Most of the research and development work carried out by universities, research centers and private companies today, is based, in some way or another, on international standards or pre-standards that have been produced under the auspices of recognized standardization bodies. On top of that, many market sectors have recognized standardization as a prerequisite for the provision of high quality services and products, thus triggering a large number of multi-sectoral voluntary standards. For many years the Security field was somehow isolated in the Information and Communications Technology arena. Inevitably this isolation has been inherited to the standards governing the security, privacy, and trust techniques and mechanisms that are currently employed. It is therefore important to inform the scientific community about these problems and facilitate better collaboration on the security, privacy, and trust aspects of international standards and regulations.
    
    We welcome the submission of papers that: provide information about activities and progress of security, privacy, and trust standardization work; focus on critical comments on standards and standardization activities; discuss actual projects results; disseminate experiences and case studies in the application and exploitation of established and emerging standards, methods and interfaces. The areas of interest may include, but not limited, to:
    

    • Access Control and Authorization
    • Assurance Services
    • Auditing and Forensic Information Management
    • Authentication, Authorization, and Accounting
    • Business Services
    • Confidentiality and Privacy Services
    • Digital Rights Management
    • eBusiness, eCommerce, eGovernment Security: Establishing Trust and Confidence of Citizens in eTransactions and eServices
    • eHealth Security
    • Lawful Interception Architectures and Functions
    • Legal and Regulation Issues
    • Network Defense Services
    • Privacy and Identity Management
    • Securing Critical Information and Communication Infrastructures
    • Security Challenges to the use and deployment of Disruptive Technologies (Trusted Computing, VoIP, WiMAX, RFID, IPv6)
    • Security issues in Network Event Logging
    • Standardization Aspects of Electronic Signatures
    • Trust Services
    • Wireless, Mobile, Ad hoc and Sensors Networks Security, Privacy, and Trust

  • USENIX-Security 2008 17th USENIX Security Symposium, San Jose, California, USA, July 28-August 1, 2008. (Submissions due 30 January 2008)

    On behalf of the 17th USENIX Security Symposium (USENIX Security '08) program committee, we are inviting you to submit high-quality papers in all areas relating to systems and network security. Please note that the USENIX Security Symposium is primarily a systems security conference. Papers whose contributions are primarily new cryptographic algorithms or protocols, cryptanalysis, electronic commerce primitives, etc., may not be appropriate for this conference. Refereed paper submissions are solicited in all areas relating to systems and network security, including:

    • Adaptive security and system management
    • Analysis of network and security protocols
    • Applications of cryptographic techniques
    • Attacks against networks and machines
    • Authentication and authorization of users, systems, and applications
    • Automated tools for source code analysis
    • Botnets
    • Cryptographic implementation analysis and construction
    • Denial-of-service attacks and countermeasures
    • File and filesystem security
    • Firewall technologies
    • Forensics and diagnostics for security
    • Intrusion and anomaly detection and prevention
    • Malicious code analysis, anti-virus, anti-spyware
    • Network infrastructure security
    • Operating system security
    • Privacy-preserving (and -compromising) systems
    • Public key infrastructure
    • Rights management and copyright protection
    • Security architectures
    • Security in heterogeneous and large-scale environments
    • Security policy
    • Self-protecting and healing systems
    • Techniques for developing secure systems
    • Technologies for trustworthy computing
    • Usability and security
    • Voting systems analysis and security
    • Wireless and pervasive/ubiquitous computing security
    • Web security

  • NYS-IA 2008 3rd Annual Symposium on Information Assurance, Albany, NY, USA, June 4-5, 2008. (Submissions due 31 January 2008)

    Authors are invited to submit original and unpublished papers to the 3rd Annual Symposium on Information Assurance, which will be jointly held with the 11th Annual NYS Cyber Security Conference. This two day event attracts practitioners, researchers, and vendors providing opportunities for business and intellectual engagement among attendees. The conference program will be organized into topics not limited to:

    • Security Policy Implementation & Compliance
    • Computer & Network Forensics
    • Information Security Risk Management
    • Network Security and Intrusion Detection
    • Economics of Information Security
    • Reverse Engineering of Viruses and Worms
    • Security Metrics for Evaluating Security
    • Botnet Detection and Prevention
    • Computer Crime Data Analytics
    • Security in Wireless and Ad hoc Networks
    • Internet-based Terrorism and Espionage
    • Adaptive & Resilient Security Models
    • Digital Rights Management
    • Biological Models of Security
    • Privacy & Security
    • Distributed Systems Security
    • Security Glossaries and Ontologies
    • Database Security and Data Integrity
    • Trust Modeling and Management
    • Curriculum Development in Information Security

  • SADFE 2008 3rd International Workshop on Systematic Approaches to Digital Forensic Engineering, Held in conjunction with the 2008 IEEE Symposium on Security and Privacy (SP 2008), The Claremont Resort, Oakland, CA, USA, May 22, 2008. (Submissions due 1 February 2008)

    The SADFE (Systematic Approaches to Digital Forensic Engineering) International Workshop promotes systematic approaches to cyber crime investigation, by furthering the advancement of digital forensic engineering as a disciplined practice. Digital forensic engineering is characterized by the application of scientific and mathematical principles to the investigation and establishment of facts or evidence, either for use within a court of law or to aid understanding of cyber crimes or cyber-enabled crimes. To advance the state of the art, SADFE 2008 solicits broad-based, innovative digital forensic engineering technology, techno-legal and practice-related submissions in the following four areas:

    • Digital Data and Evidence Management: advanced digital evidence discovery, collection, and storage.
    • Principle-based Digital Forensic Processes: systematic engineering processes supporting digital evidence management which are sound on scientific, technical and legal grounds.
    • Digital Evidence Analytics: advanced digital evidence analysis, correlation, and presentation.
    • Forensic-support technologies: forensic-enabled and proactive monitoring/response.

  • DIMVA 2008 5th Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Paris, France, July 10-11, 2008. (Submissions due 4 February 2008)

    The annual DIMVA conference serves as a premier forum for advancing the state of the art in intrusion detection, malware detection, and vulnerability assessment. Each year DIMVA brings together international experts from academia, industry and government to present and discuss novel research in these areas. DIMVA is organized by the special interest group Security - Intrusion Detection and Response of the German Informatics Society (GI). DIMVA's scope includes, but is not restricted to the following areas:
    Intrusion Detection
    

    • Approaches
    • Implementations
    • Prevention and response
    • Result correlation
    • Evaluation
    • Potentials and limitations
    • Operational experiences
    • Evasion and other attacks
    • Legal and social aspects
    Malware
    
    • Techniques
    • Detection
    • Prevention and containment
    • Evaluation
    • Trends and upcoming risks
    • Forensics and recovery
    Vulnerability Assessment
    
    • Vulnerabilities
    • Vulnerability detection
    • Vulnerability prevention
    • Classification and evaluation

  • PODC 2008 27th Annual ACM SIGACT-SIGOPS Symposium on the Principles of Distributed Computing, Toronto, Canada, August 18-21, 2008. (Submissions due 4 February 2008)

    PODC solicits papers on all areas of distributed systems. We encourage submissions dealing with any aspect of distributed computing from the theoretical or experimental viewpoints. The common goal is to improve understanding of principles underlying distributed computing. Topics of interest include the following subjects in distributed systems:

    • distributed algorithms: design and analysis
    • communication networks: architectures, services, protocols, applications
    • multiprocessor and multi-core architectures and algorithms
    • shared and transactional memory, synchronization protocols, concurrent programming
    • fault-tolerance, reliability, availability, self organization
    • Internet applications, social networks, recommender systems
    • distributed operating systems, middleware platforms, databases
    • distributed computing with selfish agents
    • peer-to-peer systems, overlay networks, distributed data management
    • high-performance, cluster, and grid computing
    • mobile computing, autonomous agents, location- and context-aware distributed systems
    • security in distributed computing, cryptographic protocols
    • sensor, mesh, and ad hoc networks
    • specification, semantics, verification, and testing of distributed systems

  • ICIMP 2008 3rd International Conference on Internet Monitoring and Protection, Bucharest, Romania, June 29 - July 5, 2008. (Submissions due 5 February 2008)

    The International Conference on Internet Monitoring and Protection (ICIMP 2008) initiates a series of special events targeting security, performance, vulnerabilities in Internet, as well as disaster prevention and recovery. Dedicated events focus on measurement, monitoring and lessons learnt in protecting the user. ICIMP 2008 Tracks include:

    • TRASI: Internet traffic surveillance and interception
    • IPERF: Internet performance
    • RTSEC: Security for Internet-based real-time systems
    • DISAS: Disaster prevention and recovery
    • EMERG: Networks and applications emergency services
    • MONIT: End-to-end sampling, measurement, and monitoring
    • REPORT: Experiences & lessons learnt in securing networks and applications
    • USSAF: User safety, privacy, and protection over Internet
    • SYVUL: Systems vulnerabilities
    • SYDIA: Systems diagnosis
    • CYBER-FRAUD: Cyber fraud
    • BUSINESS: Business continuity
    • RISK: Risk assessment
    • TRUST: Privacy and trust in pervasive communications
    • RIGHT: Digital rights management
    • BIOTEC: Biometric techniques

  • Wiley InterScience Security and Communication Networks Journal, Special Issue on Clinical Information Systems (CIS) Security, July/August 2008. (Submission Due 10 February 2008)

    Guest editors: Theodore Stergiou (KPMG Kyriacou Advisors AE, Greece), Dimitrios Delivasilis (Incrypto Ltd., Greece), Mark S Leeson (University of Warwick, UK), and Ray Yueh-Min Huang (National Cheng-Kung University, Taiwan, R.O.C.)
    
    Managing records of patient care has become an increasingly complex issue with the widespread use of advanced technologies. The vast amount of information for every routine care must be securely processed over different data bases. Clinical Information Systems (CIS) address the need for a computerized approach in managing personal health information. Hospitals and public or private health insurance organizations are continuously upgrading their database and data management systems to more sophisticated architectures. The possible support of the large patient archives and the flexibility of a CIS in providing up-to-date patient information and worldwide doctors’ collaboration, have leveraged the research on CIS both in academic and government domains. At the same time, it has become apparent that patients require more control over their clinical data, either being results of clinical examinations or medical history. Due to the large amount of information that can be found on the Internet and the free access to medical practitioners and hospitals worldwide, patients may choose to communicate their information so as to obtain several expert opinions regarding their conditions. Given the sensitive nature of the information stored and inevitably in transit, security has become an issue of outmost necessity. Numerous EU and US research projects have been launched to address security in CIS (e.g. EUROMED, ISHTAR, RESHEN), whereas regulatory compliance to acts such as the HIPAA has become an obligation for centers moving to CIS. This Special Issue will serve as a venue for both academia and industry individuals and groups working in this fast-growing research area to share their experiences and state-of-the-art work with the readers. The topics of interest in this Special Issue include, but are not limited to:
    

    • Authentication techniques for CIS
    • Authorization mechanisms and approaches for patient-centric data
    • Public Key Infrastructures to support diverse clinical information environments and networks
    • Cryptographic protocols for use to secure patient-centric data
    • Secure communication protocols for the communication of clinical data
    • Wireless sensor networks security
    • Body sensor networks security
    • CIS Database security
    • Interoperability across diverse CIS environments (national and multilateral)
    • Government and international regulatory and compliance requirements

  • ACISP 2008 13th Australasian Conference on Information Security and Privacy, Wollongong, Australia, July 14-16, 2008. (Submissions due 11 February 2008)

    ACISP 2008 is the main computer security and cryptography conference organized in Australia that provides an avenue for discussion and exchange of ideas for researchers from academia and industry. Original papers pertaining to all aspects of information security and privacy are solicited for submission to the ACISP 2008. Papers may present theory, techniques, applications and practical experiences on a variety of topics. Topics of interest include, but are not limited to:

    • access control
    • authentication and identi?cation
    • authorization
    • biometrics
    • computer forensics
    • copyright protection
    • cryptography
    • database security
    • electronic surveillance
    • evaluation and certification
    • intrusion detection
    • key management
    • key establishment protocols
    • legal and privacy issues
    • mobile system security
    • network and communication security
    • secure electronic commerce
    • secure operating systems
    • secure protocols
    • smart cards
    • malware and viruses

  • CARDIS 2008 8th Smart Card Research and Advanced Application Conference, Royal Holloway, University of London, Egham, Surrey, UK, September 8-11, 2008. (Submissions due 15 February 2008)

    Since 1994, CARDIS has been the foremost international conference dedicated to smart card research and applications. Submissions across a broad range of smart card development phases are encouraged, from exploratory research and proof-of-concept studies to practical applications and deployment of smart card technology. As a response to the growing development of contactless applications and RFID systems, a special interest is also devoted to low cost cryptographic mechanisms and physical security of constrained devices. Topics of interest include, but are not limited to:

    • From smart cards to smart devices (hardware, form factor, display)
    • Software environments for smart cards and devices (OS, VM, API)
    • Smart cards and devices networking and high-level data models
    • Smart cards and devices applications, development and deployment
    • Person representation and biometrics using smart technologies
    • Identity, privacy and trust issues for smart technologies
    • High-speed, small-footprint implementations of cryptographic algorithms
    • Attacks and countermeasures in hardware and software
    • Cryptographic protocols for smart cards and devices
    • Biometrics and smart cards
    • Formal modeling of environments and applications
    • Interplay of TPMs and smart cards
    • Security of RFID systems

  • EUROSEC 2008 European Workshop on System Security, Held in conjunction with the Annual ACM SIGOPS EuroSys conference (EUROSYS 2008), Glasgow, Scotland, March 31, 2008. (Submissions due 15 February 2008)

    The workshop aims to bring together researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in the security of computer systems and networks. The focus of the workshop is on novel, practical, systems-oriented work. EuroSec seeks contributions on all aspects of systems security. Topics of interest include (but are not limited to):

    • new attacks, evasion techniques, and defenses
    • operating system security
    • hardware architectures
    • "trusted computing" and its applications
    • identity management, anonymity
    • small trusted computing bases
    • mobile systems security
    • measuring security
    • malicious code analysis and detection
    • web security
    • systems-based forensics
    • systems work on fighting spam/phishing

  • IFIP-DAS 2008 22nd Annual IFIP WG 11.3 Working Conference on Data and Applications Security, London, UK, July 13-16, 2008. (Submissions due 20 February 2008)

    The 22nd Annual IFIP WG 11.3 Working Conference on Data and Applications Security provides a forum for presenting original unpublished research results, practical experiences, and innovative ideas in data and applications security. Papers and panel proposals are also solicited. Proceedings will be published by Springer as the next volume in the Research Advances in Database and Information Systems Security series. Papers may present theory, techniques, applications, or practical experience on topics of relevance to IFIP WG 11.3:

    • Access Control
    • Applied cryptography in data security
    • Identity theft and countermeasures
    • Integrity maintenance
    • Intrusion detection
    • Knowledge discovery and privacy
    • Organizational security
    • Privacy and privacy-preserving data management
    • Secure transaction processing
    • Secure information integration
    • Secure Semantic Web
    • Secure sensor monitoring
    • Secure Web Services
    • Threats, vulnerabilities, and risk management
    • Trust management

  • SHPCS 2008 Workshop on Security and High Performance Computing Systems, Held in conjunction with the 2008 International Conference on High Performance Computing & Simulation (HPCS 2008) and the 22nd European Conference on Modelling and Simulation (ECMS 2008), Nicosia, Cyprus, June 3-6, 2008. (Submissions due 21 February 2008)

    This workshop addresses relationships between security and high performance systems in three directions. First, it considers how to add security properties (authentication, confidentiality, integrity, non-repudiation, access control) to high performance computing systems. Second, it covers how to use high performance computing systems to solve security problems. Third, it investigates the tradeoffs between maintaining high performance and achieving security in computing systems and solutions to balance the two objectives. In all these directions, various performance analyses or monitoring techniques can be conducted to show the efficiency of a security infrastructure. This workshop covers (but is not limited to) the following topics:

    • Access Control
    • Accounting and Audit
    • Anonymity
    • Applied Cryptography
    • Authentication
    • Commercial and Industry Security
    • Cryptographic Protocols
    • Data and Application Security
    • Data/System Integrity
    • Database Security
    • Digital Rights Management
    • Formal Verification of Secure Systems
    • Identity Management
    • Inference/Controlled Disclosure
    • Information Warfare
    • Intellectual Property Protection
    • Intrusion and Attack Detection
    • Intrusion and Attack Response
    • Key Management
    • Privacy-Enhancing Technology
    • Secure Networking
    • Secure System Design
    • Security Management
    • Security for Mobile Code
    • Security for Specific Domains (e.g., E-Government, E-Business, P2P)
    • Security in IT Outsourcing
    • Security in Mobile and Wireless Networks
    • Security in Operating Systems
    • Security Location Services
    • Security of Grid and Cluster Architectures
    • Smartcards
    • Trust Management Policies
    • Trust Models

  • SOUPS 2008 Symposium On Usable Privacy and Security, Carnegie Mellon University, Pittsburgh, PA, USA, July 23-25, 2008. (Submissions due 29 February 2008)

    The 2008 Symposium on Usable Privacy and Security (SOUPS) will bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy. The program will feature technical papers, a poster session, panels and invited talks, discussion sessions, and in-depth sessions (workshops and tutorials). We invite authors to submit original papers describing research or experience in all areas of usable privacy and security. Topics include, but are not limited to:

    • innovative security or privacy functionality and design
    • new applications of existing models or technology
    • field studies of security or privacy technology
    • usability evaluations of security or privacy features or security testing of usability features
    • lessons learned from deploying and using usable privacy and security features

  • W2SP 2008 2nd Workshop on Web 2.0 Security and Privacy, Held in conjunction with the 2008 IEEE Symposium on Security and Privacy (SP 2008), The Claremont Resort, Oakland, CA, USA, May 22, 2008. (Submissions due 1 March 2008)

    The goal of this one day workshop is to bring together researchers and practitioners from academia and industry to focus on understanding Web 2.0 security and privacy issues, and establishing new collaborations in these areas. Web 2.0 is about connecting people and amplifying the power of working together. The mixing of technology and social interaction is occurring in the context of a wave of technologies supporting rapid development of these interpersonal and business interactions. Many of the new web technologies rely on the composition of content and services from multiple sources, resulting in complex technology compositions (mash-ups). The content composition trend is likely to continue. The lure of these technologies is the promise of simpler ways to compose software service and content, at lower cost. However, there are issues with respect to management of identities, reputation, privacy, anonymity, transient and long term relationships, and composition of function and content, both on the server side and at the client (web browser). While the security and privacy issues are not new, these issues are increasingly becoming acute as the technologies are adopted and adapted to appeal to wider audiences. Some of these technologies deliberately bypass existing security mechanisms. This workshop is intended to discuss the limitations of the current technologies and explore alternatives. The scope of W2SP 2008 includes, but is not limited to:

    • Identity, privacy, reputation and anonymity
    • End-to-end security architectures
    • Security of content composition
    • Security and privacy policy definition and modeling of content composition
    • Provenance and governance
    • Usable security and privacy models
    • Static and dynamic analysis for security
    • Security as a service
    • Click fraud
    • Software as a service
    • Web services/feeds/mashups
    • Next generation browser technology

  • ISC 2008 Information Security Conference, Taipei, Taiwan, September 15-18, 2008. (Submissions due 1 March 2008)

    ISC aims to attract high quality papers in all technical aspects of information security. The topics of interest of ISC include, but are not limited to, the following:

    • Access Control
    • Accounting and Audit
    • Anonymity and Pseudonymity
    • Applied Cryptography
    • Attacks and Prevention of Online Fraud
    • Authentication and Non-repudiation
    • Biometrics
    • Cryptographic Protocols and Functions
    • Database and System Security
    • Design and Analysis of Cryptographic Algorithms
    • Digital Rights Management
    • Economics of Security and Privacy
    • Formal Methods in Security
    • Foundations of Computer Security
    • Identity and Trust Management
    • Information Hiding and Watermarking
    • Infrastructure Security
    • Intrusion Detection, Tolerance and Prevention
    • Mobile, Ad Hoc and Sensor Network Security
    • Network and Wireless Network Security
    • Peer-to-Peer Network Security
    • PKI and PMI
    • Private Searches
    • Security and Privacy in Pervasive/Ubiquitous Computing
    • Security in Information Flow
    • Security for Mobile Code
    • Security of Grid Computing
    • Security of eCommerce, eBusiness and eGovernment
    • Security Modeling and Architectures
    • Security Models for Ambient Intelligence environments
    • Trusted Computing
    • Usable Security
    • Special Session on AES

  • IWSSE 2008 2nd International Workshop on Security in Software Engineering, Held in conjunction with the IEEE COMPSAC 2008, Turku, July 28 – August 1, 2008. (Submissions due 1 March 2008)

    Secure software engineering has become an emerging interdisciplinary area across software engineering, programming languages, and security engineering. Secure software engineering focuses on developing secure software and understanding the security risks and managing these risks throughout the life-cycle of software. The purpose of the workshop is to bring together researchers and practitioners who work closely in this area to create a forum for reporting and discussing recent advances in improving security in software engineering and inspiring collaborations and innovations on new methods and techniques to advance software security in our practices. Researchers and practitioners worldwide are invited to present their research expertise and experience, and discuss the issues and challenges in security from software engineering perspective. Submissions of quality papers in the following non-exhaustive list of topics are invited:

    • Management of software security in industrial practice
    • Security requirements and policies
    • Abuse cases and threat modeling
    • Architecture and design for security
    • Model-based security
    • Language-based security
    • Malicious code prevention and code safety
    • Security risk analysis
    • Security taxonomy and metrics
    • Testing for security
    • Application security: detection and protection
    • Software piracy and protection

  • Globecom-CCNS 2008 Computer and Communications Network Security Symposium, Held in conjunction with the IEEE Global Communications Conference (GLOBECOM 2008), New Orleans, LA, USA, November 30 - December 4, 2008. (Submissions due 15 March 2008)

    The Computer and Communications Network Security Symposium will address all aspects of the modelling, design, implementation,deployment, and management of computer/network security algorithms, protocols,architectures, and systems. Furthermore, contributions devoted to the evaluation, optimization, or enhancement of security mechanisms for current technologies as well as devising efficient security and privacy solutions for emerging technologies are solicited. Topics of interest include:

    • Secure PHY, MAC, Routing and Upper Layer Protocols
    • Secure Cross Layer Design
    • Authentication Protocols and Services Authorization
    • Confidentiality
    • Data and System Integrity
    • Availability of Secure Services
    • Key Distribution and Management
    • PKI and Security Management
    • Trust Models and Trust Establishment
    • Identity Management and Access Control
    • Deployment and Management of Computer/Network Security Policies
    • Monitoring Design for Security
    • Distributed Intrusion Detection Systems and Countermeasures
    • Traffic Filtering and Firewalling
    • IPv6 security, IPSec
    • Virtual Private Networks (VPNs)
    • Prevention, Detection and Reaction Design
    • Revocation of Malicious Parties
    • Light-Weight Cryptography
    • Quantum Cryptography and QKD
    • Applications of Cryptography and Cryptanalysis in communications security
    • Security and Mobility
    • Mobile Code Security
    • Network traffic Analysis Techniques
    • Secure Naming and Addressing (Privacy and Anonymity)
    • Application/Network Penetration Testing
    • Advanced Cryptographic Testbeds
    • Network Security Metrics and Performance Evaluation
    • Operating System(OS) Security and Log Analysis Tools
    • Security Modelling and Protocol Design
    • Security Specification Techniques
    • Self-Healing Networks
    • Smart Cards and Secure Hardware
    • Biometric Security: Technologies, Risks and Vulnerabilities
    • Information Hiding and Watermarking
    • Vulnerability, Exploitation Tools, and Virus/Worm Analysis
    • Distributed Denial-Of-Service (DDOS) Attacks and Countermeasures
    • DNS Spoofing and Security
    • Critical infrastructure Security
    • Single- and Multi-Source Intrusion Detection and Response (Automation)
    • Web, E-commerce, M-commerce, and E-mail Security
    • New Design for Unknown Attacks Detection

  • Pairing 2008 2nd International Conference on Pairing-based Cryptography, Egham, UK, September 1-3, 2008. (Submissions due 16 March 2008)

    Pairing-based cryptography is an extremely active area of research which has allowed elegant solutions to a number of long-standing open problems in cryptography (such as efficient identity-based encryption). New developments continue to be made at a rapid pace. The aim of "Pairing" conference is thus to bring together leading researchers and practitioners from academia and industry, all concerned with problems related to pairing-based cryptography. Authors are invited to submit papers describing their original research on all aspects of pairing-based cryptography, including, but not limited to the following topics:
    Area I: Novel cryptographic protocols
    

    • ID-based and certificateless cryptosystems
    • Broadcast encryption, signcryption etc
    • Short/multi/aggregate/group/ring/threshold/blind signatures
    • Designed confirmer or undeniable signatures
    • Identification/authentication schemes
    • Key agreement
    Area II: Mathematical foundations
    
    • Weil, Tate, Eta, and Ate pairings
    • Security consideration of pairings
    • Other pairings and applications of pairings in mathematics
    • Generation of pairing friendly curves
    • (Hyper-) Elliptic curve cryptosystems
    • Number theoretic algorithms
    • Addition algorithms in divisor groups
    Area III: SW/HW implementation
    
    • Secure operating systems
    • Efficient software implementation
    • FPGA or ASIC implementation
    • Smart card implementation
    • RFID security
    • Middleware security
    • - Side channel and fault attacks
    Area IV: Applied security
    
    • Novel security applications
    • Secure ubiquitous computing
    • Security management
    • PKI models
    • Application to network security
    • Grid computing
    • Internet and web security
    • E-business or E-commerce security

  • DFRWS 2008 8th Annual Digital Forensic Research Workshop, Baltimore, MD, USA, August 11-13, 2008. (Submissions due 17 March 2008)

    DFRWS brings together leading researchers, developers, practitioners, and educators interested in advancing the state of the art in digital forensics from around the world. As the most established venue in the field, DFRWS is the preferred place to present both cutting-edge research and perspectives on best practices for all aspects of digital forensics. As an independent organization, we promote open community discussions and disseminate the results of our work to the widest audience. We invite original contributions as research papers, panel proposals, Work-in-Progress talks, and demo proposals. All papers are evaluated through a double-blind peer-review process, and those accepted will be published in printed proceedings by Elsevier. Topics of Interest include:

    • Incident response and live analysis
    • Network-based forensics, including network traffic analysis, traceback and attribution
    • Event reconstruction methods and tools
    • File system and memory analysis
    • Application analysis
    • Embedded systems
    • Small scale and mobile devices
    • Large-scale investigations
    • Digital evidence storage and preservation
    • Data mining and information discovery
    • Data hiding and recovery
    • File extraction from data blocks (“file carving”)
    • Multimedia analysis
    • Tool testing and development
    • Digital evidence and the law
    • Anti-forensics and anti-anti-forensics
    • Case studies and trend reports
    • Non-traditional approaches to forensic analysis

  • ICITS 2008 International Conference on Information Theoretic Security, Calgary, Canada, August 10-13, 2008. (Submissions due 23 March 2008)

    This is the second conference in a series of conferences that is aimed to bring together the leading researchers in the area of information and quantum theoretic security. This series of conferences is a successor to the 2005 IEEE Information Theory Workshop on Theory and Practice in Information-Theoretic Security (ITW 2005). The first ICITS conference was held in Madrid, after Eurocrypt 2007. Conference proceedings will be published by Springer Verlag in the Lecture Notes in Computer Science. The topics of interest are on work on any aspect of information theoretical security, this means security based on information theory. This includes, but is not limited to the following topics:

    • Information theoretic analysis of security
    • Private and Reliable Networks
    • Anonymity
    • Public Key Cryptosystems using Codes
    • Authentication Codes
    • Quantum Cryptography
    • Conventional Cryptography using Codes
    • Quantum Information Theory
    • Fingerprinting
    • Randomness extraction
    • Ideal Ciphers
    • Secret Sharing
    • Information Hiding
    • Secure Multiparty Computation
    • Key Distribution
    • Traitor Tracing
    • Oblivious Transfer
    • Data hiding and Watermarking

  • ESORICS 2008 13th European Symposium on Research in Computer Security, Malaga, Spain, October 6-8, 2008. (Submissions due 31 March 2008)

    Papers offering novel research contributions in any aspect of computer security are solicited for submission to the Thirteenth European Symposium on Research in Computer Security (ESORICS 2008). Organized in a series of European countries, ESORICS is confirmed as the European research event in computer security. The symposium started in 1990 and has been held on alternate years in different European countries and attracts an international audience from both the academic and industrial communities. From 2002 it has been held yearly. The Symposium has established itself as one of the premiere, international gatherings on Information Assurance. Papers may present theory, technique, applications, or practical experience on topics including:

    • Access control
    • Anonymity
    • Authentication
    • Authorization and delegation
    • Cryptographic protocols
    • Data integrity
    • Dependability
    • Information flow control
    • Smartcards
    • System security
    • Digital right management
    • Accountability
    • Applied cryptography
    • Covert channels
    • Cybercrime
    • Denial of service attacks
    • Formal methods in security
    • Inference control
    • Information warfare
    • Steganography
    • Transaction management
    • Data and application security
    • Intellectual property protection
    • Intrusion tolerance
    • Peer-to-peer security
    • Language-based security
    • Network security
    • Non-interference
    • Privacy-enhancing technology
    • Pseudonymity
    • Subliminal channels
    • Trustworthy user devices
    • Identity management
    • Security as quality of service
    • Secure electronic commerce
    • Security administration
    • Security evaluation
    • Security management
    • Security models
    • Security requirements engineering
    • Security verification
    • Survivability
    • Information dissemination control
    • Trust models and trust management policies

  • RAID 2008 11th International Symposium on Recent Advances in Intrusion Detection, Cambridge, Massachusetts, USA, September 15-17, 2008. (Submissions due 4 April 2008)

    This symposium, the 11th in an annual series, brings together leading researchers and practitioners from academia, government, and industry to discuss issues and technologies related to intrusion detection and defense. The Recent Advances in Intrusion Detection (RAID) International Symposium series furthers advances in intrusion defense by promoting the exchange of ideas in a broad range of topics. As in previous years, all topics related to intrusion detection, prevention and defense systems and technologies are within scope, including but not limited to the following:

    • Network and host intrusion detection and prevention
    • Anomaly and specification-based approaches
    • IDS cooperation and event correlation
    • Malware prevention, detection, analysis and containment
    • Web application security
    • Insider attack detection
    • Intrusion response, tolerance, and self protection
    • Operational experience and limitations of current approaches
    • Intrusion detection assessment and benchmarking
    • Attacks against IDS including DoS, evasion, and IDS discovery
    • Formal models, analysis, and standards
    • Deception systems and honeypots
    • Vulnerability analysis, risk assessment, and forensics
    • Adversarial machine learning for security
    • Visualization techniques
    • Special environments, including mobile and sensor networks
    • High-performance intrusion detection
    • Legal, social, and privacy issues
    • Network exfiltration detection
    • Botnet analysis, detection, and mitigation

  • NSPW 2008 New Security Paradigm Workshop, Olympic Valley, CA, USA, September 22-25, 2008. (Submissions due 11 April 2008)

    The computers of the world are under siege. Denial of service attacks plague commercial sites, large and small. Major companies are hacked for consumer credit card numbers. Phishing attacks for personal information are commonplace, and million-machine botnets are a reality. Our tools for combating these threats-cryptography, firewalls, access controls, vulnerability scanners, malware and intrusion detectors--are insufficient. We need radical new solutions, but most security researchers propose only incremental improvements. Since 1992, the New Security Paradigm Workshop (NSPW) has been a home for research that addresses the fundamental limitations of current work in information security. NSPW welcomes papers that present a significant shift in thinking about difficult security issues, build on such a recent shift, offer a contrarian view of accepted practice or policy, or address non-technological aspects of security. Our program committee particularly looks for new approaches to information security, early thinking on new topics, innovative solutions to long-time problems, and controversial issues which might not be accepted at other conferences but merit a hearing. We discourage papers that represent completed or established works, or offer incremental improvements to well-established models. NSPW expects a high level of scholarship from contributors, including awareness of prior work produced before the World Wide Web.

  • IWSEC 2008 3rd International Workshop on Security, Kagawa, Japan, November 25-27, 2008. (Submissions due 18 April 2008)

    The aim of IWSEC2008 is to contribute to security research and development addressing the topics from traditional theory and tools on security to other up-to-date issues. Topics include but are not limited to:

    • Cryptography
    • Authorization and Access Control
    • Biometrics
    • Information Hiding
    • Quantum Security
    • Network and Distributed Systems Security
    • Privacy Enhancing Technology
    • Security Issues in Ubiquitous/Pervasive Computing
    • Security Management
    • Software and System Security
    • Protection of Critical Infrastructure
    • Digital Forensics
    • Economics and Other Scientific Approaches for Security

 

• The Technical Committee on Security and Privacy

 

• Staying in touch....

  • Information for Subscribers and Contributors

  • Who's where: recent address changes

  • Changing your email address?  Please send updates to cipher@ieee-security.org