Cipher Electronic Newsletter of the Technical Committe on    Security & Privacy A Technical Committee of the Computer Society of the IEEE  Electronic Issue (EI) 92,  September 15, 2009 Hilarie Orman,  Editor Book Reviews Sven Dietrich, Associate Editor Yong Guan, Calendar Editor

Contents:

• Letter from the Editor 
   

• Commentary and Opinion

  • Richard Austin's review of Beautiful Security: Leading Security Experts Explain How They Think by Andy Oram and Jon Viega, Eds.

  • Review of the ARO Workshop on Digital Forensics (Arlington, VA, September 10-11, 2009) by Yong Guan

  • NIST Publication on Key Establishment, from Elaine Barker

  • NIST Report on the Cryptographic Key Management Workshop, from Sarah Caswell

  • NIST SP 800-81 Rev. 1 DRAFT Secure Domain Name System (DNS) Deployment Guide

  • News Bits:  Announcements and correspondence from readers (please contribute!)

  • Book reviews from past Cipher issues

  • Conference Reports and Commentary from past Cipher issues

  • News items from past Cipher issues

 
• Conference and Workshop Announcements

  • Cipher calls-for-papers and calendar
      Calendar (the calls-for-papers and the calendar announcements may differ slightly in content or time of update): 

  • 9/14/09- 9/18/09: SECURECOMM, 5th International ICST Conference on Security and Privacy for Communication Networks, Athens, Greece
  • 9/15/09: EC2ND, 5th European Conference on Computer Network Defence, Politecnico di Milano, Milano, Italy; Submissions are due
  • 9/15/09: FC, Financial Cryptography and Data Security, Tenerife, Canary Islands, Spain; Submissions are due
  • 9/21/09: WiSec, 3rd ACM Conference on Wireless Network Security, Stevens Institute of Technology, Hoboken, NJ, USA; Submissions are due
  • 9/21/09- 9/25/09: ESORICS, 14th European Symposium on Research in Computer Security, Saint Malo, France
  • 9/24/09: DPM, 4th International Workshop on Data Privacy Management, Saint Malo, Britany, France
  • 9/24/09- 9/25/09: SETOP, International Workshop on Autonomous and Spontaneous Security, Held in conjunction with ESORICS 2009, Saint Malo, Britany, France
  • 9/24/09- 9/25/09: STM, 5th International Workshop on Security and Trust Management, Held in conjunction with ESORICS 2009, Saint Malo, France
  • 9/27/09- 9/30/09: SRDS, 28th International Symposium on Reliable Distributed Systems, Niagara Falls, New York, USA
  • 9/28/09: ASIACCS, 5th ACM Symposium on Information, Computer and Communications Security, Beijing, China; Submissions are due
  • 9/30/09: ESSoS, 2nd International Symposium on Engineering Secure Software and Systems, Pisa, Italy; Submissions are due
  • 9/30/09: SecSE, 4th International Workshop on Secure Software Engineering, Held in conjunction with the 5th International Conference on Availability, Reliability and Security (ARES 2010), Krakow, Poland; Submissions are due
  • 9/30/09-10/ 2/09: ICDF2C, International Conference on Digital Forensics & Cyber Crime, Albany, NY, USA
  • 10/ 1/09: SPattern, 4th International Workshop on Secure systems methodologies using patterns, Held in conjunction with the 5th International Conference on Availability, Reliability and Security (ARES 2010), Krakow, Poland; Submissions are due
  • 10/ 6/09-10/10/09: SIN, 2nd ACM International Conference on Security of Information and Networks, Eastern Mediterranean University, Gazimagusa, TRNC, North Cyprus
  • 10/ 9/09: RFIDsec, The 2010 Workshop on RFID Security, Singapore; Submissions are due
  • 10/11/09: VizSec, Workshop on Visualization for Cyber Security, Atlantic City, NJ, USA
  • 10/12/09: SecPri-WiMob, International Workshop on Security and Privacy in Wireless and Mobile Computing, Networking and Communications, Held in the 5th IEEE International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob 2009), Marrakech, Morocco
  • 10/12/09-10/14/09: TSP, IEEE International Symposium on Trust, Security and Privacy for Pervasive Applications, Held in conjunction with the IEEE International Conference on Mobile Ad-hoc and Sensor Systems (MASS 2009), Macau SAR, China
  • 10/14/09: MetriSec, 5th International Workshop on Security Measurements and Metrics, Held in conjunction with the International Symposium on Empirical Software Engineering and Measurement (ESEM 2009), Lake Buena Vista, Florida, USA
  • 10/15/09: Journal of System Architecture, Special Issue on Security and Dependability Assurance of Software Architectures; Submissions are due
  • 10/15/09: WECSR, Workshop on Ethics in Computer Security Research, Held in conjunction with the 14th International Conference on Financial Cryptography and Data Security (FC 2010), Tenerife, Canary Islands, Spain; Submissions are due
  • 10/18/09: SESOC, International Workshop on SECurity and SOCial Networking, Mannheim, Germany; Submissions are due
  • 10/19/09-10/21/09: NSS, 3rd International Conference on Network & System Security, Gold Coast, Australia
  • 10/19/09-10/21/09: DMM, 1st International Workshop on Denial of service Modelling and Mitigation, Held in conjunction with 3rd International Conference on Network & System Security (NSS 2009), Gold Coast, Australia
  • 10/28/09-10/30/09: IWSEC, 4th International Workshop on Security, Toyama, Japan
  • 10/31/09: Springer Requirements Engineering journal, Special Issue on Digital Privacy: Theory, Policies and Technologies; Submissions are due
  • 11/ 1/09: Elsevier Computer Communications, Special Issue on Multimedia Networking and Security in Convergent Networks; Submissions are due
  • 11/ 1/09-11/ 6/09: LISA, 23rd USENIX Large Installation System Administration Conference, Baltimore, MD, USA
  • 11/ 1/09-11/ 6/09: IS, 4th International Symposium on Information Security, Vilamoura, Algarve-Portugal
  • 11/ 5/09-11/ 6/09: FAST, 6th International Workshop on Formal Aspects in Security and Trust, Eindhoven, the Netherlands
  • 11/ 9/09-11/10/09: EC2ND, 5th European Conference on Computer Network Defence, Politecnico di Milano, Milano, Italy
  • 11/ 9/09-11/13/09: CCS, 16th ACM Conference on Computer and Communications Security, Chicago, IL, USA
  • 11/13/09: STC, 4th Annual Workshop on Scalable Trusted Computing, Held in conjunction with the 16th ACM Conference on Computer and Communications Security (CCS 2009), Chicago, IL, USA
  • 11/13/09: SWS, ACM Workshop on Secure Web Services, Held in conjunction with the 16th ACM Conference on Computer and Communications Security (CCS 2009), Chicago, IL, USA
  • 11/13/09: SPIMACS, ACM Workshop on Security and Privacy in Medical and Home-Care Systems, Held in conjunction with the 16th ACM Conference on Computer and Communications Security (CCS 2009), Chicago, IL, USA
  • 11/13/09: CCSW, ACM Cloud Computing Security Workshop, Held in conjunction with the 16th ACM Conference on Computer and Communications Security (CCS 2009), Chicago, IL, USA
  • 11/15/09: IEEE Security & Privacy, Special Issue on Privacy-Preserving Sharing of Sensitive Information; Submissions are due
  • 11/18/09: SP, 31st IEEE Symposium on Security and Privacy, The Claremont Resort, Oakland, CA, USA; Submissions are due
  • 11/18/09-11/20/09: IWNS, International Workshop on Network Steganography, Held in conjunction with the International Conference on Multimedia Information Networking and Security (MINES 2009), Wuhan, Hubei, China
  • 11/18/09-11/20/099: SECMCS, Workshop on Secure Multimedia Communication and Services, Held in conjunction with the 2009 International Conference on Multimedia Information Networking and Security (MINES 2009), Wuhan, China
  • 11/30/09: MidSec, 2nd Workshop on Middleware Security, Held in conjunction with the 10th ACM/IFIP/USENIX International Middleware Conference (MIDDLEWARE 2009), Urbana Champaign, Illinois, USA
  • 12/ 6/09-12/ 9/09: WIFS, 1st IEEE International Workshop on Information Forensics and Security, London, UK
  • 12/ 6/09-12/10/09: ASIACRYPT, 15th Annual International Conference on the Theory and Application of Cryptology and Information Security, Tokyo, Japan
  • 12/ 7/09-12/11/09: ACSAC, 25th Annual Computer Security Applications Conference, Honolulu, Hawaii, USA
  • 12/ 8/09-12/11/09: ICPADS, 15th IEEE International Conference on Parallel and Distributed Systems, Shenzhen, China
  • 12/ 9/09-12/11/09: ReConFig, International Conference on ReConFigurable Computing and FPGAs, Special Track on Reconfigurable Computing for Security and Cryptography, Cancun, Mexico
  • 12/10/09-12/12/09: F2GC, 2nd International Workshop on Forensics for Future Generation Communication environments, Jeju, Korea
  • 12/10/09-12/12/09: MPIS, 2nd International Workshop on Multimedia, Information Privacy and Intelligent Computing Systems, Jeju, Korea
  • 12/12/09-12/14/09: CANS, 8th International Conference on Cryptography and Network Security, Kanazawa, Ishikawa, Japan
  • 12/12/09-12/14/09: UbiSafe, 2nd IEEE International Symposium on Ubisafe Computing, Chengdu, China
  • 12/12/09-12/14/09: SCC, Workshop on Security in Cloud Computing, Chengdu, China
  • 12/12/09-12/15/09: Inscrypt, 5th China International Conference on Information Security and Cryptology, Beijing China
  • 12/14/09: TaPP, 2nd Workshop on the Theory and Practice of Provenance, Held in conjunction with the 8th USENIX Conference on File and Storage Technologies (FAST 2010), San Jose, CA, USA; Submissions are due
  • 12/14/09-12/18/09: ICISS, 5th International Conference on Information Systems Security, Kolkata, India
  • 12/17/09-12/19/09: INTRUST, The International Conference on Trusted Systems, Beijing, P. R. China
  • 12/19/09: IFIP-TM, 4th IFIP International Conference on Trust Management, Morioka, Japan; Submissions are due
  • 12/31/09: IFIP-CIP, 4th Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, Fort McNair, Washington, DC, USA; Submissions are due
  • 1/ 3/10- 1/ 6/10: IFIP-DF, 6th Annual IFIP WG 11.9 International Conference on Digital Forensics, University of Hong Kong, Hong Kong
  • 1/ 5/10- 1/ 8/10: HICSS-DF, 43rd Hawaii International Conference on System Sciences, Digital Forensics Minitrack, Koloa, Kauai, Hawaii
  • 1/25/10- 1/28/10: FC, Financial Cryptography and Data Security, Tenerife, Canary Islands, Spain
  • 1/28/10- 1/29/10: WECSR, Workshop on Ethics in Computer Security Research, Held in conjunction with the 14th International Conference on Financial Cryptography and Data Security (FC 2010), Tenerife, Canary Islands, Spain
  • 2/ 3/10- 2/4/10: ESSoS, 2nd International Symposium on Engineering Secure Software and Systems, Pisa, Italy
  • 2/ 5/10: ACNS, 8th International Conference on Applied Cryptography and Network Security, Beijing, China; Submissions are due
  • 2/15/10- 2/18/10: SecSE, 4th International Workshop on Secure Software Engineering, Held in conjunction with the 5th International Conference on Availability, Reliability and Security (ARES 2010), Krakow, Poland
  • 2/15/10- 2/18/10: SPattern, 4th International Workshop on Secure systems methodologies using patterns, Held in conjunction with the 5th International Conference on Availability, Reliability and Security (ARES 2010), Krakow, Poland
  • 2/17/10- 2/19/10: SNDS, 18th Euromicro International Conference on Parallel, Distributed and network-based Processing, Special Session on Security in Networked and Distributed Systems, Pisa, Italy
  • 2/22/10- 2/23/10: RFIDsec, The 2010 Workshop on RFID Security, Singapore
  • 2/22/10: TaPP, 2nd Workshop on the Theory and Practice of Provenance, Held in conjunction with the 8th USENIX Conference on File and Storage Technologies (FAST 2010), San Jose, CA, USA
  • 2/28/10- 3/ 3/10: NDSS, 17th Annual Network & Distributed System Security Symposium, San Diego, CA, USA
  • 3/14/10- 3/17/10: IFIP-CIP, 4th Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, Fort McNair, Washington, DC, USA
  • 3/22/10- 3/24/10: WiSec, 3rd ACM Conference on Wireless Network Security, Stevens Institute of Technology, Hoboken, NJ, USA
  • 3/22/10- 3/26/10: SAC-CF, 25th ACM Symposium on Applied Computing, Computer Forensics Track, Sierre, Switzerland
  • 3/22/10- 3/26/10: SAC-TRECK, 25th ACM Symposium on Applied Computing, Trust, Reputation, Evidence and other Collaboration Know-how Track, Sierre, Switzerland
  • 3/22/10- 3/26/10: SAC-ISRA, 25th ACM Symposium on Applied Computing, Information Security Research and Applications Track, Sierre, Switzerland
  • 3/22/10- 3/26/10: SAC-SEC, 25th ACM Symposium on Applied Computing, Computer Security Track, Sierre, Switzerland
  • 3/29/10- 4/ 2/10: SESOC, International Workshop on SECurity and SOCial Networking, Mannheim, Germany
  • 4/13/10- 4/16/10: ASIACCS, 5th ACM Symposium on Information, Computer and Communications Security, Beijing, China
  • 5/16/10- 5/19/10: SP, 31st IEEE Symposium on Security and Privacy, The Claremont Resort, Oakland, CA, USA
  • 6/16/10- 6/18/10: IFIP-TM, 4th IFIP International Conference on Trust Management, Morioka, Japan
  • 6/22/10- 6/25/10: ACNS, 8th International Conference on Applied Cryptography and Network Security, Beijing, China
  
  
  • new calls or announcements added since Cipher E91

  • FC 2010 Financial Cryptography and Data Security, Tenerife, Canary Islands, Spain, January 25-28, 2010. (Submissions due 15 September 2009) )

    Financial Cryptography and Data Security is a major international forum for research, advanced development, education, exploration, and debate regarding information assurance, with a specific focus on commercial contexts. The conference covers all aspects of securing transactions and systems. Original works focusing on both fundamental and applied real-world deployments on all aspects surrounding commerce security are solicited. Submissions need not be exclusively concerned with cryptography. Systems security and inter-disciplinary efforts are particularly encouraged.

  • EC2ND 2009 5th European Conference on Computer Network Defence, Politecnico di Milano, Milano, Italy, November 12-13, 2009. (Submissions due 15 September 2009)

    The theme of the conference is the protection of computer networks. The conference will draw participants from academia and industry in Europe and beyond to discuss hot topics in applied network and systems security. EC2ND invites submissions presenting novel ideas at an early stage with the intention to act as a discussion forum and feedback channel for promising, innovative security research. While our goal is to solicit ideas that are not completely worked out, and might have challenging and interesting open questions, we expect submissions to be supported by some evidence of feasibility or preliminary quantitative results. Topics include but are not limited to:

    • Intrusion Detection
    • Denial-of-Service
    • Privacy Protection
    • Security Policy
    • Peer-to-Peer and Grid Security
    • Network Monitoring
    • Web Security
    • Vulnerability Management and Tracking
    • Network Forensics
    • Wireless and Mobile Security
    • Cryptography
    • Network Discovery and Mapping
    • Incident Response and Management
    • Malicious Software
    • Web Services Security
    • Legal and Ethical Issues

  • WiSec 2010 3rd ACM Conference on Wireless Network Security, Stevens Institute of Technology, Hoboken, NJ, USA, March 22-24, 2010. (Submissions due 21 September 2009)

    As wireless networks become ubiquitous, their security gains in importance. The ACM Conference on Wireless Network Security (WiSec) aims at exploring attacks on wireless networks as well as techniques to thwart them. The considered networks encompass cellular, metropolitan, local area, vehicular, ad hoc, satellite, underwater, cognitive radio, and sensor networks, as well as RFID. Topics of interest include, but are not limited to:

    • Naming and addressing vulnerabilities
    • Key management in wireless/mobile environments
    • Secure neighbor discovery / Secure localization
    • Secure PHY and MAC protocols
    • Trust establishment
    • Intrusion detection, detection of malicious behavior
    • Revocation of malicious parties
    • Denial of service
    • User privacy, location privacy
    • Anonymity, prevention of traffic analysis
    • Identity theft and phishing in mobile networks
    • Charging
    • Cooperation and prevention of non-cooperative behavior
    • Economics of wireless security
    • Vulnerability and attack modeling
    • Incentive-aware secure protocol design
    • Jamming/Anti-jamming communication
    • Cross-layer design for security
    • Monitoring and surveillance
    • Cryptographic primitives for wireless communication
    • Formal methods for wireless security
    • Mobile platform and systems (OS and application) security

  • ASIACCS 2010 5th ACM Symposium on Information, Computer and Communications Security, Beijing, China, April 13-16, 2010. (Submissions due 28 September 2009)

    ASIACCS is a major international forum for information security researchers, practitioners, developers, and users to explore and exchange the latest cyber-security ideas, breakthroughs, findings, techniques, tools, and experiences. We invite submissions from academia, government, and industry presenting novel research on all theoretical and practical aspects of computer and network security. Topics of interest include, but are not limited to:

    • anonymity
    • access control
    • secure networking
    • accounting and audit
    • key management
    • intrusion detection
    • authentication
    • smartcards
    • data and application security
    • Malware and botnets
    • privacy-enhancing technology
    • software security
    • inference/controlled disclosure
    • intellectual-property protection
    • digital-rights management
    • trusted computing
    • phishing and countermeasures
    • commercial and industry security
    • security management
    • web security
    • applied cryptography
    • mobile-computing security
    • cryptographic protocols
    • data/system integrity
    • information warfare
    • formal methods for security
    • identity management
    • security in ubiquitous computing, e.g., RFIDs
    • security and privacy for emerging technologies, e.g., VoIP, peer-to-peer and overlay network systems, Web 2.0

  • ESSoS 2010 2nd International Symposium on Engineering Secure Software and Systems, Pisa, Italy, February 3-4, 2010. (Submissions due 30 September 2009)

    The goal of this symposium is to bring together researchers and practitioners to advance the states of the art and practice in secure software engineering. Being one of the few conference-level events dedicated to this topic, it explicitly aims to bridge the software engineering and security engineering communities, and promote cross-fertilization. The symposium will feature two days of technical program as well as one day of tutorials. The technical program includes an experience track for which the submission of highly informative case studies describing (un)successful secure software project experiences and lessons learned is explicitly encouraged. Topics of interest include, but are not limited to:

    • scalable techniques for threat modeling and analysis of vulnerabilities
    • specification and management of security requirements and policies
    • security architecture and design for software and systems
    • model checking for security
    • specification formalisms for security artifacts
    • verification techniques for security properties
    • systematic support for security best practices
    • security testing
    • security assurance cases
    • programming paradigms, models and DLS's for security
    • program rewriting techniques
    • processes for the development of secure software and systems
    • security-oriented software reconfiguration and evolution
    • security measurement
    • automated development
    • trade-off between security and other non-functional requirements
    • support for assurance, certification and accreditation

  • SecSE 2010 4th International Workshop on Secure Software Engineering, Held in conjunction with ARES 2010, Krakow, Poland, February 15-18, 2010. (Submissions due 30 September 2009)

    Software is an integral part of everyday life, and we expect and depend upon software systems to perform correctly. Software security is about ensuring that systems continue to function correctly also under malicious attack. As most systems now are web-enabled, the number of attackers with access to the system increases dramatically and thus the threat scenario changes. The traditional approach to secure a system includes putting up defence mechanisms like IDS and firewalls, but such measures are no longer sufficient by themselves. We need to be able to build better, more robust and more secure systems. Even more importantly, however, we should strive to achieve these qualities in all software systems, not just the ones that need special protection. This workshop will focus on techniques, experiences and lessons learned for building secure and dependable software. Suggested topics include, but are not limited to:

    • Secure architecture and design
    • Security in agile software development
    • Aspect-oriented software development for secure software
    • Security requirements
    • Risk management in software projects
    • Secure implementation
    • Secure deployment
    • Testing for security
    • Quantitative measurement of security properties
    • Static and dynamic analysis for security
    • Verification and assurance techniques for security properties
    • Lessons learned
    • Security and usability
    • Teaching secure software development
    • Experience reports on successfully attuning developers to secure software engineering

  • SPattern 2010 4th International Workshop on Secure systems methodologies using patterns, Held in conjunction with the 5th International Conference on Availability, Reliability and Security (ARES 2010), Krakow, Poland, February 15-18, 2010. (Submissions due 1 October 2009)

    Security patterns have arrived to a stage where there are a significant number of them, two books about them have been published, and industry is starting to accept and use them. Analysis and design patterns have been around for about ten years and have found practical use in many projects. They have been incorporated into several software development methodologies where less experienced developers can use them to receive the advice and knowledge of experts. The situation is not so clear for security patterns because no accepted methodology exists for their use.
    
    Catalogs of security patterns are a good step, but they are not enough. Building secure systems is a difficult process where security aspects are interlaced with the satisfaction of functional requirements. Developers are typically experts on a language or a development methodology but know little about security, which results in them not knowing what security mechanisms make sense at which moments. We need methodologies that guide a designer at each stage of the development cycle. A few of them have appeared, but none of them has been tested in production applications.
    
    This workshop focuses on secure software methodologies. We seek papers describing individual security patterns, new methodologies, new aspects of existing methodologies, pattern languages to use in the methodologies, reference architectures, blueprints, and related aspects. Experiences in applying the methodologies to real situations are especially welcome.
    
    

  • RFIDsec 2010 The 2010 Workshop on RFID Security, Singapore, February 22-23, 2010. (Submissions due 9 October 2009)

    RFIDSec aims to provide a major forum to address the fundamental issues in theory and practice related to security and privacy issues, designs, standards, and case studies in the development of RFID systems and EPCglobal network. Papers representing original research in both the theory and practice concerning RFID security are solicited. Topics of interest include, but are not limited to:

    • New applications for secure RFID systems
    • Data protection and privacy-enhancing techniques for RFID
    • Cryptographic protocols for RFID
    • Authentication protocols
    • Key update mechanisms
    • Scalability issues
    • Integration of secure RFID systems
    • Middleware and security
    • Public-key infrastructures
    • Resource-efficient implementation of cryptography
    • Small-footprint hardware
    • Low-power architectures
    • Attacks on RFID systems such as RFID malwares
    • RFID security hardware such as RFID with PUF
    • Trust model, data protection and sharing for EPCglobal Network

  • Journal of System Architecture, Special Issue on Security and Dependability Assurance of Software Architectures, Spring 2010. (Submission Due 15 October 2009)

    Guest editor: Ernesto Damiani (Università degli Studi di Milano, Italy), Sigrid Gürgens (Fraunhofer Institute for Secure Information Technology, Germany), Antonio Maña (Universidad de Málaga, Spain), George Spanoudakis (City University, London, UK), and Claudio A. Ardagna (Università degli Studi di Milano, Italy)
    
    The JSA special issue will focus in particular on context, methodologies, techniques, and tools for V&V of software architectures, with particular focus on supporting assurance and compliance, as well as security and dependability certification, for evolving and long-lived systems. Authors are invited to submit papers on a variety of topics, including but not limited to:

    • foundations and new perspectives of V&V mechanisms and security certifications
    • solutions, tools, frameworks for S&D assurance and certification
    • new and/or existing certification processes and tools suitable for challenging contexts (e.g., telecommunications, mobile, real time, process control, and embedded systems), and/or experience with them
    • new and/or existing modelling techniques which are particularly suited to evolving systems, and/or experience with them
    • tools and case studies that integrate techniques from different areas, such as V&V mechanisms, including static verification, dynamic verification, testing, product and process certification, empirical software engineering, modeling of evolving and distributed systems

  • WECSR 2010 Workshop on Ethics in Computer Security Research, Held in conjunction with the 14th International Conference on Financial Cryptography and Data Security (FC 2010), Tenerife, Canary Islands, Spain, January 28-29, 2010. (Submissions due 15 October 2009)

    Computer security often leads to discovering interesting new problems and challenges. The challenge still remains to follow a path acceptable for Institutional Review Boards at academic institutions, as well as compatible with ethical guidelines for professional societies or government institutions. However, no exact guidelines exist for computer security research yet. This workshop will bring together computer security researchers, practitioners, policy makers, and legal experts. This workshop solicits submissions describing or suggesting ethical and responsible conduct in computer security research. While we focus on setting standards and sharing prior experiences and experiments in computer security research, successful or not, we tap into research behavior in network security, computer security, applied cryptography, privacy, anonymity, and security economics. This workshop will favor discussions among participants, in order to shape the future of ethical standards in the field.

  • SESOC 2010 International Workshop on SECurity and SOCial Networking, Mannheim, Germany, March 29 - April 2 2010. (Submissions due 18 October 2009)

    Future pervasive communication systems aim at supporting social and collaborative communications: the evolving topologies are expected to resemble the actual social networks of the communicating users and information on their characteristics can be a powerful aid for any network operation. New emerging technologies that use information on the social characteristics of their participants raise entirely new privacy concerns and require new reflections on security problems such as trust establishment, cooperation enforcement or key management. The aim of this workshop is to encompass research advances in all areas of security, trust and privacy in pervasive communication systems, integrating the social structure of the network as well. Topics of interest include:

    • new aspects of trust
    • privacy concerns
    • availability and resilience
    • community based secure communication
    • data confidentiality, data integrity
    • anonymity, pseudonymity
    • key management
    • secure bootstrapping
    • security issues in forwarding, routing
    • security aspects regarding cooperation
    • new reputation systems
    • new attack paradigms
    • new requirements for software security
    • malware

  • Springer Requirements Engineering journal, Special Issue on Digital Privacy: Theory, Policies and Technologies, Summer 2010. (Submission Due 31 October 2009)

    Guest editor: Annie I. Anton (North Carolina State University, USA), Travis D. Breaux (Institute for Defense Analyses, USA), Stefanos Gritzalis (University of the Aegean, Greece), and John Mylopoulos (University of Trento, Italy)
    
    This special issue of the Requirements Engineering journal aims at providing researchers and professionals with insights on the state-of-the-art in Digital Privacy from the views of Theory, Policies and Technologies. Topics of interest may include one or more of the following (but are not limited to) themes:

    • Compliance of system policies to privacy requirements
    • Methods, tools and techniques for realizing privacy requirements
    • Alignment of system policies to privacy requirements
    • Alignment of privacy requirements to privacy laws, regulations and standards
    • Agent-oriented privacy engineering
    • Verification and validation of privacy requirements
    • Integrating privacy requirements in system engineering
    • Formal methods on privacy
    • Privacy policies and human rights
    • Privacy policy enforcement
    • Privacy policies for companies engaging in eCommerce
    • Privacy policies in the digital business
    • Privacy enhancing technologies and systems

  • Elsevier Computer Communications, Special Issue on Multimedia Networking and Security in Convergent Networks, Summer 2010. (Submission Due 1 November 2009)

    Guest editor: Chang Wen Chen (University at Buffalo, USA), Stefanos Gritzalis (University of the Aegean, Greece), Pascal Lorenz (University of Haute Alsace, France), and Shiguo Lian (France Telecom R&D Beijing, China)
    
    Authors are invited to submit detailed technical manuscripts reporting recent developments in the topics related to the special issue. Note the special emphasis on convergent and heterogeneous networks – this special issue is devoted to exploring the challenges and solutions for multimedia communication and security in convergent network environments. The new challenge in network management is to deal with heterogeneous client capabilities as well as dynamic end-to-end resources availability, and to ensure satisfactory service quality for every client. The new challenge in secure communication is to solve the privacy and security issues becoming increasingly important topics in network convergence. Some suggested topics include but are not limited to:

    • Heterogeneous multimedia networking
    • Cross-layer multimedia adaptation
    • Inter-network multimedia adaptation
    • QoS control in network convergence
    • Interactive Mobile TV based on network convergence
    • Mobile community based on network convergence
    • Smart home networks based on network convergence
    • Telematics systems based on network convergence
    • E-healthcare systems based on network convergence
    • Privacy preserving in network convergence
    • Multimedia content security in network convergence
    • Digital rights management in network convergence
    • Content tracking and filtering in network convergence
    • Intrusion detection and prevention in network convergence
    • Other networking or security issues in network convergence

  • IEEE Security & Privacy, Special Issue on Privacy-Preserving Sharing of Sensitive Information, July/August 2010. (Submission Due 15 November 2009)

    Guest editor: Sal Stolfo (Columbia University, USA) and Gene Tsudik (UC Irvine, USA)
    
    Privacy-Preserving Sharing of Sensitive Information (PPSSI) is motivated by the increasing need for organizations or people who don't fully trust each other to share sensitive information. Many types of organizations must often collect, analyze, and disseminate data rapidly and accurately without exposing sensitive information to wrong or untrusted parties. For example, census-takers collect private data with the understanding that it won't be released in a form traceable to the individual who provided it. Companies might be willing to divulge sensitive financial data to organizations that release only aggregate data for an industry sector. A hospital might share patient information with a state health agency but only to allow the latter to determine the number (and not the identities) of uninsured patients. While statistical methods for protecting data have been in use for decades, they're not foolproof and they generally involve a trusted third party to produce privacy-preserving statistical digests. More recently, techniques employing secure multi-party function evaluation, encrypted keywords, and private information retrieval have been studied and, in a few cases, deployed, However there are no practical tools and technologies to guarantee data privacy, especially, whenever organizations have certain common goals and require exchanges of data. To this end, the objective of PPSSI technology is to enable multiple entities to cooperate and share information without exposing more than what is necessary to complete a common task. Potential submission topics include (but are not limited to) the following:

    • PPSSI requirements and policy enforcement; prospective policies governing PPSSI, including formal models and policy languages as well as trust models.
    • Data “cleaning” and obfuscation techniques.
    • Cryptographic protocols; innovative constructs, their performance and implementation issues, for example, private information retrieval, searching over encrypted data and private set operations.
    • Data management; storage and data management issues arising in PPSSI settings.
    • Secure hardware; architectures and technologies in support of PPSSI

  • SP 2010 31st IEEE Symposium on Security and Privacy, The Claremont Resort, Oakland, CA, USA, May 16–19, 2010. (Submissions due 18 November 2009)

    Since 1980, the IEEE Symposium on Security and Privacy has been the premier forum for computer security research, presenting the latest developments and bringing together researchers and practitioners. We solicit previously unpublished papers offering novel research contributions in any aspect of computer security or privacy. Papers may present advances in the theory, design, implementation, analysis, verification, or empirical evaluation of secure systems. S&P is interested in all aspects of computer security and privacy. P apers without a clear application to security or privacy, however, will be considered out of scope and may be rejected without full review.
    
    *Systematization of Knowledge Papers*: In addition to the standard research papers, we are also soliciting papers focused on systematization of knowledge. The goal of this call is to encourage work that evaluates, systematizes, and contextualizes existing knowledge. These papers will provide a high value to our community but would otherwise not be accepted because they lack novel research contributions. Suitable papers include survey papers that provide useful perspectives on major research areas, papers that support or challenge long-held beliefs with compelling evidence, or papers that provide an extensive and realistic evaluation of competing approaches to solving specific problems. Submissions will be distinguished by a checkbox on the submission form. They will be reviewed by the full PC and held to the same standards as traditional research papers, except instead of emphasizing novel research contributions the emphasis will be on value to the community. Accepted papers will be presented at the symposium and included in the proceedings.
    
    *Workshops*:
    The Symposium is also soliciting submissions for colocated workshops. Workshop proposals should be sent by Friday, 21 August 2009 by email to Carrie Gates (carrie.gates@ca.com). Workshops may be half-day or full-day in length. Submissions should include the workshop title, a short description of the topic of the workshop, and biographies of the organizers.

  • TaPP 2010 2nd Workshop on the Theory and Practice of Provenance, Held in conjunction with the 8th USENIX Conference on File and Storage Technologies (FAST 2010), San Jose, CA, USA, February 22, 2010. (Submissions due 14 December 2009)

    Provenance, or meta-information about computations, computer systems, database queries, scientific workflows, and so on, is emerging as a central issue in a number of disciplines. The TaPP workshop series builds upon a set of workshops on Principles of Provenance organized in 2007-2009, which helped raise the profile of this area within diverse research communities, such as databases, security, and programming languages. We hope to attract serious cross-disciplinary, foundational, and highly speculative research and to facilitate needed interaction with the broader systems community and with industry. We invite submissions addressing research problems involving provenance in any area of computer science, including but not limited to:

    • Databases (Data provenance and lineage, Uncertainty/probabilistic databases, Curated databases, Data quality/integration/cleaning, Privacy/anonymity, Data forensics)
    • Programming languages and software engineering (Bi-directional, adaptive, and self-adjusting computation, Traceability, Source code management/version control/configuration management, Model-driven design and analysis)
    • Systems and security (Provenance aware/versioned file systems, Provenance and audit/integrity/information flow security, Trusted computing, Traces and reflective/adaptive/self-adjusting systems, Digital libraries)
    • Workflows/scientific computation (Efficient/incremental recomputation, Scientific data exploration and visualization, Workflow provenance querying, User interfaces)

  • IFIP-TM 2010 4th IFIP International Conference on Trust Management, Morioka, Japan, June 16-18, 2010. (Submissions due 19 December 2009)

    The mission of the IFIPTM 2010 Conference is to share research solutions to problems of Trust and Trust management, including related Security and Privacy issues, and to identify new issues and directions for future research and development work. IFIPTM 2010 invites submissions presenting novel research on all topics related to Trust, Security and Privacy, including but not limited to those listed below:

    • Trust models, formalization, specification, analysis and reasoning
    • Reputation systems and architectures
    • Engineering of trustworthy and secure software
    • Ethics, sociology and psychology of trust
    • Security management and usability issues including security configuration
    • Trust management frameworks for secure collaborations
    • Language security
    • Security, trust and privacy for service oriented architectures and composite applications
    • Security, trust and privacy for software as a service (SaaS)
    • Security, trust and privacy for Web 2.0 Mashups
    • Security, privacy, and trust as a service
    • Legal issues related to the management of trust
    • Semantically-aware security management
    • Adaptive security policy management
    • Mobile security
    • Anonymity and privacy vs. accountability
    • Critical infrastructure protection, public safety and emergency management
    • Privacy and identity management in e-services
    • Biometrics, national ID cards, identity theft
    • Robustness of trust and reputation systems
    • Distributed trust and reputation management systems
    • Human computer interaction aspects of privacy, security & trust
    • Applications of trust and reputation management in e-services
    • Trusted platforms and trustworthy systems

  • IFIP-CIP 2010 4th Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, Fort McNair, Washington, DC, USA, March 14–17, 2010. (Submissions due 31 December 2009)

    The IFIP Working Group 11.10 on Critical Infrastructure Protection is an active international community of researchers, infrastructure operators and policy-makers dedicated to applying scientific principles, engineering techniques and public policy to address current and future problems in information infrastructure protection. Following the success of the first three conferences, the Fourth Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection will again provide a forum for presenting original, unpublished research results and innovative ideas related to all aspects of critical infrastructure protection. Papers are solicited in all areas of critical infrastructure protection. Areas of interest include, but are not limited to:

    • Infrastructure vulnerabilities, threats and risks
    • Security challenges, solutions and implementation issues
    • Infrastructure sector interdependencies and security implications
    • Risk analysis and risk assessment methodologies
    • Modeling and simulation of critical infrastructures
    • Legal, economic and policy issues
    • Secure information sharing
    • Infrastructure protection case studies
    • Distributed control systems/SCADA security
    • Telecommunications network security

  • ACNS 2010 8th International Conference on Applied Cryptography and Network Security, Beijing, China, June 22-25, 2010. (Submissions due 5 February 2010)

    Original papers on all aspects of applied cryptography and network security are solicited for submission to ACNS '10. Topics of relevance include but are not limited to:

    • Applied cryptography and provably-secure cryptographic protocols
    • Design and analysis of efficient cryptographic primitives: public-key and symmetric-key cryptosystems, block ciphers, and hash functions
    • Network security protocols
    • Techniques for anonymity; trade-offs between anonymity and utility
    • Integrating security into the next-generation Internet: DNS security, routing, naming, denial-of-service attacks, TCP/IP, secure multicast
    • Economic fraud on the Internet: phishing, pharming, spam, and click fraud
    • Email and web security
    • Public key infrastructure, key management, certification, and revocation
    • Security and privacy for emerging technologies: sensor networks, mobile (ad hoc) networks, peer-to-peer networks, bluetooth, 802.11, RFID
    • Trust metrics and robust trust inference in distributed systems
    • Security and usability
    • Intellectual property protection and digital rights management
    • Modeling and protocol design for rational and malicious adversaries
    • Automated analysis of protocols

• The Technical Committee on Security and Privacy

 

• Listing of academic positions available  by Cynthia Irvine
  

 

• Staying in touch....

  • Information for Subscribers and Contributors

  • Who's where: recent address changes

  • Changing your email address?  Please send updates to cipher@ieee-security.org