Cipher Electronic Newsletter of the Technical Committe on    Security & Privacy A Technical Committee of the Computer Society of the IEEE  Electronic Issue (EI) 97,  July 25, 2010 Hilarie Orman,  Editor Book Reviews Sven Dietrich, Associate Editor Yong Guan, Calendar Editor

Contents:

• Letter from the Editor 
   

• Commentary and Opinion

  • Review of the Web 2.0 Security and Privacy Workshop (Claremont Hotel, Berkeley, CA, May 20, 2010) by Sruthi Bandhavkavi

  • Review of the Conference on Detection of Intrusions and Malware & Vulnerability Assessment (Bonn, Germany, July 8-9, 2010) by Asia Slowinska and Johannes Hoffmann

  • Richard Austin's review of The Failure of Risk Management: Why Its Broken and How to Fix It by Douglas Hubbard

  • News:

    • New website offers resources for hardware security research
    • NIST DRAFT Recommendation for Password-Based Key Derivation - Part 1: Storage Applications.
    • The DNS Root Zone: Signed and Delivered

  • Book reviews from past Cipher issues

  • Conference Reports and Commentary from past Cipher issues

  • News items from past Cipher issues

 

• Conference and Workshop Announcements

  • Cipher calls-for-papers and calendar
      (the calls-for-papers and the calendar announcements may differ slightly in content or time of update): 

  • Calendar of Events
    (you can get calendar updates on Twitter; follow "ciphernews")

    • 7/26/10: WESS, 5th Workshop on Embedded Systems Security, Scottsdale, AZ, USA; Submissions are due
    • 7/26/10- 7/28/10: SECRYPT, 5th International Conference on Security and Cryptography, Athens, Greece
    • 8/ 1/10: Journal of Network and Computer Applications, Special Issue on Trusted Computing and Communications; Submissions are due
    • 8/ 1/10: IEEE Software, Special Issue on Software Protection; Submissions are due
    • 8/ 1/10: INTRUST, International Conference on Trusted Systems, Beijing, China; Submissions are due
    • 8/ 6/10: NDSS, Network & Distributed System Security Symposium, San Diego, California, USA; Submissions are due
    • 8/ 9/10: CSET, 3rd Workshop on Cyber Security Experimentation and Test, Washington, DC, USA
    • 8/ 9/10: WOOT, 4th USENIX Workshop on Offensive Technologies, Washington, DC, USA
    • 8/ 9/10- 8/13/10: LIS, Workshop on Logics in Security, Copenhagen, Denmark
    • 8/10/10: HealthSec, 1st USENIX Workshop on Health Security and Privacy, Washington, DC, USA
    • 8/10/10: HotSec, 5th USENIX Workshop on Hot Topics in Security, Washington DC, USA
    • 8/11/10- 8/13/10: USENIX-Security, 19th USENIX Security Symposium, Washington, DC, USA
    • 8/17/10- 8/19/10: PST, 8th International Conference on Privacy, Security and Trust, Ottawa, Canada
    • 8/20/10: CPSRT, International Workshop on Cloud Privacy, Security, Risk & Trust, Held in conjunction with the 2nd IEEE International Conference on Cloud Computing Technology and Science (CloudCom 2010), Indianapolis, IN, USA; Submissions are due
    • 8/20/10: CT-RSA, RSA Conference, The Cryptographers' Track, San Francisco, CA, USA; Submissions are due
    • 8/21/10: FTDC, 7th Workshop on Fault Diagnosis and Tolerance in Cryptography, Held in conjunction with the CHES 2010, Santa Barbara, CA, USA
    • 8/24/10: SAC-TRECK, 26th ACM Symposium on Applied Computing, Track: Trust, Reputation, Evidence and other Collaboration Know-how (TRECK), TaiChung, Taiwan; Submissions are due
    • 8/30/10- 9/ 3/10: TrustBus, 7th International Conference on Trust, Privacy & Security in Digital Business, Bilbao, Spain
    • 8/31/10: Wiley Security and Communication Networks (SCN), Special Issue on Defending Against Insider Threats and Internal Data Leakage; Submissions are due
    • 9/ 1/10: IEEE Internet Computing, Special Issue on Security and Privacy in Social Networks; Submissions are due
    • 9/ 1/10: In-Bio-We-Trust, International Workshop on Bio-Inspired Trust Management for Information Systems, Held in conjunction with the Bionetics 2010, Boston, MA, USA; Submissions are due
    • 9/ 6/10- 9/ 9/10: MMM-ACNS, 5th International Conference on Mathematical Methods, Models, and Architectures for Computer Networks Security, St. Petersburg, Russia
    • 9/ 7/10- 9/10/10: SECURECOMM, 6th International Conference on Security and Privacy in Communication Networks, Singapore
    • 9/ 7/10- 9/11/10: SIN, 3rd International Conference on Security of Information and Networks, Taganrog, Rostov-on-Don, Russia;
    • 9/ 9/10: SA&PS4CS, 1st International Workshop on Scientific Analysis and Policy Support for Cyber Security, Held in conjunction with the 5th International Conference on Mathematical Methods, Models, and Architectures for Computer Networks Security (MMM-ACNS 2010), St. Petersburg, Russia
    • 9/10/10: SecIoT, 1st Workshop on the Security of the Internet of Things, Held in conjunction with the Internet of Things 2010, Tokyo, Japan; Submissions are due
    • 9/13/10: ESSoS, International Symposium on Engineering Secure Software and Systems, Madrid, Spain; Submissions are due
    • 9/13/10- 9/14/10: NeFX, 2nd Annual ACM Northeast Digital Forensics Exchange, Washington, DC, USA
    • 9/13/10- 9/15/10: SCN, 7th Conference on Security and Cryptography for Networks, Amalfi, Italy
    • 9/13/10- 9/16/10: SCC, 2nd International Workshop on Security in Cloud Computing, Held in Conjunction with ICPP 2010, San Diego, California, USA
    • 9/14/10: VizSec, 7th International Symposium on Visualization for Cyber Security, Ottawa, Ontario, Canada
    • 9/15/10: IEEE Transactions on Information Forensics and Security, Special Issue on Using the Physical Layer for Securing the Next Generation of Communication Systems; Submissions are due
    • 9/15/10: CODASPY, 1st ACM Conference on Data and Application Security and Privacy, San Antonio, TX, USA; Submissions are due
    • 9/15/10: MetriSec, 6th International Workshop on Security Measurements and Metrics, Held in conjunction with the International Symposium on Empirical Software Engineering and Measurement (ESEM 2010), Bolzano-Bozen, Italy
    • 9/15/10- 9/17/10: RAID, 13th International Symposium on Recent Advances in Intrusion Detection, Ottawa, Canada
    • 9/16/10- 9/17/10: FAST, 7th International Workshop on Formal Aspects of Security & Trust, Pisa, Italy
    • 9/20/10- 9/22/10: ESORICS, 15th European Symposium on Research in Computer Security, Athens, Greece
    • 9/20/10- 9/23/10: IFIP-TC9-HCC9, IFIP TC-9 HCC-9 Stream on Privacy and Surveillance, Held in conjunction with the IFIP World Computer Congress 2010, Brisbane, Australia
    • 9/20/10- 9/24/10: ADBIS, 14th East-European Conference on Advances in Databases and Information Systems, Track on Personal Identifiable Information: Privacy, Ethics, and Security, Novi Sad
    • 9/21/10: PRITS, Workshop on Pattern Recognition for IT Security, Held in conjunction with DAGM 2010, Darmstadt, Germany
    • 9/23/10: DPM, International Workshop on Data Privacy Management, Held in conjunction with the ESORICS 2010, Athens, Greece
    • 9/23/10: SETOP, 3rd International Workshop on Autonomous and Spontaneous Security, Held in conjunction with the ESORICS 2010, Athens, Greece
    • 9/23/10- 9/24/10: STM, 6th International Workshop on Security and Trust Management, Athens, Greece
    • 9/24/10: PSDML, ECML/PKDD Workshop on Privacy and Security issues in Data Mining and Machine Learning, Barcelona, Spain
    • 10/ 1/10: FC, 15th International Conference on Financial Cryptography and Data Security, Bay Gardens Beach Resort, St. Lucia; Submissions are due
    • 10/ 4/10: SafeConfig, 2nd Workshop on Assurable & Usable Security Configuration, Held in conjunction with ACM CCS 2010, Chicago, Illinois, USA
    • 10/ 4/10: STC, 5th Annual Workshop on Scalable Trusted Computing, Held in conjunction with ACM CCS 2010, Chicago, Illinois, USA
    • 10/ 4/10-10/ 8/10: ACM-CCS, 17th ACM Conference on Computer and Communications Security, Chicago, IL, USA
    • 10/ 5/10: NPSec, 6th Workshop on Secure Network Protocols, Held in conjunction with ICNP 2010, Kyoto, Japan
    • 10/ 9/10: TrustCol, 5th International Workshop on Trusted Collaboration, Held in conjunction with the CollaborateCom 2010, Chicago, Illinois, USA
    • 10/15/10: IFIP-DF, 7th Annual IFIP WG 11.9 International Conference on Digital Forensics, Orlando, Florida, USA; Submissions are due
    • 10/18/10-10/20/10: ICTCI, 4th International Conference on Trusted Cloud Infrastructure, Shanghai, China
    • 10/18/10-10/20/10: eCRS, eCrime Researchers Summit, Dallas, Texas, USA
    • 10/20/10-10/21/10: Malware, 5th IEEE International Conference on Malicious and Unwanted Software, Nancy, France
    • 10/24/10: WESS, 5th Workshop on Embedded Systems Security, Scottsdale, AZ, USA
    • 10/25/10-10/28/10: ISC, 13th Information Security Conference, Boca Raton, Florida, USA
    • 10/28/10-10/29/10: EC2ND, 6th European Conference on Computer Network Defense, Berlin, Germany
    • 10/31/10: SESOC, 3rd International Workshop on Security and Social Networking, Held in conjunction with the PerCom 2011, Seattle, WA, USA; Submissions are due
    • 11/ 4/10-11/ 6/10: SIDEUS, 1st International Workshop on Securing Information in Distributed Environments and Ubiquitous Systems, Fukuoka, Japan
    • 11/ 4/10-11/ 6/10: CWECS, 1st International Workshop on Cloud, Wireless and e-Commerce Security, Fukuoka, Japan
    • 11/ 8/10-11/10/10: HST, 10th IEEE International Conference on Technologies for Homeland Security, Waltham, MA, USA
    • 11/15/10: IEEE Network, Special Issue on Network Traffic Monitoring and Analysis; Submissions are due
    • 11/19/10-11/19/10: IDMAN, 2nd IFIP WG 11.6 Working Conference on Policies & Research in Identity Management, Oslo, Norway
    • 11/22/10-11/23/10: GameSec, The Inaugural Conference on Decision and Game Theory for Security, Berlin, Germany
    • 11/29/10: SecIoT, 1st Workshop on the Security of the Internet of Things, Held in conjunction with the Internet of Things 2010, Tokyo, Japan
    • 11/30/10-12/ 3/10: CPSRT, International Workshop on Cloud Privacy, Security, Risk & Trust, Held in conjunction with the 2nd IEEE International Conference on Cloud Computing Technology and Science (CloudCom 2010), Indianapolis, IN, USA
    • 12/ 1/10-12/ 3/10: In-Bio-We-Trust, International Workshop on Bio-Inspired Trust Management for Information Systems, Held in conjunction with the Bionetics 2010, Boston, MA, USA; Submissions are due
    • 12/ 6/10-12/10/10: ACSAC, 26th Annual Computer Security Applications Conference, Austin, Texas, USA
    • 12/11/10-12/13/10: TrustCom, IEEE/IFIP International Symposium on Trusted Computing and Communications, Hong Kong SAR, China
    • 12/12/10-12/15/10: WIFS, International Workshop on Information Forensics & Security, Seattle, WA, USA
    • 12/13/10-12/15/10: Pairing, 4th International Conference on Pairing-based Cryptography, Yamanaka Hot Spring, Japan
    • 12/13/10-12/15/10: INTRUST, International Conference on Trusted Systems, Beijing, China
    • 12/15/10-12/19/10: ICISS, 6th International Conference on Information Systems Security, Gandhinagar, India
    • 1/30/11- 2/ 2/11: IFIP-DF, 7th Annual IFIP WG 11.9 International Conference on Digital Forensics, Orlando, Florida, USA
    • 2/ 6/11- 2/ 9/11: NDSS, Network & Distributed System Security Symposium, San Diego, California, USA
    • 2/ 9/11- 2/10/11: ESSoS, International Symposium on Engineering Secure Software and Systems, Madrid, Spain
    • 2/14/11- 2/18/11: CT-RSA, RSA Conference, The Cryptographers' Track, San Francisco, CA, USA
    • 2/21/11- 2/23/11: CODASPY, 1st ACM Conference on Data and Application Security and Privacy, San Antonio, TX, USA
    • 2/28/11- 3/ 4/11: FC, 15th International Conference on Financial Cryptography and Data Security, Bay Gardens Beach Resort, St. Lucia
    • 3/21/10: SESOC, 3rd International Workshop on Security and Social Networking, Held in conjunction with the PerCom 2011, Seattle, WA, USA
    • 3/21/11- 3/25/11: SAC-TRECK, 26th ACM Symposium on Applied Computing, Track: Trust, Reputation, Evidence and other Collaboration Know-how (TRECK), TaiChung, Taiwan
    
    
    
  • Calls for Papers, new calls or announcements added since Cipher E96

  • WESS 2010 5th Workshop on Embedded Systems Security, Scottsdale, AZ, USA, October 24, 2010. (Submissions due 26 July 2010)

    Embedded computing systems are widely found in application areas ranging from safety-critical systems to vital information management. This introduces a large number of security issues. Embedded systems are vulnerable to remote intrusion, local intrusion, fault-based and power/timing-based attacks, intellectual-property theft, subversion, hijacking and more. Due to their strong link to software engineering and hardware engineering, these security issues are different from the traditional security problems found on personal computers. For example, embedded devices are resource-constrained in power and performance, which requires them to use computationally efficient solutions. They have a very weak physical trust boundary, which enables many different implementation-oriented attacks. They use an intimate connection between hardware and software, often without the shielding of an operating system. This workshop provides a forum for researchers to present novel ideas on addressing security issues that arise in the design, the operation, and the testing of secure embedded systems. Of particular interest are security topics that are unique to embedded systems. Topics of Interest:

    • Trust models for secure embedded hardware and software
    • Isolation techniques for secure embedded hardware, hyperware, and software
    • System architectures for secure embedded systems
    • Metrics for secure design of embedded hardware and software
    • Security concerns for medical and other applications of embedded systems
    • Support for intellectual property protection and anti-counterfeiting
    • Specialized components for authentication, key storage and key generation
    • Support for secure debugging and troubleshooting
    • Implementation attacks and countermeasures
    • Design tools for secure embedded hardware and software
    • Hardware/software codesign for secure embedded systems
    • Specialized hardware support for security protocols

  • Journal of Network and Computer Applications, Special Issue on Trusted Computing and Communications, 2nd Quarter, 2011. (Submission Due 1 August 2010)

    Guest editor: Laurence T. Yang (St. Francis Xavier University, Canada) and Guojun Wang (Central South University, China)
    
    With the rapid development and the increasing complexity of computer and communications systems and networks, traditional security technologies and measures can not meet the demand for integrated and dynamic security solutions. As a challenging and innovative research field, trusted computing and communications target computer and communications systems and networks that are available, secure, reliable, controllable, dependable, and so on. In a word, they must be trustworthy. If we view the traditional security as identity trust, the broader field of trusted computing and communications also includes behavior trust of systems and networks. In fact, trusted computing and communications have become essential components of various distributed services, applications, and systems, including self-organizing networks, social networks, semantic webs, e-commence, and e-government. Research areas of relevance would therefore include, but not only limited to, the following topics:

    • Trusted computing platform and paradigm
    • Trusted systems and architectures
    • Trusted operating systems
    • Trusted software
    • Trusted database
    • Trusted services and applications
    • Trust in e-commerce and e-government
    • Trust in mobile and wireless networks
    • Trusted communications and networking
    • Reliable and fault-tolerant computer systems/networks
    • Survivable computer systems/networks
    • Autonomic and dependable computer systems/networks

  • IEEE Software, Special Issue on Software Protection, March, 2011. (Submission Due 1 August 2010)

    Guest editor: Paolo Falcarin (University of East London, UK), Christian Collberg (University of Arizona, USA), Mikhail Atallah (Purdue University, USA), and Mariusz Jakubowski (Microsoft Research)
    
    Software protection is an area of growing importance in software engineering and security: leading-edge researchers have developed several pioneering approaches for preventing or resisting software piracy and tampering, building a heterogeneous body of knowledge spanning different topics: obfuscation, information hiding, reverse engineering, source/binary code transformation, operating systems, networking, encryption, and trusted computing. IEEE Software seeks submissions for a special issue on software protection. We seek articles that present proven mechanisms and strategies to mitigate one or more of the problems faced by software protection. These strategies should offer practitioners appropriate methods, approaches, techniques, guidelines, and tools to support evaluation and integration of software protection techniques into their software products. Possible topics include:

    • Analysis of legal, ethical, and usability aspects of software protection
    • Best practices and lesson learned while dealing with different relevant threats
    • Case studies on success and/or failure in applying software protections
    • Code obfuscation and reverse-engineering complexity
    • Computing with encrypted functions and data
    • Protection of authorship: watermarking and fingerprinting
    • Remote attestations and network-based approaches
    • Security evaluation of software protection's effectiveness
    • Software protection methods used by malware (viruses, rootkits, worms, and botnets)
    • Source and binary code protections
    • Tamper-resistant software: mobile, self-checking, and self-modifying code
    • Tools to implement or defeat software protections
    • Trusted computing or other hardware-assisted protection
    • Virtualization and protections based on operating systems

  • INTRUST 2010 International Conference on Trusted Systems, Beijing, China, December 13-15, 2010. (Submissions due 1 August 2010)

    INTRUST 2010 conference focuses on the theory, technologies and applications of trusted systems. It is devoted to all aspects of trusted computing systems, including trusted modules, platforms, networks, services and applications, from their fundamental features and functionalities to design principles, architecture and implementation technologies. The goal of the conference is to bring academic and industrial researchers, designers, and implementers together with end-users of trusted systems, in order to foster the exchange of ideas in this challenging and fruitful area. INTRUST 2010 solicits original papers on any aspect of the theory, advanced development and applications of trusted computing, trustworthy systems and general trust issues in modern computing systems. The conference will have an academic track and an industrial track. This call for papers is for contributions to both of the tracks. Submissions to the academic track should emphasize theoretical and practical research contributions to general trusted system technologies, while submissions to the industrial track may focus on experiences in the implementation and deployment of real-world systems.

  • NDSS 2011 Network & Distributed System Security Symposium, San Diego, California, USA, February 6-9, 2011. (Submissions due 6 August 2010)

    The Network and Distributed System Security Symposium fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available network and distributed systems security technology. Special emphasis will be made to accept papers in the core theme of network and distributed systems security. Consequently, papers that cover networking protocols and distributed systems algorithms are especially invited to be submitted. Moreover, practical papers in these areas are also very welcome. Submissions are solicited in, but not limited to, the following areas:

    • Integrating security in Internet protocols: routing, naming, network management
    • High-availability wired and wireless networks
    • Security for Cloud Computing
    • Future Internet architecture and design
    • Security of Web-based applications and services
    • Anti-malware techniques: detection, analysis, and prevention
    • Security for future home networks, Internet of Things, body-area networks
    • Intrusion prevention, detection, and response
    • Combating cyber-crime: anti-phishing, anti-spam, anti-fraud techniques
    • Privacy and anonymity technologies
    • Security for emerging technologies: sensor networks, wireless/mobile (and ad hoc) networks, and personal communication systems
    • Security for Vehicular Ad-hoc Networks (VANETs)
    • Security for peer-to-peer and overlay network systems
    • Security for electronic commerce: e.g., payment, barter, EDI, notarization, timestamping, endorsement, and licensing
    • Implementation, deployment and management of network security policies
    • Intellectual property protection: protocols, implementations, metering, watermarking, digital rights management
    • Public key infrastructures, key management, certification, and revocation
    • Special problems and case studies: e.g., tradeoffs between security and efficiency, usability, reliability and cost
    • Security for collaborative applications: teleconferencing and video-conferencing
    • Security for large-scale systems and critical infrastructures (e.g., electronic voting, smart grid)
    • Applying Trustworthy Computing mechanisms to secure network protocols and distributed systems

  • CPSRT 2010 International Workshop on Cloud Privacy, Security, Risk & Trust, Held in conjunction with the 2nd IEEE International Conference on Cloud Computing Technology and Science (CloudCom 2010), Indianapolis, IN, USA, November 30 - December 3, 2010. (Submissions due 20 August 2010)

    Cloud computing has emerged to address an explosive growth of web-connected devices, and handle massive amounts of data. It is defined and characterized by massive scalability and new Internet-driven economics. Yet, privacy, security, and trust for cloud computing applications are lacking in many instances and risks need to be better understood. Privacy in cloud computing may appear straightforward, since one may conclude that as long as personal information is protected, it shouldn't matter whether the processing is in a cloud or not. However, there may be hidden obstacles such as conflicting privacy laws between the location of processing and the location of data origin. Cloud computing can exacerbate the problem of reconciling these locations if needed, since the geographic location of processing can be extremely difficult to find out, due to cloud computing's dynamic nature. Another issue is user-centric control, which can be a legal requirement and also something consumers want. However, in cloud computing, the consumers' data is processed in the cloud, on machines they don't own or control, and there is a threat of theft, misuse or unauthorized resale. Thus, it may even be necessary in some cases to provide adequate trust for consumers to switch to cloud services. In the case of security, some cloud computing applications simply lack adequate security protection such as fine-grained access control and user authentication (e.g. Hadoop). Since enterprises are attracted to cloud computing due to potential savings in IT outlay and management, it is necessary to understand the business risks involved. If cloud computing is to be successful, it is essential that it is trusted by its users. Therefore, we also need studies on cloud-related trust topics, such as what are the components of such trust and how can trust be achieved, for security as well as for privacy. The CPSRT workshop will bring together a diverse group of academics as well as government and industry practitioners in an integrated state-of-the-art analysis of privacy, security, risk, and trust in the cloud. The workshop will address cloud issues specifically related to (but not limited to) the following topics of interest:

    • Access control and key management
    • Security and privacy policy management
    • Identity management
    • Remote data integrity protection
    • Secure computation outsourcing
    • Secure data management within and across data centers
    • Secure distributed data storage
    • Secure resource allocation and indexing
    • Intrusion detection/prevention
    • Denial-of-Service (DoS) attacks and defense
    • Web service security, privacy, and trust
    • User requirements for privacy
    • Legal requirements for privacy
    • Privacy enhancing technologies
    • Privacy aware map-reduce framework
    • Risk or threat identification and analysis
    • Risk or threat management
    • Trust enhancing technologies
    • Trust management

  • CT-RSA 2011 RSA Conference, The Cryptographers' Track, San Francisco, CA, USA, February 14-18, 2011. (Submissions due 20 August 2010)

    The RSA Conference is the largest annual computer security event, with over 350 vendors, and thousands of attendees. The Cryptographers' Track (CT-RSA) is a research conference within the RSA Conference. CT- RSA has begun in 2002, and has become an established venue for presenting cryptographic research papers. Original research papers pertaining to all aspects of cryptography are solicited. Submissions may present applications, techniques, theory, and practical experience on topics including, but not limited to:

    • public-key encryption
    • symmetric-key encryption
    • cryptanalysis
    • digital signatures
    • hash functions
    • cryptographic protocols
    • tamper-resistance
    • fast implementations
    • elliptic-curve cryptography
    • lattice-based cryptography
    • quantum cryptography
    • formal security models
    • network security
    • hardware security
    • e-commerce

  • SAC-TRECK 2011 26th ACM Symposium on Applied Computing, Track: Trust, Reputation, Evidence and other Collaboration Know-how (TRECK), TaiChung, Taiwan, March 21-25, 2011. (Submissions due 24 August 2010)

    The goal of the ACM SAC 2011 TRECK track remains to review the set of applications that benefit from the use of computational trust and online reputation. Computational trust has been used in reputation systems, risk management, collaborative filtering, social/business networking services, dynamic coalitions, virtual organisations and even combined with trusted computing hardware modules. The TRECK track covers all computational trust/reputation applications, especially those used in real-world applications. The topics of interest include, but are not limited to:

    • Trust management, reputation management and identity management
    • Pervasive computational trust and use of context-awareness
    • Mobile trust, context-aware trust
    • Web 2.0 reputation and trust
    • Trust-based collaborative applications
    • Automated collaboration and trust negotiation
    • Trade-off between privacy and trust
    • Trust/risk-based security frameworks
    • Combined computational trust and trusted computing
    • Tangible guarantees given by formal models of trust and risk
    • Trust metrics assessment and threat analysis
    • Trust in peer-to-peer and open source systems
    • Technical trust evaluation and certification
    • Impacts of social networks on computational trust
    • Evidence gathering and management
    • Real-world applications, running prototypes and advanced simulations
    • Applicability in large-scale, open and decentralised environments
    • Legal and economic aspects related to the use of trust and reputation engines
    • User-studies and user interfaces of computational trust and online reputation applications

  • Wiley Security and Communication Networks (SCN), Special Issue on Defending Against Insider Threats and Internal Data Leakage, 2011. (Submission Due 31 August 2010)

    Guest editor: Elisa Bertino (Purdue university, USA), Gabriele Lenzini (SnT-Univ. of Luxembourg, Luxembourg), Marek R. Ogiela (AGH University of Science & Technology, Poland), and Ilsun You (Korean Bible University, Korea)
    
    This special issue collects scientific studies and works reporting on the most recent challenges and advances in security technologies and management systems about protecting an organization's information from corporate malicious activities. It aims to be the showcase for researchers that address the problems on how to prevent the leakage of organizations' information caused by insiders. The contributions to this special issue can conduct state-of-the-art surveys and case-analyses of practical significance, which, we wish, will support and foster further research and technology improvements related to this important subject. Papers on practical as well as on theoretical topics are invited. Topics include (but are not limited to):

    • Theoretical foundations and algorithms for addressing insider threats
    • Insider threat assessment and modeling
    • Security technologies to prevent, detect and avoid insider threats
    • Validating the trustworthiness of staff
    • Post-insider threat incident analysis
    • Data breach modeling and mitigation techniques
    • Authentication and identification
    • Certification and authorization
    • Database security
    • Device control system
    • Digital forensic system
    • Digital right management system
    • Fraud detection
    • Network access control system
    • Intrusion detection
    • Keyboard information security
    • Information security governance
    • Information security management systems
    • Risk assessment and management
    • Log collection and analysis
    • Trust management
    • Secure information splitting and sharing algorithms
    • Steganography and subliminal channels
    • IT compliance (audit)
    • Continuous auditing
    • Socio-Technical Engineering Attack to Security and Privacy

  • IEEE Internet Computing, Special Issue on Security and Privacy in Social Networks, May/June 2011. (Submission Due 1 September 2010)

    Guest editor: Gail-Joon Ahn (Arizona State University, USA), Mohamed Shehab (UNC Charlotte, USA), and Anna Squicciarini (Penn State University, USA)
    
    Social networks where people exchange personal and public information have enabled users to connect with their friends, coworkers, colleagues, family and even with strangers. Several social networking sites have developed to facilitate such social interactions and sharing activities on the Internet over the past several years. The popularity of social networking sites on the Internet introduces the use of mediated­communication into the relationship development process. Also, online social networks have recently emerged as a promising area of research with a vast reach and application space. Users post information on their profiles to share and interact with their other friends in the social network. Social networks are not limited to simple entertaining applications; instead several critical businesses have adopted social networks to attract new customer spaces and to provide new services. The current trends of social networks are indirectly requiring users to become system and policy administrators for protecting their content in this social setting. This is further complicated by the rapid growth rate of social networks and by the continuous adoption of new services on social networks. Furthermore, the use of personal information in social networks raises entirely new privacy concerns and requires new insights on security problems. Several studies and recent news have highlighted the increasing risk of misuse of personal data processed by online social networking applications and the lack of awareness among the user population. The security needs of social networks are still not well understood and are not fully defined. Nevertheless it is clear these will be quite different from classic security requirements. It is important to bring a depth of security experience from multiple security domains and technologies to this field as well as depth and breadth of knowledge about social networks. The aim of this special issue is to encompass research advances in all areas of security and privacy in social networks. We welcome contributions relating to novel technologies and methodologies for securely building and managing social networks and relevant secure applications as well as to cross-cutting issues. Topics of interest include but are not limited to:

    • Access control and identity management
    • Delegation and secure collaboration
    • Information flow, diffusion and auditing
    • Malware analysis in social networks
    • Privacy challenges and mechanism
    • Risk assessment and management
    • Secure social-network application development and methodologies
    • Secure object tagging, bookmarking and annotations
    • Trust and reputation management
    • Usability driven security mechanisms

  • In-Bio-We-Trust 2010 International Workshop on Bio-Inspired Trust Management for Information Systems, Held in conjunction with the Bionetics 2010, Boston, MA, USA, December 1-3, 2010. (Submissions due 1 September 2010)

    Traditional security mechanisms fall short of what new information systems need. To fix this problem, two research communities have recently proposed new security mechanisms. One of those communities is called "bio-inspired systems" and is increasingly borrowing ideas from nature to make information systems more effective and robust. The other is called "trust management systems" and has been proposing and scrutinizing algorithms for information systems that mimic how people manage trust in society. Increasingly the two communities are working on similar research problems but, alas, they are doing so separately. Although there is an enormous number of potentially useful bio-inspired mechanisms that can be exploited in trust management, it comes as a surprise that bio-inspired trust management has not received any attention at all. Clearly,the dialog between researchers in bio-inspired systems and in trust management should widen. The workshop seeks to bring together the world's experts in both communities, and to stimulate and disseminate interesting research ideas and results. Contributions are solicited in all aspects of bio-inspired and trust management systems, including:

    • Bio-inspired models for managing trust in any information systems: virtual organizations, grid and cloud computing, mobile-ad-hoc/opportunistic/delay-tolerant networks, service oriented architectures, self-organizing networks and communities, mobile cooperative systems, mobile platforms, recommender systems.
    • Fixed and mobile architectures and protocols for distributed trust management.
    • Identity management in trust models.
    • Security attacks to trust systems and adaptive bio-inspired defenses.
    • Incorporation of bio-inspired algorithms into security communication protocols and computing architectures.
    • Descriptions of pilot programs, case studies, applications, work-in-progress, surveys, and experiments integrating biological designs or trust and security aspects into information systems.

  • SecIoT 2010 1st Workshop on the Security of the Internet of Things, Held in conjunction with the Internet of Things 2010, Tokyo, Japan, November 29, 2010. (Submissions due 10 September 2010)

    While there are many definitions of the Internet of Things (IoT), all of them revolve around the same central concept: a world-wide network of interconnected objects. These objets will make use of multiple technological building blocks, such as wireless communication, sensors, actuators, and RFID, in order to allow people and things to be connected anytime anyplace, with anything and anyone. However, before this new vision takes its first steps, it is essential to consider the security implications of billions of intelligent things cooperating with other real and virtual entities over the Internet. SecIoT'10 wants to bring together researchers and professionals from universities, private companies and Public Administrations interested or involved in all security-related heterogeneous aspects of the Internet of Things. We invite research papers, work-in-progress reports, R&D projects results, surveying works and industrial experiences describing significant security advances in the following (non-exclusive) areas of the Internet of Things:

    • New security problems in the context of the IoT
    • Privacy risks and data management problems
    • Identifying, authenticating, and authorizing entities
    • Development of trust frameworks for secure collaboration
    • New cryptographic primitives for constrained "things"
    • Connecting heterogeneous ecosystems and technologies
    • Legal Challenges and Governance Issues
    • Resilience to external and internal attacks
    • Context-Aware security
    • Providing protection to an IP-connected IoT
    • Web services security and other application-layer issues

  • ESSoS 2011 International Symposium on Engineering Secure Software and Systems, Madrid, Spain, February 9-10, 2011. (Submissions due 13 September 2010)

    Trustworthy, secure software is a core ingredient of the modern world. Unfortunately, the Internet is too. Hostile, networked environments, like the Internet, can allow vulnerabilities in software to be exploited from anywhere. To address this, high-quality security building blocks (e.g., cryptographic components) are necessary, but insufficient. Indeed, the construction of secure software is challenging because of the complexity of modern applications, the growing sophistication of security requirements, the multitude of available software technologies and the progress of attack vectors. Clearly, a strong need exists for engineering techniques that scale well and that demonstrably improve the software's security properties. The Symposium seeks submissions on subjects related to its goals. This includes a diversity of topics including (but not limited to):

    • scalable techniques for threat modeling and analysis of vulnerabilities
    • specification and management of security requirements and policies
    • security architecture and design for software and systems
    • model checking for security
    • specification formalisms for security artifacts
    • verification techniques for security properties
    • systematic support for security best practices
    • security testing
    • security assurance cases
    • programming paradigms, models and DLS's for security
    • program rewriting techniques
    • processes for the development of secure software and systems
    • security-oriented software reconfiguration and evolution
    • security measurement
    • automated development
    • trade-off between security and other non-functional requirements
    • support for assurance, certification and accreditation

  • IEEE Transactions on Information Forensics and Security, Special Issue on Using the Physical Layer for Securing the Next Generation of Communication Systems, June 1, 2011. (Submission Due 15 September 2010)

    Guest editor: Vincent Poor (Princeton University, USA), Wade Trappe (Rutgers University, USA), Aylin Yener (Pennsylvania State University,USA), Hisato Iwai (Doshisha University, Japan), Joao Barros (University of Porto, Portugal), and Paul Prucnal (Princeton University, USA)
    
    Communication technologies are undergoing a renaissance as there is a movement to explore new, clean slate approaches for building communication networks. Although future Internet efforts promise to bring new perspectives on protocol designs for high-bandwidth, access-anything from anywhere services, ensuring that these new communication systems are secure will also require a re-examination of how we build secure communication infrastructures. Traditional approaches to building and securing networks are tied tightly to the concept of protocol layer separation. For network design, routing is typically considered separately from link layer functions, which are considered independently of transport layer phenomena or even the applications that utilize such functions. Similarly, in the security arena, MAC-layer security solutions (e.g. WPA2 for 802.11 devices) are typically considered as point-solutions to address threats facing the link layer, while routing and transport layer security issues are dealt with in distinct, non-integrated protocols like IPSEC and TLS. The inherent protocol separation involved in security solutions is only further highlighted by the fact that the physical layer is generally absent from consideration. This special issue seeks to provide a venue for ongoing research area in physical layer security across all variety of communication media, ranging from wireless networks at the edge to optical backbones at the core of the network. The scope of this special issue will be interdisciplinary, involving contributions from experts in the areas of cryptography, computer security, information theory, signal processing, communications theory, and propagation theory. In particular, the areas of interest include, but are not limited to, the following:

    • Information-theoretic formulations for confidentiality and authentication
    • Generalizations of Wyner's wiretap problem to wireless and optical systems
    • Physical layer techniques for disseminating information
    • Techniques to extract secret keys from channel state information
    • Secrecy of MIMO and multiple-access channels
    • Physical layer methods for detecting and thwarting spoofing and Sybil attacks
    • Techniques to achieve covert or stealthy communication at the physical layer
    • Quantum cryptography
    • Modulation recognition and forensics
    • Security and trustworthiness in cooperative communication
    • Fast encryption using physical layer properties
    • Attacks and threat analyses targeted at subverting physical layer communications

  • CODASPY 2011 1st ACM Conference on Data and Application Security and Privacy, San Antonio, TX, USA, February 21-23, 2011. (Submissions due 15 September 2010)

    Data and the applications that manipulate data are the crucial assets in today's information age. With the increasing drive towards availability of data and services anytime anywhere, security and privacy risks have increased. New applications such as social networking and social computing provide value by aggregating input from numerous individual users and/or the mobile devices they carry with them and computing new information of value to society and individuals. Data and applications security and privacy has rapidly expanded as a research field with many important challenges to be addressed. The goal of the conference is to discuss novel exciting research topics in data and application security and privacy and to lay out directions for further research and development in this area. The conference seeks submissions from diverse communities, including corporate and academic researchers, open-source projects, standardization bodies, governments, system and security administrators, software engineers and application domain experts.

  • FC 2011 15th International Conference on Financial Cryptography and Data Security, Bay Gardens Beach Resort, St. Lucia, February 28 - March 4, 2011. (Submissions due 1 October 2010)

    Financial Cryptography and Data Security is a major international forum for research, advanced development, education, exploration, and debate regarding information assurance, with a specific focus on commercial contexts. The conference covers all aspects of securing transactions and systems. Original works focusing on both fundamental and applied real-world deployments on all aspects surrounding commerce security are solicited. Submissions need not be exclusively concerned with cryptography. Systems security and inter-disciplinary efforts are particularly encouraged.

  • IFIP-DF 2011 7th Annual IFIP WG 11.9 International Conference on Digital Forensics, Orlando, Florida, USA, January 30 - February 2, 2011. (Submissions due 15 October 2010)

    The IFIP Working Group 11.9 on Digital Forensics (www.ifip119.org) is an active international community of scientists, engineers and practitioners dedicated to advancing the state of the art of research and practice in the emerging field of digital forensics. The Seventh Annual IFIP WG 11.9 International Conference on Digital Forensics will provide a forum for presenting original, unpublished research results and innovative ideas related to the extraction, analysis and preservation of all forms of electronic evidence. Papers and panel proposals are solicited. All submissions will be refereed by a program committee comprising members of the Working Group. Papers and panel submissions will be selected based on their technical merit and relevance to IFIP WG 11.9. The conference will be limited to approximately sixty participants to facilitate interactions between researchers and intense discussions of critical research issues. Keynote presentations, revised papers and details of panel discussions will be published as an edited volume - the seventh in the series entitled Research Advances in Digital Forensics (Springer) in the summer of 2011. Revised and/or extended versions of selected papers from the conference will be published in special issues of one or more international journals. Technical papers are solicited in all areas related to the theory and practice of digital forensics. Areas of special interest include, but are not limited to:

    • Theories, techniques and tools for extracting, analyzing and preserving digital evidence
    • Network forensics
    • Portable electronic device forensics
    • Digital forensic processes and workflow models
    • Digital forensic case studies
    • Legal, ethical and policy issues related to digital forensics

  • SESOC 2011 3rd International Workshop on Security and Social Networking, Held in conjunction with the PerCom 2011, Seattle, WA, USA, March 21, 2011. (Submissions due 31 October 2010)

    Future pervasive communication systems aim at supporting social and collaborative communications: the evolving topologies are expected to resemble the actual social networks of the communicating users and information on their characteristics can be a powerful aid for any network operation. New emerging technologies that use information on the social characteristics of their participants raise entirely new privacy concerns and require new reflections on security problems such as trust establishment, cooperation enforcement or key management. The aim of this workshop is to encompass research advances in all areas of security, trust and privacy in pervasive communication systems, integrating the social structure of the network as well. Topics of Interest include:

    • all types of emerging privacy concerns
    • new aspects of trust
    • decentralized social networking services
    • availability and resilience
    • community based secure communication
    • data confidentiality, data integrity
    • anonymity, pseudonymity
    • new key management approaches
    • secure bootstrapping
    • security issues in forwarding, routing
    • security aspects regarding cooperation
    • new approaches to reputation
    • new attack paradigms
    • social engineering, and phishing
    • new requirements for software security
    • malware

  • IEEE Network, Special Issue on Network Traffic Monitoring and Analysis, May 2011. (Submission Due 15 November 2010)

    Guest editor: Wei Wang (University of Luxembourg, Luxembourg), Xiangliang Zhang (University of Paris-sud 11, France), Wenchang Shi (Renmin University of China, China), Shiguo Lian (France Telecom R&D Beijing, China), and Dengguo Feng (Chinese Academy of Sciences, China)
    
    Modern computer networks are increasingly complex and ever-evolving. Understanding and measuring such a network is a difficult yet vital task for network management and diagnosis. Network traffic monitoring, analysis and anomaly detection provides useful tools in understanding network behavior and in determining network performance and reliability so as to effectively troubleshoot and resolve the issues in practice. Network traffic monitoring and anomaly detection also provides a basis for prevention and reaction in network security, as intrusions, attacks, worms, and other kinds of malicious behaviors can be detected by traffic analysis and anomaly detection. This special issue seeks original articles examining the state of the art, open issues, research results, tool evaluation, and future research directions in network monitoring, analysis and anomaly detection. Possible topics include:

    • Network traffic analysis and classification
    • Traffic sampling and signal processing methods
    • Network performance measurements
    • Network anomaly detection and troubleshooting
    • Network security threats and countermeasures
    • Network monitoring and traffic measurement systems
    • Real environment experiments and testbeds

 

• The Technical Committee on Security and Privacy

 

• Listing of academic positions available  by Cynthia Irvine
  

  Posted June 2010
  George Mason University
  Department of Applied Information Technology
  Fairfax, VA
  Review of applications will continue until positions are filled
  http://jobs.gmu.edu, Position number F9379z

 

• Staying in touch....

  • Information for Subscribers and Contributors

  • Who's where: recent address changes

  • Changing your email address?  Please send updates to cipher@ieee-security.org