Cipher Electronic Newsletter of the Technical Committe on    Security & Privacy A Technical Committee of the Computer Society of the IEEE  Electronic Issue (EI) 100,  January 19, 2011 Hilarie Orman,  Editor Book Reviews Sven Dietrich, Associate Editor Yong Guan, Calendar Editor

Contents:

• Letter from the Editor 
   

• Commentary and Opinion

  • Richard Austin's review of SQL Injection Attacks and Defense by Justin Clarke

  • Book announcement of Surveillance or Security?: The Risks Posed by New Wiretapping Technologies by Susan Landau

  • News Items
    Announcements and correspondence from readers (please contribute!)

    • Stuxnet and Its Centrifuge Rampage, January 16, 2011, New York Times
    • Why the Stuxnet worm could be Conficker's cousin, January 19, 2011, USA Today

  • Book reviews from past Cipher issues

  • Conference Reports and Commentary from past Cipher issues

  • News items from past Cipher issues

 

• The Technical Committee on Security and Privacy

 

• Listing of academic positions available  by Cynthia Irvine
  

  • Posted January 2011
    California State University, Fullerton
    Fullerton, California
    Assistant Professor, tenure-track
    Application review will commence on January 17, 2011 and continue until filled
    http://diversity.fullerton.edu
  • Posted January 2011
    Polytechnic Institute of NYU
    Brooklyn, New York
    Asst. Assoc or Full Professor
    Position open until filled
    http://www.poly.edu/academics/departments/computer/faculty-search/cybersecurity
  • Posted December 2010
    Internetworked Systems Security Network (NSERC ISSNet)
    Location: One of eight cities across Canada
    Postdoctoral Fellowships
    Accepting applications in 2011 until positions are filled
    https://www.issnet.ca/call_for_post-doc_fellows
  • Posted October 2010 (updated December 2010)
    Rutgers University
    Management Science and Information Systems Department
    Piscataway, New Jersey
    Tenure-track Assistant/Associate professor
    Applications received by February 1, 2011 are given full consideration
    http://www.business.rutgers.edu/files/msis_communications_of_the_acm.pdf
 

• Staying in touch....

  • Information for Subscribers and Contributors

• Conference and Workshop Announcements

  • Cipher calls-for-papers and calendar
      Calendar (the calls-for-papers and the calendar announcements may differ slightly in content or time of update): 
      Cipher calendar announcements are on Twitter; follow "ciphernews"
    
    

  • 1/17/11: CSC, Workshop on Cryptography and Security in Clouds, Zurich, Switzerland; Submissions are due
  • 1/19/11: HOST, 4th IEEE International Sympoium on Hardware-Oriented Security and Trust, San Diego, CA, USA; Submissions are due
  • 1/21/11: ACNS, 9th International Conference on Applied Cryptography and Network Security, Nerja, Malaga, Spain; Submissions are due
  • 1/21/11: DIMVA, 8th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Amsterdam, The Netherlands; Submissions are due
  • 1/25/11: LEET, 4th USENIX Workshop on Large-Scale Exploits and Emergent Threats, Boston, MA, USA; Submissions are due
  • 1/30/11- 2/ 2/11: IFIP-DF, 7th Annual IFIP WG 11.9 International Conference on Digital Forensics, Orlando, Florida, USA
  • 1/31/11: IH, 13th Information Hiding Conference, Prague, Czech Republic; Submissions are due
  • 2/ 4/11: D-SPAN, 2nd IEEE International Workshop on Data Security and PrivAcy in wireless Networks, Held in conjunction with IEEE WoWMoM 2011, Lucca, Italy; Submissions are due
  • 2/ 6/11- 2/ 9/11: NDSS, Network & Distributed System Security Symposium, San Diego, California, USA
  • 2/ 9/11: CSF, 24th IEEE Computer Security Foundations Symposium, Domaine de l'Abbaye des Vaux-de-Cernay, France; Submissions are due
  • 2/ 9/11- 2/10/11: ESSoS, International Symposium on Engineering Secure Software and Systems, Madrid, Spain
  • 2/10/11: USENIX Security, 20th USENIX Security Symposium, San Francisco, CA, USA; Submissions are due
  • 2/14/11: SAR/SSI, International Conference on Network and Information Systems Security, La Rochelle, France; Submissions are due
  • 2/14/11: DBSec, 25th Annual WG 11.3 Conference on Data and Applications Security and Privacy, Richmond, Virginia, USA; Submissions are due
  • 2/14/11- 2/16/11: FSE, 18th International Workshop on Fast Software Encryption, Lyngby, Denmark
  • 2/14/11- 2/18/11: CT-RSA, RSA Conference, The Cryptographers' Track, San Francisco, CA, USA
  • 2/15/11: TRUST, 4th International Conference on Trust and Trustworthy Computing, Pittsburgh, PA, USA; Submissions are due
  • 2/15/11: ID, ACM/Springer International Workshop on Identity: Security, Management & Applications, Kochi, Kerala, India; Submissions are due
  • 2/18/11: SADFE, International Workshop on Systematic Approaches to Digital Forensic Engineering, Held in conjunction with the IEEE Symposium on Security and Privacy (SP 2011), Berkeley, CA, USA; Submissions are due
  • 2/21/11- 2/23/11: CODASPY, 1st ACM Conference on Data and Application Security and Privacy, San Antonio, TX, USA
  • 2/23/11: IEEE Security and Privacy Magazine, Special Issue on Living with Insecurity; Submissions are due
  • 2/27/11: DFRWS, 11th Digital Forensics Research Conference, New Orleans, LA, USA; Submissions are due
  • 2/27/11: SAFECOMP, 30th International Conference on Computer Safety, Reliability and Security, Naples, Italy; Submissions are due
  • 2/28/11: PETS, 11th Privacy Enhancing Technologies Symposium, Waterloo, ON, Canada; Submissions are due
  • 2/28/11- 3/ 4/11: FC, 15th International Conference on Financial Cryptography and Data Security, Bay Gardens Beach Resort, St. Lucia
  • 3/ 4/11: WECSR, 2nd Workshop on Ethics in Computer Security Research, Bay Gardens Beach Resort, St. Lucia
  • 3/ 7/11: International Journal of Secure Software Engineering, Special Issue on Lessons Learned in Engineering Secure & Dependable Web Applications; Submissions are due
  • 3/14/11- 3/15/11: LightSec, Workshop on Lightweight Security & Privacy: Devices, Protocols, and Applications, Istanbul, Turkey
  • 3/15/11- 3/16/11: CSC, Workshop on Cryptography and Security in Clouds, Zurich, Switzerland
  • 3/20/10: PST, 9th International Conference on Privacy, Security and Trust, Montreal, Quebec, Canada; Submissions are due
  • 3/21/10: ESORICS, 16th European Symposium on Research in Computer Security, Leuven, Belgium; Submissions are due
  • 3/21/10: SESOC, 3rd International Workshop on Security and Social Networking, Held in conjunction with the PerCom 2011, Seattle, WA, USA
  • 3/21/11- 3/25/11: SAC-TRECK, 26th ACM Symposium on Applied Computing, Track: Trust, Reputation, Evidence and other Collaboration Know-how (TRECK), TaiChung, Taiwan
  • 3/23/11- 3/25/11: IFIP-CIP, 5th Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, Hanover, New Hampshire, USA
  • 3/29/10: FCS, Workshop on Foundations of Computer Security, Held in conjunction with LICS 2011, Toronto, Ontario, Canada; Submissions are due
  • 3/25/10: W2SP, Web 2.0 Security and Privacy 2011 Workshop, Held in conjunction with IEEE Symposium on Security and Privacy (SP 2011), Berkeley, CA, USA; Submissions are due
  • 3/29/11: LEET, 4th USENIX Workshop on Large-Scale Exploits and Emergent Threats, Boston, MA, USA
  • 3/31/10: RAID, 14th International Symposium on Recent Advances in Intrusion Detection, Menlo Park, CA, USA; Submissions are due
  • 4/ 6/11- 4/ 8/11: RFIDsec-Asia, Workshop on RFID Security, Wuxi, China
  • 5/18/11- 5/20/11: IH 2011 13th Information Hiding Conference, Prague, Czech Republic
  • 5/18/11- 5/21/11: SAR/SSI, International Conference on Network and Information Systems Security, La Rochelle, France
  • 5/22/11- 5/25/11: SP, 32nd IEEE Symposium on Security & Privacy, The Claremont Resort, Berkeley/Oakland, California, USA
  • 5/26/11: SADFE, International Workshop on Systematic Approaches to Digital Forensic Engineering, Held in conjunction with the IEEE Symposium on Security and Privacy (SP 2011), Berkeley, CA, USA
  • 5/26/10: W2SP, Web 2.0 Security and Privacy 2011 Workshop, Held in conjunction with IEEE Symposium on Security and Privacy (SP 2011), Berkeley, CA, USA
  • 5/30/11- 6/ 1/11: ISPEC, 7th Information Security Practice and Experience Conference, Guangzhou, China
  • 6/ 1/11- 6/ 3/11: WISTP, 5th Workshop in Information Security Theory and Practice, Heraklion, Crete, Greece
  • 6/ 5/11- 6/ 6/11: HOST, 4th IEEE International Symposium on Hardware-Oriented Security and Trust, San Diego, CA, USA
  • 6/ 5/11- 6/ 9/11: ICC-CISS, IEEE ICC 2011, Communication and Information Systems Security Symposium, Kyoto, Japan
  • 6/ 6/11- 6/ 8/11: POLICY, 12th IEEE International Symposium on Policies for Distributed Systems and Networks, Pisa, Italy
  • 6/ 7/11- 6/ 9/11: IFIP-SEC, 26th IFIP TC-11 International Information Security Conference, Luzern, Switzerland
  • 6/ 7/11- 6/10/11: ACNS, 9th International Conference on Applied Cryptography and Network Security, Nerja, Malaga, Spain
  • 6/14/11- 6/17/11: WiSec, 4th ACM Conference on Wireless Network Security, Hamburg, Germany
  • 6/15/11- 6/17/11: SACMAT, 16th ACM Symposium on Access Control Models and Technologies, Innsbruck, Austria
  • 6/20/11: D-SPAN, 2nd IEEE International Workshop on Data Security and PrivAcy in wireless Networks, Held in conjunction with IEEE WoWMoM 2011, Lucca, Italy
  • 6/20/11: FCS, Workshop on Foundations of Computer Security, Held in conjunction with LICS 2011, Toronto, Ontario, Canada
  • 6/22/11- 6/24/11: TRUST, 4th International Conference on Trust and Trustworthy Computing, Pittsburgh, PA, USA
  • 6/27/11- 6/29/11: CSF, 24th IEEE Computer Security Foundations Symposium, Domaine de l'Abbaye des Vaux-de-Cernay, France
  • 6/29/11- 7/ 1/11: IFIPTM, 5th IFIP International Conference on Trust Management, Copenhagen, Denmark
  • 7/ 7/11- 7/ 8/11: DIMVA, 8th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Amsterdam, The Netherlands
  • 7/11/11- 7/13/11: DBSec, 25th Annual WG 11.3 Conference on Data and Applications Security and Privacy, Richmond, Virginia, USA
  • 7/19/11- 7/21/11: PST, 9th International Conference on Privacy, Security and Trust, Montreal, Quebec, Canada
  • 7/22/11- 7/24/11: ID, ACM/Springer International Workshop on Identity: Security, Management & Applications, Kochi, Kerala, India
  • 7/27/11- 7/29/11: PETS, 11th Privacy Enhancing Technologies Symposium, Waterloo, ON, Canada
  • 8/ 1/11- 8/ 3/11: DFRWS, 11th Digital Forensics Research Conference, New Orleans, LA, USA
  • 8/10/11- 8/12/11: USENIX Security, 20th USENIX Security Symposium, San Francisco, CA, USA
  • 9/12/11- 9/14/11: ESORICS, 16th European Symposium on Research in Computer Security, Leuven, Belgium
  • 9/19/11- 9/21/11: SAFECOMP, 30th International Conference on Computer Safety, Reliability and Security, Naples, Italy
  • 9/20/11- 9/21/11: RAID, 14th International Symposium on Recent Advances in Intrusion Detection, Menlo Park, CA, USA
  • new calls or announcements added since Cipher E99

  • CSC 2011 Workshop on Cryptography and Security in Clouds, Zurich, Switzerland, March 15-16, 2011. (Abstract Submissions due 17 January 2011)

    The cloud computing model offers cheap access to a variety of standardized services, but comes with concerns about the correctness, privacy, and integrity of remote data and computations. Cryptographic mechanisms can reduce such trust by allowing the user to protect its data and computations, as well as to verify aspects of remote computation. The aim of this workshop is to bring together researchers and practitioners working in cryptography and security, from academia and industry, who are interested in the security of current and future cloud computing technology. The workshop considers the viewpoint of cloud-service providers as well as the concerns of cloud users. The goal is to create a dialogue about common goals and to discuss solutions for security problems in cloud computing, with emphasis on cryptographic methods. Topics of interest include:

    • Data privacy and integrity
    • Proofs of storage
    • Remote attestation and verification
    • Secure outsourcing of computation
    • Verification of outsourced computation
    • Storage integrity
    • Private remote storage
    • Obfuscation of programs and data
    • Identity management in cloud computing
    • Robust generation of cryptographic random bits
    • Cryptosystems with conditional decryption (such as searchable encryption or functional encryption)
    • Trusted computing
    • Virtualization security

  • HOST 2011 4th IEEE International Sympoium on Hardware-Oriented Security and Trust, San Diego, CA, June 5-6, 2011. (Submissions due 19 January 2011)

    A wide range of applications, from secure RFID tagging to high-end trusted computing, relies on dedicated and trusted hardware platforms. The security and trustworthiness of such hardware designs are critical to their successful deployment and operation. Recent advances in tampering and reverse engineering show that important challenges lie ahead. For example, secure electronic designs may be affected by malicious circuits, Trojans that alter system operation. Furthermore, dedicated secure hardware implementations are susceptible to novel forms of attack that exploit side-channel leakage and faults. Third, the globalized, horizontal semiconductor business model raises concerns of trust and intellectual-property protection. HOST 2011 is a forum for novel solutions to address these challenges. Innovative test mechanisms may reveal Trojans in a design before they are able to do harm. Implementation attacks may be thwarted using side-channel resistant design or fault-tolerant designs. New security-aware design tools can assist a designer in implementing critical and trusted functionality, quickly and efficiently. HOST 2011 seeks contributions based on, but not limited to, the following topics:

    • Trojan detection and isolation
    • Implementation Attacks and Countermeasures
    • Side channel Analysis and Fault Analysis
    • Intellectual Property Protection and Metering
    • Tools and Methodologies for Secure Hardware Design
    • Hardware Architectures for Cryptography
    • Hardware Security Primitives: PUFs and TRNGs
    • Applications of Secure Hardware
    • Interaction of Secure Hardware and Software

  • ACNS 2011 9th International Conference on Applied Cryptography and Network Security, Nerja, Malaga, Spain, June 7-10, 2011. (Submissions due 21 January 2011)

    Original papers on all aspects of applied cryptography as well as computer/network security and privacy are solicited. Topics of interest include, but are not limited to:

    • Applied cryptography and cryptographic protocols
    • Cryptographic primitives, e.g., cryptosystems, ciphers and hash functions
    • Network security protocols
    • Privacy, anonymity and untraceability
    • Security for the next-generation Internet
    • Internet fraud, e.g., phishing, pharming, spam, and click fraud
    • Email and web security
    • Public key infrastructures, key management, certification and revocation
    • Trust and its metrics
    • Usable security and cryptography
    • Intellectual property protection and digital rights management
    • Modeling and protocol design
    • Automated protocols analysis
    • Secure virtualization and security in cloud computing
    • Security and privacy in sensor, mobile, ad hoc and delay-tolerant networks, p2p systems, as well as wireless (e.g., RFID, Bluetooth) communications

  • DIMVA 2011 8th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Amsterdam, The Netherlands, July 7-8, 2011. (Submissions due 21 January 2011)

    The annual DIMVA conference serves as a premier forum for advancing the state of the art in intrusion detection, malware detection, and vulnerability assessment. DIMVA's scope includes, but is not restricted to the following areas:
    Intrusion Detection
    

    • Novel approaches & new environments
    • Insider detection
    • Prevention & response
    • Data leakage
    • Result correlation & cooperation
    • Evasion attacks
    • Potentials & limitations
    • Operational experiences
    • Privacy, legal & social aspects
    Malware Detection
    
    • Automated analysis, reversing & execution tracing
    • Containment & sandboxed operation
    • Acquisition of specimen
    • Infiltration
    • Behavioral models
    • Prevention & containment
    • Trends & upcoming risks
    • Forensics & recovery
    • Economic aspects
    Vulnerability Assessment
    
    • Vulnerability detection & analysis
    • Vulnerability prevention
    • Web application security
    • Fuzzing techniques
    • Classification & evaluation
    • Situational awareness

  • LEET 2011 4th USENIX Workshop on Large-Scale Exploits and Emergent Threats, Boston, MA, USA, March 29, 2011. (Submissions due 25 January 2011)

    Now in its fourth year, LEET continues to provide a unique forum for the discussion of threats to the confidentiality of our data, the integrity of digital transactions, and the dependability of the technologies we increasingly rely on. We encourage submissions of papers that focus on the malicious activities themselves (e.g., reconnaissance, exploitation, privilege escalation, rootkit installation, attack), our responses as defenders (e.g., prevention, detection, and mitigation), or the social, political, and economic goals driving these malicious activities and the legal and ethical codes guiding our defensive responses. Topics of interest include but are not limited to:

    • Infection vectors for malware (worms, viruses, etc.)
    • Botnets, command and control channels
    • Spyware
    • Operational experience
    • Forensics
    • Click fraud
    • Measurement studies
    • New threats and related challenges
    • Boutique and targeted malware
    • Phishing
    • Spam
    • Underground economy
    • Miscreant counterintelligence
    • Carding and identity theft
    • Denial-of-service attacks
    • Hardware vulnerabilities
    • Legal issues
    • The arms race (rootkits, anti-anti-virus, etc.)
    • New platforms (cellular networks, wireless networks, mobile devices)
    • Camouflage and detection
    • Reverse engineering
    • Vulnerability markets and zero-day economics
    • Online money laundering
    • Understanding the enemy
    • Data collection challenges

  • IH 2011 13th Information Hiding Conference, Prague, Czech Republic, May 18-20, 2011. (Submissions due 31 January 2011)

    For many years, Information Hiding has captured the imagination of researchers. Digital watermarking and steganography protect information, conceal secrets or are used as core primitives in digital rights management schemes. Steganalysis and forensics pose important challenges to investigators; and privacy techniques try to hide relational information such as the actors' identities in anonymous communication systems. These and other topic share the notion that security is defined by the difficulty to make (or avoid) inference on certain properties of host data, which therefore has to be well understood and modeled. Current research themes include:

    • Anonymity and privacy
    • Covert/subliminal channels
    • Digital rights management
    • Fingerprinting and embedding codes
    • Multimedia and document security
    • Multimedia forensics and counter forensics
    • Novel applications of information hiding
    • Other data hiding domains (e.g. text, software, etc.)
    • Security metrics for information hiding
    • Steganography and steganalysis
    • Theoretical aspects of information hiding and detection
    • Watermarking (algorithms, security, attacks)

  • D-SPAN 2011 2nd IEEE International Workshop on Data Security and PrivAcy in wireless Networks, Held in conjunction with IEEE WoWMoM 2011, Lucca, Italy, June 20, 2011. (Submissions due 4 February 2011)

    D-SPAN 2011, the Second International Workshop on Data Security and PrivAcy in wireless Networks (D-SPAN), is focused on defining new problems and developing novel techniques for data security and privacy issues in wireless and mobile networks. With the emergence of data-intensive wireless networks such as wireless sensor networks and data-centric mobile applications such as location-based services, the traditional boundaries between these three disciplines are blurring. This workshop solicits papers from two main categories: (1) papers that consider the security and privacy of data collection, transmission, storage, publishing, and sharing in wireless networks broadly defined, e.g., MANET, cellular, vehicular, ad hoc, cognitive, as well as sensor networks, and (2) papers that use data analytics techniques to address security and privacy problems in wireless networks. The workshop provides a venue for researchers to present new ideas with impact on three communities: wireless networks, databases, and security. The list of topics includes, but not limited to:

    • Foundations in wireless security & privacy (game theory, information theory, belief models, etc)
    • Location privacy in wireless networks
    • Secure data collection and aggregation for wireless sensor networks
    • Secure data collection in body-area networks
    • Secure data processing in mobile ad-hoc networks (MANET)
    • Secure query processing over wireless sensor networks
    • Security and privacy of RFID systems
    • Security and privacy for data streaming
    • Security for cognitive radio networks
    • Tradeoffs between Security and Communication Performance

  • CSF 2011 24th IEEE Computer Security Foundations Symposium, Domaine de l'Abbaye des Vaux-de-Cernay, France, June 27-29, 2011. (Submissions due 9 February 2011)

    New theoretical results in computer security are welcome. Also welcome are more exploratory presentations, which may examine open questions and raise fundamental concerns about existing theories. Panel proposals are sought as well as papers. Possible topics include, but are not limited to:

    • Access control
    • Distributed systems security
    • Language-based security
    • Anonymity and Privacy
    • Electronic voting
    • Network security
    • Authentication
    • Executable content
    • Resource usage control
    • Data and system integrity
    • Formal methods for security
    • Security for mobile computing
    • Database security
    • Information flow
    • Security models
    • Data provenance
    • Intrusion detection
    • Security protocols
    • Decidability and complexity
    • Hardware-based security
    • Trust and trust management

  • USENIX Security 2011 20th USENIX Security Symposium, San Francisco, CA, USA, August 10-12, 2011. (Submissions due 10 February 2011)

    The USENIX Security Symposium brings together researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in the security of computer systems and networks. Refereed paper submissions are solicited in all areas relating to systems and network security, including:

    • Adaptive security and system management
    • Analysis of network and security protocols
    • Applications of cryptographic techniques
    • Attacks against networks and machines
    • Authentication and authorization of users, systems, and applications
    • Automated tools for source code analysis
    • Botnets
    • Cryptographic implementation analysis and construction
    • Denial-of-service attacks and countermeasures
    • File and filesystem security
    • Firewall technologies
    • Forensics and diagnostics for security
    • Hardware security
    • Intrusion and anomaly detection and prevention
    • Malicious code analysis, anti-virus, anti-spyware
    • Network infrastructure security
    • Operating system security
    • Privacy-preserving (and compromising) systems
    • Public key infrastructure
    • Rights management and copyright protection
    • Security architectures
    • Security in heterogeneous and large-scale environments
    • Security policy
    • Self-protecting and -healing systems
    • Techniques for developing secure systems
    • Technologies for trustworthy computing
    • Usability and security
    • Voting systems analysis and security
    • Wireless and pervasive/ubiquitous computing security
    • Web security, including client-side and server-side security

  • SAR/SSI 2011 International Conference on Network and Information Systems Security, La Rochelle, France, May 18-21, 2011. (Submissions due 14 February 2011)

    The SAR-SSI conference series provides a forum for presenting novel research results, practical experiences and innovative ideas in network and information systems security. The goal of SAR-SSI-2011 is fostering exchanges among academic researchers, industry and a wider audience interested in network and information system security. The conference will offer a broad area of events, ranging from panels, tutorials, technical presentations and informal meetings. Prospective authors are encouraged to submit papers describing novel research contributions as well as proposals for tutorials and panels.

  • DBSec 2011 25th Annual WG 11.3 Conference on Data and Applications Security and Privacy, Richmond, Virginia, USA, July 11-13, 2011. (Submissions due 14 February 2011)

    The 25th Annual WG 11.3 Conference on Data and Applications Security and Privacy provides a forum for presenting original unpublished research results, practical experiences, and innovative ideas in data and applications security. Both research papers and panel proposals are solicited. Papers may present theory, techniques, applications, or practical experience on topics of relevance to IFIP WG 11.3:

    • Access control
    • Applied cryptography in data security and privacy
    • Identity theft and countermeasures
    • Integrity maintenance
    • Intrusion detection
    • Knowledge discovery and privacy
    • Organizational security
    • Privacy and privacy-preserving data management
    • Secure transaction processing
    • Secure information integration
    • Secure semantic web
    • Secure sensor monitoring
    • Secure web services
    • Threats, vulnerabilities, and risk management
    • Trust management

  • TRUST 2011 4th International Conference on Trust and Trustworthy Computing, Pittsburgh, PA, USA, June 22-24, 2011. (Submissions due 15 February 2011)

    This conference focuses on trusted and trustworthy computing, both from the technical and social perspectives. The conference itself has two main strands, one devoted to technical aspects and one devoted to socio-economic aspects of trusted computing. The conference solicits original papers on any aspect (technical or social and economic) of the design, application and usage of trusted and trustworthy computing, which concerns a broad range of concepts including trustworthy infrastructures, cloud computing, services, hardware, software and protocols. Topics of interest include, but are not limited to:
    Technical Strand
    

    • Architecture and implementation technologies for trusted platforms and trustworthy infrastructures
    • Trust, Security and Privacy in embedded systems
    • Trust, Security and Privacy in social networks
    • Trusted mobile platforms and mobile phone security
    • Implementations of trusted computing (hardware and software)
    • Applications of trusted computing
    • Trustworthy infrastructures and services for cloud computing (including resilience)
    • Attestation and integrity verification
    • Cryptographic aspects of trusted and trustworthy computing
    • Design, implementation and analysis of security hardware, i.e., hardware with cryptographic and security functions, physically unclonable functions (PUFs)
    • Intrusion resilience in trusted computing
    • Virtualization for trusted platforms
    • Secure storage
    • Security policy and management of trusted computing
    • Access control for trusted platforms
    • Privacy aspects of trusted computing
    • Verification of trusted computing architectures
    • Usability and end-user interactions with trusted platforms
    • Limitations of trusted computing
    Socio-economic Strand
    
    • Usability and user perceptions of trustworthy systems and risks
    • Effects of trustworthy systems upon user, corporate, and governmental behavior
    • Economic drivers for trustworthy systems in corporate environment
    • The impact of trustworthy systems in enhancing trust in cloud-like infrastructures
    • The adequacy of guarantees provided by trustworthy systems for systems critically dependent upon trust, such as elections and government oversight
    • The impact of trustworthy systems upon digital forensics, police investigations and court proceedings
    • Game theoretical approaches to modeling or designing trustworthy systems
    • Approaches to model and simulate scenarios of how trustworthy systems would be used in corporate environments and in personal space
    • Experimental economics studies of trustworthiness
    • The interplay between privacy, privacy enhancing technologies and trustworthy systems
    • Critiques of trustworthy systems

  • ID 2011 ACM/Springer International Workshop on Identity: Security, Management & Applications, Kochi, Kerala, India, July 22-24, 2011. (Submissions due 15 February 2011)

    2011 ACM/Springer International Workshop on Identity ID 2011: Security, Management & Applications, is designated to meet with researchers, engineers and practitioners from academia, service providers, industry and government working on Identity-based Internet & infrastructure systems. ID 2011 aims to bring to forefront the recent trends in most significant technology topics such as Identity Management (IdM), Cloud Computing, Internet of Things (IoT), Service Oriented Architecture (SoA), Security & Privacy Systems, Access Management, Risk Management, and Role and Policy Management, etc in software, hardware and firmware applications running on private and public networks.

  • SADFE 2011 International Workshop on Systematic Approaches to Digital Forensic Engineering, Held in conjunction with the IEEE Symposium on Security and Privacy (SP 2011), Berkeley, CA, USA, May 26, 2011. (Submissions due 18 February 2011)

    The SADFE (Systematic Approaches to Digital Forensic Engineering) International Workshop promotes systematic approaches to cyber crime investigations, by furthering the advancement of digital forensic engineering as a disciplined science and practice. Today's digital artifacts permeate our lives and are part of every crime and every case of digital discovery. The field of digital forensics faces many challenges, including scale, scope and presentation of highly technical information in legal venues to nontechnical audiences. Digital evidence may be extant for only nanoseconds or for years; they may consist of a single modified bit, or huge volumes of data; they may be found locally or spread globally throughout a complex digital infrastructure on public or private systems. Following the success of previous SADFE workshops, cyber crime investigations and digital forensics tools will continue to be the key topics of the meeting. We also welcome a broader range of digital forensics papers that do not necessarily involve either crime or digital forensics tools. General attack analysis, the insider threat, insurance and compliance investigations, similar forms of retrospective analysis, and digital discovery are all viable topics. Past speakers and attendees of SADFE have included computer and information scientists, social scientists, digital forensic practitioners, IT professionals, law enforcement, lawyers, and judges. The synthesis of science with practice and the law with technology form the foundation of this conference. SADFE addresses the gap between today's practice and the establishment of digital forensics as a science. To advance the field, SADFE-2011 solicits broad-based, innovative approaches to digital forensic engineering in the following four areas:

    • Digital Data and Evidence Management: advanced digital evidence discovery, collection, and storage
    • Scientific Principle-based Digital Forensic Processes: systematic engineering processes supporting digital evidence management which are sound on scientific, technical and legal grounds
    • Digital Evidence Analytics: advanced digital evidence analysis, correlation, and presentation
    • Forensic-support technologies: forensic-enabled and proactive monitoring/response
    To honor the outstanding work in digital forensics, the SADFE will provide awards for the highest overall quality papers and posters from the accepted program, as measured by scientific contribution, depth, and impact. A student must be the first author to be eligible for the best student paper award.

  • IEEE Security and Privacy Magazine, Special Issue on Living with Insecurity, November/December 2011, (Submission Due 23 February 2011)

    Editor: Deborah A. Frincke (PNNL, USA) and Bill Arbaugh (University of Maryland, USA)

    Many approaches to security start with the assumption that there is a trustworthy and secure base on which one can build, perhaps based on some provably correct hardware platform. In contrast, this issue seeks papers that start with the opposite assumption. While a computing environment in which all of our devices are reliable and secure sounds appealing, that is not the world in which we live. For the foreseeable future, we will be living and working in an environment of vulnerable, unreliable systems, where we still wrestle with definitions of what it even means to be secure. This special edition focuses on how we can live with insecurity, how our devices and systems can support users at home and at work, when the underlying base is potentially compromised and users themselves may be untrustworthy or unfocused on security. In this themed issue we are particularly interested in papers that address the implications of building software and hardware upon an admittedly untrustworthy basis, across the full spectrum of design, development, testing, use, and maintenance of digitally based systems. We are also interested in policy and regulatory issues related to our topic. Potential topics and questions related to living with security include:

    • effects on system design, development, testing, maintenance, procurement
    • organizational implications for business risk, organization
    • liability, privacy support
    • ways to assist the home user in determining the risk
    • factors within a particular computing environment implications for user interfaces and user behavior
    • means for synthesizing trustworthy islands or subspaces within untrustworthy environments
    • implications for assessing business risk or corporate liability when systems are acknowledged to be potentially compromised
    • parallels with other domains in which some desired attribute is acknowledged to be unattainable in practice that could assist us with living with insecurity
    • methods for distinguishing relatively dangerous neighborhoods in cyberspace from relatively benign ones

  • DFRWS 2011 11th Digital Forensics Research Conference, New Orleans, LA, USA, August 1-3, 2011. (Submissions due 27 February 2010)

    DFRWS brings together leading researchers, developers, practitioners, and educators interested in advancing the state of the art in digital forensics from around the world. As the most established venue in the field, DFRWS is the preferred place to present both cutting-edge research and perspectives on best practices for all aspects of digital forensics. As an independent organization, we promote open community discussions and disseminate the results of our work to the widest audience. We invite original contributions as research papers, panel proposals, Work-in-Progress talks, workshop proposals, and demo proposals. Topics of Interest:

    • Forensic analysis
    • Incident response and live analysis
    • Network-based forensics, including network traffic analysis, traceback and attribution
    • Event reconstruction methods and tools
    • File system and memory analysis
    • Application analysis
    • Embedded systems
    • Small scale and mobile devices
    • Large-scale investigations
    • Digital evidence storage and preservation
    • Data mining and information discovery
    • Data hiding and recovery
    • Data extraction and reconstruction
    • Multimedia analysis
    • Database forensics
    • Tool testing and development
    • Digital evidence and the law
    • Anti-forensics and anti-anti-forensics
    • Case studies and trend reports
    • Malware forensics
    • Data visualization in forensic analysis
    • Forensics of virtual and cloud environments
    • Investigation of insider attacks
    • Error rates of forensic methods
    • Interpersonal communications and social network analysis
    • Non-traditional approaches to forensic analysis

  • SAFECOMP 2011 30th International Conference on Computer Safety, Reliability and Security, Naples, Italy, September 19-21, 2011. (Submissions due 27 February 2011)

    SAFECOMP is an annual event covering the state-of-the-art, experience and trends in the areas of safety, security and reliability of critical computer applications. The 2011 Key theme is "Safety and security of computer-based systems and infrastructures: from risk assessment to threat mitigation". Papers are invited in application and industrial sectors as well as research areas. Especially papers on industrial experience and practice are encouraged.

  • PETS 2011 11th Privacy Enhancing Technologies Symposium, Waterloo, ON, Canada, July 27-29, 2011. (Submissions due 28 February 2011)

    Privacy and anonymity are increasingly important in the online world. Corporations, governments, and other organizations are realizing and exploiting their power to track users and their behavior. Approaches to protecting individuals, groups, but also companies and governments, from profiling and censorship include decentralization, encryption, distributed trust, and automated policy disclosure. The 11th Privacy Enhancing Technologies Symposium addresses the design and realization of such privacy services for the Internet and other data systems and communication networks by bringing together anonymity and privacy experts from around the world to discuss recent advances and new perspectives. The symposium seeks submissions from academia and industry presenting novel research on all theoretical and practical aspects of privacy technologies, as well as experimental studies of fielded systems. We encourage submissions with novel technical contributions from other communities such as law, business, and data protection authorities, that present their perspectives on technological issues. Suggested topics include but are not restricted to:

    • Anonymous communications and publishing systems
    • Attacks on privacy and privacy technologies
    • Censorship resistance
    • Data protection technologies
    • Economics of privacy and PETs
    • Fielded systems and techniques for enhancing privacy in existing systems
    • Location privacy
    • Privacy and anonymity in Peer-to-Peer, Cloud, and Ubiquitous Computing Environments
    • Privacy and inference control in databases
    • Privacy-enhanced access control or authentication/certification
    • Privacy-friendly payment mechanisms for PETs and other services
    • Privacy in Online Social Networks
    • Privacy policy languages and tools
    • Privacy threat models
    • Profiling and data mining
    • Pseudonyms, identity management, linkability, and reputation
    • Reliability, robustness and abuse prevention in privacy systems
    • Traffic analysis
    • Transparency enhancing tools
    • Usability issues and user interfaces for PETs

  • International Journal of Secure Software Engineering, Special Issue on Lessons Learned in Engineering Secure & Dependable Web Applications, January/February 2012, (Submission Due 7 March 2011)

    Editor: Martin Gilje Jaatun (SINTEF ICT, Norway), Edgar Weippl (SBA Research, Austria), and Riccardo Scandariato (KU Leuven, Belgium)

    Software is an integral part of everyday life, and we expect and depend upon software systems to perform correctly. Software security is about ensuring that systems continue to function correctly also under malicious attack. As most systems now are web-enabled, the number of attackers with access to the system increases dramatically and thus the threat scenario changes. The traditional approach to secure a system includes putting up defense mechanisms such as Intrusion Detection Systems and firewalls, but such measures are no longer sufficient by themselves. We need to be able to build better, more robust and thus more secure systems. Even more importantly, however, we should strive to achieve these qualities in all software systems, not just the ones that need special protection. This special issue will focus on techniques, experiences and lessons learned for engineering secure and dependable software for the web. Suggested topics include, but are not limited to:

    • Secure architecture and design
    • Security in agile software development
    • Aspect-oriented software development for secure software
    • Security requirements
    • Risk management in software projects
    • Secure implementation
    • Secure deployment
    • Testing for security
    • Quantitative measurement of security properties
    • Static and dynamic analysis for security
    • Verification and assurance techniques for security properties
    • Lessons learned
    • Security and usability
    • Teaching secure software development
    • Experience reports on successfully attuning developers to secure software engineering

  • PST 2011 9th International Conference on Privacy, Security and Trust, Montreal, Quebec, Canada, July 19-21, 2011. (Submissions due 20 March 2011)

    PST2011 provides a forum for researchers world-wide to unveil their latest work in privacy, security and trust and to show how this research can be used to enable innovation. PST2011 will include an Innovation Day featuring workshops and tutorials followed by two days of high-quality research papers whose topics include, but are NOT limited to, the following:

    • Privacy Preserving / Enhancing Technologies
    • Critical Infrastructure Protection
    • Network and Wireless Security
    • Operating Systems Security
    • Intrusion Detection Technologies
    • Secure Software Development and Architecture
    • PST Challenges in e-Services, e.g. e-Health, e-Government, e Commerce
    • Network Enabled Operations
    • Digital forensics
    • Information Filtering, Data Mining and Knowledge from Data
    • National Security and Public Safety
    • Security Metrics
    • Recommendation, Reputation and Delivery Technologies
    • Continuous Authentication
    • Trust Technologies, Technologies for Building Trust in e-Business Strategy
    • Observations of PST in Practice, Society, Policy and Legislation
    • Digital Rights Management
    • Identity and Trust management
    • PST and Cloud Computing
    • Human Computer Interaction and PST
    • Implications of, and Technologies for, Lawful Surveillance
    • Biometrics, National ID Cards, Identity Theft
    • PST and Web Services / SOA
    • Privacy, Traceability, and Anonymity
    • Trust and Reputation in Self-Organizing Environments
    • Anonymity and Privacy vs. Accountability
    • Access Control and Capability Delegation
    • Representations and Formalizations of Trust in Electronic and Physical Social Systems

  • ESORICS 2011 16th European Symposium on Research in Computer Security, Leuven, Belgium, September 12-14, 2011. (Submissions due 21 March 2011)

    ESORICS is the annual European research event in Computer Security. The Symposium started in 1990 and has been held in several European countries, attracting a wide international audience from both the academic and industrial communities. Papers offering novel research contributions in computer security are solicited for submission to the Symposium. The primary focus is on original, high quality, unpublished research and implementation experiences. Submitted papers must not substantially overlap with papers that have been published or that are simultaneously submitted to a journal or a conference with proceedings. We encourage submissions of papers discussing industrial research and development. Suggested topics include but are not restricted to:

    • Access Control
    • Accountability
    • Ad hoc Networks
    • Anonymity
    • Applied Cryptography
    • Attacks and Viral Software
    • Authentication and Delegation
    • Biometrics
    • Database Security
    • Digital Content Protection
    • Distributed Systems Security
    • Electronic Payments
    • Embedded Systems Security
    • Inference Control
    • Information Hiding
    • Identity Management
    • Information Flow Control
    • Integrity
    • Intrusion Detection
    • Formal Security Methods
    • Language-Based Security
    • Network Security
    • Phishing and Spam Prevention
    • Privacy
    • Risk Analysis and Management
    • Secure Electronic Voting
    • Security Architectures
    • Security Economics
    • Security and Privacy Policies
    • Security for Mobile Code
    • Security in Location Services
    • Security in Social Networks
    • Security Models
    • Security Verification
    • Software Security
    • Steganography
    • Systems Security
    • Trust Models and Management
    • Trustworthy User Devices
    • Web Security
    • Wireless Security

  • W2SP 2011 Web 2.0 Security and Privacy 2011 Workshop, Held in conjunction with IEEE Symposium on Security and Privacy (SP 2011), Berkeley, CA, USA, May 26, 2011. (Submissions due 25 March 2011)

    W2SP brings together researchers, practitioners, web programmers, policy makers, and others interested in the latest understanding and advances in the security and privacy of the web, browsers and their eco-system. We have had four years of successful W2SP workshops. This year, we will additionally invite selected papers to a special issue of the journal. We are seeking both short position papers (2-4 pages) and longer papers (a maximum of 10 pages). The scope of W2SP 2011 includes, but is not limited to:

    • Trustworthy cloud-based services
    • Privacy and reputation in social networks
    • Security and privacy as a service
    • Usable security and privacy
    • Security for the mobile web
    • Identity management and psuedonymity
    • Web services/feeds/mashups
    • Provenance and governance
    • Security and privacy policies for composible content
    • Next-generation browser technology
    • Secure extensions and plug-ins
    • Advertisement and affiliate fraud
    • Measurement study for understanding web security and privacy

  • FCS 2011 Workshop on Foundations of Computer Security, Held in conjunction with LICS 2011, Toronto, Ontario, Canada, June 20, 2011. (Submissions due 29 March 2011)

    Computer security is an established field of computer science of both theoretical and practical significance. In recent years, there has been increasing interest in logic-based foundations for various methods in computer security, including the formal specification, analysis and design of security protocols and their applications, the formal definition of various aspects of security such as access control mechanisms, mobile code security and denial-of-service attacks, and the modeling of information flow and its application to confidentiality policies, system composition, and covert channel analysis. The aim of the workshop FCS'11 is to provide a forum for continued activity in different areas of computer security, bringing computer security researchers in closer contact with the LICS community and giving LICS attendees an opportunity to talk to experts in computer security, on the one hand, and contribute to bridging the gap between logical methods and computer security foundations, on the other. We are interested both in new results in theories of computer security and also in more exploratory presentations that examine open questions and raise fundamental concerns about existing theories, as well as in new results on developing and applying automated reasoning techniques and tools for the formal specification and analysis of security protocols.

  • RAID 2011 14th International Symposium on Recent Advances in Intrusion Detection, Menlo Park, CA, USA, September 20-21, 2011. (Submissions due 31 March 2011)

    This symposium, the 14th in an annual series, brings together leading researchers and practitioners from academia, government, and industry to discuss issues and technologies related to intrusion detection and defense. The Recent Advances in Intrusion Detection (RAID) International Symposium series furthers advances in intrusion defense by promoting the exchange of ideas in a broad range of topics. As in previous years, all topics related to intrusion detection, prevention and defense systems and technologies are within scope, including but not limited to the following:

    • Network and host intrusion detection and prevention
    • Anomaly and specification-based approaches
    • IDS cooperation and event correlation
    • Malware prevention, detection, analysis, containment
    • Web application security
    • Insider attack detection
    • Intrusion response, tolerance, and self-protection
    • Operational experiences with current approaches
    • Intrusion detection assessment and benchmarking
    • Attacks against intrusion detection systems
    • Formal models, analysis, and standards
    • Deception systems and honeypots
    • Vulnerability analysis and forensics
    • Adversarial machine learning for security
    • Visualization techniques
    • High-performance intrusion detection
    • Legal, social, and privacy issues
    • Network exfiltration detection
    • Botnet analysis, detection, and mitigation
    • Cyber-physical systems

 

---

IEEE Computer Society's Technical Committee on Security and Privacy

	TC home page	TC Officers
	How to join the TC	TC publications available online
	TC Publications for sale	Cipher past issues archive
	IEEE Computer Society	Cipher Privacy Policy




---