Cipher Electronic Newsletter of the Technical Committe on    Security & Privacy A Technical Committee of the Computer Society of the IEEE  Electronic Issue (EI) 107,  March 18, 2012 Hilarie Orman,  Editor Book Reviews Sven Dietrich, Associate Editor Yong Guan, Calendar Editor

Contents:

• Letter from the Editor 
   

• Commentary and Opinion

  • Review of the Financial Cryptography and Data Security (Bonaire, Dutch Antilles, Feb 26-Mar 3, 2012) by Benjamin Mood

  • Recent News Items
    • Secrets in the Fingers
    • NSA in the Rockies
    • Admistration Pushes for Greater Authority Over Cybersecurity in Private Firms
    • When Keys Go Bad
    • Linked In To ... Insecurity?
    • Afraid to Flash?
    • Stux Redux

  • Conference Reports and Commentary from past Cipher issues

  • NewsBits:  Announcements and correspondence from readers (please contribute!)

  • Book reviews from past Cipher issues

 

• Listing of academic positions available  by Cynthia Irvine
  

 

• Conference and Workshop Announcements

  • Cipher calls-for-papers and calendar
      Cipher calendar announcements are on Twitter; follow "ciphernews"
      new calls or announcements added since Cipher E106 (the calls-for-papers and the calendar announcements may differ slightly in content or time of update): 

  • The Calendar
    • 3/19/12: SECRYPT, 9th International Conference on Security and Cryptography, Rome, Italy; Submissions are due
    • 3/19/12- 3/21/12: IFIP-CIP, 6th Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, National Defense University, Fort McNair, Washington, DC, USA
    • 3/21/12: eGSSN, International Workshop on Trust, Security and Privacy in e-Government, e-Systems & Social Networking, Held in conjunction with the 11th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom 2012), Liverpool, UK; Submissions are due
    • 3/24/12- 4/ 1/12: POST, 1st Conference on Principles of Security and Trust, Tallinn, Estonia
    • 3/26/12: LASER, Workshop on Learning from Authoritative Security Experiment Results, Arlington, VA, USA; Submissions are due
    • 3/26/12: SRDS, 31st International Symposium on Reliable Distributed Systems, Irvine, California, USA; Submissions are due
    • 3/30/12: SecSE, 6th International Workshop on Secure Software Engineering, Held in conjunction with ARES 2012, Prague, Czech Republic; Submissions are due
    • 3/30/12: WSDF, 5th International Workshop on Digital Forensics, Held in conjunction with ARES 2012, Prague, Czech Republic; Submissions are due
    • 3/30/12: SAPSE, 4th IEEE International Workshop on Security Aspects of Process and Services Engineering, Held in conjunction with the IEEE Signature Conference on Computers, Software, and Applications (COMPSAC 2012), Izmir, Turkey; Submissions are due
    • 3/31/12: MoCrySEn, 1st International Workshop on Modern Cryptography and Security Engineering, Held in conjunction with ARES 2012, Prague, Czech Republic; Submissions are due
    • 4/ 2/12: Mobisec, 4th International Conference on Security and Privacy in Mobile Information and Communication Systems, Frankfurt, Germany; Submissions are due
    • 4/ 6/12: TrustBus, 9th International Conference on Trust, Privacy, and Security in Digital Business, Held in conjunction with DEXA 2012, Vienna University of Technology, Austria; Submissions are due
    • 4/10/12: HealthSec, 3rd USENIX Workshop on Health Security and Privacy, Bellevue, WA, USA; Submissions are due
    • 4/15/12: CloudSec, 4th International Workshop on Security in Cloud Computing, Held in conjunction with the 41st ICPP, Pittsburgh, PA, USA; Submissions are due
    • 4/15/12: STAST, 2nd International Workshop on Socio-Technical Aspects of Security and Trust, Co-located with Computer Security Foundation Symposium (CSF 2012), Harvard University, Cambridge, MA, USA; Submissions are due
    • 4/15/12: IEEE Signal Processing Magazine, Special Issue on Signal Processing in the Encrypted Domain: when Cryptography Meets Signal Processing; Submissions are due
    • 4/16/12: SSS, 14th International Symposium on Stabilization, Safety, and Security of Distributed Systems, Toronto, Canada; Submissions are due
    • 4/16/12- 4/18/12: WiSec, ACM Conference on Wireless Network Security, Tucson, Arizona, USA
    • 4/16/12- 4/20/12: PSOSM, Workshop on Privacy and Security in Online Social Media, Held in conjunction with the 21st International World Wide Web Conference (WWW 2012), Lyon, France
    • 4/19/12: CSET, 5th Workshop on Cyber Security Experimentation and Test, Bellevue, WA, USA; Submissions are due
    • 4/20/12: ProvSec, 6th International Conference on Provable Security, Chengdu, China; Submissions are due
    • 4/24/12: LEET, 5th USENIX Workshop on Large-Scale Exploits and Emergent Threats, Co-located with NSDI 2012, San Jose, CA, USA
    • 5/ 1/12- 5/ 3/12: ASIACCS, 7th ACM Symposium on Information, Computer and Communications Security, Seoul, Republic of Korea
    • 5/ 3/12- 5/ 4/12: COSADE, 3rd International Workshop on Constructive Side-Channel Analysis and Secure Design, Darmstadt, Germany
    • 5/ 4/12: ACM-CCS, 19th ACM Conference on Computer and Communications Security, Raleigh, North Carolina, USA; Submissions are due
    • 5/12/12: LCN-SICK, Workshop on Security in Communications Networks, Held in Conjunction with IEEE LCN 2012, Clearwater, FL, USA; Submissions are due
    • 5/15/12: CRITIS, 7th International Workshop on Critical Information Infrastructures Security, Radisson Blu Lillehammer Hotel, Turisthotellveien 6, 2609 Lillehammer, Norway; Submissions are due
    • 5/17/12: LISA, 26th Large Installation System Administration Conference, San Diego, CA, USA; Submissions are due
    • 5/20/12- 5/23/12: SP, 33rd IEEE Symposium on Security and Privacy, San Francisco Bay Area, California, USA
    • 5/24/12: WSCS, Workshop on Semantic Computing and Security, Co-located with the IEEE Security and Privacy Symposium 2012, The Westin Hotel, San Francisco, CA, USA
    • 5/24/12: MoST, Mobile Security Technologies Workshop, Co-located with IEEE Symposium on Security and Privacy 2012, The Westin St. Francis Hotel, San Francisco, CA, USA
    • 5/24/12: W2SP, Web 2.0 Security & Privacy Workshop, Co-located with IEEE Symposium on Security and Privacy 2012, The Westin St. Francis Hotel, San Francisco, CA, USA
    • 5/31/12: IEEE Transactions on Information Forensics and Security, Special Issue on Privacy and Trust Management in Cloud and Distributed Systems; Submissions are due
    • 6/ 1/12: IEEE Network Magazine, Special Issue on Cyber Security of Networked Critical Infrastructures; Submissions are due
    • 6/ 4/12: Nordsec, 17th Nordic Conference in Secure IT Systems, Karlskrona, Sweden; Submissions are due
    • 6/ 4/12- 6/ 6/12: SEC, 27th IFIP International Information Security and Privacy Conference, Creta Maris Hotel, Heraklion, Crete, Greece
    • 6/ 6/12- 6/ 8/12: HAISA, 6th International Symposium on Human Aspects of Information Security and Assurance, Hersonissos, Crete, Greece
    • 6/ 6/12- 6/ 8/12: WDFIA, 7th International Workshop on Digital Forensics and Incident Analysis, Hersonissos, Crete, Greece
    • 6/10/12- 6/15/12: SFCS, 1st IEEE International Workshop on Security and Forensics in Communication Systems, Held in conjunction with IEEE ICC 2012, Ottawa, Canada
    • 6/15/12: NSS, 6th International Conference on Network and System Security, Wu Yi Shan, Fujian, China; Submissions are due
    • 6/18/12- 6/21/12: ICDCS-NFSP, 1st International Workshop on Network Forensics, Security and Privacy, Held in conjunction with ICDCS 2012, Macau, China
    • 6/18/12- 6/21/12: ICDCS-SPCC, 3rd International Workshop on Security and Privacy in Cloud Computing, Held in conjunction with ICDCS 2012, Macau, China
    • 6/19/12- 6/22/12: WISTP, 6th Workshop on Information Security Theory and Practice, London, UK
    • 6/20/12- 6/22/12: SACMAT, 17th ACM Symposium on Access Control Models and Technologies, Newark, NJ, USA
    • 6/25/12: DSPAN, 3rd IEEE Workshop on Data Security and PrivAcy in wireless Networks, Held in conjunction with The Thirteenth International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM 2012), San Francisco, CA, USA
    • 6/25/12- 6/27/12: Mobisec, 4th International Conference on Security and Privacy in Mobile Information and Communication Systems, Frankfurt, Germany
    • 6/25/12- 6/27/12: eGSSN, International Workshop on Trust, Security and Privacy in e-Government, e-Systems & Social Networking, Held in conjunction with the 11th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom 2012), Liverpool, UK
    • 6/26/12- 6/28/12: DFIS, 6th International Symposium on Digital Forensics and Information Security, Vancouver, Canada
    • 6/26/12- 6/29/12: ACNS, 10th International Conference on Applied Cryptography and Network Security, Singapore
    • 6/29/12: STAST, 2nd International Workshop on Socio-Technical Aspects of Security and Trust, Co-located with Computer Security Foundation Symposium (CSF 2012), Harvard University, Cambridge, MA, USA
    • 7/11/12- 7/13/12: PETS, 12th Privacy Enhancing Technologies Symposium, Vigo, Spain
    • 7/15/11- 7/15/12: IEEE Internet Computing, Track Articles on Computer Crime; Submissions are due
    • 7/16/12- 7/20/12: SAPSE, 4th IEEE International Workshop on Security Aspects of Process and Services Engineering, Held in conjunction with the IEEE Signature Conference on Computers, Software, and Applications (COMPSAC 2012), Izmir, Turkey
    • 7/18/12- 7/19/12: LASER, Workshop on Learning from Authoritative Security Experiment Results, Arlington, VA, USA
    • 7/24/11- 7/27/12: SECRYPT, 9th International Conference on Security and Cryptography, Rome, Italy
    • 7/30/11- 8/ 2/12: SecIoT, Workshop on the Security of the Internet of Things, Munich, Germany
    • 8/ 6/12: CSET, 5th Workshop on Cyber Security Experimentation and Test, Bellevue, WA, USA
    • 8/ 6/12- 8/ 7/12: HealthSec, 3rd USENIX Workshop on Health Security and Privacy, Bellevue, WA, USA
    • 8/ 8/12- 8/10/12: USENIX-Security, 21st USENIX Security Symposium, Bellevue, WA, USA
    • 8/20/12- 8/24/12: SecSE, 6th International Workshop on Secure Software Engineering, Held in conjunction with ARES 2012, Prague, Czech Republic
    • 8/20/12- 8/24/12: WSDF, 5th International Workshop on Digital Forensics, Held in conjunction with ARES 2012, Prague, Czech Republic
    • 8/20/12- 8/24/12: MoCrySEn, 1st International Workshop on Modern Cryptography and Security Engineering, Held in conjunction with ARES 2012, Prague, Czech Republic
    • 9/ 3/12- 9/ 7/12: TrustBus, 9th International Conference on Trust, Privacy, and Security in Digital Business, Held in conjunction with DEXA 2012, Vienna University of Technology, Austria
    • 9/ 9/12- 9/12/12: CHES, IACR Workshop on Cryptographic Hardware and Embedded Systems, Leuven, Belgium
    • 9/12/12: CloudSec, 4th International Workshop on Security in Cloud Computing, Held in conjunction with the 41st ICPP, Pittsburgh, PA, USA
    • 9/17/12- 9/18/12: CRITIS, 7th International Workshop on Critical Information Infrastructures Security, Radisson Blu Lillehammer Hotel, Turisthotellveien 6, 2609 Lillehammer, Norway
    • 9/19/12- 9/21/12: NSPW, New Security Paradigms Workshop, Bertinoro, Italy
    • 9/26/12- 9/28/12: ProvSec, 6th International Conference on Provable Security, Chengdu, China
    • 10/ 1/12-10/ 4/12: SSS, 14th International Symposium on Stabilization, Safety, and Security of Distributed Systems, Toronto, Canada
    • 10/ 8/12-10/11/12: SRDS, 31st International Symposium on Reliable Distributed Systems, Irvine, California, USA
    • 10/16/12-10/18/12: ACM-CCS, 19th ACM Conference on Computer and Communications Security, Raleigh, North Carolina, USA
    • 10/22/12-10/25/12: LCN-SICK, Workshop on Security in Communications Networks, Held in Conjunction with IEEE LCN 2012, Clearwater, FL, USA
    • 10/31/12-11/ 2/12: Nordsec, 17th Nordic Conference in Secure IT Systems, Karlskrona, Sweden
    • 11/21/12-11/23/12: NSS, 6th International Conference on Network and System Security, Wu Yi Shan, Fujian, China
    • 12/ 9/12-12/14/12: LISA, 26th Large Installation System Administration Conference, San Diego, CA, USA
    
    
  • new calls or announcements added since Cipher E106

  • SECRYPT 2012 9th International Conference on Security and Cryptography, Rome, Italy, July 24-27, 2012. (Submissions due 19 March 2012)

    SECRYPT is an annual international conference covering research in information and communication security. The conference seeks submissions from academia, industry, and government presenting novel research on all theoretical and practical aspects of data protection, privacy, security, and cryptography. Papers describing the application of security technology, the implementation of systems, and lessons learned are also encouraged.

  • eGSSN 2012 International Workshop on Trust, Security and Privacy in e-Government, e-Systems & Social Networking, Held in conjunction with the 11th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom 2012), Liverpool, UK, June 25-27, 2012. (Submissions due 21 March 2012)

    Electronic systems (e-systems) have increased tremendously in recent years. Clear examples of e-systems include e-commerce, e-payment systems, e-government systems and social networks. The incredibly amount of people using these systems make them more vulnerable to receive a great diversity of attacks such as denial of service, hijacking, spoofing, man in the middle, etc. Moreover, the information sensible usually managed in e-systems is another reason for receiving attacks intensively. This workshop aims to identify and explore different issues and challenges related to security aspects in e-systems in general and specially in e-government and social networking. Questions like "how to preserve privacy and anonymity in social network? How to provide a secure authentication for e-government? What is a suitable trust model for e-systems? How to federate social networks? How e-government may manage risk?" are those waiting for answers. This workshop provides an ideal vehicle for bringing together researchers, scientists, engineers, academics and students all around the world to share the latest updates on new security technologies that would shape the next generation of mobile and wireless systems and technology platforms. We are interested in the following topics, but are not limited to:

    • Trust Management in e-Government, e-Systems or Social Networks
    • Reputation Management in e-Government, e-Systems or Social Networks
    • Authentication schemes in e-Government, e-Systems or Social Networks
    • Authorization Models in e-Government, e-Systems or Social Networks
    • Privacy of e-Government, e-Systems or Social Networks
    • Risk Management in e-Government, e-Systems or Social Networks
    • Policy-based Management for e-Government, e-Systems or Social Networks
    • Security Models for e-Government, e-Systems or Social Networks
    • Service Level Agreements about Security in e-Government, e-Systems or Social Networks
    • Identity Management in e-Government, e-Systems or Social Networks
    • Federation Management in e-Government, e-Systems or Social Networks
    • Anonymity in e-Government, e-Systems or Social Networks
    • Accounting in e-Government, e-Systems or Social Networks

  • LASER 2012 Workshop on Learning from Authoritative Security Experiment Results, Results, Arlington, VA, USA, July 18-19, 2012. (Submissions due 26 March 2012)

    The goal of this workshop is to provide an outlet for publication of unexpected research results in security -- to encourage people to share not only what works, but also what doesn't. This doesn't mean bad research -- it means research that had a valid hypothesis and methods, but the result was negative. Given the increased importance of computer security, the security community needs to quickly identify and learn from both success and failure.
    
    Journal papers and conferences typically contain papers that report successful experiments that extend our knowledge of the science of security, or assess whether an engineering project has performed as anticipated. Some of these results have high impact; others do not. Unfortunately, papers reporting on experiments with unanticipated results that the experimenters cannot explain, or experiments that are not statistically significant, or engineering efforts that fail to produce the expected results, are frequently not considered publishable, because they do not appear to extend our knowledge. Yet, some of these "failures" may actually provide clues to even more significant results than the original experimenter had intended. The research is useful, even though the results are unexpected.
    
    Useful research includes a well-reasoned hypothesis, a well-defined method for testing that hypothesis, and results that either disprove or fail to prove the hypothesis. It also includes a methodology documented sufficiently so that others can follow the same path. When framed in this way, "unsuccessful" research furthers our knowledge of a hypothesis and testing method. Others can reproduce the experiment itself, vary the methods, and change the hypothesis; the original result provides a place to begin.
    
    As an example, consider an experiment assessing a protocol utilizing biometric authentication as part of the process to provide access to a computer system. The null hypothesis might be that the biometric technology does not distinguish between two different people; in other words, that the biometric element of the protocol makes the approach vulnerable to a masquerade attack. Suppose the null hypothesis is verified. It would still be worth publishing this result. First, it might prevent others from trying the same biometric method. Second, it might lead them to further develop the technology - to determine whether a different style of biometrics would improve matters, or if the environment in which authentication is being attempted makes a difference. For example, a retinal scan may be a failure in recognizing people in a crowd, but successful where the users present themselves one at a time to an admission device with controlled lighting, or when multiple "tries" are included. Third, it might lead to modifying the encompassing protocol so as to make masquerading more difficult for some other reason.
    
    Equally important is research designed to reproduce the results of earlier work. Reproducibility is key to science, to validate or uncover errors or problems in earlier work. Failure to reproduce the results leads to a deeper understanding of the phenomena that the earlier work uncovers.
    
    The workshop focuses on research that has a valid hypothesis and reproducible experimental methodology, but where the results were unexpected or did not validate the hypotheses, where the methodology addressed difficult and/or unexpected issues, or that identified previously unsuspected confounding issues. We solicit research and position papers addressing these issues, especially (but not exclusively) on the following topics:

    • Unexpected research results in experimental security
    • Methods, statistical analyses, and designs for security experiments
    • Experimental confounds, mistakes, mitigations
    • Successes and failures in reproducing the experimental techniques and/or results of earlier work

  • SRDS 2012 31st International Symposium on Reliable Distributed Systems, Irvine, California, USA, October 8-11, 2012. (Submissions due 26 March 2012)

    The Symposium on Reliable Distributed Systems is a forum for researchers and practitioners interested in distributed systems design, development and evaluation, with emphasis on reliability, availability, safety, security, trust and real time. We welcome original research papers as well as practical experience reports that deal with design, development and experimental results of operational systems. The major areas of interest include, but are not limited to, the following topics:

    • Cloud computing and virtualization
    • Autonomic, pervasive, and ubiquitous computing
    • Secure and trusted storage systems
    • Secure and dependable web services
    • High-confidence and Safety-critical systems
    • Parallel and distributed operating systems
    • Distributed objects and middleware systems
    • Fault-tolerant and secure sensor networks
    • Event-based processing and peer-to-peer infrastructures
    • Distributed databases and transaction processing
    • Distributed measurement, monitoring, and predictions
    • Wireless ad hoc networks
    • Electronic commerce and enabling technologies
    • Formal methods and foundations for dependable distributed computing
    • Analytical or experimental evaluations of dependable distributed systems
    • Internet-based systems and applications
    • Scalable systems design
    • QoS control and assessment
    • Trust and scalable system design in social networks
    • Social media and privacy issues

  • SecSE 2012 6th International Workshop on Secure Software Engineering, Held in conjunction with ARES 2012, Prague, Czech Republic, August 20-24, 2012. (Submissions due 30 March 2012)

    Software security is about protecting information and ensuring that systems continue to function correctly even when under malicious attack. The traditional approach of securing a system has been to create defensive walls such as intrusion detection systems and firewalls around it, but there are always cracks in these walls, and thus such measures are no longer sufficient by themselves. We need to be able to build better, more robust and more "inherently secure" systems, and we should strive to achieve these qualities in all software systems, not just in the ones that "obviously" need special protection. This workshop will focus on techniques, experiences and lessons learned for building secure and dependable software. Suggested topics include, but are not limited to:

    • Secure architecture and design
    • Security in agile software development
    • Aspect-oriented software development for secure software
    • Security requirements
    • Risk management in software projects
    • Secure implementation
    • Secure deployment
    • Testing for security
    • Quantitative measurement of security properties
    • Static/dynamic analysis for security
    • Verification and assurance techniques for security properties
    • Security and usability
    • Design and deployment of secure services
    • Secure composition and adaptation of services
    • Teaching secure software development
    • Experience reports on successfully attuning developers to secure software engineering
    • Lessons learned

  • WSDF 2012 5th International Workshop on Digital Forensics, Held in conjunction with ARES 2012, Prague, Czech Republic, August 20-24, 2012. (Submissions due 30 March 2012)

    Digital forensics is a rapidly evolving field primarily focused on the extraction, preservation and analysis of digital evidence obtained from electronic devices in a manner that is legally acceptable. Research into new methodologies tools and techniques within this domain is necessitated by an ever-increasing dependency on tightly interconnected, complex and pervasive computer systems and networks. The ubiquitous nature of our digital lifestyle presents many avenues for the potential misuse of electronic devices in crimes that directly involve, or are facilitated by, these technologies. The aim of digital forensics is to produce outputs that can help investigators ascertain the overall state of a system. This includes any events that have occurred within the system and entities that have interacted with that system. Due care has to be taken in the identification, collection, archiving, maintenance, handling and analysis of digital evidence in order to prevent damage to data integrity. Such issues combined with the constant evolution of technology provide a large scope of digital forensic research. WSDF aims to bring together experts from academia, industry, government and law enforcement who are interested in advancing the state of the art in digital forensics by exchanging their knowledge, results, ideas and experiences. The aim of the workshop is to provide a relaxed atmosphere that promotes discussion and free exchange of ideas while providing a sound academic backing. The focus of this workshop is not only restricted to digital forensics in the investigation of crime. It also addresses security applications such as automated log analysis, forensic aspects of fraud prevention and investigation, policy and governance.

  • SAPSE 2012 4th IEEE International Workshop on Security Aspects of Process and Services Engineering, Held in conjunction with the IEEE Signature Conference on Computers, Software, and Applications (COMPSAC 2012), Izmir, Turkey, July 16-20, 2012. (Submissions due 30 March 2012)

    The workshop aims to foster cooperation among software practitioners and researchers in order to exchange the latest industrial experience and research ideas on services and processes engineering. Complex software systems are at the core of most business transactions, making the area of processes and services engineering a very attractive field for innovative research and for facing new challenges. Research is devoted to the software engineering of service-oriented applications with the goal of providing effective solutions to the development, deployment and management of the resulting applications. In this scenario, security pla+ys a fundamental role, since the resulting software system is expected to function correctly and resist also to malicious attacks under different changing threat scenarios. New techniques and methodologies are needed to be able to build better, more robust and more trusted systems, where security is taken into account and integrated in the whole design process since the very first stages.

  • MoCrySEn 2012 1st International Workshop on Modern Cryptography and Security Engineering, Held in conjunction with ARES 2012, Prague, Czech Republic, August 20-24, 2012. (Submissions due 31 March 2012)

    MoCrySEn aims to bring together researchers working in theoretical aspects of modern cryptography (including but not restricted to design and analysis of symmetric-key primitives and cryptosystems, block and stream ciphers, hash functions and MAC algorithms, efficient implementations and analysis of code-based cryptosystems, threshold schemes) with professionals working on applied aspects of security engineering, particularly people involved in standardization and in industrial deployment of cryptography (encryption schemes for databases and related security, cryptography in wireless applications, hardware for cryptanalysis, FPGA and smart cards security). The main goal of the workshop is to strengthen the dialogue between these two groups, which is currently perceived to be weak. Ultimately, we aim to make a start on bridging the gap between what academic cryptographers believe should be the goals of cryptographic design and what is actually implemented in the real world. MoCrySEn intends to provide a better understanding of real-world cryptographic issues to the theoretical community, helping to inform their research and set new research challenges for the theoretical community and enable practitioners to develop a clearer view of the current state-of-the-art in cryptographic research and what it offers to practitioners.

  • Mobisec 2012 4th International Conference on Security and Privacy in Mobile Information and Communication Systems, Frankfurt, Germany, June 25-27, 2012. (Submissions due 2 April 2012)

    MobiSec's focus is the convergence of information and communication technology in mobile scenarios. This convergence is realised in intelligent mobile devices, accompanied by the advent of next-generation communication networks. Privacy and security aspects need to be covered at all layers of mobile networks, from mobile devices, to privacy respecting credentials and mobile identity management, up to machine-to-machine communications. In particular, mobile devices such as Smartphones and Internet Tablets have been very successful in commercialization. However, their security mechanisms are not always able to deal with the growing trend of information-stealing attacks. As mobile communication and information processing becomes a commodity, economy and society require protection of this precious resource. Mobility and trust in networking go hand in hand for future generations of users, who need privacy and security at all layers of technology. In addition, the introduction of new data collection practices and data-flows (e.g. sensing data) from the mobile device makes it more difficult to understand the new security and privacy threats introduced. MobiSec strives to bring together the leading-edge of academia and industry in mobile systems security, as well as practitioners, standards developers and policymakers. Contributions may range from architecture designs and implementations to cryptographic solutions for mobile and resource-constrained devices.

  • TrustBus 2012 9th International Conference on Trust, Privacy, and Security in Digital Business, Held in conjunction with DEXA 2012, Vienna University of Technology, Austria, September 3-7, 2012. (Submissions due 6 April 2012)

    The advances in the Information and Communication Technologies (ICT) have raised new opportunities for the implementation of novel applications and the provision of high quality services over global networks. The aim is to utilize this information society era?for improving the quality of life for all citizens, disseminating knowledge, strengthening social cohesion, generating earnings and finally ensuring that organizations and public bodies remain competitive in the global electronic marketplace. Unfortunately, such a rapid technological evolution cannot be problem-free. Concerns are raised regarding the lack of trust?in electronic procedures and the extent to which information security?and user privacy?can be ensured. In answer to these concerns, the 9th International Conference on Trust, Privacy and Security in Digital Business (TrustBus?2) will provide an international forum for researchers and practitioners to exchange information regarding advancements in the state of the art and practice of trust and privacy in digital business. TrustBus?2 will bring together researchers from different disciplines, developers, and users all interested in the critical success factors of digital business systems. We are interested in papers, work-in-progress reports, and industrial experiences describing advances in all areas of digital business applications related to trust and privacy, including, but not limited to:

    • Anonymity and pseudonymity in business transactions
    • Business architectures and underlying infrastructures
    • Common practice, legal and regulatory issues
    • Cryptographic protocols
    • Delivery technologies and scheduling protocols
    • Design of business models with security requirements
    • Economics of Information Systems Security
    • Electronic cash, wallets and pay-per-view systems
    • Enterprise management and consumer protection
    • Identity and Trust Management
    • Intellectual property and digital rights management
    • Intrusion detection and information filtering
    • Languages for description of services and contracts
    • Management of privacy & confidentiality
    • Models for access control and authentication
    • Multimedia web services
    • New cryptographic building-blocks for e-business applications
    • Online transaction processing
    • PKI & PMI
    • Public administration, governmental services
    • P2P transactions and scenarios
    • Real-time Internet E-Services
    • Reliability and security of content and data
    • Reliable auction, e-procurement and negotiation technology
    • Reputation in services provision
    • Secure process integration and management
    • Security and Privacy models for Pervasive Information Systems
    • Security Policies
    • Shopping, trading, and contract management tools
    • Smartcard technology
    • Transactional Models
    • Trust and privacy issues in mobile commerce environments
    • Usability of security technologies and services
    • Trust and privacy issues in the cloud

  • NSPW 2012 New Security Paradigms Workshop, Bertinoro, Italy, September 19-21, 2012. (Submissions due 6 April 2012)

    The New Security Paradigms Workshop (NSPW) invites papers that address the current limitations of information security. Today's security risks are diverse and plentiful - botnets, database breaches, phishing attacks, targeted cyber attacks - and yet present tools for combating them are insufficient. To address these limitations, NSPW welcomes unconventional, promising approaches to important security problems and innovative critiques of current security theory and practice. We are particularly interested in perspectives from outside computer security, both from other areas of computer science (such as operating systems, human-computer interaction, databases, programming lan- guages, algorithms) and other sciences that study adversarial relationships such as biology and economics. We discourage papers that offer incremental improvements to security and mature work that is appropriate for standard information security venues. To facilitate research interactions, NSPW features informal paper presentations, extended discussions, shared activities, and group meals, all in the spectacular setting of Bertinoro, Italy. By encouraging researchers to think "outside the box" and giving them an opportunity to communicate with open-minded peers, NSPW seeks to foster paradigm shifts in the field of information security.

  • HealthSec 2012 3rd USENIX Workshop on Health Security and Privacy, Bellevue, WA, USA, August 6-7, 2012. (Submissions due 10 April 2012)

    The focus of HealthSec '12 will be on the development of new techniques and policies to ensure the privacy and security of next-generation healthcare systems and devices. HealthSec is intended as a forum for lively discussion of aggressively innovative and potentially disruptive ideas on all aspects of medical and health security and privacy. We strongly encourage cross-disciplinary interactions between fields, including, but not limited to, technology, medicine, and policy.

  • CloudSec 2012 4th International Workshop on Security in Cloud Computing, Held in conjunction with the 41st ICPP, Pittsburgh, PA, USA, September 12, 2012. (Submissions due 15 April 2012)

    Cloud Computing has generated interest from both industry and academia since 2007. As an extension of Grid Computing and Distributed Computing, Cloud Computing aims to provide users with flexible services in a transparent manner. Services are allocated in a cloud, which is a collection of devices and resources connected through the Internet. Before this paradigm can be widely accepted, the security, privacy and reliability provided by the services in the cloud must be well established. CloudSec 2012 will bring researchers and experts together to present and discuss the latest developments and technical solutions concerning various aspects of security issues in Cloud Computing. CloudSec 2012 seeks original unpublished papers focusing on theoretical analysis, emerging applications, novel system architecture construction and design, experimental studies, and social impacts of Cloud Computing. Both review/survey papers and technical papers are encouraged. CloudSec 2012 also welcomes short papers related to Security in Cloud Computing, which summarize speculative breakthroughs, work-in-progress, industry featured projects, open problems, new application challenges, visionary ideas, and preliminary studies. The topics include but are not limited to:

    • Emerging threats to Cloud-based services
    • Security model for new services
    • Security in Cloud-aware web service
    • Information hiding/encryption in Cloud Computing
    • Copyright protection in the Cloud
    • Securing distributed data storage in cloud
    • Privacy and security in Cloud Computing
    • Forensics in Cloud environments
    • Robust network architecture
    • Cloud Infrastructure Security
    • Intrusion detection/prevention
    • Denial-of-Service (DoS) attacks and defense
    • Robust job scheduling
    • Secure resource allocation and indexing
    • Secure payment for Cloud-aware services
    • User authentication in Cloud-aware services
    • Non-Repudiation solutions in the Cloud
    • Security for emerging Cloud programming models
    • Performance evaluation for security solutions
    • Testbed/Simulators for Cloud security research
    • Security hardware, i.e. hardware for encryption, etc.
    • Detection and prevention of hardware Trojans

  • STAST 2012 2nd International Workshop on Socio-Technical Aspects of Security and Trust, Co-located with Computer Security Foundation Symposium (CSF 2012), Harvard University, Cambridge, MA, USA, June 29, 2012. (Submissions due 15 April 2012)

    The workshop intends to foster an interdisciplinary discussion on how to model and analyse the socio-technical aspects of modern security systems and on how to protect such systems from socio-technical threats and attacks. We welcome experts in computer science, in social and behavioural sciences, philosophy and psychology. Relevant topics include but are not limited to:

    • Usability Analysis
    • System-User Interfaces
    • Psychology of Deception
    • Socio-Technical Attacks and Defences
    • User Perception of Security and Trust
    • Design of Socio-Technical Secure Systems
    • Cognitive Aspect in Human Computer Interaction
    • Human Practice
    • Behavioural Models
    • Social Engineering
    • Modelling and Analysis of Security
    • Ceremonies and Workflows
    • Game Theoretical Approaches to Security
    • Cyber Crime Science
    • Security Properties Specification and Verification
    • Threat and Adversary Models
    • Social Informatics and Networks
    • Effects of Technology on Trust Building Behaviour
    • Experiences and Test Cases

  • IEEE Signal Processing Magazine, Special Issue on Signal Processing in the Encrypted Domain: when Cryptography Meets Signal Processing, March, 2013, (Submission Due 15 April 2012)

    Editors: M. Barni (University of Siena, Italy), T. Kalker (Huawei, USA), and S. Katzenbeisser (Techn. Universität Darmstadt, Germany)

    Computing with signals that are encrypted or otherwise hidden (often referred to as S.P.E.D. for signal processing in the encrypted domain) is a fascinating challenge that has caught the attention of a large number of researchers. In the last 5 years theoretical and practical advances in this field have been impressive, thus contributing to bring S.P.E.D. technology closer to real life requirements. As a matter of fact, the usage of S.P.E.D. techniques in real-world applications starts being viable, at least in cases where a suitable trade-off between efficiency and security is possible. The goal of this special issue is to introduce the readers of the Signal Processing Magazine to this new exciting and challenging discipline, providing them with the basic primitives S.P.E.D. relies on, and presenting the latest developments in the field, with particular attention to the role that the signal processing community may play in this field. Tutorial and survey papers, as well as papers illustrating the applications of S.P.E.D. techniques in in selected scenarios are solicited.

  • SSS 2012 14th International Symposium on Stabilization, Safety, and Security of Distributed Systems, Toronto, Canada, October 1-4, 2012. (Submissions due 16 April 2012)

    The SSS symposium is a prestigious international forum for researchers and practitioners in the design and development of fault-tolerant distributed systems with self-* properties, such as self-stabilizing, self-configuring, self-organizing, self-managing, self-repairing, self-healing, self-optimizing, self-adaptive, and self-protecting systems. Research in distributed systems is now at a crucial point in its evolution, marked by the importance of dynamic systems such as cloud networks, social networks, peer-to-peer networks, large-scale wireless sensor networks, mobile ad hoc networks, etc., and many new applications such as grid and web services, banking and e-commerce, e-health and robotics, aerospace and avionics, automotive, industrial process control, etc. have joined the traditional applications of distributed systems.

  • CSET 2012 5th Workshop on Cyber Security Experimentation and Test, Bellevue, WA, USA, August 6, 2012. (Submissions due 19 April 2012)

    The science of cyber security is challenging for a number of reasons. Meeting these challenges requires transformational advances, including understanding of the relationship between scientific method and cyber security evaluation, advancing capabilities of underlying experimental infrastructure, and improving data usability. CSET invites submissions on the science of cyber security evaluation, as well as experimentation, measurement, metrics, data, and simulations as those subjects relate to computer and network security.

  • ProvSec 2012 6th International Conference on Provable Security, Chengdu, China, September 26-28, 2012. (Submissions due 20 April 2012)

    Provable security is an important research area in modern cryptography. Cryptographic primitives or protocols without a rigorous proof cannot be regarded as secure even in practice. In fact, there are many schemes that were originally thought as secure but eventually broken, which clearly indicates the need of formal security assurance. With provable security, we are confident in using cryptographic schemes and protocols in various real-world applications. Meanwhile, schemes with provable security sometimes give only theoretical feasibility rather than a practical construction, and correctness of the proofs may be difficult to verify. ProvSec conference thus provides a platform for researchers, scholars and practitioners to exchange new ideas for solving these problems in the provable security area. Topics include all aspects of provable security for cryptographic primitives or protocols, and include but are not limited to the following areas:

    • Cryptographic primitives
    • Digital signatures
    • Formal security model
    • Lattice-based security reductions
    • Pairing-based provably secure cryptography
    • Privacy and anonymity technologies
    • Provable secure block ciphers and hash functions
    • Secure cryptographic protocols and applications
    • Security notions, approaches, and paradigms
    • Steganography and steganalysis

  • ACM-CCS 2012 19th ACM Conference on Computer and Communications Security, Raleigh, North Carolina, USA, October 16-18, 2012. (Submissions due 4 May 2012)

    The annual ACM Computer and Communications Security Conference is a leading international forum for information security researchers, practitioners, developers, and users to explore cutting-edge ideas and results, and to exchange techniques, tools, and experiences. The conference seeks submissions from academia, government, and industry presenting novel research on all practical and theoretical aspects of computer and communications security. Papers should have relevance to the construction, evaluation, application, or operation of secure systems. Theoretical papers must make a convincing argument for the practical significance of the results. All topic areas related to computer and communications security are of interest and in scope. Accepted papers will be published by ACM Press in the conference proceedings. Outstanding papers will be invited for possible publication in a special issue of the ACM Transactions on Information and System Security.

  • LCN-SICK 2012 Workshop on Security in Communications Networks, Held in Conjunction with IEEE LCN 2012, Clearwater, FL, USA, October 22-25, 2012. (Submissions due 12 May 2012)

    Recent years have seen growth in the number of services and applications that enable groups of people and/or devices to communicate and collaborate in real-time. Often times, these groups are spontaneously formed based on a common interest or objective, have a limited life span and use one or more network technologies to connect group members with available resources and each other. Examples range from multi-player online games and video conferencing to the coordination of first responders at a crime scene or troops in a battlefield. Secure group communication is a difficult problem that needs to be addressed to guarantee the confidentiality, integrity, and availability of these applications. Challenges include user mobility, device heterogeneity, lack of infrastructure, cross domain interactions, as well as dynamic memberships without pre-configuration. The main purpose of this workshop is to promote further research interests and activities on Secure Group Communication. This workshop aims to increase the synergy between academic and industrial researchers working in this area. We are interested in experimental, systems-related, and work-in-progress papers in all aspects of Secure Group Communications.

  • CRITIS 2012 7th International Workshop on Critical Information Infrastructures Security, Radisson Blu Lillehammer Hotel, Turisthotellveien 6, 2609 Lillehammer, Norway, September 17-18, 2012. (Submissions due 15 May 2012)

    Critical key sectors of modern economies depend highly on Information and Communication Technologies (ICT). Disruption, disturbance or loss of information flowing through and processed by ICT infrastructures can, as well as incidents in the sector infrastructure itself, lead to various damages such as high economical, material, or ecological impact, loss of vital societal functions and social well-being of people, and in the most unfortunate cases loss of human lives. As a consequence the security, reliability and resilience of these infrastructures are critical for the society. The topic of Critical (Information) Infrastructure Protection (C(I)IP) is therefore a major objective for governments, companies and the research community of the major industrial countries worldwide. The CRITIS'12 conference is the well-established continuation of the series and aims to explore the new challenges posed by C(I)IP bringing together researchers and professionals from academia, industry and governmental agencies interested in all different aspects of C(I)IP. Especially promoted by CRITIS'12 are multi-disciplinary approaches within the scientific communities at national, European and global level. Authors are solicited to contribute to the conference by submitting research papers, work-in-progress reports, R&D project results, surveying works and industrial experiences describing significant advances in C(I)IP.

  • LISA 2012 26th Large Installation System Administration Conference, San Diego, CA, USA, December 9-14, 2012. (Submissions due 17 May 2012)

    The annual LISA conference is the meeting place of choice for system and network administrators and engineers; it is the crossroads of Web operations, DevOps, enterprise computing, educational computing, and research computing. The conference serves as a venue for a lively, diverse, and rich mix of technologists of all specialties and levels of expertise. LISA is the place to teach and learn new skills, debate current issues, and meet industry gurus, colleagues, and friends.

  • IEEE Transactions on Information Forensics and Security, Special Issue on Privacy and Trust Management in Cloud and Distributed Systems, June 1, 2013, (Submission Due 31 May 2012)

    Editors: Karl Aberer (École Polytechnique F&eactue;dérale de Lausanne, Switzerland), Sen-ching Samson Cheung (University of Kentucky, USA), Jayant Haritsa (Indian Institute of Science, India), Bill Horne (Hewlett-Packard Laboratories, USA), Kai Hwang (University of Southern California, USA), and Yan (Lindsay) Sun (University of Rhode Island, USA)

    With the increasing drive towards availability of data and services anytime anywhere, privacy risks have significantly increased. Unauthorized disclosure, modification, usage, or uncontrolled access to privacy-sensitive data may result in high human and financial costs. In the distributed computing environments, trust plays a crucial role in mitigating the privacy risk by guaranteeing meaningful interactions, data sharing, and communications. Trust management is a key enabling technology for security and privacy enhancement. While privacy preservation and trust management are already challenging problems, it is imperative to explore how privacy-oriented and trust-oriented approaches can integrate to bring new solutions in safeguarding information sharing and protecting critical cyber-infrastructure. Furthermore, there are questions about whether existing trust models and privacy preserving schemes are robust against attacks. This Call for Papers invites researchers to contribute original articles that cover a broad range of topics related to privacy preservation and trust management in cloud and distributed systems, with a focus on emerging networking contexts such as social media, cloud computing, and power grid systems. Example topics include but are not limited to:

    • Privacy Enhanced Technology: privacy preserving data mining, publishing, and disclosure; access control, anonymity, audit, and authentication; applied cryptography, cryptanalysis, and digital signatures in PET; abuse cases and threat modeling; theoretical models and formal methods; application of physical security for privacy enhancement.
    • Trust and Reputation Management: trust management architectures and trust models; quantitative metrics and computation; security of trust management protocols/systems; evaluation and test bed; trust related privacy enhancement solutions.
    • Privacy and Trust in Emerging Complex Systems including: social networking; cloud computing; power grid systems; sensor networks; Internet of Things; multimedia surveillance networks.
    • Other Related Topics such as trust and privacy policies; human factors and usability; censorship; economics of trust and privacy; behavior modeling.

  • IEEE Network Magazine, Special Issue on Cyber Security of Networked Critical Infrastructures, January 2013, (Submission Due 1 June 2012)

    Editors: Saeed Abu-Nimeh (Damballa Inc., USA), Ernest Foo (Queensland University of Technology Australia, Australia), Igor Nai Fovino (Global Cyber Security Center, Italy), Manimaran Govindarasu (Iowa State University, USA), and Tommy Morris (Mississippi State University, USA)

    The daily lives of millions of people depend on processing information and material through a network of critical infrastructures. Critical infrastructures include agriculture and food, water, public health, emergency services, government, the defense industrial base, information and telecommunications, energy, transportation and shipping, banking and finance, chemical industry and hazardous materials, post, national monuments and icons, and critical manufacturing. Disruption or disturbance of critical infrastructures can lead to economical and human losses. Additionally, the control network of most critical installations is integrated with broader information and communication systems, including the company business network. Most maintenance services on process control equipment are performed remotely. Further, the cyber security of critical infrastructure systems has come into focus recently as more of these systems are exposed to the Internet. Therefore, Critical Infrastructure Protection (CIP) has become a topic of interest for academics, industries, governments, and researchers in the recent years. A common theme among critical infrastructure is the dependence upon secure cyber systems for command and control. This special issue will focus on network aspects that impact the cyber security of Critical Infrastructure Protection and Resilience. Tutorial based manuscripts which cover recent advances in one or more of the topic areas below are requested. Topics may include (but are not limited to):

    • Security of supervisory control and data acquisition (SCADA) systems
    • Security of the smart grid
    • Cyber security of industrial control systems
    • Security of complex and distributed critical infrastructures
    • DNS and Internet Security (as critical infrastructures)
    • Security metrics, benchmarks, and data sets
    • Attack modeling, prevention, mitigation, and defense
    • Early warning and intrusion detection systems
    • Self-healing and self-protection systems
    • Advanced forensic methodologies
    • Cyber-physical systems security approaches and algorithms
    • Critical infrastructure security policies, standards and regulations
    • Vulnerability and risk assessment methodologies for distributed critical infrastructures
    • Simulation and testbeds for the security evaluation of critical infrastructures

  • Nordsec 2012 17th Nordic Conference in Secure IT Systems, Karlskrona, Sweden, October 31 - November 2, 2012. (Submissions due 4 June 2012)

    Since 1996, the NordSec conferences have brought together computer security researchers and practitioners from around the world, particular from the Nordic countries and Northern Europe. The conference focuses on applied IT security and is intended to encourage interaction between academic and industrial research. Contributions should reflect original research, developments, studies and practical experience within all areas of IT security. NordSec 2012 welcomes contributions over a broad range of topics in IT security, including, but not limited to, the following areas:

    • Applied Cryptography
    • Information Warfare & Cyber Security
    • Communication & Network Security
    • Wireless and Mobile Security
    • Computer Crime and Forensics
    • Hardware Security
    • Virtual Platform Security
    • Web and Cloud Security
    • Identity Management
    • Authentication and Biometrics
    • Firewalls and Intrusion Detection
    • New Ideas and Paradigms in Security
    • Operating System Security
    • PKI Systems and Key Escrow
    • Privacy & Anonymity
    • Security Education and Training
    • Security Evaluations and Assurance
    • Security Management and Audit
    • Social-Engineering and Phishing
    • Software and Application Security
    • Trust and Reputation Management

  • NSS 2012 6th International Conference on Network and System Security, Wu Yi Shan, Fujian, China, November 21-23, 2012. (Submissions due 15 June 2012)

    NSS is an annual international conference covering research in network and system security. The conference seeks submissions from academia, industry, and government presenting novel research on all theoretical and practical aspects of network security, privacy, applications security, and system security. Papers describing case studies, implementation experiences, and lessons learned are also encouraged. Topics of interest include but are not limited to:

    • Active Defense Systems
    • Hardware Security
    • Security in P2P systems
    • Adaptive Defense SystemsAnalysis
    • Benchmark of Security Systems
    • Identity Management
    • Intelligent Defense Systems
    • Security in Cloud and Grid Systems
    • Security in E-Commerce
    • Applied Cryptography
    • Authentication
    • Insider Threats
    • Intellectual Property Rights Protection
    • Security in Pervasive/Ubiquitous Computing
    • Security and Privacy in Smart Grid
    • Biometric Security
    • Complex Systems Security
    • Internet and Network Forensics
    • Intrusion Detection and Prevention
    • Secure Mobile Agents and Mobile Code
    • Security and Privacy in Wireless Networks
    • Database and System Security
    • Data Protection Key Distribution and Management
    • Large-scale Attacks and Defense Security Policy
    • Security Protocols
    • Data/System Integrity
    • Distributed Access Control
    • Malware
    • Network Resiliency
    • Security Simulation and Tools
    • Security Theory and Tools
    • Distributed Attack Systems
    • Network Security
    • Standards and Assurance Methods
    • Denial-of-Service
    • RFID Security and Privacy
    • Trusted Computing
    • High Performance
    • Network Virtualization
    • Security Architectures
    • Trust Management
    • High Performance Security Systems
    • Security for Critical Infrastructures
    • World Wide Web Security

  • IEEE Internet Computing, Track Articles on Computer Crime, 2012, (Submission will be accepted for this track from 15 July 2011 to 15 July 2012)

    Editors: Nasir Memon (New York University, USA) and Oliver Spatscheck (AT&T, USA)
    
    As the Internet has grown and extended its reach into every part of people's lives, it shouldn't be surprising that criminals have seized the opportunity to expand their activities into this new realm. This has been fostered in particular by the fact that the Internet was designed as an open and trusting environment. Unfortunately many of these architectural choices are fundamental to the Internet's success and current architecture and are therefore hard to overcome. Computer crime ranges from rather simple crimes such as theft of intellectual property or computer and network resources to complex cooperate espionage or even cyber terrorism. This special track for Internet Computing seeks original articles that cover computer crime as it relates to the Internet. Appropriate topics include:

    • trends and classification of criminal activities on the Internet;
    • computer crime prevention, including approaches implemented in user interfaces, end user systems, networks, or server infrastructure;
    • case studies of criminal activities;
    • computer forensics;
    • impact assessments of criminal activities on the Internet; and
    • new architectures to prevent Internet crime
    Track articles run one per issue for a single calendar year. Articles will be run in the order in which they are accepted for publication.

 

• The Technical Committee on Security and Privacy

 

• Staying in touch....

  • Information for Subscribers and Contributors

  • Who's where: recent address changes

  • Changing your email address?  Please send updates to cipher@ieee-security.org