Cipher Electronic Newsletter of the Technical Committe on    Security & Privacy A Technical Committee of the Computer Society of the IEEE  Electronic Issue (EI) 108,  June 10, 2012 Hilarie Orman,  Editor Book Reviews Sven Dietrich, Associate Editor Yong Guan, Calendar Editor

Contents:

• Letter from the Editor 
   

• Commentary and Opinion

  • Richard Austin's review of Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software by Michael Sikorski and Andrew Honig

  • NewsBits:  Announcements and correspondence from readers (please contribute!)

    • NIST requests comments on Cryptographic Key Management System Design
    • NSA publication discusses a "science of cybersecurity"
    • Pentagon contractors and cybersecurity measure
    • International espionage against US computer networks
    • Stuxnet, Obama, and Iran
    • Flame Finds the Weak Link in Microsoft's Certificate Chain
    • Debugging Code May Weaken FPGA Security
    • Utah Leaks Personal Data of Patients
    • LinkedIn Passwords "A-Salted"
    • Cybercrime Wave: What's the Cost?

  • Book reviews from past Cipher issues

  • Conference Reports and Commentary from past Cipher issues

  • News items from past Cipher issues

  • Past Cipher issues

 

• Listing of academic positions available  by Cynthia Irvine
  

• Conference and Workshop Announcements

  • Cipher calls-for-papers and calendar
      Calendar (the calls-for-papers and the calendar announcements may differ slightly in content or time of update): 

  • 5/31/12: IEEE Transactions on Information Forensics and Security, Special Issue on Privacy and Trust Management in Cloud and Distributed Systems; Submissions are due
  • 6/ 1/12: IEEE Network Magazine, Special Issue on Cyber Security of Networked Critical Infrastructures; Submissions are due
  • 6/ 4/12: Nordsec, 17th Nordic Conference in Secure IT Systems, Karlskrona, Sweden; Submissions are due
  • 6/ 4/12- 6/ 6/12: SEC, 27th IFIP International Information Security and Privacy Conference, Creta Maris Hotel, Heraklion, Crete, Greece
  • 6/ 6/12- 6/ 8/12: HAISA, 6th International Symposium on Human Aspects of Information Security and Assurance, Hersonissos, Crete, Greece
  • 6/ 6/12- 6/ 8/12: WDFIA, 7th International Workshop on Digital Forensics and Incident Analysis, Hersonissos, Crete, Greece
  • 6/10/12- 6/15/12: SFCS, 1st IEEE International Workshop on Security and Forensics in Communication Systems, Held in conjunction with IEEE ICC 2012, Ottawa, Canada
  • 6/15/12: NSS, 6th International Conference on Network and System Security, Wu Yi Shan, Fujian, China; Submissions are due
  • 6/15/12: HICSS-CSS, 46th HAWAII International Conference on System Sciences, Internet and the Digital Economy Track, Cybercrime and Security Strategy Mini-track, Grand Wailea, Maui, Hawaii, USA; Submissions are due
  • 6/18/12- 6/21/12: ICDCS-NFSP, 1st International Workshop on Network Forensics, Security and Privacy, Held in conjunction with ICDCS 2012, Macau, China
  • 6/18/12- 6/21/12: ICDCS-SPCC, 3rd International Workshop on Security and Privacy in Cloud Computing, Held in conjunction with ICDCS 2012, Macau, China
  • 6/19/12- 6/22/12: WISTP, 6th Workshop on Information Security Theory and Practice, London, UK
  • 6/20/12- 6/22/12: SACMAT, 17th ACM Symposium on Access Control Models and Technologies, Newark, NJ, USA
  • 6/22/12: GameSec, 3rd Conference on Decision and Game Theory for Security, Budapest, Hungary; Submissions are due
  • 6/24/12: WIFS, IEEE International Workshop on Information Forensics and Security, Tenerife, Spain; Submissions are due
  • 6/25/12: DSPAN, 3rd IEEE Workshop on Data Security and PrivAcy in wireless Networks, Held in conjunction with The Thirteenth International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM 2012), San Francisco, CA, USA
  • 6/25/12- 6/27/12: Mobisec, 4th International Conference on Security and Privacy in Mobile Information and Communication Systems, Frankfurt, Germany
  • 6/25/12- 6/27/12: eGSSN, International Workshop on Trust, Security and Privacy in e-Government, e-Systems & Social Networking, Held in conjunction with the 11th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom 2012), Liverpool, UK
  • 6/26/12- 6/28/12: DFIS, 6th International Symposium on Digital Forensics and Information Security, Vancouver, Canada
  • 6/26/12- 6/29/12: ACNS, 10th International Conference on Applied Cryptography and Network Security, Singapore
  • 6/29/12: STAST, 2nd International Workshop on Socio-Technical Aspects of Security and Trust, Co-located with Computer Security Foundation Symposium (CSF 2012), Harvard University, Cambridge, MA, USA
  • 7/ 2/12: NPSec, 7th Workshop on Secure Network Protocols, Austin, Texas, USA; Submissions are due
  • 7/ 4/12: SAEPOG, Secure Autonomous Electric Power Grids Workshop, Co-located with the Sixth IEEE International Conference on Self-Adaptive and Self-Organizing Systems (SASO 2012), Lyon, France; Submissions are due
  • 7/ 9/12: RFIDsec-Asia, Workshop on RFID and IoT Security, Taipei, Taiwan; Submissions are due
  • 7/11/12- 7/13/12: PETS, 12th Privacy Enhancing Technologies Symposium, Vigo, Spain
  • 7/13/12: ICISS, 8th International Conference on Information Systems Security, Guwahati, India; Submissions are due
  • 7/15/11- 7/15/12: IEEE Internet Computing, Track Articles on Computer Crime; Submissions are due
  • 7/16/12: CCSW, ACM Cloud Computing Security Workshop, Held in conjunction with ACM CCS 2012, Sheraton Raleigh Hotel, Raleigh, NC, USA; Submissions are due
  • 7/16/12: STC, 7th ACM Workshop on Scalable Trusted Computing, Held in conjunction with ACM CCS 2012, Sheraton Raleigh Hotel, Raleigh, NC, USA; Submissions are due
  • 7/16/12: AISec, 5th ACM Workshop on Artificial Intelligence and Security, Held in conjunction with ACM CCS 2012, Sheraton Raleigh Hotel, Raleigh, NC, USA; Submissions are due
  • 7/16/12: BADGERS, ACM Workshop on Building Analysis Datasets and Gathering Experience Returns for Security, Held in conjunction with ACM CCS 2012, Sheraton Raleigh Hotel, Raleigh, NC, USA; Submissions are due
  • 7/16/12- 7/20/12: SAPSE, 4th IEEE International Workshop on Security Aspects of Process and Services Engineering, Held in conjunction with the IEEE Signature Conference on Computers, Software, and Applications (COMPSAC 2012), Izmir, Turkey
  • 7/18/12- 7/19/12: LASER, Workshop on Learning from Authoritative Security Experiment Results, Arlington, VA, USA
  • 7/24/11- 7/27/12: SECRYPT, 9th International Conference on Security and Cryptography, Rome, Italy
  • 7/30/11- 8/ 2/12: SecIoT, Workshop on the Security of the Internet of Things, Munich, Germany
  • 8/ 1/12: NDSS, 20th Annual Network and Distributed System Security Symposium, Catamaran Resort Hotel and Spa San Diego, California, USA; Submissions are due
  • 8/ 3/12: eCrime-Summit, 7th IEEE eCrime Researchers Summit, Held in conjunction with the 2012 APWG General Meeting, Las Croabas, Puerto Rico; Submissions are due
  • 8/ 6/12: CSET, 5th Workshop on Cyber Security Experimentation and Test, Bellevue, WA, USA
  • 8/ 6/12- 8/ 7/12: HealthSec, 3rd USENIX Workshop on Health Security and Privacy, Bellevue, WA, USA
  • 8/ 8/12- 8/10/12: USENIX-Security, 21st USENIX Security Symposium, Bellevue, WA, USA
  • 8/20/12- 8/24/12: SecSE, 6th International Workshop on Secure Software Engineering, Held in conjunction with ARES 2012, Prague, Czech Republic
  • 8/20/12- 8/24/12: WSDF, 5th International Workshop on Digital Forensics, Held in conjunction with ARES 2012, Prague, Czech Republic
  • 8/20/12- 8/24/12: MoCrySEn, 1st International Workshop on Modern Cryptography and Security Engineering, Held in conjunction with ARES 2012, Prague, Czech Republic
  • 9/ 3/12- 9/ 7/12: TrustBus, 9th International Conference on Trust, Privacy, and Security in Digital Business, Held in conjunction with DEXA 2012, Vienna University of Technology, Austria
  • 9/ 9/12- 9/12/12: CHES, IACR Workshop on Cryptographic Hardware and Embedded Systems, Leuven, Belgium
  • 9/10/12: SAEPOG, Secure Autonomous Electric Power Grids Workshop, Co-located with the Sixth IEEE International Conference on Self-Adaptive and Self-Organizing Systems (SASO 2012), Lyon, France
  • 9/12/12: CloudSec, 4th International Workshop on Security in Cloud Computing, Held in conjunction with the 41st ICPP, Pittsburgh, PA, USA
  • 9/17/12- 9/18/12: CRITIS, 7th International Workshop on Critical Information Infrastructures Security, Radisson Blu Lillehammer Hotel, Turisthotellveien 6, 2609 Lillehammer, Norway
  • 9/19/12- 9/21/12: NSPW, New Security Paradigms Workshop, Bertinoro, Italy
  • 9/26/12- 9/28/12: ProvSec, 6th International Conference on Provable Security, Chengdu, China
  • 9/30/12: ESSoS, 5th International Symposium on Engineering Secure Software and Systems, Paris, France; Submissions are due
  • 10/ 1/12: IEEE Network Magazine, Special Issue on Security in Cognitive Radio Networks; Submissions are due
  • 10/ 1/12-10/ 4/12: SSS, 14th International Symposium on Stabilization, Safety, and Security of Distributed Systems, Toronto, Canada
  • 10/ 8/12-10/11/12: SRDS, 31st International Symposium on Reliable Distributed Systems, Irvine, California, USA
  • 10/13/12: FC, 17th International Conference on Financial Cryptography and Data Security, Bankoku Shinryokan, Busena Terrace Beach Resort, Okinawa, Japan; Submissions are due
  • 10/15/12: BADGERS, ACM Workshop on Building Analysis Datasets and Gathering Experience Returns for Security, Held in conjunction with ACM CCS 2012, Sheraton Raleigh Hotel, Raleigh, NC, USA
  • 10/16/12-10/18/12: ACM-CCS, 19th ACM Conference on Computer and Communications Security, Raleigh, North Carolina, USA
  • 10/19/12: CCSW, ACM Cloud Computing Security Workshop, Held in conjunction with ACM CCS 2012, Sheraton Raleigh Hotel, Raleigh, NC, USA
  • 10/19/12: STC, 7th ACM Workshop on Scalable Trusted Computing, Held in conjunction with ACM CCS 2012, Sheraton Raleigh Hotel, Raleigh, NC, USA
  • 10/19/12: AISec, 5th ACM Workshop on Artificial Intelligence and Security, Held in conjunction with ACM CCS 2012, Sheraton Raleigh Hotel, Raleigh, NC, USA
  • 10/22/12-10/25/12: LCN-SICK, Workshop on Security in Communications Networks, Held in Conjunction with IEEE LCN 2012, Clearwater, FL, USA
  • 10/23/12-10/24/12: eCrime-Summit, 7th IEEE eCrime Researchers Summit, Held in conjunction with the 2012 APWG General Meeting, Las Croabas, Puerto Rico
  • 10/30/12: NPSec, 7th Workshop on Secure Network Protocols, Austin, Texas, USA
  • 10/31/12-11/ 2/12: Nordsec, 17th Nordic Conference in Secure IT Systems, Karlskrona, Sweden
  • 11/ 5/12-11/ 6/12: GameSec, 3rd Conference on Decision and Game Theory for Security, Budapest, Hungary
  • 11/ 8/12-11/ 9/12: RFIDsec-Asia, Workshop on RFID and IoT Security, Taipei, Taiwan
  • 11/21/12-11/23/12: NSS, 6th International Conference on Network and System Security, Wu Yi Shan, Fujian, China
  • 12/ 2/12-12/ 5/12: WIFS, IEEE International Workshop on Information Forensics and Security, Tenerife, Spain
  • 12/ 9/12-12/14/12: LISA, 26th Large Installation System Administration Conference, San Diego, CA, USA
  • 12/15/12-12/19/12: ICISS, 8th International Conference on Information Systems Security, Guwahati, India
  • 1/ 7/13- 1/ 10/13: HICSS-CSS, 46th HAWAII International Conference on System Sciences, Internet and the Digital Economy Track, Cybercrime and Security Strategy Mini-track, Grand Wailea, Maui, Hawaii, USA
  • 2/24/13- 2/27/13: NDSS, 20th Annual Network and Distributed System Security Symposium, Catamaran Resort Hotel and Spa San Diego, California, USA
  • 2/27/13- 3/ 1/13: ESSoS, 5th International Symposium on Engineering Secure Software and Systems, Paris, France
  • 4/ 1/13- 4/ 5/13: FC, 17th International Conference on Financial Cryptography and Data Security, Bankoku Shinryokan, Busena Terrace Beach Resort, Okinawa, Japan
   
  • new calls or announcements added since Cipher E107

  • IEEE Transactions on Information Forensics and Security, Special Issue on Privacy and Trust Management in Cloud and Distributed Systems, June 1, 2013, (Submission Due 31 May 2012)

    Editors: Karl Aberer (École Polytechnique Fédérale de Lausanne, Switzerland), Sen-ching Samson Cheung (University of Kentucky, USA), Jayant Haritsa (Indian Institute of Science, India), Bill Horne (Hewlett-Packard Laboratories, USA), Kai Hwang (University of Southern California, USA), and Yan (Lindsay) Sun (University of Rhode Island, USA)

    With the increasing drive towards availability of data and services anytime anywhere, privacy risks have significantly increased. Unauthorized disclosure, modification, usage, or uncontrolled access to privacy-sensitive data may result in high human and financial costs. In the distributed computing environments, trust plays a crucial role in mitigating the privacy risk by guaranteeing meaningful interactions, data sharing, and communications. Trust management is a key enabling technology for security and privacy enhancement. While privacy preservation and trust management are already challenging problems, it is imperative to explore how privacy-oriented and trust-oriented approaches can integrate to bring new solutions in safeguarding information sharing and protecting critical cyber-infrastructure. Furthermore, there are questions about whether existing trust models and privacy preserving schemes are robust against attacks. This Call for Papers invites researchers to contribute original articles that cover a broad range of topics related to privacy preservation and trust management in cloud and distributed systems, with a focus on emerging networking contexts such as social media, cloud computing, and power grid systems. Example topics include but are not limited to:

    • Privacy Enhanced Technology: privacy preserving data mining, publishing, and disclosure; access control, anonymity, audit, and authentication; applied cryptography, cryptanalysis, and digital signatures in PET; abuse cases and threat modeling; theoretical models and formal methods; application of physical security for privacy enhancement.
    • Trust and Reputation Management: trust management architectures and trust models; quantitative metrics and computation; security of trust management protocols/systems; evaluation and test bed; trust related privacy enhancement solutions.
    • Privacy and Trust in Emerging Complex Systems including: social networking; cloud computing; power grid systems; sensor networks; Internet of Things; multimedia surveillance networks.
    • Other Related Topics such as trust and privacy policies; human factors and usability; censorship; economics of trust and privacy; behavior modeling.

  • IEEE Network Magazine, Special Issue on Cyber Security of Networked Critical Infrastructures, January 2013, (Submission Due 1 June 2012)

    Editors: Saeed Abu-Nimeh (Damballa Inc., USA), Ernest Foo (Queensland University of Technology Australia, Australia), Igor Nai Fovino (Global Cyber Security Center, Italy), Manimaran Govindarasu (Iowa State University, USA), and Tommy Morris (Mississippi State University, USA)

    The daily lives of millions of people depend on processing information and material through a network of critical infrastructures. Critical infrastructures include agriculture and food, water, public health, emergency services, government, the defense industrial base, information and telecommunications, energy, transportation and shipping, banking and finance, chemical industry and hazardous materials, post, national monuments and icons, and critical manufacturing. Disruption or disturbance of critical infrastructures can lead to economical and human losses. Additionally, the control network of most critical installations is integrated with broader information and communication systems, including the company business network. Most maintenance services on process control equipment are performed remotely. Further, the cyber security of critical infrastructure systems has come into focus recently as more of these systems are exposed to the Internet. Therefore, Critical Infrastructure Protection (CIP) has become a topic of interest for academics, industries, governments, and researchers in the recent years. A common theme among critical infrastructure is the dependence upon secure cyber systems for command and control. This special issue will focus on network aspects that impact the cyber security of Critical Infrastructure Protection and Resilience. Tutorial based manuscripts which cover recent advances in one or more of the topic areas below are requested. Topics may include (but are not limited to):

    • Security of supervisory control and data acquisition (SCADA) systems
    • Security of the smart grid
    • Cyber security of industrial control systems
    • Security of complex and distributed critical infrastructures
    • DNS and Internet Security (as critical infrastructures)
    • Security metrics, benchmarks, and data sets
    • Attack modeling, prevention, mitigation, and defense
    • Early warning and intrusion detection systems
    • Self-healing and self-protection systems
    • Advanced forensic methodologies
    • Cyber-physical systems security approaches and algorithms
    • Critical infrastructure security policies, standards and regulations
    • Vulnerability and risk assessment methodologies for distributed critical infrastructures
    • Simulation and testbeds for the security evaluation of critical infrastructures

  • Nordsec 2012 17th Nordic Conference in Secure IT Systems, Karlskrona, Sweden, October 31 - November 2, 2012. (Submissions due 4 June 2012)

    Since 1996, the NordSec conferences have brought together computer security researchers and practitioners from around the world, particular from the Nordic countries and Northern Europe. The conference focuses on applied IT security and is intended to encourage interaction between academic and industrial research. Contributions should reflect original research, developments, studies and practical experience within all areas of IT security. NordSec 2012 welcomes contributions over a broad range of topics in IT security, including, but not limited to, the following areas:

    • Applied Cryptography
    • Information Warfare & Cyber Security
    • Communication & Network Security
    • Wireless and Mobile Security
    • Computer Crime and Forensics
    • Hardware Security
    • Virtual Platform Security
    • Web and Cloud Security
    • Identity Management
    • Authentication and Biometrics
    • Firewalls and Intrusion Detection
    • New Ideas and Paradigms in Security
    • Operating System Security
    • PKI Systems and Key Escrow
    • Privacy & Anonymity
    • Security Education and Training
    • Security Evaluations and Assurance
    • Security Management and Audit
    • Social-Engineering and Phishing
    • Software and Application Security
    • Trust and Reputation Management

  • NSS 2012 6th International Conference on Network and System Security, Wu Yi Shan, Fujian, China, November 21-23, 2012. (Submissions due 15 June 2012)

    NSS is an annual international conference covering research in network and system security. The conference seeks submissions from academia, industry, and government presenting novel research on all theoretical and practical aspects of network security, privacy, applications security, and system security. Papers describing case studies, implementation experiences, and lessons learned are also encouraged. Topics of interest include but are not limited to:

    • Active Defense Systems
    • Hardware Security
    • Security in P2P systems
    • Adaptive Defense SystemsAnalysis
    • Benchmark of Security Systems
    • Identity Management
    • Intelligent Defense Systems
    • Security in Cloud and Grid Systems
    • Security in E-Commerce
    • Applied Cryptography
    • Authentication
    • Insider Threats
    • Intellectual Property Rights Protection
    • Security in Pervasive/Ubiquitous Computing
    • Security and Privacy in Smart Grid
    • Biometric Security
    • Complex Systems Security
    • Internet and Network Forensics
    • Intrusion Detection and Prevention
    • Secure Mobile Agents and Mobile Code
    • Security and Privacy in Wireless Networks
    • Database and System Security
    • Data Protection Key Distribution and Management
    • Large-scale Attacks and Defense Security Policy
    • Security Protocols
    • Data/System Integrity
    • Distributed Access Control
    • Malware
    • Network Resiliency
    • Security Simulation and Tools
    • Security Theory and Tools
    • Distributed Attack Systems
    • Network Security
    • Standards and Assurance Methods
    • Denial-of-Service
    • RFID Security and Privacy
    • Trusted Computing
    • High Performance
    • Network Virtualization
    • Security Architectures
    • Trust Management
    • High Performance Security Systems
    • Security for Critical Infrastructures
    • World Wide Web Security

  • HICSS-CSS 2013 46th HAWAII International Conference on System Sciences, Internet and the Digital Economy Track, Cybercrime and Security Strategy Mini-track, Grand Wailea, Maui, Hawaii, USA, January 7 - 10, 2013. (Submissions due 15 June 2012)

    We invite you to submit a paper for mini-track "Cybercrime and Security Strategy" scheduled for the 46th Hawaii International Conference on System Sciences (HICSS). The diffusion of computer technologies worldwide has resulted in an unprecedented global expansion of computer-based criminal activity. There appears to be a need for research into cybercrime activities, and their causes. At the same time, it has become imperative to effectively protect information assets. The endeavor of this mini-track is to also enhance understanding about the issues associated with information security strategy. Few topics of interest include (but not limited to):

    • Cyber crime activities, and their motivations
    • Cyber security policy
    • Cyber-infrastructure protection
    • Legal and ethical challenges to cyber crime
    • Digital forensics
    • Cyber crime and societal implications
    • Information security strategy
    • Planning for information security
    • Organizational barriers to security
    • Understanding security culture

  • GameSec 2012 3rd Conference on Decision and Game Theory for Security, Budapest, Hungary, November 5-6, 2012. (Submissions due 22 June 2012)

    The conference will explore security as a multifaceted economic problem by considering the complexities of the underlying technical infrastructure, and human and social factors. Securing resources involves decision making on multiple levels and multiple time scales, given the limited resources available to both malicious attackers and administrators defending networked systems. The GameSec conference aims to bring together researchers who are working on the theoretical foundations and behavioral aspects of enhancing security capabilities in a principled manner. Previous GameSec contributions included analytic models based on game, information, communication, optimization, decision, and control theories that were applied to diverse security topics. In addition, we welcome research that highlights the connection between economic incentives and real world security, reputation, trust and privacy problems. The conference is soliciting full and short papers on all economic aspects of security and privacy. Submitted papers will be evaluated based on their significance, originality, technical quality, and exposition. They should clearly establish the research contribution, their relevance to security and privacy, and their relation to prior research. General theoretic contributions are welcome if they discuss potential scenarios of application in the areas of security and privacy.

  • WIFS 2012 IEEE International Workshop on Information Forensics and Security, Tenerife, Spain, December 2-5, 2012. (Submissions due 24 June 2012)

    The IEEE International Workshop on Information Forensics and Security (WIFS) is the primary annual event organized by the IEEE's Information Forensics and Security Technical Committee (IEEE IFS TC). Being the main annual event organized by IEEE IFS TC, the scope of WIFS is broader than other more specific conferences, and it represents the most prominent venue for researchers to exchange ideas and identify potential areas of collaboration. Focusing on these targets, the conference will feature three keynote speakers, up to four tutorials, a track of lecture and poster sessions.

  • NPSec 2012 7th Workshop on Secure Network Protocols, Austin, Texas, USA, October 30, 2012. (Submissions due 2 July 2012)

    NPSec focuses on two general areas. The first focus is on the development and analysis of secure or hardened protocols for the operation (establishment and maintenance) of network infrastructure, including such targets as secure multidomain, ad hoc, sensor or overlay networks, or other related target areas. This can include new protocols, enhancements to existing protocols, protocol analysis, and new attacks on existing protocols. The second focus is on employing such secure network protocols to create or enhance network applications. Examples include collaborative firewalls, incentive strategies for multiparty networks, and deployment strategies to enable secure applications. Papers of special merit might be considered for fast track publication in the Computer Communications journal.

  • SAEPOG 2012 Secure Autonomous Electric Power Grids Workshop, Co-located with the Sixth IEEE International Conference on Self-Adaptive and Self-Organizing Systems (SASO 2012), Lyon, France, September 10, 2012. (Submissions due 4 July 2012)

    Electric energy grids worldwide are becoming smarter and more adaptive to efficiently bring power from a wide variety of production technologies to a broad consumer base. With this increase in complexity and adaptivity we see an ever-increasing demand for predictable power availability and cost-optimizing control of power consumption (and local generation where available) among consumers. "Security" in the grid has many dimensions, from protecting national resources against human adversaries to simply guaranteeing the availability of power to customers. This workshop is concerned with creating autonomous electric power grids that are secure in all senses of the word.

    Traditional power management models rely heavily on a centralized authority to dispatch generation and curtail load without any means for consumers to affect the decision process. The increasing dependence on renewable sources of energy invalidates the currently prevailing paradigm "supply follows demand" for energy management, since power generation from wind or solar panels is not controllable and only partially predictable. The resulting new paradigm "demand follows supply" inherently depends on the discovery and exploitation of demand flexibility which implies the necessity of a decentralized energy information system with distributed system intelligence for power management and control. Obviously, distributed control also implies potential security concerns for the system and those who rely on it.

    This situation calls for power generation, storage, and distribution systems that are "aware" of the supply and demand situation and can adapt the load automatically, quickly, and stably. This workshop, will examine how autonomous self-adaptive and self-organizing systems may be designed for energy management and control in the future smart grid ranging from national or international high-voltage transportation systems to low-voltage local distribution systems. We will also consider smart combination with other networks like natural gas or thermal grids. We will discuss how existing systems can be made more autonomic (e.g., self-*) and how the designers of new systems can ensure that these systems deliver power within design constraints reliably.

    The important management challenge is to create dependable, decentralized control and collaboration of the many stakeholders like transportation system operators, distribution system operators and demand-side managers. This is a highly complex system whose complexity is not determined merely by its size. Future power grids are loosely integrated cyber-physical-human systems that combine traditional power control with smart information, communication, and technology, etc. The daunting security and management challenges that arise from these interdependent couplings will require much research for many years to come.

  • RFIDsec-Asia 2012 Workshop on RFID and IoT Security, Taipei, Taiwan, November 8-9, 2012. (Submissions due 9 July 2012)

    The workshop series of RFIDsec Asia, the Asia branch of RFIDsec, aims to provide researchers, enterprises and governments a platform to investigate, discuss and propose new solutions on security and privacy issues of RFID/IoT (Internet of Things) technologies and applications. Papers with original research in theory and practical system design concerning RFID/IoT security are solicited. Topics of the workshop include but are not limited to:

    • New applications for secure RFID/ IoT systems
    • Data integrity and privacy protection techniques for RFID/ IoT
    • Attacks and countermeasures on RFID/IoT systems
    • Design and analysis on secure RFID/IoT hardware
    • Risk assessment and management on RFID/IoT applications
    • Trust model, data aggregation and information sharing for EPCglobal network and sensor network
    • Resource-efficient implementation of cryptography
    • Integration of secure RFID/IoT systems
    • Cryptographic protocols for RFID/IoT systems

  • ICISS 2012 8th International Conference on Information Systems Security, Guwahati, India, December 15-19, 2012. (Submissions due 13 July 2012)

    The conference series ICISS provides a forum for disseminating latest research results in information and systems security. Submissions are encouraged from academia, industry and government addressing theoretical and practical problems in information and systems security and related areas. Research community and academics are invited to submit theoretical and application oriented full and short papers making a significant research contribution on Information Systems Security. Papers with original research and unpublished work are to be submitted. Topics of interest include (but not limited to):

    • Application Security
    • Formal Methods in Security
    • Operating System Security
    • Authentication and Access Control
    • Intrusion Detection, Prevention & Response
    • Privacy and Anonymity
    • Biometric Security
    • Intrusion Tolerance and Recovery
    • Security in P2P, Sensor and Ad Hoc Networks
    • Data Security
    • Key Management and Cryptographic Protocols
    • Software Security
    • Digital Forensics and Diagnostics
    • Language-based Security
    • Vulnerability Detection and Mitigation
    • Digital Rights Management
    • Malware Analysis and Mitigation
    • Web Security
    • Distributed System Security
    • Network Security

  • IEEE Internet Computing, Track Articles on Computer Crime, 2012, (Submission will be accepted for this track from 15 July 2011 to 15 July 2012)

    Editors: Nasir Memon (New York University, USA) and Oliver Spatscheck (AT&T, USA)
    
    As the Internet has grown and extended its reach into every part of people's lives, it shouldn't be surprising that criminals have seized the opportunity to expand their activities into this new realm. This has been fostered in particular by the fact that the Internet was designed as an open and trusting environment. Unfortunately many of these architectural choices are fundamental to the Internet's success and current architecture and are therefore hard to overcome. Computer crime ranges from rather simple crimes such as theft of intellectual property or computer and network resources to complex cooperate espionage or even cyber terrorism. This special track for Internet Computing seeks original articles that cover computer crime as it relates to the Internet. Appropriate topics include:

    • trends and classification of criminal activities on the Internet;
    • computer crime prevention, including approaches implemented in user interfaces, end user systems, networks, or server infrastructure;
    • case studies of criminal activities;
    • computer forensics;
    • impact assessments of criminal activities on the Internet; and
    • new architectures to prevent Internet crime
    Track articles run one per issue for a single calendar year. Articles will be run in the order in which they are accepted for publication.

  • CCSW 2012 ACM Cloud Computing Security Workshop, Held in conjunction with ACM CCS 2012, Sheraton Raleigh Hotel, Raleigh, NC, USA, October 19, 2012. (Submissions due 16 July 2012)

    Notwithstanding the latest buzzword (grid, cloud, utility computing, SaaS, etc.), large-scale computing and cloud-like infrastructures are here to stay. How exactly they will look like tomorrow is still for the markets to decide, yet one thing is certain: clouds bring with them new untested deployment and associated adversarial models and vulnerabilities. It is essential that our community becomes involved at this early stage. The CCSW workshop aims to bring together researchers and practitioners in all security aspects of cloud-centric and outsourced computing, including:

    • practical cryptographic protocols for cloud security
    • secure cloud resource virtualization mechanisms
    • secure data management outsourcing (e.g., database as a service)
    • practical privacy and integrity mechanisms for outsourcing
    • foundations of cloud-centric threat models
    • secure computation outsourcing
    • remote attestation mechanisms in clouds
    • sandboxing and VM-based enforcements
    • trust and policy management in clouds
    • secure identity management mechanisms
    • new cloud-aware web service security paradigms and mechanisms
    • cloud-centric regulatory compliance issues and mechanisms
    • business and security risk models and clouds
    • cost and usability models and their interaction with security in clouds
    • scalability of security in global-size clouds
    • trusted computing technology and clouds
    • binary analysis of software for remote attestation and cloud protection
    • network security (DOS, IDS etc.) mechanisms for cloud contexts
    • security for emerging cloud programming models
    • energy/cost/efficiency of security in clouds

  • STC 2012 7th ACM Workshop on Scalable Trusted Computing, Held in conjunction with ACM CCS 2012, Sheraton Raleigh Hotel, Raleigh, NC, USA, October 19, 2012. (Submissions due 16 July 2012)

    Built on the continuous success of ACM STC 2006-2011, this workshop focuses on fundamental technologies of trusted and high assurance computing and its applications in large-scale systems with varying degrees of trust. The workshop is intended to serve as a forum for researchers as well as practitioners to disseminate and discuss recent advances and emerging issues. The workshop solicits two types of original papers: full papers and short/work-in-progress/position-papers. A paper submitted to this workshop must not be in parallel submission to any other journal, magazine, conference or workshop with proceedings. Topics of interests include but not limited to:

    • security policies and models of trusted computing
    • architecture and implementation technologies for trusted platform
    • limitations, alternatives and tradeoffs regarding trusted computing
    • trusted computing in cloud and data center
    • cloud-based attestation services
    • trusted smartphone devices and systems
    • trust in smart grid, energy, and Internet of Things
    • trusted emerging and future Internet infrastructure
    • trusted online social network
    • trust in authentications, users and computing services
    • hardware based trusted computing
    • software based trusted computing
    • pros and cons of hardware based approach
    • remote attestation of trusted devices
    • censorship-freeness in trusted computing
    • cryptographic support in trusted computing
    • case study in trusted computing
    • principles for handling scales
    • scalable trust supports and services in cloud
    • trusted embedded computing and systems
    • virtualization and trusted computing

  • AISec 2012 5th ACM Workshop on Artificial Intelligence and Security, Held in conjunction with ACM CCS 2012, Sheraton Raleigh Hotel, Raleigh, NC, USA, October 19, 2012. (Submissions due 16 July 2012)

    The applications of artificial intelligence, machine learning, and data mining for security and privacy problems continue to grow. One recent trend is the growth of Big Data Analytics and the establishment of Security Information and Event Management systems built to obtain security intelligence and situational awareness. With the advent of cloud computing, every advantage the cloud offers, such as large-scale machine learning and data-driven abuse detection, is being leveraged to improve security. We invite original research papers describing the use of AI or machine learning in security and privacy problems. We also invite position and open problem papers discussing the role of AI or machine learning in security and privacy. Submitted papers of these types may not substantially overlap papers that have been published previously or that are simultaneously submitted to a journal or conference/workshop proceedings. Finally we welcome a new systematization of knowledge category of papers this year, which should distill the AI or machine learning contributions of a previously published series of security papers. Topics of interest include, but are not limited to:

    • Adversarial Learning
    • Robust Statistics
    • Online Learning
    • Computer Forensics
    • Spam detection
    • Botnet detection
    • Intrusion detection
    • Malware identification
    • Big data analytics for security
    • Adaptive side-channel attacks
    • Privacy-preserving data mining
    • Design and analysis of CAPTCHAs
    • Phishing detection and prevention
    • AI approaches to trust and reputation
    • Vulnerability testing through intelligent probing (e.g. fuzzing)
    • Content-driven security policy management & access control
    • Techniques and methods for generating training and test sets
    • Anomalous behavior detection (e.g. for the purposes of fraud prevention, authentication)

  • BADGERS 2012 ACM Workshop on Building Analysis Datasets and Gathering Experience Returns for Security, Held in conjunction with ACM CCS 2012, Sheraton Raleigh Hotel, Raleigh, NC, USA, October 15, 2012. (Submissions due 16 July 2012)

    The BADGERS workshop is concerned with the use of Big Data for security and is intended to report on initiatives for Internet-scale security-related data collection and analysis. It will provide an environment to describe existing real-world, large-scale datasets, and to share with the security community the return on experiences acquired by analyzing such collected data. Furthermore, novel approaches to collect and study such data sets are welcome. Main topics of interest:

    • scalable data collection from networks, hosts, or applications
    • real-time gathering and aggregation of diverse sets of raw data
    • summarization of raw data with respect to security goals
    • attack-resilient data collection
    • characterization of dataset external validity
    • scalability of security analysis with data volume
    • scalability of security analysis with concurrent-attack volume
    • combined historical and real-time security analysis
    • evaluating result accuracy for large datasets
    • real-time, incremental anonymization for data sharing
    • successful, failed, and novel models of data sharing
    • sharing of analysis results and supporting data
    • Internet-scale sharing of security knowledge
    • legal issues around data collection and sharing

  • NDSS 2013 20th Annual Network and Distributed System Security Symposium, Catamaran Resort Hotel and Spa San Diego, California, USA, February 24-27, 2013. (Submissions due 1 August 2012)

    The Network and Distributed System Security Symposium fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available network and distributed systems security technologies. Special emphasis will be made to accept papers in the core theme of network and distributed systems security. Consequently, papers that cover networking protocols and distributed systems algorithms are especially invited to be submitted. Moreover, practical papers in these areas are also very welcome. Submissions are solicited in, but not limited to, the following areas:

    • Anti-malware techniques: detection, analysis, and prevention
    • Combating cyber-crime: anti-phishing, anti-spam, anti-fraud techniques
    • Future Internet architecture and design
    • High-availability wired and wireless networks
    • Implementation, deployment and management of network security policies
    • Integrating security in Internet protocols: routing, naming, network management
    • Intellectual property protection: protocols, implementations, metering, watermarking, digital rights management
    • Intrusion prevention, detection, and response
    • Privacy and anonymity technologies
    • Public key infrastructures, key management, certification, and revocation
    • Special problems and case studies: e.g., tradeoffs between security and efficiency, usability, reliability and cost
    • Security for collaborative applications: teleconferencing and video-conferencing
    • Security for Cloud Computing
    • Security for electronic commerce: e.g., payment, barter, EDI, notarization, timestamping, endorsement, & licensing
    • Security for emerging technologies: sensor networks, wireless/mobile (and ad hoc) networks, and personal communication systems
    • Security for future home networks, Internet of Things, body-area networks
    • Security for large-scale systems and critical infrastructures (e.g., electronic voting, smart grid)
    • Security for peer-to-peer and overlay network systems
    • Security for Vehicular Ad-hoc Networks (VANETs)
    • Security of Web-based applications and services
    • Trustworthy Computing mechanisms to secure network protocols and distributed systems

  • eCrime-Summit 2012 7th IEEE eCrime Researchers Summit, Held in conjunction with the 2012 APWG General Meeting, Las Croabas, Puerto Rico, October 23-24, 2012. (Submissions due 3 August 2012)

    eCRS 2012 will bring together academic researchers, security practitioners, and law enforcement to discuss all aspects of electronic crime and ways to combat it, Topics of interests include (but are not limited to):

    • Case studies of current attack methods, including phishing, malware, rogue antivirus, pharming, crimeware, botnets, and emerging techniques
    • Case studies of online advertising fraud, including click fraud, malvertising, cookie stuffing, and affiliate fraud
    • Case studies of large-scale take-downs, such as coordinated botnet disruption
    • Technical, legal, political, social and psychological aspects of fraud and fraud prevention
    • Economics of online crime, including measurement studies of underground economies and models of e-crime
    • Uncovering and disrupting online criminal collaboration and gangs
    • Financial infrastructure of e-crime, including payment processing and money laundering
    • Techniques to assess the risks and yields of attacks and the effectiveness of countermeasures
    • Delivery techniques, including spam, voice mail, social network and web search manipulation; and countermeasures
    • Techniques to avoid detection, tracking and take-down; and ways to block such techniques
    • Best practices for detecting and avoiding damages to critical internet infrastructure, such as DNS and SCADA, from electronic crime activities

  • ESSoS 2013 5th International Symposium on Engineering Secure Software and Systems, Paris, France, February 27 - March 1, 2013. (Submissions due 30 September 2012)

    Trustworthy, secure software is a core ingredient of the modern world. Hostile, networked environments, like the Internet, can allow vulnerabilities in software to be exploited from anywhere. To address this, high-quality security building blocks (e.g., cryptographic components) are necessary, but insufficient. Indeed, the construction of secure software is challenging because of the complexity of modern applications, the growing sophistication of security requirements, the multitude of available software technologies and the progress of attack vectors. Clearly, a strong need exists for engineering techniques that scale well and that demonstrably improve the software's security properties. The goal of this symposium is to bring together researchers and practitioners to advance the states of the art and practice in secure software engineering. Being one of the few conference-level events dedicated to this topic, it explicitly aims to bridge the software engineering and security engineering communities, and promote cross-fertilization. The Symposium seeks submissions on subjects related to its goals. This includes a diversity of topics including (but not limited to):

    • scalable techniques for threat modeling and analysis of vulnerabilities
    • specification and management of security requirements and policies
    • security architecture and design for software and systems
    • model checking for security
    • specification formalisms for security artifacts
    • verification techniques for security properties
    • systematic support for security best practices
    • security testing
    • security assurance cases
    • programming paradigms, models and DLS's for security
    • program rewriting techniques
    • processes for the development of secure software and systems
    • security-oriented software reconfiguration and evolution
    • security measurement
    • automated development
    • trade-off between security and other non-functional requirements (in particular economic considerations)
    • support for assurance, certification and accreditation
    • empirical secure software engineering

  • IEEE Network Magazine, Special Issue on Security in Cognitive Radio Networks, May 2013, (Submission Due 1 October 2012)

    Editors: Kui Ren (Illinois Institute of Technology, USA), Haojin Zhu (Shanghai Jiao Tong University, USA), Zhu Han (University of Houston, USA), and Radha Poovendran (University of Washington, USA)

    Cognitive radio (CR) is an emerging advanced radio technology in wireless access, with many promising benefits including dynamic spectrum sharing, robust cross-layer adaptation, and collaborative networking. Based on a software-defined radio (SDR), cognitive radios are fully programmable and can sense their environment and dynamically adapt their transmission frequencies, power levels, modulation schemes, and networking protocols for improving network and application performance. It is anticipated that cognitive radio technology will be the next wave of innovation in information and communications technologies. Although the recent years have seen major and remarkable developments in the field of cognitive networking technologies, the security aspects of cognitive radio networks have attracted less attention so far. Due to the particular characteristics of the CR system, entirely new classes of security threats and challenges are introduced such as licensed user emulation, selfish misbehaviors and unauthorized use of spectrum bands. These new types of attacks take the advantage the inherent characteristics of CR, and could severely disrupt the basic functionalities of CR systems. Therefore, for achieving successful deployment of CR technologies in practice, there is a critical need for new security designs and implementations to make CR networks secure and robust against these new attacks. Topics of interest include, but are not limited to:

    • General security architecture for CR networks
    • Cross-layer security design of CR networks
    • Secure routing in multi-hop CR networks
    • Physical layer security for CR networks
    • Geo-location for security in CR networks
    • Defending and mitigating jamming-based DoS attacks in CR networks
    • Defending against energy depletion attacks in resource-constrained CR networks
    • Attack modeling, prevention, mitigation, and defense in CR systems, including primary user emulation attacks, authentication methods of primary users, spectrum sensing data falsification, spectrum misusage and selfish misbehaviors and unauthorized use of spectrum bands
    • Methods for detecting, isolating and expelling misbehaving cognitive nodes
    • Security policies, standards and regulations for CR networks
    • Implementation and testbed for security evaluation in CR systems
    • Privacy protection in CR networks
    • Security issues for database-based CR networks
    • Security in CR networks for the smart grid
    • Intrusion detection systems in CR networks

  • FC 2013 17th International Conference on Financial Cryptography and Data Security, Bankoku Shinryokan, Busena Terrace Beach Resort, Okinawa, Japan, April 1-5, 2013. (Submissions due 13 October 2012)

    Financial Cryptography and Data Security is a major international forum for research, advanced development, education, exploration, and debate regarding information assurance, with a specific focus on commercial contexts. The conference covers all aspects of securing transactions and systems. Original works focusing on both fundamental and applied real-world deployments on all aspects surrounding commerce security are solicited. Submissions need not be exclusively concerned with cryptography. Systems security and inter-disciplinary efforts are particularly encouraged. Topics include:

    • Anonymity and Privacy
    • Auctions and Audits
    • Authentication and Identification
    • Biometrics
    • Certification and Authorization
    • Cloud Computing Security
    • Commercial Cryptographic Applications
    • Data Outsourcing Security
    • Information Security
    • Game Theoretic Security
    • Securing Emerging Computational Paradigms
    • Identity Theft
    • Fraud Detection
    • Phishing and Social Engineering
    • Digital Rights Management
    • Digital Cash and Payment Systems
    • Digital Incentive and Loyalty Systems
    • Microfinance and Micropayments
    • Contactless Payment and Ticketing Systems
    • Secure Banking and Financial Web Services
    • Security and Privacy in Mobile Devices and Applications
    • Security and Privacy in Automotive and Transport Systems and Applications
    • Smartcards, Secure Tokens and Secure Hardware
    • Privacy-enhancing Systems
    • Reputation Systems
    • Security and Privacy in Social Networks
    • Security and Privacy in Sound and Secure Financial Systems Based on Social Networks
    • Risk Assessment and Management
    • Risk Perceptions and Judgments
    • Legal and Regulatory Issues
    • Security Economics
    • Spam
    • Transactions and Contracts
    • Trust Management
    • Underground-Market Economics
    • Usable Security
    • Virtual Economies
    • Voting Systems

 

• The Technical Committee on Security and Privacy

 

• Staying in touch....

  • Information for Subscribers and Contributors

  • Who's where: recent address changes

  • Changing your email address?  Please send updates to cipher@ieee-security.org