Cipher Electronic Newsletter of the Technical Committe on    Security & Privacy A Technical Committee of the Computer Society of the IEEE  Electronic Issue (EI) 110,  September 19, 2012 Hilarie Orman,  Editor Book Reviews Sven Dietrich, Associate Editor Yong Guan, Calendar Editor

Contents:

• Letter from the Editor 
   

• Commentary and Opinion

  • Richard Austin's review of Securing the Virtual Environment: How to defend the enterprise against attack by Davi Ottenheimer and Matthew Wallace

  Book reviews from past Cipher issues

  Conference Reports and Commentary from past Cipher issues

• NewsBits:  Announcements and correspondence from readers (please contribute!)

  • Bank accounts raided by Stuxnet-like malware
  • Shamoom, from "sinister" to "amateurish"
  • Dissidents tracked by government spyware

  News items from past Cipher issues

 

• Listing of academic positions available  by Cynthia Irvine
  

  • Posted July 2012
    Naval Postgraduate School
    Monterey, California
    CS Department Faculty Positions
    Open until filled
    http://www.nps.edu/Academics/Schools/GSOIS/Departments/CS/Faculty/Openings/CSFacultyOpenings.html
  • Posted July 2012
    Imperial College London
    London, UK
    Lectureship
    Closing Date 16 August 2012
    http://www3.imperial.ac.uk/computing/vacancies#L
  • Posted June 2011 (still open as of July 2012)
    University of Waterloo
    Waterloo, ON, Canada
    Postdoctoral Research Position
    Open until filled
    http://crysp.uwaterloo.ca/prospective/postdoc/
 

• Conference and Workshop Announcements

  • Cipher calls-for-papers and calendar
      Cipher calendar announcements are on Twitter; follow "ciphernews"
      new calls or announcements added since Cipher E109 (the calls-for-papers and the calendar announcements may differ slightly in content or time of update): 

  • Calendar Announcements:
    • 9/17/12- 9/18/12: CRITIS, 7th International Workshop on Critical Information Infrastructures Security, Radisson Blu Lillehammer Hotel, Turisthotellveien 6, 2609 Lillehammer, Norway
    • 9/19/12- 9/21/12: NSPW, New Security Paradigms Workshop, Bertinoro, Italy
    • 9/26/12- 9/28/12: ProvSec, 6th International Conference on Provable Security, Chengdu, China
    • 9/30/12: ESSoS, 5th International Symposium on Engineering Secure Software and Systems, Paris, France; Submissions are due
    • 10/ 1/12: IEEE Network Magazine, Special Issue on Security in Cognitive Radio Networks; Submissions are due
    • 10/ 1/12-10/ 4/12: SSS, 14th International Symposium on Stabilization, Safety, and Security of Distributed Systems, Toronto, Canada
    • 10/ 8/12-10/11/12: SRDS, 31st International Symposium on Reliable Distributed Systems, Irvine, California, USA
    • 10/13/12: FC, 17th International Conference on Financial Cryptography and Data Security, Bankoku Shinryokan, Busena Terrace Beach Resort, Okinawa, Japan; Submissions are due
    • 10/15/12: BADGERS, ACM Workshop on Building Analysis Datasets and Gathering Experience Returns for Security, Held in conjunction with ACM CCS 2012, Sheraton Raleigh Hotel, Raleigh, NC, USA
    • 10/15/12: IFIP119-DF, 9th Annual IFIP WG 11.9 International Conference on Digital Forensics, Orlando, Florida, USA; Submissions are due
    • 10/16/12-10/18/12: ACM-CCS, 19th ACM Conference on Computer and Communications Security, Raleigh, North Carolina, USA
    • 10/19/12: CCSW, ACM Cloud Computing Security Workshop, Held in conjunction with ACM CCS 2012, Sheraton Raleigh Hotel, Raleigh, NC, USA
    • 10/19/12: STC, 7th ACM Workshop on Scalable Trusted Computing, Held in conjunction with ACM CCS 2012, Sheraton Raleigh Hotel, Raleigh, NC, USA
    • 10/19/12: AISec, 5th ACM Workshop on Artificial Intelligence and Security, Held in conjunction with ACM CCS 2012, Sheraton Raleigh Hotel, Raleigh, NC, USA
    • 10/22/12-10/25/12: LCN-SICK, Workshop on Security in Communications Networks, Held in Conjunction with IEEE LCN 2012, Clearwater, FL, USA
    • 10/23/12-10/24/12: eCrime-Summit, 7th IEEE eCrime Researchers Summit, Held in conjunction with the 2012 APWG General Meeting, Las Croabas, Puerto Rico
    • 10/26/12: IDMAN, 3rd IFIP WG 11.6 Working Conference on Policies & Research in Identity Management, London, UK; Submissions are due
    • 10/30/12: NPSec, 7th Workshop on Secure Network Protocols, Austin, Texas, USA
    • 10/31/12-11/ 2/12: Nordsec, 17th Nordic Conference in Secure IT Systems, Karlskrona, Sweden
    • 11/ 5/12-11/ 6/12: GameSec, 3rd Conference on Decision and Game Theory for Security, Budapest, Hungary
    • 11/ 8/12-11/ 9/12: RFIDsec-Asia, Workshop on RFID and IoT Security, Taipei, Taiwan
    • 11/10/12: Springer International Journal of Information Security journal, Special Issue on Security in Cloud Computing; Submissions are due
    • 11/14/12: SP, 34th IEEE Symposium on Security and Privacy, San Francisco, California, USA; Submissions are due
    • 11/21/12-11/23/12: NSS, 6th International Conference on Network and System Security, Wu Yi Shan, Fujian, China
    • 11/28/12-12/ 1/12: INSCRYPT, 8th China International Conference on Information Security and Cryptology, Beijing, China
    • 12/ 2/12-12/ 5/12: WIFS, IEEE International Workshop on Information Forensics and Security, Tenerife, Spain
    • 12/ 9/12-12/14/12: LISA, 26th Large Installation System Administration Conference, San Diego, CA, USA
    • 12/15/12-12/19/12: ICISS, 8th International Conference on Information Systems Security, Guwahati, India
    • 12/31/12: IFIP1110-CIP, 7th Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, Washington, DC, USA; Submissions are due
    • 1/ 7/13- 1/10/13: HICSS-CSS, 46th HAWAII International Conference on System Sciences, Internet and the Digital Economy Track, Cybercrime and Security Strategy Mini-track, Grand Wailea, Maui, Hawaii, USA
    • 1/28/13- 1/30/13: IFIP119-DF, 9th Annual IFIP WG 11.9 International Conference on Digital Forensics, Orlando, Florida, USA
    • 2/18/13- 2/20/13: CODASPY, 3nd ACM Conference on Data and Application Security and Privacy, San Antonio, Texas, USA
    • 2/24/13- 2/27/13: NDSS, 20th Annual Network and Distributed System Security Symposium, Catamaran Resort Hotel and Spa San Diego, California, USA
    • 2/27/13- 3/ 1/13: ESSoS, 5th International Symposium on Engineering Secure Software and Systems, Paris, France
    • 3/18/13- 3/20/13: IFIP1110-CIP, 7th Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, Washington, DC, USA
    • 4/ 1/13- 4/ 5/13: FC, 17th International Conference on Financial Cryptography and Data Security, Bankoku Shinryokan, Busena Terrace Beach Resort, Okinawa, Japan
    • 4/ 8/13- 4/ 9/13: IDMAN, 3rd IFIP WG 11.6 Working Conference on Policies & Research in Identity Management, London, UK
    • 5/19/13- 5/22/13: SP, 34th IEEE Symposium on Security and Privacy, San Francisco, California, USA
    • 5/23/13- 5/24/13: SPW, 2nd IEEE CS Security and Privacy Workshops, Co-located with the IEEE Symposium on Security and Privacy (SP 2013), Westin St. Francis Hotel, San Francisco, CA, USA;
    
    
  • new calls or announcements added since Cipher E109

  • ESSoS 2013 5th International Symposium on Engineering Secure Software and Systems, Paris, France, February 27 - March 1, 2013.
    (Submissions due 30 September 2012)

    Trustworthy, secure software is a core ingredient of the modern world. Hostile, networked environments, like the Internet, can allow vulnerabilities in software to be exploited from anywhere. To address this, high-quality security building blocks (e.g., cryptographic components) are necessary, but insufficient. Indeed, the construction of secure software is challenging because of the complexity of modern applications, the growing sophistication of security requirements, the multitude of available software technologies and the progress of attack vectors. Clearly, a strong need exists for engineering techniques that scale well and that demonstrably improve the software's security properties. The goal of this symposium is to bring together researchers and practitioners to advance the states of the art and practice in secure software engineering. Being one of the few conference-level events dedicated to this topic, it explicitly aims to bridge the software engineering and security engineering communities, and promote cross-fertilization. The Symposium seeks submissions on subjects related to its goals. This includes a diversity of topics including (but not limited to):

    • scalable techniques for threat modeling and analysis of vulnerabilities
    • specification and management of security requirements and policies
    • security architecture and design for software and systems
    • model checking for security
    • specification formalisms for security artifacts
    • verification techniques for security properties
    • systematic support for security best practices
    • security testing
    • security assurance cases
    • programming paradigms, models and DLS's for security
    • program rewriting techniques
    • processes for the development of secure software and systems
    • security-oriented software reconfiguration and evolution
    • security measurement
    • automated development
    • trade-off between security and other non-functional requirements (in particular economic considerations)
    • support for assurance, certification and accreditation
    • empirical secure software engineering

  • IEEE Network Magazine, Special Issue on Security in Cognitive Radio Networks, May 2013,
    (Submission Due 1 October 2012)

    Editors: Kui Ren (Illinois Institute of Technology, USA), Haojin Zhu (Shanghai Jiao Tong University, USA), Zhu Han (University of Houston, USA), and Radha Poovendran (University of Washington, USA)

    Cognitive radio (CR) is an emerging advanced radio technology in wireless access, with many promising benefits including dynamic spectrum sharing, robust cross-layer adaptation, and collaborative networking. Based on a software-defined radio (SDR), cognitive radios are fully programmable and can sense their environment and dynamically adapt their transmission frequencies, power levels, modulation schemes, and networking protocols for improving network and application performance. It is anticipated that cognitive radio technology will be the next wave of innovation in information and communications technologies. Although the recent years have seen major and remarkable developments in the field of cognitive networking technologies, the security aspects of cognitive radio networks have attracted less attention so far. Due to the particular characteristics of the CR system, entirely new classes of security threats and challenges are introduced such as licensed user emulation, selfish misbehaviors and unauthorized use of spectrum bands. These new types of attacks take the advantage the inherent characteristics of CR, and could severely disrupt the basic functionalities of CR systems. Therefore, for achieving successful deployment of CR technologies in practice, there is a critical need for new security designs and implementations to make CR networks secure and robust against these new attacks. Topics of interest include, but are not limited to:

    • General security architecture for CR networks
    • Cross-layer security design of CR networks
    • Secure routing in multi-hop CR networks
    • Physical layer security for CR networks
    • Geo-location for security in CR networks
    • Defending and mitigating jamming-based DoS attacks in CR networks
    • Defending against energy depletion attacks in resource-constrained CR networks
    • Attack modeling, prevention, mitigation, and defense in CR systems, including primary user emulation attacks, authentication methods of primary users, spectrum sensing data falsification, spectrum misusage and selfish misbehaviors and unauthorized use of spectrum bands
    • Methods for detecting, isolating and expelling misbehaving cognitive nodes
    • Security policies, standards and regulations for CR networks
    • Implementation and testbed for security evaluation in CR systems
    • Privacy protection in CR networks
    • Security issues for database-based CR networks
    • Security in CR networks for the smart grid
    • Intrusion detection systems in CR networks

  • FC 2013 17th International Conference on Financial Cryptography and Data Security, Bankoku Shinryokan, Busena Terrace Beach Resort, Okinawa, Japan, April 1-5, 2013.
    (Submissions due 13 October 2012)

    Financial Cryptography and Data Security is a major international forum for research, advanced development, education, exploration, and debate regarding information assurance, with a specific focus on commercial contexts. The conference covers all aspects of securing transactions and systems. Original works focusing on both fundamental and applied real-world deployments on all aspects surrounding commerce security are solicited. Submissions need not be exclusively concerned with cryptography. Systems security and inter-disciplinary efforts are particularly encouraged. Topics include:

    • Anonymity and Privacy
    • Auctions and Audits
    • Authentication and Identification
    • Biometrics
    • Certification and Authorization
    • Cloud Computing Security
    • Commercial Cryptographic Applications
    • Data Outsourcing Security
    • Information Security
    • Game Theoretic Security
    • Securing Emerging Computational Paradigms
    • Identity Theft
    • Fraud Detection
    • Phishing and Social Engineering
    • Digital Rights Management
    • Digital Cash and Payment Systems
    • Digital Incentive and Loyalty Systems
    • Microfinance and Micropayments
    • Contactless Payment and Ticketing Systems
    • Secure Banking and Financial Web Services
    • Security and Privacy in Mobile Devices and Applications
    • Security and Privacy in Automotive and Transport Systems and Applications
    • Smartcards, Secure Tokens and Secure Hardware
    • Privacy-enhancing Systems
    • Reputation Systems
    • Security and Privacy in Social Networks
    • Security and Privacy in Sound and Secure Financial Systems Based on Social Networks
    • Risk Assessment and Management
    • Risk Perceptions and Judgments
    • Legal and Regulatory Issues
    • Security Economics
    • Spam
    • Transactions and Contracts
    • Trust Management
    • Underground-Market Economics
    • Usable Security
    • Virtual Economies
    • Voting Systems

  • IFIP119-DF 2013 9th Annual IFIP WG 11.9 International Conference on Digital Forensics, Orlando, Florida, USA, January 28-30, 2013.
    (Submissions due 15 October 2012)

    The IFIP Working Group 11.9 on Digital Forensics (www.ifip119.org) is an active international community of scientists, engineers and practitioners dedicated to advancing the state of the art of research and practice in digital forensics. The Ninth Annual IFIP WG 11.9 International Conference on Digital Forensics will provide a forum for presenting original, unpublished research results and innovative ideas related to the extraction, analysis and preservation of all forms of electronic evidence. Papers and panel proposals are solicited. All submissions will be refereed by a program committee comprising members of the Working Group. Papers and panel submissions will be selected based on their technical merit and relevance to IFIP WG 11.9. The conference will be limited to approximately sixty participants to facilitate interactions between researchers and intense discussions of critical research issues. Keynote presentations, revised papers and details of panel discussions will be published as an edited volume - the ninth in the series entitled Research Advances in Digital Forensics (Springer) in the summer of 2013. Revised and/or extended versions of selected papers from the conference will be published in special issues of one or more international journals. Technical papers are solicited in all areas related to the theory and practice of digital forensics. Areas of special interest include, but are not limited to:

    • Theories, techniques and tools for extracting, analyzing and preserving digital evidence
    • Network and cloud forensics
    • Embedded device forensics
    • Digital forensic processes and workflow models
    • Digital forensic case studies
    • Legal, ethical and policy issues related to digital forensics

  • IDMAN 2013 3rd IFIP WG 11.6 Working Conference on Policies & Research in Identity Management, London, UK, April 8-9, 2013.
    (Submissions due 26 October 2012)

    IDMAN conference focuses on the theory, technologies and applications of identity management. The world of the 21st century is, more than ever, global and impersonal. As a result of increasing cyber fraud and cyber terrorism, the demand for better technical methods of identification is growing, not only in companies and organisations but also in the world at large. Moreover, in our society digital identities increasingly play a role in the provision of eGovernment and eCommerce services. For practical reasons, Identity Management Systems are needed that are usable and interoperable. At the same time, individuals increasingly leave trails of personal data when using the Internet, which allows them to be profiled and which may be stored for many years to come. Technical trends such as Cloud Computing and pervasive computing make personal data processing non-transparent, and make it increasingly difficult for users to control their personal spheres. As part of this tendency, surveillance and monitoring are increasingly present in society, both in the public and private domains. Whilst the original intention is to contribute to security and safety, surveillance and monitoring might, in some cases, have unintended or even contradictory effects. Moreover, the omnipresence of surveillance and monitoring systems might directly conflict with public and democratic liberties. These developments raise substantial new challenges for privacy and identity management at the technical, social, ethical, regulatory, and legal levels. Identity management challenges the information security research community to focus on interdisciplinary and holistic approaches, while retaining the benefits of previous research efforts. Papers offering research contributions to the area of identity management are solicited for submission to the 3rd IFIP WG-11.6 IDMAN conference. Papers may present theory, applications or practical experience in the field of identity management, from a technical, legal or socio-economic perspective, including, but not necessarily limited to:

    • Novel identity management technologies and approaches
    • Interoperable identity management solutions
    • Privacy-enhancing technologies
    • Identity management for mobile and ubiquitous computing
    • Identity management solutions for eHealth, eGovernmeant and eCommerce
    • Privacy and Identity (Management) in and for cloud computing
    • Privacy and Identity in social networks
    • Risk analysis techniques for privacy risk and privacy impact assessment
    • Privacy management of identity management
    • Identity theft prevention
    • Attribute based authentication and access control
    • User-centric identity management
    • Legal, socio-economic, philosophical and ethical aspects
    • Impact on society and politics
    • Related developments in social tracking, tracing and sorting
    • Quality of identity data, processes and applications
    • User centered, usable and inclusive identity management
    • Attacks on identity management infrastructures
    • Methods of identification and authentication
    • Identification and authentication procedures
    • Applications of anonymous credentials
    • (Privacy-preserving) identity profiling and fraud detection
    • Government PKIs
    • (Possible) role of pseudonymous and anonymous identity in identity management
    • Electronic IDs: European and worldwide policies and cooperation in the field of identity management
    • Surveillance and monitoring
    • (Inter)national policies on unique identifiers /social security numbers / personalisation IDs
    • Vulnerabilities in electronic identification protocols
    • Federative identity management and de-perimeterisation
    • Biometric verification
    • (Inter)national applications of biometrics
    • Impersonation, identity fraud, identity forge and identity theft
    • Tracing, monitoring and forensics
    • Proliferation/omnipresence of identification
    • Threats to democracy and political control

  • Springer International Journal of Information Security journal, Special Issue on Security in Cloud Computing, Fall 2013,
    (Submission Due 10 November 2012)

    Editors: Stefanos Gritzalis (University of the Aegean, Greece), Chris Mitchell (Royal Holloway, University of London, UK), Bhavani Thuraisingham (University of Texas at Dallas, USA), and Jianying Zhou (Institute for Infocomm Research, Singapore)
    
    This special issue of the International Journal of Information Security aims at providing researchers and professionals with insights on the state-of-the-art in Security in Cloud Computing. It will publish original, novel and high quality research contributions from industry, government, business, and academia. Topics of interest may include (but are not limited to) one or more of the following themes:

    • Auditing in Cloud Computing
    • Business and security risk models
    • Cloud Infrastructure Security
    • Cloud-centric security modeling and threats
    • Copyright protection in the Cloud era
    • Cryptography in the Cloud era
    • Emerging threats in Cloud-based services
    • Forensics in Cloud environments
    • Legal and regulatory issues in the Cloud era
    • Multi-tenancy related security/privacy issues
    • Performance evaluation for security solutions
    • Privacy in Cloud computing
    • Secure identity management mechanisms
    • Secure job deployment and scheduling
    • Secure virtualization and resource allocation mechanisms
    • Securing distributed data storage in the Cloud
    • Security and privacy in big data management
    • Security and privacy in mobile Cloud
    • Security and privacy requirements engineering in the Cloud
    • Security for emerging Cloud programming models
    • Security management in the Cloud
    • Security modelling and threats in Cloud computing
    • Trust and policy management in the Cloud
    • User authentication and access control in Cloud-aware services

  • SP 2013 34th IEEE Symposium on Security and Privacy, San Francisco, California, USA, May 19-22 2013.
    (Submissions due 14 November 2012)

    Since 1980, the IEEE Symposium on Security and Privacy has been the premier forum for computer security research, presenting the latest developments and bringing together researchers and practitioners. We solicit previously unpublished papers offering novel research contributions in any aspect of computer security or privacy. Papers may present advances in the theory, design, implementation, analysis, verification, or empirical evaluation of secure systems. Topics of interest include (This topic list is not meant to be exhaustive; S&P is interested in all aspects of computer security and privacy. Papers without a clear application to security or privacy, however, will be considered out of scope and may be rejected without full review.):

    • Access control
    • Accountability
    • Anonymity
    • Application security
    • Attacks and defenses
    • Authentication
    • Censorship and censorship-resistance
    • Distributed systems security
    • Embedded systems security
    • Forensics
    • Hardware security
    • Intrusion detection
    • Malware
    • Metrics
    • Language-based security
    • Network security
    • Privacy-preserving systems
    • Protocol security
    • Secure information flow
    • Security and privacy policies
    • Security architectures
    • System security
    • Usability and security
    • Web security
    Systematization of Knowledge Papers: Following the success of the previous years' conferences, we are also soliciting papers focused on systematization of knowledge (SoK). The goal of this call is to encourage work that evaluates, systematizes, and contextualizes existing knowledge. These papers can provide a high value to our community but may not be accepted because of a lack of novel research contributions. Suitable papers include survey papers that provide useful perspectives on major research areas, papers that support or challenge long-held beliefs with compelling evidence, or papers that provide an extensive and realistic evaluation of competing approaches to solving specific problems. Submissions are encouraged to analyze the current research landscape: identify areas that have enjoyed much research attention, point out open areas with unsolved challenges, and present a prioritization that can guide researchers to make progress on solving important challenges. Submissions must be distinguished by a checkbox on the submission form. In addition, the paper title must have the prefix "SoK:". They will be reviewed by the full PC and held to the same standards as traditional research papers, except instead of emphasizing novel research contributions the emphasis will be on value to the community. Accepted papers will be presented at the symposium and included in the proceedings.

  • IFIP1110-CIP 2013 7th Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, Washington, DC, USA, March 18-20, 2013.
    (Submissions due 31 December 2012)

    The IFIP Working Group 11.10 on Critical Infrastructure Protection is an active international community of researchers, infrastructure operators and policy-makers dedicated to applying scientific principles, engineering techniques and public policy to address current and future problems in information infrastructure protection. Following the success of the first six conferences, the Seventh Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection will again provide a forum for presenting original, unpublished research results and innovative ideas related to all aspects of critical infrastructure protection. Papers and panel proposals are solicited. Submissions will be refereed by members of Working Group 11.10 and other internationally-recognized experts in critical infrastructure protection. Papers and panel submissions will be selected based on their technical merit and relevance to IFIP WG 11.10. The conference will be limited to seventy participants to facilitate interactions among researchers and intense discussions of research and implementation issues. A selection of papers from the conference will be published in an edited volume - the seventh in the series entitled Critical Infrastructure Protection (Springer) - in the fall of 2013. Revised and/or extended versions of outstanding papers from the conference will be published in the International Journal of Critical Infrastructure Protection (Elsevier). Papers are solicited in all areas of critical infrastructure protection. Areas of interest include, but are not limited to:

    • Infrastructure vulnerabilities, threats and risks
    • Security challenges, solutions and implementation issues
    • Infrastructure sector interdependencies and security implications
    • Risk analysis and risk assessment methodologies
    • Modeling and simulation of critical infrastructures
    • Legal, economic and policy issues related to critical infrastructure protection
    • Secure information sharing
    • Infrastructure protection case studies
    • Distributed control systems/SCADA security
    • Telecommunications network security

 

• The Technical Committee on Security and Privacy

 

• Staying in touch....

  • Information for Subscribers and Contributors

  • Who's where: recent address changes

  • Changing your email address?  Please send updates to cipher@ieee-security.org