Cipher Electronic Newsletter of the Technical Committe on    Security & Privacy A Technical Committee of the Computer Society of the IEEE  Electronic Issue (EI) 114,  May 28, 2013 Hilarie Orman,  Editor Richard Austin, Book Review Editor Sven Dietrich, Associate Editor Yong Guan, Calendar Editor

Contents:

• Letter from the Editor 
   

• Commentary and Opinion

  • Richard Austin's review of The CERT Guide to Insider Threats by Dawn Cappelli, Andrew Moore and Randall Trzeciak

  • News Bits:  Some recent headlines (please contribute!)

    • Opinion: Cyber arms control? Forget about it
    • Hackers empty $900K bank account
    • Malware that detects sandboxing
    • School's Out for Hackers
    • Spain arrests suspect in massive cyberattack
    • As cyberthreats mount, hacker's conviction fuels critics' claims of government overreach
    • Proposal seeks to fine tech companies for noncompliance with wiretap orders
    • Silicon Valley uses growing clout to kill a digital privacy bill
    • Confidential report lists U.S. weapons system designs compromised by Chinese cyberspies

  • Book reviews from past Cipher issues

  • Conference Reports and Commentary from past Cipher issues

  • News items from past Cipher issues

 

• Listing of academic positions available  by Cynthia Irvine
  

  • Posted Apr 2013
    Department of Computer Science, TU, Darmstadt
    Darmstadt, Germany
    Multiple Ph.D. and PostDoc positions in Software Security
    Application deadline for all positions: 20 May 2013. However, applications will be considered until the positions are filled.
    http://www.mais.informatik.tu-darmstadt.de/Positions.html
  • Posted Apr 2013
    Mondragon University (Telematics Group)
    Mondragon, Spain
    Research Professors and Research Fellows
    Deadline for Research Professors applications: July 15, 2013 at 12:00 AM, CET
    Deadline for Research Fellows applications: June 30, 2013 at 12:00 AM, CET
    http://www.ikerbasque.net
    http://www.mondragon.edu/en/phs/research/research-lines/computer-security
  • Posted Mar 2013
    University of Versailles-St-Quentin-en-Yvelines
    PRiSM Laboratory - "Cryptology and Information Security" group
    Versailles, France
    Assistant Professor position
    Deadline for applications: March 28, 2013
    http://www.prism.uvsq.fr/~logo/MCF-0781944P-4071_en.htm
 

• Conference and Workshop Announcements

  • Cipher calls-for-papers and calendar
      Cipher calendar announcements are on Twitter; follow "ciphernews"
      new calls or announcements added since Cipher E113 (the calls-for-papers and the calendar announcements may differ slightly in content or time of update): 

  • 5/28/13- 5/30/13: WISTP, 7th Workshop in Information Security Theory and Practice, Heraklion, Greece
  • 5/30/13: SOUPS-RISK, Workshop on Risk Perception in IT Security and Privacy, Newcastle, UK; Submissions are due
  • 5/31/13: WISA, 14th International Workshop on Information Security Applications, Jeju Island, Korea; Submissions are due
  • 6/ 1/13: Security and Privacy Magazine, Issue on Moving Target Defenses, info: Luanne.Goldrich@jhuapl.edu; Guide Web page; abstracts are due
  • 6/ 2/13: DPM, 8th International Workshop on Data Privacy Management, Held in conjunction with ESORICS 2013, Egham, U.K.; Submissions are due
  • 6/ 2/13- 6/ 3/13: HOST, IEEE International Symposium on Hardware-oriented Security and Trust, Austin Convention Center, Austin, TX, USA
  • 6/ 3/13: CRiSIS, 8th International Conference on Risks and Security of Internet and Systems, La Rochelle, France; Submissions are due
  • 6/ 3/13- 6/ 4/13: NSS, 7th International Conference on Network and System Security, Madrid, Spain
  • 6/ 3/13- 6/ 7/13: IFIP-TM, 7th IFIP International Conference on Trust Management, Málaga, Spain
  • 6/ 4/13: D-SPAN, 4th IEEE Workshop on Data Security and Privacy in Wireless Networks, Co-located with the 14th International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM 2013), Madrid, Spain
  • 6/ 5/13: QASA, 2nd International Workshop in Quantitative Aspects in Security Assurance, Held in conjunction with ESORICS 2013, Egham, U.K.; Submissions are due
  • 6/10/13: BigSecurity, 1st International Workshop on Security and Privacy in Big Data, Held in conjunction with Globecom 2013, Atlanta, Georgia, USA; Submissions are due
  • 6/12/13- 6/14/13: SACMAT, 18th ACM Symposium on Access Control Models and Technologies, Amsterdam, The Netherlands
  • 6/17/13- 6/19/13: TRUST, 6th International Conference on Trust and Trustworthy Computing, London, UK
  • 6/23/13: MWSN, IEEE International Workshop on Security and Privacy of Mobile, Wireless and Sensor Networks, New Orleans, LA, USA
  • 6/24/13- 6/27/13: PRISMS, International Conference on Privacy and Security in Mobile Systems, Atlantic City, NJ, USA
  • 6/25/13: SafeConfig, 6th Symposium on Security Analytics and Automation, Washington, D.C., USA; Submissions are due
  • 6/25/13- 6/28/13: ACNS, 11th International Conference on Applied Cryptography and Network Security, Banff, Alberta, Canada
  • 6/26/13- 6/28/13: CSF, 26th IEEE Computer Security Foundations Symposium, Tulane University, New Orleans Louisiana, USA
  • 6/27/13- 7/ 2/13: CSAW, Cloud Security Auditing Workshop, Held in conjunction with the IEEE 9th World Congress on Services, Santa Clara, CA, USA
  • 6/29/13: FCS, Workshop on Foundations of Computer Security, Tulane University, New Orleans, Louisiana, USA
  • 6/30/13: SIN, 6th International Conference on Security of Information and Networks, Aksaray, Turkey; Submissions are due
  • 7/ 1/13: RFIDsec-Asia, Workshop on RFID and IoT Security, Guangzhou, China; Submissions are due
  • 7/ 1/13: Security and Privacy Magazine, Issue on Moving Target Defenses, info: Luanne.Goldrich@jhuapl.edu; Guide Web page; articles are due
  • 7/ 5/13: eCrime, 8th IEEE eCrime Researchers Summit, San Francisco, California, USA; Submissions are due
  • 7/ 8/13: VizSec, 10th International Symposium on Visualization for Cyber Security, Atlanta GA, USA; Submissions are due
  • 7/ 8/13: NFSP, 2nd International Workshop on Network Forensics, Security and Privacy, Held in conjunction with the 33rd International Conference on Distributed Computing Systems (ICDCS 2013), Philadelphia, PA, USA
  • 7/ 9/13- 7/11/13: RFIDSEC, 9th Workshop on RFID Security, Graz, Austria
  • 7/10/13- 7/12/13: PST, 11th International Conference on Privacy, Security and Trust, Tarragona, Catalonia
  • 7/15/13- 7/17/13: DBSEC, 27th Annual IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy, Rutgers University, Newark, NJ, USA
  • 7/17/13- 7/19/13: VOTE-ID, 4th International Conference on E-voting and Identity, University of Surrey, Guildford, UK
  • 7/18/13- 7/19/13: DIMVA, 10th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Berlin, Germany
  • 7/22/13: SPSM, 3rd Workshop on Security and Privacy in Smartphones and Mobile Devices, Held in conjunction with the ACM CCS 2013, Berlin, Germany; Submissions are due
  • 7/24/13- 7/26/13: SOUPS, Symposium On Usable Privacy and Security, Northumbria University, Newcastle, UK
  • 7/24/13- 7/26/13: SOUPS-RISK, Workshop on Risk Perception in IT Security and Privacy, Newcastle, UK
  • 7/29/13- 7/31/13: SECRYPT, 10th International Conference on Security and Cryptography, Reykjavik, Iceland
  • 8/14/13- 8/16/13: USENIX-Security, 22nd USENIX Security Symposium, Washington, DC. USA
  • 8/19/13- 8/21/13: WISA, 14th International Workshop on Information Security Applications, Jeju Island, Korea
  • 8/20/13- 8/23/13: CHES, Workshop on Cryptographic Hardware and Embedded Systems, Co-located with the 33rd Annual International Cryptology Conference (CRYPTO 2013), Santa Barbara, California, USA
  • 8/30/13- 8/31/13: TGC, 8th International Symposium on Trustworthy Global Computing, Buenos Aires, Argentina
  • 9/ 2/13- 9/ 6/13: ECTCM, 1st International Workshop on Emerging Cyberthreats and Countermeasures, Co-located with ARES 2013, University Regensburg, Germany
  • 9/ 2/13- 9/ 6/13: SeCIHD, 3rd IFIP International Workshop on Security and Cognitive Informatics for Homeland Defense, Held in conjunction with the 8th ARES Conference (ARES 2013), Regensburg, Germany
  • 9/12/13- 9/13/13: DPM, 8th International Workshop on Data Privacy Management, Held in conjunction with ESORICS 2013, Egham, U.K.
  • 9/12/13- 9/13/13: QASA, 2nd International Workshop in Quantitative Aspects in Security Assurance, Held in conjunction with ESORICS 2013, Egham, U.K.
  • 9/15/13: IFIP119-DF, 10th Annual IFIP WG 11.9 International Conference on Digital Forensics, Vienna University of Technology, Vienna, Austria; Submissions are due
  • 9/17/13- 9/18/13: eCrime, 8th IEEE eCrime Researchers Summit, San Francisco, California, USA
  • 9/25/13- 9/26/13: CMS, 14th Joint IFIP TC6 and TC11 Conference on Communications and Multimedia Security, Magdeburg, Germany
  • 9/25/13- 9/27/13: SECURECOMM, 9th International ICST Conference on Security and Privacy in Communication Networks, Sydney, Australia
  • 9/30/13-10/ 2/13: SeTTIT, Workshop on Security Tools and Techniques for Internet of Things, Co-located with the BODYNETS 2013 conference, Boston, Massachusetts, USA
  • 10/ 4/13: POST, 3rd Conference on Principles of Security and Trust, Grenoble, France; Submissions are due
  • 10/14/13: VizSec, 10th International Symposium on Visualization for Cyber Security, Atlanta GA, USA
  • 10/14/13: SafeConfig, 6th Symposium on Security Analytics and Automation, Washington, D.C., USA
  • 10/14/13-10/16/13: CNS, 1st IEEE Conference on Communications and Network Security, Washington D.C., USA
  • 10/23/13-10/25/13: CRiSIS, 8th International Conference on Risks and Security of Internet and Systems, La Rochelle, France
  • 11/ 1/13: IEEE Transactions on Reliability, Special Section on Trustworthy Computing; Submissions are due
  • 11/ 4/13-11/ 8/13: CCS, 20th ACM Conference on Computer and Communications Security, Berlin, Germany
  • 11/ 8/13: SPSM, 3rd Workshop on Security and Privacy in Smartphones and Mobile Devices, Held in conjunction with the ACM CCS 2013, Berlin, Germany
  • 11/12/13-11/14/13: HST, 13th annual IEEE Conference on Technologies for Homeland Security, Waltham, Massachusetts, USA
  • 11/18/13-11/20/13: IWSEC, 8th International Workshop on Security, Okinawaken Shichouson Jichikaikan, Japan
  • 11/20/13-11/22/13: ICICS, 15th International Conference on Information and Communications Security, Beijing, China
  • 11/26/13-11/28/13: SIN, 6th International Conference on Security of Information and Networks, Aksaray, Turkey
  • 11/27/13: RFIDsec-Asia, Workshop on RFID and IoT Security, Guangzhou, China
  • 12/ 9/13-12/13/13: BigSecurity, 1st International Workshop on Security and Privacy in Big Data, Held in conjunction with Globecom 2013, Atlanta, Georgia, USA
  • 1/ 8/14- 1/10/14: IFIP119-DF, 10th Annual IFIP WG 11.9 International Conference on Digital Forensics, Vienna University of Technology, Vienna, Austria
  • 4/ 7/14- 4/11/14: POST, 3rd Conference on Principles of Security and Trust, Grenoble, France
  • new calls or announcements added since Cipher E113

  • IEEE Security & Privacy Magazine, Special Issue on Moving-Target Defense (Optional) Abstract submissions due to the guest editors: 1 June 2013
    Articles due to ScholarOne: 1 July 2013
    Publication date: March/April 2014
    Author Guidelines
    Submit papers to ScholarOne at https://mc.manuscriptcentral.com/cs-ieee
    Questions: Contact guest editors Luanne Goldrich (Johns Hopkins University Applied Physics Laboratory, Luanne.Goldrich@jhuapl.edu) and Carl Landwehr (George Washington University, Carl.Landwehr@gmail.com).

    Hitting a moving target is usually more difficult than hitting a stationary one. In World War II, naval ships zigzagged through the water to make it harder for submarines to torpedo them, and Hedy Lamarr and George Antheil's invention of frequency-hopping eventually made radio communications harder to jam. But some defensive techniques -- like zigzagging -- are soon negated by effective countermeasures. So how can we embrace a moving-target defense that has promise for long-term effectiveness?

    Typically, in a moving-target defense, some aspect of the computing environment on which an attacker depends changes either over time or between systems. Rather than just trying to remove all vulnerabilities, software (or hardware) diversification hopes to make the attacker work harder by needing to find the vulnerability anew in each system. For example, techniques such as address space layout randomization (ASLR) can change vulnerabilities' locations in a single system over time.

    Moving-target defenses in cyberspace have been an announced priority for research programs for several years, and increasing numbers of techniques have been proposed and some (such as ASLR) have been widely deployed. This special issue of IEEE Security & Privacy magazine seeks papers that characterize the state of the art and future directions in moving-‐target defense. Papers should address questions such as:

    • How does the technique work? Can it avoid attacks or just delay them? What moves and how often, and how can the added work for the attacker be characterized? What kinds of countermeasures might the attacker take in response to a moving-target defense?
    • Are there generalizable, science-based techniques that move beyond heuristics?
    • What kinds of costs, resource constraints, and administrative burdens does the technique impose, and on whom?
    • Diversification has long been practiced in the reliability and safety communities, where models have been developed and substantial data exists. What can we learn from these practices, and where can they be applied to security and privacy?
    • What experience has there been with the deployment of a moving-target technique? In particular, how might the technique be evaluated and its effectiveness compared with alternative techniques?

    We welcome case studies, experience reports, practices, research results, and standards reports. Our readers are eager to hear about industry experiences, especially resulting from empirical studies that help us learn how past successes and failures should inform the next generation.

  • SOUPS-RISK 2013 Workshop on Risk Perception in IT Security and Privacy, Newcastle, UK, July 24-26, 2013. (Submissions due 30 May 2013)

    This workshop is an opportunity to bring together researchers and practitioners to share experiences, concerns and ideas about how to address the gap between user perception of IT risks and security / organizational requirements for security and privacy. Willingness to perform actions for security purposes is strongly determined by the costs and perceived benefit to the individual. When end-users' perceptions of risk are not aligned with organization or system, there is a mismatch in perceived benefit, leading to poor user acceptance of the technology. For example, organizations face complex decisions when pushing valuable information across the network to mobile devices, web clients, automobiles and other embedded systems. This may impose burdensome security decisions on employees and clients due to the risks of devices being lost or stolen, shoulder surfing, eavesdropping, etc. Effective risk communication can provide a shared understanding of the need for, and benefits of secure approaches and practices. While risk perception has been studied in non-IT contexts, how well people perceive and react to IT risk is less well understood. How systems measure IT risk, how it is best communicated to users, and how to best align these often misaligned perspectives is poorly understood. Risk taking decisions (policies) are increasingly being pushed out to users who are frequently ill prepared to make complex technical security decisions based on limited information about the consequences of their actions. In other risk domains we know that non-experts think and respond to risk very differently than experts. Non-experts often rely on affect, and may be unduly influenced by the perceived degree of damage that will be caused. Experts, and risk evaluation systems, use statistical reasoning to assess risk. The purpose of this workshop is to bring together researchers and practitioners to share experiences, concerns and ideas about how to address the gap between user perception of IT risks and security / organizational requirements for security and privacy. Topics of interest include:

    • Human decision and different attack types: Malware, eavesdropping, inadvertent loss / disclosure of information, phishing, browser attacks, etc.
    • Research methods and metrics for assessing perception of risk
    • Assessing value of assets and resources at risk
    • Communicating and portrayal of risk - security indicators, status indicators, etc.
    • Organizational versus personal risk
    • The psychology of risk perception
    • Behavioral aspects of risk perception
    • Real versus perceived risk
    • Other topics related to measuring IT risk and/or user perception of IT risk

  • WISA 2013 14th International Workshop on Information Security Applications, Jeju Island, Korea, August 19-21, 2013. (Submissions due 31 May 2013)

    This year's program committee chairs decide to convert WISA to be a venue for discussing system security and offensive technology issues among researchers in Asia. More specifically, it will resemble two well-known conferences: USENIX Security and WOOT. The primary focus of WISA 2013, therefore, is on systems and network security, and the secondary focus is on offensive technology. Accordingly, the workshop will be composed of two tracks: regular and OT (Offensive Technology). Regular paper submissions are solicited in all areas relating to systems and network security, including:

    • Analysis of network and security protocols
    • Anonymity and censorship-resistant technologies
    • Applications of cryptographic techniques
    • Authentication and authorization of users, systems, and applications
    • Automated tools for source code/binary analysis
    • Botnet defense
    • Critical infrastructure security
    • Cryptographic implementation analysis and construction
    • Denial-of-service attack countermeasures
    • Embedded systems security
    • Forensics
    • Hardware and physical security
    • Human-computer interaction, security, and privacy
    • Intrusion/anomaly detection and prevention
    • Malware analysis
    • Mobile/wireless/cellular system security
    • Network infrastructure security
    • Operating system security
    • Physical security
    • Security architectures
    • Security in heterogeneous and large-scale environments
    • Security in ubiquitous computing environments
    • Security policy
    • Storage and file system security
    • Techniques for developing secure systems
    • Trustworthy computing
    • Web security, including client-side and server-side security

  • DPM 2013 8th International Workshop on Data Privacy Management, Held in conjunction with ESORICS 2013, Egham, U.K., September 12-13, 2013. (Submissions due 2 June 2013)

    The aim of this workshop is to discuss and exchange the ideas related to privacy data management. We invite papers from researchers and practitioners working in privacy, security, trustworthy data systems and related areas to submit their original papers in this workshop. Topics of interest include, but are not limited to the following:

    • Privacy Information Management
    • Privacy Policy-based Infrastructures and Architectures
    • Privacy-oriented Access Control Languages and Models
    • Privacy in Trust Management
    • Privacy Data Integration
    • Privacy Risk Assessment and Assurance
    • Privacy Services
    • Privacy Policy Analysis
    • Lightweight cryptography & Cryptanalysis
    • Query Execution over Privacy Sensitive Data
    • Privacy Preserving Data Mining
    • Hippocratic and Water-marking Databases
    • Privacy for Integrity-based Computing
    • Privacy Monitoring and Auditing
    • Privacy in Social Networks
    • Privacy in Ambient Intelligence (AmI) Applications
    • Individual Privacy vs. Corporate/National Security
    • Code-based Cryptology
    • Privacy in computer networks
    • Privacy and RFIDs
    • Privacy and Big Data
    • Privacy in sensor networks

  • CRiSIS 2013 8th International Conference on Risks and Security of Internet and Systems, La Rochelle, France, October 23-25, 2013. (Submissions due 3 June 2013)

    The topics addressed by CRiSIS range from the analysis of risks, attacks to networks and system survivability, as well as security models, security mechanisms and privacy enhancing technologies. Prospective authors are invited to submit research results as well as practical experiment or deployment reports. Industrial papers about applications and case studies, such as tele medicine, banking, e-government and critical infrastructure, are also welcome. The list of topics includes but is not limited to:

    • Analysis and management of risk
    • Attacks and defenses
    • Attack data acquisition and network monitoring
    • Cryptography, Biometrics, Watermarking
    • Dependability and fault tolerance of Internet applications
    • Distributed systems security
    • Embedded system security
    • Empirical methods for security and risk evaluation
    • Hardware-based security and Physical security
    • Intrusion detection and Prevention systems
    • Organizational, ethical and legal issues
    • Privacy protection and anonymization
    • Risk-aware access and usage control
    • Security and risk assessment
    • Security and risks metrics
    • Security and dependability of operating systems
    • Security and safety of critical infrastructures
    • Security and privacy of peer-to-peer system
    • Security and privacy of wireless networks
    • Security models and security policies
    • Security of new generation networks, security of VoIP and multimedia
    • Security of e-commerce, electronic voting and database systems
    • Security of social networks
    • Smartphone security and privacy
    • Traceability, metrology and forensics
    • Trust management
    • Use of smart cards and personal devices for Internet applications
    • Web and cloud security

  • QASA 2013 2nd International Workshop in Quantitative Aspects in Security Assurance, Held in conjunction with ESORICS 2013, Egham, U.K., September 12-13, 2013. (Submissions due 5 June 2013)

    There is an increasing demand for techniques to deal with quantitative aspects of security assurance at several levels of the development life-cycle of systems & services, e.g., from requirements elicitation to run-time operation and maintenance. The aim of this workshop is to bring together researchers and practitioners interested in these research topics with a particular emphasis techniques for service oriented architectures. The scope of the workshop, is intended to be broad, including aspects as dependability, privacy, risk and trust. The list of topics includes, but it is not limited to:

    • Probabilistic/stochastic model checking
    • Quantitative information flow analysis
    • Quantitative issues in access and usage control
    • Security testing techniques
    • Static/dynamic code analysis techniques
    • Metrics for security, trust and privacy
    • Incremental/modular security assurance analysis
    • Process compliance assurance techniques
    • Tool support for quantitative security assurance
    • Simulation techniques
    • Model-driven techniques for security, trust, risk and privacy
    • Assurance cases modelling and analysis

  • BigSecurity 2013 1st International Workshop on Security and Privacy in Big Data, Held in conjunction with Globecom 2013, Atlanta, Georgia, USA, December 9-13, 2013. (Submissions due 10 June 2013)

    As we are deep into the Information Age, we witness the explosive growth of data available on the Internet. For example, human beings create about 2.5 quintillion bytes of data every day in 2012, which come from sensors, individual archives, social networks, Internet of Things, enterprise and Internet in all scales and formats. We face one of the most challenging issues, i.e., how to effectively manage such a large amount of data and identify new ways to analyze large amounts of data and unlock information. The issue is also known as Big Data, which has been emerging as a hot topic in Information and Communication Technologies (ICT) research. Security and privacy issue is critical for Big Data. Many works have been carried out focusing on business, application and information processing level from big data, such as data mining and analysis. However, security and privacy issues in Big Data are seldom mentioned to date. Due to its extraordinary scale, security and privacy in Big Data faces many challenges, such as efficient encryption and decryption algorithms, encrypted information retrieval, attribute based encryption, attacks on availability, reliability and integrity of Big Data. This workshop offers a timely venue for researchers and industry partners to present and discuss their latest results in security and privacy related work of Big Data.

  • SafeConfig 2013 6th Symposium on Security Analytics and Automation, Washington, D.C., USA, October 14, 2013. (Submissions due 25 June 2013)

    The new sophisticated cyber security threats demand new security management approaches that offer a holistic security analytics based on the system data including configurations, logs and network traffic. Security analytics must be able to handle large volumes of data in order to model, integrate, analyze and respond to threats at real time. The system configuration/policy is a key component that determines the security and resiliency of networked information systems and services. However, a typical enterprise networked environment contains thousands of network and security devices and millions of inter-dependent configuration variables (e.g., rules) that orchestrate the end-to-end system behavior globally. As the current technology moves toward "smart" cyber infrastructure and open networking platforms (e.g. OpenFlow and virtual computing), the need for security analytics and automation significantly increases. The coupled integration of network sensor data and configuration in a unified framework will enable intelligent response, automated defense, and network resiliency/agility. This symposium offers a unique opportunity by bringing together researchers form academic, industry as well as government agencies to discuss these challenges, exchange experiences, and propose joint plans for promoting research and development in this area. SafeConfig Symposium is a one day program that will include invited talks, technical presentations of peer-reviewed papers, poster/demo sessions, and joint panels on research collaboration. SafeConfig Symposium solicits the submission of original unpublished ideas in 8-page long papers, 4-page sort papers, or 2-pages posters. Security analytics and automation for new emerging application domains such as clouds and data centers, cyber-physical systems software defined networking and Internet of things are of particular interest to SafeConfig community.

  • SIN 2013 6th International Conference on Security of Information and Networks, Aksaray, Turkey, November 26-28, 2013. (Submissions due 30 June 2013)

    The 6th International Conference on Security of Information and Networks (SIN 2013) provides an international forum for presentation of research and applications of security in information and networks. Papers addressing all aspects of security in information and networks are being sought. Researchers and industrial practitioners working on the following and related subjects are especially encouraged: Development and realization of cryptographic solutions, security schemes, new algorithms; critical analysis of existing approaches; secure information systems, especially distributed control and processing applications, and security in networks; interoperability, service levels and quality issues in such systems; information assurance, security, and public policy; detection and prevention of cybercrimes such as fraud and phishing; next generation network architectures, protocols, systems and applications; industrial experiences and challenges of the above.

  • RFIDsec-Asia 2013 Workshop on RFID and IoT Security, Guangzhou, China, November 27, 2013. (Submissions due 1 July 2013)

    The workshop series of RFIDsec Asia, the Asia branch of RFIDsec, aims to provide researchers, enterprises and governments a platform to investigate, discuss and propose new solutions on security and privacy issues of RFID/IoT (Internet of Things) technologies and applications. Papers with original research in theory and practical system design concerning RFID/IoT security are solicited. Topics of interest include, but are not limited to, the following:

    • New applications for secure RFID/IoT systems
    • Data integrity and privacy protection techniques for RFID/IoT
    • Attacks and countermeasures on RFID/IoT systems
    • Design and analysis on secure RFID/IoT hardware
    • Risk assessment and management on RFID/IoT applications
    • Trust model, data aggregation and information sharing for EPCglobal network
    • Resource efficient implementation of cryptography
    • Integration of secure RFID/IoT systems

  • eCrime 2013 8th IEEE eCrime Researchers Summit, San Francisco, California, USA, September 17-18, 2013. (Submissions due 5 July 2013)

    eCRS 2013 consist of two full days which bring together academic researchers, security practitioners, and law enforcement to discuss all aspects of electronic crime and ways to combat it. Topics of interests include (but are not limited to):

    • Case studies of current attack methods, including phishing, malware, rogue antivirus, pharming, crimeware, botnets, and emerging techniques
    • Case studies of online advertising fraud, including click fraud, malvertising, cookie stuffing, and affiliate fraud
    • Case studies of large-scale take-downs, such as coordinated botnet disruption
    • Technical, legal, political, social and psychological aspects of fraud and fraud prevention
    • Economics of online crime, including measurement studies of underground economies and models of e-crime
    • Uncovering and disrupting online criminal collaboration and gangs
    • Financial infrastructure of e-crime, including payment processing and money laundering
    • Techniques to assess the risks and yields of attacks and the effectiveness of countermeasures
    • Delivery techniques, including spam, voice mail, social network and web search manipulation; and countermeasures
    • Techniques to avoid detection, tracking and take-down; and ways to block such techniques
    • Best practices for detecting and avoiding damages to critical internet infrastructure, such as DNS and SCADA, from electronic crime activities

  • VizSec 2013 10th International Symposium on Visualization for Cyber Security, Atlanta GA, USA, October 14, 2013. (Submissions due 8 July 2013)

    The 10th International Symposium on Visualization for Cyber Security (VizSec) is a forum that brings together researchers and practitioners from academia, government, and industry to address the needs of the cyber security community through new and insightful visualization and analysis techniques. VizSec will provide an excellent venue for fostering greater exchange and new collaborations on a broad range of security- and privacy-related topics. Important research problems often lie at the intersection of disparate domains. Our focus is to explore effective, scalable visual interfaces for security domains, where visualization may provide a distinct benefit, including computer forensics, reverse engineering, insider threat detection, cryptography, privacy, preventing 'user assisted' attacks, compliance management, wireless security, secure coding, and penetration testing in addition to traditional network security. Human time and attention are precious resources. We are particularly interested in visualization and interaction techniques that effectively capture human analyst insights so that further processing may be handled by machines, freeing the analyst for other tasks. For example, a malware analyst might use a visualization system to analyze a new piece of malicious software and then facilitate generating a signature for future machine processing. When appropriate, research that incorporates multiple data sources, such as network packet captures, firewall rule sets and logs, DNS logs, web server logs, and/or intrusion detection system logs, is particularly desirable.

  • SPSM 2013 3rd Workshop on Security and Privacy in Smartphones and Mobile Devices, Held in conjunction with the ACM CCS 2013, Berlin, Germany, November 8, 2013. (Submissions due 22 July 2013)

    The SPSM workshop intends to provide a venue for interested researchers and practitioners to get together and exchange ideas. The workshop will deepen our understanding of various security and privacy issues on smartphones. As with the two very well received previous editions, the topics of interest to SPSM 2013 include (but are not limited to) the following subject categories:

    • Device/hardware security
    • OS/Middleware security
    • Application security
    • Authenticating users to devices and services
    • Mobile Web Browsers
    • Usability
    • Privacy
    • Rogue application detection and recovery
    • Vulnerability detection and remediation
    • Secure application development
    • Cloud support for mobile security

  • IFIP119-DF 2014 10th Annual IFIP WG 11.9 International Conference on Digital Forensics, Vienna University of Technology, Vienna, Austria, January 8-10, 2014. (Submissions due 15 September 2013)

    The IFIP Working Group 11.9 on Digital Forensics (www.ifip119.org) is an active international community of scientists, engineers and practitioners dedicated to advancing the state of the art of research and practice in digital forensics. The Tenth Annual IFIP WG 11.9 International Conference on Digital Forensics will provide a forum for presenting original, unpublished research results and innovative ideas related to the extraction, analysis and preservation of all forms of electronic evidence. Papers and panel proposals are solicited. All submissions will be refereed by a program committee comprising members of the Working Group. Papers and panel submissions will be selected based on their technical merit and relevance to IFIP WG 11.9. The conference will be limited to approximately sixty participants to facilitate interactions between researchers and intense discussions of critical research issues. Technical papers are solicited in all areas related to the theory and practice of digital forensics. Areas of special interest include, but are not limited to:

    • Theories, techniques and tools for extracting, analyzing and preserving digital evidence
    • Network and cloud forensics
    • Embedded device forensics
    • Digital forensic processes and workflow models
    • Digital forensic case studies
    • Legal, ethical and policy issues related to digital forensics

  • POST 2014 3rd Conference on Principles of Security and Trust, Grenoble, France, April 7-11, 2014. (Submissions due 4 October 2013)

    Principles of Security and Trust is a broad forum related to the theoretical and foundational aspects of security and trust. Papers of many kinds are welcome: new theoretical results, practical applications of existing foundational ideas, and innovative theoretical approaches stimulated by pressing practical problems. We seek submissions proposing theories to clarify security and trust within computer science; submissions establishing new results in existing theories; and also submissions raising fundamental concerns about existing theories. We welcome new techniques and tools to automate reasoning within such theories, or to solve security and trust problems. Case studies that reflect the strengths and limitations of foundational approaches are also welcome, as are more exploratory presentations on open questions. Areas of interest include:

    • Access control
    • Anonymity
    • Authentication
    • Availability
    • Cloud security
    • Confidentiality
    • Covert channels
    • Crypto foundations
    • Economic issues
    • Information flow
    • Integrity
    • Languages for security
    • Malicious code
    • Mobile code
    • Models and policies
    • Privacy
    • Provenance
    • Reputation and trust
    • Resource usage
    • Risk assessment
    • Security architectures
    • Security protocols
    • Trust management
    • Web service security

  • IEEE Transactions on Reliability, Special Section on Trustworthy Computing, 2014, (Submission Due 1 November 2013)

    Editors: Shiuhpyng Winston Shieh (National Chiao Tung University, Taiwan)
    
    Trustworthy Computing (TC) has been applied to software-enabled computing systems and networks that are inherently secure, private, available, and reliable. As the fast growing mobile cloud computing emerges to cover smart phones, tablets, smart TV, and cloud computing platforms, these ubiquitous computing devices poses new challenges to trustworthy computing. Cloud computing offers organizations of all sizes the ability to embrace and implement new applications at far less cost than traditional approaches. Organizations that move workloads to the cloud take advantage of the capabilities of their cloud providers to ensure continuous availability of services. However, the ever-growing complexity of such systems and the software that controls them not only makes it much more difficult to guarantee their quality, but also introduces more vulnerability for malicious attacks, intrusion, and data loss. To address these needs, this special section calls for novel applications of emerging techniques for trustworthy computing of information, software, systems, networks. Reviews and case studies which address state-of-art research and state-of-practice industry experiences are also welcomed. The topics of interest include, but are not limited to:

    • Security, reliability, privacy, and availability issues in computing systems and networks
    • Trustworthy computing in small or large systems, such as mobile devices, embedded systems, cloud computing platforms, and internet of things
    • Information, system, and software assurance
    • Auditing, verification, validation
    • Security testing, evaluation, and measurement
    • Data protection, maintenance, recovery, and risk assessment
    • Authentication, authorization, access control, and accounting
    • Penetration analysis, intrusion detection and prevention
    • Malware behavior analysis, and software vulnerability discovery
    • Hardware techniques facilitating trustworthy computing, such as Trusted Platform Module (TPM)
    • Trustworthy operating systems and applications
    • Cloud Computing
    • Mobile Computing
    • Software defined networking (SDN)
    • Cryptographic techniques

 

• The Technical Committee on Security and Privacy

 

• Staying in touch....

  • Information for Subscribers and Contributors

  • Who's where: recent address changes

  • Changing your email address?  Please send updates to cipher@ieee-security.org