Cipher Electronic Newsletter of the Technical Committe on    Security & Privacy A Technical Committee of the Computer Society of the IEEE  Electronic Issue (EI) 116,  September 22, 2013 Hilarie Orman,  Editor Richard Austin, Book Review Editor Sven Dietrich, Associate Editor Yong Guan, Calendar Editor

Contents:

• Letter from the Editor 
   

• Commentary and Opinion and News

  • Richard Austin's review of The Practice of Network Security Monitoring: Understanding Incident Detection and Response by Richard Bejtlich

  • Announcements and correspondence from readers (please contribute!)

    News Items
    • The Cyber Security Hall of Fame, Class of 2013
    • The NSA Is Building the Country's Biggest Spy Center (Watch What You Say)
    • Revealed: how US and UK spy agencies defeat internet privacy and security
    • Deliberately flawed? RSA Security tells customers to drop NSA-related encryption algorithm
      
    • The US Launched 231 Cyberattacks in 2011
    • Tens of thousands of Yahoo accounts accessed by US government this year
    • Google races to encrypt data

  • Book reviews from past Cipher issues

  • Conference Reports and Commentary from past Cipher issues

  • News items from past Cipher issues

 

• Listing of academic positions available  by Cynthia Irvine
  

 

• Conference and Workshop Announcements

  • Cipher calls-for-papers and calendar
      Cipher calendar announcements are on Twitter; follow "ciphernews"
      new calls or announcements added since Cipher E115 (the calls-for-papers and the calendar announcements may differ slightly in content or time of update): 

  • • 9/25/13- 9/26/13: CMS, 14th Joint IFIP TC6 and TC11 Conference on Communications and Multimedia Security, Magdeburg, Germany
    • 9/25/13- 9/27/13: SECURECOMM, 9th International ICST Conference on Security and Privacy in Communication Networks, Sydney, Australia
    • 9/30/13: IFIP119-DF, 10th Annual IFIP WG 11.9 International Conference on Digital Forensics, Vienna University of Technology, Vienna, Austria; Submissions are due
    • 9/30/13: Elsevier Journal of Information Security and Applications, Special Issue on Threat Detection, Analysis and Defense; Submissions are due
    • 9/30/13-10/ 2/13: SeTTIT, Workshop on Security Tools and Techniques for Internet of Things, Co-located with the BODYNETS 2013 conference, Boston, Massachusetts, USA
    • 10/ 4/13: POST, 3rd Conference on Principles of Security and Trust, Grenoble, France; Submissions are due
    • 10/14/13: VizSec, 10th International Symposium on Visualization for Cyber Security, Atlanta GA, USA
    • 10/14/13: SafeConfig, 6th Symposium on Security Analytics and Automation, Washington, D.C., USA
    • 10/14/13-10/16/13: CNS, 1st IEEE Conference on Communications and Network Security, Washington D.C., USA
    • 10/23/13-10/25/13: CRiSIS, 8th International Conference on Risks and Security of Internet and Systems, La Rochelle, France
    • 11/ 1/13: IEEE Transactions on Reliability, Special Section on Trustworthy Computing; Submissions are due
    • 11/ 4/13: SESOC, 6th International Workshop on Security and Social Networking, Held in conjunction with PerCom 2014, Budapest, Hungary; Submissions are due
    • 11/ 4/13: TrustED, 3rd International Workshop on Trustworthy Embedded Devices, Collocated with the ACM Conference on Computer & Communications Security (CCS) 2013, Berlin, Germany
    • 11/ 4/13-11/ 8/13: CCS, 20th ACM Conference on Computer and Communications Security, Berlin, Germany
    • 11/ 8/13: HotSoS, Symposium and Bootcamp on the Science of Security, Raleigh, North Carolina, USA; Submissions are due
    • 11/ 8/13: SPSM, 3rd Workshop on Security and Privacy in Smartphones and Mobile Devices, Held in conjunction with the ACM CCS 2013, Berlin, Germany
    • 11/12/13-11/14/13: HST, 13th annual IEEE Conference on Technologies for Homeland Security, Waltham, Massachusetts, USA
    • 11/13/13: SP, 35th IEEE Symposium on Security and Privacy, San Jose, CA, USA; Submissions are due
    • 11/15/13: Elsevier Computers & Electrical Engineering, Special Issue on Recent Advances in Security and Privacy in Distributed Communications; Submissions are due
    • 11/18/13-11/20/13: IWSEC, 8th International Workshop on Security, Okinawaken Shichouson Jichikaikan, Japan
    • 11/20/13-11/22/13: ICICS, 15th International Conference on Information and Communications Security, Beijing, China
    • 11/21/13-11/22/13: SADFE, 8th International Workshop on Systematic Approaches to Digital Forensics Engineering, Hong Kong
    • 11/26/13-11/28/13: SIN, 6th International Conference on Security of Information and Networks, Aksaray, Turkey
    • 11/27/13: RFIDsec-Asia, Workshop on RFID and IoT Security, Guangzhou, China
    • 12/ 9/13-12/13/13: BigSecurity, 1st International Workshop on Security and Privacy in Big Data, Held in conjunction with Globecom 2013, Atlanta, Georgia, USA
    • 12/15/13: IEEE Computers, Special Issue on Methodologies and Solutions for Mobile Application Security; Submissions are due
    • 12/15/13: Journal of Cyber Security and Mobility, Special issue on Next generation mobility network security; Submissions are due
    • 12/18/13-12/21/13: ATC, 10th IEEE International Conference on Autonomic and Trusted Computing, Sorrento Peninsula, Italy
    • 1/ 8/14- 1/10/14: IFIP119-DF, 10th Annual IFIP WG 11.9 International Conference on Digital Forensics, Vienna University of Technology, Vienna, Austria
    • 2/23/14- 2/26/14: NDSS, 21st Annual Network and Distributed System Security Symposium, San Diego, California, USA
    • 2/26/14- 2/28/14: ESSOS, 6th International Symposium on Engineering Secure Software and Systems, Munich, Germany
    • 3/24/14: SESOC, 6th International Workshop on Security and Social Networking, Held in conjunction with PerCom 2014, Budapest, Hungary
    • 3/24/14- 3/28/14: IFIP119-DF, 10th Annual IFIP WG 11.9 International Conference on Digital Forensics, Vienna University of Technology, Vienna, Austria
    • 4/ 7/14- 4/11/14: POST, 3rd Conference on Principles of Security and Trust, Grenoble, France
    • 4/ 8/14- 4/ 9/14: HotSoS, Symposium and Bootcamp on the Science of Security, Raleigh, North Carolina, USA
    • 5/18/14- 5/21/14: SP, 35th IEEE Symposium on Security and Privacy, San Jose, CA, USA
  • new calls or announcements added since Cipher E115

  • IFIP119-DF 2014 10th Annual IFIP WG 11.9 International Conference on Digital Forensics, Vienna University of Technology, Vienna, Austria, January 8-10, 2014. (Submissions due 30 September 2013)

    The IFIP Working Group 11.9 on Digital Forensics (www.ifip119.org) is an active international community of scientists, engineers and practitioners dedicated to advancing the state of the art of research and practice in digital forensics. The Tenth Annual IFIP WG 11.9 International Conference on Digital Forensics will provide a forum for presenting original, unpublished research results and innovative ideas related to the extraction, analysis and preservation of all forms of electronic evidence. Papers and panel proposals are solicited. All submissions will be refereed by a program committee comprising members of the Working Group. Papers and panel submissions will be selected based on their technical merit and relevance to IFIP WG 11.9. The conference will be limited to approximately sixty participants to facilitate interactions between researchers and intense discussions of critical research issues. Technical papers are solicited in all areas related to the theory and practice of digital forensics. Areas of special interest include, but are not limited to:

    • Theories, techniques and tools for extracting, analyzing and preserving digital evidence
    • Network and cloud forensics
    • Embedded device forensics
    • Digital forensic processes and workflow models
    • Digital forensic case studies
    • Legal, ethical and policy issues related to digital forensics

  • Elsevier Journal of Information Security and Applications, Special Issue on Threat Detection, Analysis and Defense, July 2014, (Submission Due 30 September 2013)

    Editors: Alan Woodward (Charteris plc, United Kingdom), Konrad Rieck (University of Göttingen, Germany), Andrew Rogoyski (Roke Manor Research Ltd, United Kingdom), and Shujun Li (University of Surrey, United Kingdom)
    
    The majority of organizations in the commercial and government sectors now use digital Information Technology (IT) to store and process data that is sensitive in some way. Sensitive data ranges from individuals' confidential details to valuable intellectual property to market sensitive information or even state secrets. At the same time, the commercialization of the Internet in the mid-1990s has resulted in the Internet becoming the de facto electronic channel over which organizations now interact with each other. Even where systems are not directly connected to the Internet, there are often indirect channels being inadvertently created to reach apparently disconnected systems. The increase in connectivity has bought about new threats and that threat continues to evolve as connectivity evolves with developments such as mobile devices. This special issue is intended to bring forth the recent advancements in the detection, modeling, monitoring, analysis and defense of various threats posed to sensitive data and security systems from unauthorized or other inappropriate access. Areas to be covered include but are not limited to:

    • Monitoring - Novel tools and techniques for monitoring mounting threats including monitoring of ongoing attacks
    • Detection solutions - Innovations in the detection of intrusion, malware and its activity, including post-attack forensics on secure devices
    • Infrastructure - Improvements in network traffic security analysis for identification of threats
    • Threat modelling - Advances in the tools, technologies and processes used in anticipating attacks and understanding what assets it is most important to protect
    • Emergent problems - New threats resulting from new business models for transfer of value, from gold-farming to Paypal, or new forms of payment such as Bitcoin
    • Security designs - Innovations in security architectures, approaches and systems responding to specific emerging threats

  • POST 2014 3rd Conference on Principles of Security and Trust, Grenoble, France, April 7-11, 2014. (Submissions due 4 October 2013)

    Principles of Security and Trust is a broad forum related to the theoretical and foundational aspects of security and trust. Papers of many kinds are welcome: new theoretical results, practical applications of existing foundational ideas, and innovative theoretical approaches stimulated by pressing practical problems. We seek submissions proposing theories to clarify security and trust within computer science; submissions establishing new results in existing theories; and also submissions raising fundamental concerns about existing theories. We welcome new techniques and tools to automate reasoning within such theories, or to solve security and trust problems. Case studies that reflect the strengths and limitations of foundational approaches are also welcome, as are more exploratory presentations on open questions. Areas of interest include:

    • Access control
    • Anonymity
    • Authentication
    • Availability
    • Cloud security
    • Confidentiality
    • Covert channels
    • Crypto foundations
    • Economic issues
    • Information flow
    • Integrity
    • Languages for security
    • Malicious code
    • Mobile code
    • Models and policies
    • Privacy
    • Provenance
    • Reputation and trust
    • Resource usage
    • Risk assessment
    • Security architectures
    • Security protocols
    • Trust management
    • Web service security

  • IEEE Transactions on Reliability, Special Section on Trustworthy Computing, 2014, (Submission Due 1 November 2013)

    Editors: Shiuhpyng Winston Shieh (National Chiao Tung University, Taiwan)
    
    Trustworthy Computing (TC) has been applied to software-enabled computing systems and networks that are inherently secure, private, available, and reliable. As the fast growing mobile cloud computing emerges to cover smart phones, tablets, smart TV, and cloud computing platforms, these ubiquitous computing devices poses new challenges to trustworthy computing. Cloud computing offers organizations of all sizes the ability to embrace and implement new applications at far less cost than traditional approaches. Organizations that move workloads to the cloud take advantage of the capabilities of their cloud providers to ensure continuous availability of services. However, the ever-growing complexity of such systems and the software that controls them not only makes it much more difficult to guarantee their quality, but also introduces more vulnerability for malicious attacks, intrusion, and data loss. To address these needs, this special section calls for novel applications of emerging techniques for trustworthy computing of information, software, systems, networks. Reviews and case studies which address state-of-art research and state-of-practice industry experiences are also welcomed. The topics of interest include, but are not limited to:

    • Security, reliability, privacy, and availability issues in computing systems and networks
    • Trustworthy computing in small or large systems, such as mobile devices, embedded systems, cloud computing platforms, and internet of things
    • Information, system, and software assurance
    • Auditing, verification, validation
    • Security testing, evaluation, and measurement
    • Data protection, maintenance, recovery, and risk assessment
    • Authentication, authorization, access control, and accounting
    • Penetration analysis, intrusion detection and prevention
    • Malware behavior analysis, and software vulnerability discovery
    • Hardware techniques facilitating trustworthy computing, such as Trusted Platform Module (TPM)
    • Trustworthy operating systems and applications
    • Cloud Computing
    • Mobile Computing
    • Software defined networking (SDN)
    • Cryptographic techniques

  • SESOC 2014 6th International Workshop on Security and Social Networking, Held in conjunction with PerCom 2014, Budapest, Hungary, March 24, 2014. (Submissions due 4 November 2013)

    The number of profiles on Social Networking Services, like Facebook, Google-Plus, Snapchat, or Twitter have grown to account for a third of the world's population. Acting as convenient link collections and (group) communication media, they have evolved to central hubs for Web browsing and Internet use. Encouraging their subscribers to publish self-descriptive and user-generated content, usually covering topics, events, and opinions corresponding to their personal environment, these services have become collections of highly detailed profiles of them. A paramount paradigm change is a near to perfect identifiability of their subscribers, who are forced to register using their clear names, instead of pseudonyms or throwaway accounts in previous forums. The extent of information gathered about their subscribers additionally allows the providers to check the credibility of the chosen handles and even re-identify users who have chosen pseudonyms. While SNS previously have largely been walled-gardens, the current development sees an extending integration with the conventional Web. This both opens their content and interaction functions to become a social layer, and allows the providers to even better track their users behavior and activities on the Web. The subscribers additionally increasingly use their mobile applications, thus exposing even their whereabouts and communication patterns beyond their activities on the Web. These services, while offering extensive chances for enhanced communication between their subscribers raise entirely new privacy concerns. They hence require new reflections on security goals and services, and to revisit previously seemingly well understood solutions for confidentiality, trust establishment, key management, or cooperation enforcement. The aim of SESOC 2014 hence is to encompass research advances in all areas of security, trust and privacy in pervasive communication systems with a special focus on the social aspects of the services.

  • HotSoS 2014 Symposium and Bootcamp on the Science of Security, Raleigh, North Carolina, USA, April 8-9, 2014. (Submissions due 8 November 2013)

    Security has been intensively studied, however, previous research has often emphasized the engineering of specific solutions and attacks without developing the scientific understanding of the problem domain. All too often, security research focuses on responding to specific threats in an apparently ad hoc manner. The motivation behind the nascent Science of Security is to understand how computing systems are architected, built, used, and maintained with a view to understanding and addressing security challenges systematically across their life cycle. In particular, two features distinguish the Science of Security from other research programs on security: scope and approach:

    • Scope: The Science of Security considers not just computational artifacts, but incorporates the human, social, and organizational aspects of computing within its purview.
    • Approach: The Science of Security takes a decidedly scientific approach, based on the understanding of empirical evaluation and theoretical foundations as developed in the natural and social sciences, but adapted as appropriate for the artificial science (in Herb Simon's term) that is computing.

  • SP 2014 35th IEEE Symposium on Security and Privacy, San Jose, CA, USA, May 18-21, 2014. (Submissions due 13 November 2013)

    Since 1980, the IEEE Symposium on Security and Privacy has been the premier forum for computer security research, presenting the latest developments and bringing together researchers and practitioners. We solicit previously unpublished papers offering novel research contributions in any aspect of security or privacy. Papers may present advances in the theory, design, implementation, analysis, verification, or empirical evaluation and measurement of secure systems. Topics of interest include:

    • Access control
    • Accountability
    • Anonymity
    • Application security
    • Attacks and defenses
    • Authentication
    • Censorship and censorship-resistance
    • Distributed systems security
    • Embedded systems security
    • Forensics
    • Hardware security
    • Intrusion detection
    • Malware
    • Metrics
    • Mobile security and privacy
    • Language-based security
    • Network security
    • Privacy-preserving systems
    • Protocol security
    • Secure information flow
    • Security and privacy policies
    • Security architectures
    • System security
    • Usable security and privacy
    • Web security and privacy
    This topic list is not meant to be exhaustive; S&P is interested in all aspects of computer security and privacy. Papers without a clear application to security or privacy, however, will be considered out of scope and may be rejected without full review.
    
    Given the rapidly expanding and maturing security and privacy community, we hope to increase the acceptance rate of papers that are more "far-reaching" and "risky," as long as those papers also show sufficient promise for creating interesting discussions and questioning widely-held beliefs.
    
    Systematization of Knowledge Papers: Following the success of the previous year's conferences, we are also soliciting papers focused on systematization of knowledge (SoK). The goal of this call is to encourage work that evaluates, systematizes, and contextualizes existing knowledge. These papers can provide a high value to our community but may not be accepted because of a lack of novel research contributions. Suitable papers include survey papers that provide useful perspectives on major research areas, papers that support or challenge long-held beliefs with compelling evidence, or papers that provide an extensive and realistic evaluation of competing approaches to solving specific problems. Submissions are encouraged to analyze the current research landscape: identify areas that have enjoyed much research attention, point out open areas with unsolved challenges, and present a prioritization that can guide researchers to make progress on solving important challenges. Submissions will be distinguished by the prefix "SoK:" in the title and a checkbox on the submission form. They will be reviewed by the full PC and held to the same standards as traditional research papers, except instead of emphasizing novel research contributions the emphasis will be on value to the community. Accepted papers will be presented at the symposium and included in the proceedings.

  • Elsevier Computers & Electrical Engineering, Special Issue on Recent Advances in Security and Privacy in Distributed Communications, June 2014, (Submission Due 15 November 2013)

    Editors: Felix Gomez Marmol (NEC Laboratories Europe, Germany), Jose M. Alcaraz Calero (University of the West of Scotland, United Kingdom), and Gregorio Martinez Perez (University of Murcia, Spain)
    
    Security services need to be considered as part of most communication proposals being discussed nowadays in distributed communication environments. Additionally, in the last few years, privacy has been gaining interest from both the designers and the customers of security solutions, thus being considered now as a key aspect for them. For a good security and/or privacy design, one needs to be informed of the latest advances in this field, this being the main objective of this special issue. This special issue is intended to report the most recent research works on distributed communications related to security and privacy, particularly in the following fields:

    • Anonymity
    • Authentication
    • Authorization and access control
    • Critical Infrastructure Protection (CIP)
    • Cybersecurity and cyberwarfare
    • Data integrity and protection
    • Data security and data privacy
    • Dependability of cloud systems
    • Identity management
    • Intrusion detection and prevention
    • End-to-end security solutions
    • Privacy enhancing technologies
    • Risk analysis and management
    • Secure and private data storage and processing in the cloud
    • Security policies
    • Threats and vulnerabilities
    • Trust and reputation management in distributed scenarios

  • IEEE Computers, Special Issue on Methodologies and Solutions for Mobile Application Security, June 2014, (Submission Due 15 December 2013)

    Editors: Ying-Dar Lin (National Chiao Tung University, Hsinchu, Taiwan), Chun-Ying Huang (National Taiwan Ocean University, Taiwan), Matthew Wright (University of Texas at Arlington), and Georgios Kambourakis (University of the Aegean, Greece)
    
    With the ubiquitous use of mobile devices, mobile application security has become an important research topic. Compared with personal computers or servers, mobile devices store much more sensitive personal information and are thus attractive targets for attackers seeking financial gain. Because these devices are always online and have a restricted user interface, it is easier for attackers to hide their malicious activities. This special issue aims to present high-quality articles describing security algorithms, protocols, policies, and frameworks for applications running on modern mobile platforms such as Android, iOS, and Windows Mobile. Only submissions describing previously unpublished, original, state-of-the-art research that are not currently under review by a conference or journal will be considered. Appropriate topics include, but are not limited to, the following:

    • app and app store security and privacy
    • benchmarking and evaluation of mobile security solutions
    • bots on mobile devices
    • cloud security and privacy, as related to mobile devices
    • mobile device forensics
    • security and privacy in mobile device operating systems and middleware
    • mobile malware collection, statistics, and analysis
    • mobile services and social networking security
    • reverse engineering and automated analysis of mobile malware
    • security for smart payment applications, including near-field communication
    • standardization efforts related to developing and vetting mobile apps
    • testbeds and case studies for mobile platforms
    • traffic monitoring and detection algorithms for mobile platforms
    • usability of approaches for mobile security and privacy
    • virtualization solutions for mobile security
    • Web browser security on mobile devices

  • Journal of Cyber Security and Mobility, Special issue on Next generation mobility network security, July 2014, (Submission Due 15 December 2013)

    Editor: Roger Piqueras Jover (AT&T Security Research Center)
    
    The Long Term Evolution (LTE) is the newly adopted standard technology to offer enhanced capacity and coverage for mobility networks, providing advanced multimedia services beyond traditional voice and short messaging traffic for billions of users. This new cellular communication system introduces a substantial redesign of the network architecture resulting in the new eUTRAN (Enhanced Universal Terrestrial Radio Access Network) and the EPC (Enhanced Packet Core). In this context, the LTE Radio Access Network (RAN) is built upon a redesigned physical layer and based on an Orthogonal Frequency Division Multiple Access (OFDMA) modulation, features robust performance in challenging multipath environments and substantially improves capacity. Moreover, a new all-IP core architecture is designed to be more flexible and flatter. In parallel, the cyber-security landscape has changed drastically over the last few years. It is now characterized by large scale security threats such as massive Distributed Denial of Service Attacks (DDoS), the advent of the Advanced Persistent Threat (APT) and the surge of mobile malware and fraud. These new threats illustrate the importance of strengthening the resiliency of mobility networks against security attacks, ensuring this way full mobility network availability. In this context, however, the scale of the threat is not the key element anymore and traditionally overlooked low range threats, such as radio jamming, should also be included in security studies. This special issue of the Journal of Cyber Security and Mobility addresses research advances in mobility threats and new security applications/architectures for next generation mobility networks. The main topics of interest of this issue include, but are not limited to, the following:

    • LTE RAN security
    • OFDM/OFDMA radio jamming
    • Secure wireless communications under malicious interference/jamming
    • Mobility security threats based on interoperability with legacy networks
    • LTE EPC security
    • Mobile malware/botnet impact on RAN/EPC
    • Femtocell security threats
    • Detection of attacks against mobility networks
    • Self Organizing Network (SON) security applications
    • WiFi-cellular interoperability threats and security
    • Mobile device baseband security

 

• The Technical Committee on Security and Privacy

 

• Staying in touch....

  • Information for Subscribers and Contributors

  • Who's where: recent address changes

  • Changing your email address?  Please send updates to cipher@ieee-security.org