Cipher Electronic Newsletter of the Technical Committe on    Security & Privacy A Technical Committee of the Computer Society of the IEEE  Electronic Issue (EI) 117,  November 19, 2013 Hilarie Orman,  Editor Richard Austin, Book Review Editor Sven Dietrich, Associate Editor Yong Guan, Calendar Editor

Contents:

• Letter from the Editor 
   

• Conference and Workshop Announcements

  • Commentary and Opinion

    • Richard Austin's review of Cyber War Will Not Take Place by Thomas Rid

    • News Bits:  From the media, and also announcements and correspondence from readers (please contribute!)

    • CIA Buys Call Data from AT&T
    • Yahoo to encrypt data center traffic
    • Microsoft considering data center traffic encryption
    • UK diverts Internet traffic
    • Lavabit founder explains what he's learned
    • Computer scientists not totally clueless on passwords
    • US documents authorizing email surveillance released
    • No early end to US phone surveillance

    • Book reviews from past Cipher issues

    • Conference Reports and Commentary from past Cipher issues

    • News items from past Cipher issues

   

  • Listing of academic positions available  by Cynthia Irvine
    
    New:
    Posted Oct 2013
    Department of Computer Science, TU, Darmstadt
    Darmstadt, Germany
    Multiple Ph.D. and PostDoc positions in Mobile Software Security and Security Engineering
    Application deadline for all positions: 08 Nov 2013. However, applications will be considered until the positions are filled.
    http://www.mais.informatik.tu-darmstadt.de/Positions.html
    

   

  • Cipher calls-for-papers and calendar
      Cipher calendar announcements are on Twitter; follow "ciphernews"
      new calls or announcements added since Cipher E116 (the calls-for-papers and the calendar announcements may differ slightly in content or time of update): 

  • 11/18/13-11/20/13: IWSEC, 8th International Workshop on Security, Okinawaken Shichouson Jichikaikan, Japan
  • 11/20/13-11/22/13: ICICS, 15th International Conference on Information and Communications Security, Beijing, China
  • 11/21/13-11/22/13: SADFE, 8th International Workshop on Systematic Approaches to Digital Forensics Engineering, Hong Kong
  • 11/26/13-11/28/13: SIN, 6th International Conference on Security of Information and Networks, Aksaray, Turkey
  • 11/27/13: RFIDsec-Asia, Workshop on RFID and IoT Security, Guangzhou, China
  • 12/ 9/13-12/13/13: BigSecurity, 1st International Workshop on Security and Privacy in Big Data, Held in conjunction with Globecom 2013, Atlanta, Georgia, USA
  • 12/15/13: IEEE Computers, Special Issue on Methodologies and Solutions for Mobile Application Security; Submissions are due
  • 12/15/13: Journal of Cyber Security and Mobility, Special issue on Next generation mobility network security; Submissions are due
  • 12/15/13: COSADE 2014 5th International Workshop on Constructive Side-Channel Analysis and Secure Design, Paris, France; Submissions are due
  • 12/18/13-12/21/13: ATC, 10th IEEE International Conference on Autonomic and Trusted Computing, Sorrento Peninsula, Italy
  • 1/ 1/14: IEEE Security and Privacy Magazine, Special Issue on Security for Energy Sector Control Systems; Submissions are due
  • 1/ 8/14- 1/10/14: IFIP119-DF, 10th Annual IFIP WG 11.9 International Conference on Digital Forensics, Vienna University of Technology, Vienna, Austria
  • 1/20/14: IFIP-SEC 2014 29th IFIP TC-11 SEC 2014 International Conference ICT Systems Security and Privacy Protection, Marrakech, Morocco; Submissions are due
  • 2/ 8/14: DIMVA 2014 11th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Royal Holloway London, Egham, UK; Submissions are due
  • 2/23/14- 2/26/14: NDSS, 21st Annual Network and Distributed System Security Symposium, San Diego, California, USA
  • 2/26/14- 2/28/14: ESSOS, 6th International Symposium on Engineering Secure Software and Systems, Munich, Germany
  • 3/ 1/14: RFIDSec 2014 10th Workshop on RFID Security, Co-located with ACM WiSec 2014, Oxford, United Kingdom; Submissions are due
  • 3/ 3/14: WiSec 2014 7th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Oxford, United Kingdom; Submissions are due
  • 3/ 7/14: WISTP 2014 8th Workshop in Information Security Theory and Practice, Heraklion, Greece; Submissions are due
  • 3/24/14: SESOC, 6th International Workshop on Security and Social Networking, Held in conjunction with PerCom 2014, Budapest, Hungary
  • 3/24/14- 3/28/14: IFIP119-DF, 10th Annual IFIP WG 11.9 International Conference on Digital Forensics, Vienna University of Technology, Vienna, Austria
  • 4/ 7/14- 4/11/14: POST, 3rd Conference on Principles of Security and Trust, Grenoble, France
  • 4/ 8/14- 4/ 9/14: HotSoS, Symposium and Bootcamp on the Science of Security, Raleigh, North Carolina, USA
  • 4/14/14- 4/15/14: COSADE 2014 5th International Workshop on Constructive Side-Channel Analysis and Secure Design, Paris, France
  • 5/18/14- 5/21/14: SP, 35th IEEE Symposium on Security and Privacy, San Jose, CA, USA
  • 6/ 2/14- 6/ 4/14: IFIP-SEC 2014 29th IFIP TC-11 SEC 2014 International Conference ICT Systems Security and Privacy Protection, Marrakech, Morocco
  • 6/23/14- 6/25/14: WISTP 2014 8th Workshop in Information Security Theory and Practice, Heraklion, Greece
  • 7/10/14- 7/11/14: DIMVA 2014 11th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Royal Holloway London, Egham, UK
  • 7/21/14- 7/23/14: RFIDSec 2014 10th Workshop on RFID Security, Co-located with ACM WiSec 2014, Oxford, United Kingdom
  • 7/21/14- 7/25/14: WiSec 2014 7th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Oxford, United Kingdom
  • new calls or announcements added since Cipher E116

  • IEEE Computers, Special Issue on Methodologies and Solutions for Mobile Application Security, June 2014, (Submission Due 15 December 2013)

    Editors: Ying-Dar Lin (National Chiao Tung University, Hsinchu, Taiwan), Chun-Ying Huang (National Taiwan Ocean University, Taiwan), Matthew Wright (University of Texas at Arlington), and Georgios Kambourakis (University of the Aegean, Greece)
    
    With the ubiquitous use of mobile devices, mobile application security has become an important research topic. Compared with personal computers or servers, mobile devices store much more sensitive personal information and are thus attractive targets for attackers seeking financial gain. Because these devices are always online and have a restricted user interface, it is easier for attackers to hide their malicious activities. This special issue aims to present high-quality articles describing security algorithms, protocols, policies, and frameworks for applications running on modern mobile platforms such as Android, iOS, and Windows Mobile. Only submissions describing previously unpublished, original, state-of-the-art research that are not currently under review by a conference or journal will be considered. Appropriate topics include, but are not limited to, the following:

    • app and app store security and privacy
    • benchmarking and evaluation of mobile security solutions
    • bots on mobile devices
    • cloud security and privacy, as related to mobile devices
    • mobile device forensics
    • security and privacy in mobile device operating systems and middleware
    • mobile malware collection, statistics, and analysis
    • mobile services and social networking security
    • reverse engineering and automated analysis of mobile malware
    • security for smart payment applications, including near-field communication
    • standardization efforts related to developing and vetting mobile apps
    • testbeds and case studies for mobile platforms
    • traffic monitoring and detection algorithms for mobile platforms
    • usability of approaches for mobile security and privacy
    • virtualization solutions for mobile security
    • Web browser security on mobile devices

  • Journal of Cyber Security and Mobility, Special issue on Next generation mobility network security, July 2014, (Submission Due 15 December 2013)

    Editor: Roger Piqueras Jover (AT&T Security Research Center)
    
    The Long Term Evolution (LTE) is the newly adopted standard technology to offer enhanced capacity and coverage for mobility networks, providing advanced multimedia services beyond traditional voice and short messaging traffic for billions of users. This new cellular communication system introduces a substantial redesign of the network architecture resulting in the new eUTRAN (Enhanced Universal Terrestrial Radio Access Network) and the EPC (Enhanced Packet Core). In this context, the LTE Radio Access Network (RAN) is built upon a redesigned physical layer and based on an Orthogonal Frequency Division Multiple Access (OFDMA) modulation, features robust performance in challenging multipath environments and substantially improves capacity. Moreover, a new all-IP core architecture is designed to be more flexible and flatter. In parallel, the cyber-security landscape has changed drastically over the last few years. It is now characterized by large scale security threats such as massive Distributed Denial of Service Attacks (DDoS), the advent of the Advanced Persistent Threat (APT) and the surge of mobile malware and fraud. These new threats illustrate the importance of strengthening the resiliency of mobility networks against security attacks, ensuring this way full mobility network availability. In this context, however, the scale of the threat is not the key element anymore and traditionally overlooked low range threats, such as radio jamming, should also be included in security studies. This special issue of the Journal of Cyber Security and Mobility addresses research advances in mobility threats and new security applications/architectures for next generation mobility networks. The main topics of interest of this issue include, but are not limited to, the following:

    • LTE RAN security
    • OFDM/OFDMA radio jamming
    • Secure wireless communications under malicious interference/jamming
    • Mobility security threats based on interoperability with legacy networks
    • LTE EPC security
    • Mobile malware/botnet impact on RAN/EPC
    • Femtocell security threats
    • Detection of attacks against mobility networks
    • Self Organizing Network (SON) security applications
    • WiFi-cellular interoperability threats and security
    • Mobile device baseband security

  • COSADE 2014 5th International Workshop on Constructive Side-Channel Analysis and Secure Design, Paris, France, April 14-15, 2014. (Submission Due 15 December 2013)

    Side-channel analysis (SCA) and implementation attacks have become an important field of research at universities and in the industry. In order to enhance the resistance of cryptographic and security critical implementations within the design phase, constructive attacks and analyzing techniques may serve as a quality metric to optimize the design and development process. Since 2010, COSADE provides an international platform for researchers, academics, and industry participants to present their work and their current research topics. It is an excellent opportunity to exchange on new results with international experts and to initiate new collaborations and information exchange at a professional level. The workshop will feature both invited presentations and contributed talks. The topics of COSADE 2014 include, but are not limited to:

    • Constructive side-channel analysis and implementation attacks
    • Semi-invasive, invasive and fault attacks
    • Leakage models and security models for side-channel analysis
    • Cache-attacks and micro-architectural analysis
    • Decapsulation and preparation techniques
    • Side-channel based reverse engineering
    • Leakage Resilient Implementations
    • Evaluation methodologies for side-channel resistant designs
    • Secure designs and countermeasures
    • Evaluation platforms and tools for testing side-channel characteristics

  • IEEE Security and Privacy Magazine, Special Issue on Security for Energy Sector Control Systems, November/December 2014, (Submission Due 1 January 2014)

    Editor: Sean Peisert (Lawrence Berkeley National Laboratory and University of California, Davis, USA) and Jonathan Margulies (National Institute of Standards and Technology, USA)
    
    Control systems used in the energy sector present unusual security and reliability challenges: The installed base is often decades old, systems are commonly installed in adverse physical conditions, bandwidth and communication reliability can be very low, with tight performance timelines, and, most important, failure can result in destruction of critical physical systems or loss of life. This special issue seeks articles that can help lead to solutions that can be shown to improve the security and reliability of power systems, including control systems related to generation, transmission, distribution, and consumption or use, such as in industrial plant operations, commercial buildings, or homes. Such solutions might be purely technical, or could be social, policy-related, or some combination. Articles should address questions such as:

    • Very few techniques from "traditional" computer security and information technology (IT) can be shown to demonstrably improve security and reliability of the systems they seek to protect.
      --- Are there techniques that exist for control systems that make the problem more tractable?
      --- Are there challenges that make the problem even worse? How can those be surmounted?
      
    • How can safety engineering traditionally used with control systems be married with computer security techniques traditionally used in IT?
    • How do current policies, laws, and regulations help or hinder security for power-related controls systems? What policy changes might be useful to improving control system security & reliability?
    • What privacy problems or solutions exist in relation to electric power control systems?
    We welcome case studies, experience reports, practices, research results, and standards reports. Our readers are eager to hear about industry experiences, especially resulting from empirical studies that help us learn how past successes and failures should inform new technology or practices. We are also interested in failures, either in research, development, or operations, that can convey valuable learning experience.

  • IFIP-SEC 2014 29th IFIP TC-11 SEC 2014 International Conference ICT Systems Security and Privacy Protection, Marrakech, Morocco, June 2-4, 2014. (Submission Due 20 January 2014)

    This conference is the flagship event of the International Federation for Information Processing (IFIP) Technical Committee 11 on Security and Privacy Protection in Information Processing Systems (TC-11, www.ifiptc11.org). We seek submissions from academia, industry, and government presenting novel research on all theoretical and practical aspects of security and privacy protection in ICT Systems. Topics of interest include, but are not limited to:

    • Access control and authentication
    • Applied cryptography
    • Cloud and big data security
    • Critical Infrastructure Protection
    • Data and Applications Security
    • Digital Forensics
    • Human Aspects of Information Security and Assurance
    • Identity Management
    • Information Security Education
    • Information Security Management
    • Information Technology Mis-Use and the Law
    • Managing information security functions
    • Mobile security
    • Multilateral Security
    • Network & Distributed Systems Security
    • Pervasive Systems Security
    • Privacy protection
    • Trust Management
    • Audit and risk analysis

  • DIMVA 2014 11th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Royal Holloway London, Egham, UK, July 10-11, 2014. (Submission Due 8 February 2014)

    The annual DIMVA conference serves as a premier forum for advancing the state of the art in intrusion detection, malware detection, and vulnerability assessment. Each year, DIMVA brings together international experts from academia, industry, and government to present and discuss novel research in these areas. DIMVA is organized by the special interest group "Security - Intrusion Detection and Response" (SIDAR) of the German Informatics Society (GI). The conference proceedings will appear as a volume in the Springer Lecture Notes in Computer Science (LNCS) series (approval pending). DIMVA encourages submissions from the following broad areas:
    Intrusion Detection
    

    • Novel approaches and domains
    • Insider detection
    • Prevention and response
    • Data leakage and exfiltration
    • Result correlation and cooperation
    • Evasion and other attacks
    • Potentials and limitations
    • Operational experiences
    Malware Detection
    
    • Automated analyses
    • Behavioral models
    • Prevention and containment
    • Infiltration
    • Acquisition and monitoring
    • Forensics and recovery
    • Underground economy
    Vulnerability Assessment
    
    • Vulnerability detection
    • Vulnerability prevention
    • Fuzzing techniques
    • Classification and evaluation
    • Situational awareness

  • RFIDSec 2014 10th Workshop on RFID Security, Co-located with ACM WiSec 2014, Oxford, United Kingdom, July 21-23, 2014. (Submission Due 1 March 2013)

    RFIDsec is the premier workshop devoted to security and privacy in Radio Frequency Identification (RFID) with participants throughout the world. RFIDsec brings together researchers from academia and industry for topics of importance to improving the security and privacy of RFID, NFC, contactless technologies, and the Internet of Things. RFIDsec bridges the gap between cryptographic researchers and RFID developers through invited talks and contributed presentations. Topics of interest include:

    • New applications for secure RFID, NFC and other constrained systems
    • Resource-efficient implementations of cryptography
    • Attacks on RFID systems (e.g. side-channel attacks, fault attacks, hardware tampering)
    • Data protection and privacy-enhancing techniques
    • Cryptographic protocols (e.g. authentication, key distribution, scalability issues)
    • Integration of secure RFID systems (e.g. infrastructures, middleware and security)
    • Data mining and other systemic approaches to RFID security
    • RFID hardware security (e.g. Physical Unclonable Functions (PUFs), RFID Trojans)
    • Case studies

  • WiSec 2014 7th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Oxford, United Kingdom, July 21-25, 2014. (Submission Due 3 March 2013)

    ACM WiSec has been broadening its scope and seeks to present high quality research papers exploring security and privacy aspects of wireless communications, mobile networks, and their applications. In addition to the traditional ACM WiSec topics of physical, link, and network layer security, we welcome papers focusing on the security and privacy of mobile software platforms, usable security and privacy, biometrics and the increasingly diverse range of mobile or wireless applications. The conference welcomes both theoretical as well as systems contributions. Topics of interest include, but are not limited to:

    • Mobile malware and platform security
    • Security & Privacy for Smart Devices (e.g., Smartphones)
    • Wireless and mobile privacy and anonymity
    • Secure localization and location privacy
    • Cellular network fraud and security
    • Jamming attacks and defenses
    • Key extraction, agreement, or distribution
    • Theoretical foundations, cryptographic primitives, and formal methods
    • NFC and smart payment applications
    • Security and privacy for mobile sensing systems
    • Wireless or mobile security and privacy in health, automotive, avionics, or smart grid applications
    • Self-tracking/Quantified Self Security and Privacy
    • Physical Tracking Security and Privacy
    • Usable Mobile Security and Privacy
    • Economics of Mobile Security and Privacy
    • Bring Your Own Device (BYOD) Security

  • WISTP 2014 8th Workshop in Information Security Theory and Practice, Heraklion, Greece, June 23-25, 2014. (Submission Due 7 March 2014)

    Future ICT technologies, such as the concepts of Ambient Intelligence, Cyber-physical Systems and Internet of Things provide a vision of the Information Society in which: a) people and physical systems are surrounded with intelligent interactive interfaces and objects, and b) environments are capable of recognising and reacting to the presence of different individuals or events in a seamless, unobtrusive and invisible manner. The success of future ICT technologies will depend on how secure these systems may be, to what extent they will protect the privacy of individuals and how individuals will come to trust them. WISTP 2014 aims to address security and privacy issues of smart devices, networks, architectures, protocols, policies, systems, and applications related to Internet of Things, along with evaluating their impact on business, individuals, and the society. The workshop seeks original submissions from academia and industry presenting novel research on all theoretical and practical aspects of security and privacy of Internet of Things, as well as experimental studies of fielded systems, the application of security technology, the implementation of systems, and lessons learned. We encourage submissions from other communities such as law, business, and policy that present these communities' perspectives on technological issues. Topics of interest include, but are not limited to:
    Security and Privacy in Smart Devices
    

    • Biometrics, National ID cards
    • Embedded Systems Security and TPMs
    • Interplay of TPMs and Smart Cards
    • Mobile Codes Security
    • Mobile Devices Security
    • Mobile Malware
    • Mobile OSes Security Analysis
    • New Applications for Secure RFID Systems
    • RFID Systems
    • Smart Card
    • Smart Devices Applications
    • Wireless Sensor Node
    Security and Privacy in Networks
    
    • Ad Hoc Networks
    • Delay-Tolerant Network
    • Domestic Network
    • GSM/GPRS/UMTS Systems
    • Peer-to-Peer Networks
    • Security Issues in Mobile and Ubiquitous Networks
    • Sensor Networks: Campus Area, Body Area, Sensor and Metropolitan Area Networks
    • Vehicular Network
    • Wireless Communication: Bluetooth, NFC, WiFi, WiMAX, others
    Security and Privacy in Architectures, Protocols, Policies, Systems and Applications
    
    • BYOD Contexts
    • Cloud-enhanced Mobile Security
    • Critical Infrastructure (e.g. for Medical or Military Applications)
    • Cyber-Physical Systems
    • Digital Rights Management (DRM)
    • Distributed Systems and Grid Computing
    • Information Assurance and Trust Management
    • Intrusion Detection and Information Filtering
    • Lightweight cryptography
    • Localization Systems (Tracking of People and Goods)
    • M2M (Machine to Machine), H2M (Human to Machine) and M2H (Machine to Human)
    • Mobile Commerce
    • Multimedia Applications
    • Public Administration and Governmental Services
    • Pervasive Systems
    • Privacy Enhancing Technologies
    • Secure self-organization and self-configuration
    • Security Models, Architecture and Protocol: for Identification and Authentication, Access Control, Data Protection
    • Security Policies (Human-Computer Interaction and Human Behavior Impact)
    • Security Measurements
    • Smart Cities
    • Systems Controlling Industrial Processes

 

• The Technical Committee on Security and Privacy

 

• Staying in touch....

  • Information for Subscribers and Contributors

  • Who's where: recent address changes
    Ted Lee has announced a new email address.

  • Changing your email address?  Please send updates to cipher@ieee-security.org