Cipher Electronic Newsletter of the Technical Committe on    Security & Privacy A Technical Committee of the Computer Society of the IEEE  Electronic Issue (EI) 124,  January 20, 2015 Hilarie Orman,  Editor Richard Austin, Book Review Editor Sven Dietrich, Associate Editor Yong Guan, Calendar Editor

Contents:

• Letter from the Editor 
   

• Conference and Workshop Announcements

  • Commentary and Opinion

    • Richard Austin's review of Black Hat Python: Python Programming for Hackers and Pentesters by Justin Seitz

    • NewsBits:  Announcements and correspondence from readers (please contribute!)

      • Malware vs. steel mill, Software 1, Furnace 0?
      • Is Your Smart TV Outsmarting You?
      • Don't Worry About NSA, Anyone Can Listen to Your Phone Calls
      • New Malware Earns Kudos from Experts
      • NSA Says It Watched North Korean Hackers Before SONY Hack

    • Book reviews from past Cipher issues

    • Conference Reports and Commentary from past Cipher issues

    • News items from past Cipher issues

   

  • Listing of academic positions available  by Cynthia Irvine
    (no new listings since Cipher E123)

   

  • Cipher calls-for-papers and calendar
      Cipher calendar announcements are on Twitter; follow "ciphernews"
      new calls or announcements added since Cipher E123 (the calls-for-papers and the calendar announcements may differ slightly in content or time of update): 

  • 1/19/15- 1/21/15: CS2, 2nd Workshop on Cryptography and Security in Computing Systems, Co-located with HiPEAC 2015 Conference, Amsterdam, The Netherlands
  • 1/20/15: GenoPri, 2nd International Workshop on Genome Privacy and Security, Held in conjunction with IEEE Symposium on Security and Privacy (SP 2015), San Jose, CA, USA; Submissions are due
  • 1/20/15: SACMAT, 20th ACM Symposium on Access Control Models and Technologies, Vienna, Austria; Submissions are due
  • 1/23/15: IWPE, 1st International Workshop on Privacy Engineering, Held in conjunction with IEEE Symposium on Security and Privacy (SP 2015), San Jose, CA, USA; Submissions are due
  • 1/23/15: TELERISE, 1st International Workshop on TEchnical and LEgal aspects of data pRIvacy and SEcurity, Co-located with ICSE 2015, Florence, Italy; Submissions are due
  • 1/26/15- 1/28/15: IFIP119-DF, 11th Annual IFIP WG 11.9 International Conference on Digital Forensics, Orlando, Florida, USA
  • 1/27/15- 1/30/15: ACSW-AISC, Australasian Information Security Conference, Held as part of Australasian Computer Science Week, Sydney, Australia
  • 1/30/15: WEARABLE-S&P, 1st Workshop on Wearable Security and Privacy, Held in conjunction with Financial Crypto (FC 2015), Isla Verde, Puerto Rico
  • 1/30/15: CAV, 27th International Conference on Computer Aided Verification, San Francisco, California, USA; Submissions are due
  • 2/ 8/15: DIMVA 2015 12th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Milano, Italy; Submissions are due
  • 2/ 8/14: NDSS-USEC, NDSS Workshop on Usable Security, San Diego, California, USA
  • 2/ 9/15- 2/11/15: ICISSP, 1st International Conference on Information Systems Security and Privacy, ESEO, Angers, Loire Valley, France
  • 2/10/15: WiSec, 8th ACM Conference on Security and Privacy in Wireless and Mobile Networks, New York City, NY, USA; Submissions are due
  • 2/13/15: EUSIPCO, 23rd European Signal Processing Conference, Information Forensics and Security Track, Nice, Cote d' Azur, France; Submissions are due
  • 2/15/15: PETS, 15th Privacy Enhancing Technologies Symposium, Philadelphia, PA, USA; Submissions are due
  • 2/16/15: LangSec, 2nd Workshop on Language-Theoretic Security, Held in conjunction with IEEE Symposium on Security and Privacy (SP 2015), San Jose, CA, USA; Submissions are due
  • 2/16/15: USENIX-Security, 24th USENIX Security Symposium, Washington, D.C., USA; Submissions are due
  • 2/17/15: RFIDSec, 11th Workshop on RFID Security, Co-located with ACM WiSec 2015, New York City, NY, USA; Submissions are due
  • 2/22/15: MoST, Mobile Security Technologies Workshop, an event of the IEEE Computer Society's Security and Privacy Workshops (SPW 2015), Held in conjunction with the 34th IEEE Symposium on Security and Privacy (IEEE SP 2015), The Fairmont Hotel, San Jose, CA, USA; Submissions are due
  • 2/27/15: WEIS, 14th Annual Workshop on the Economic of Information Security, Delft University of Technology, The Netherlands; Submissions are due
  • 2/28/15: EDFC, National Conference on Ethics and Digital Forensics, Arlington, VA, USA; Submissions are due
  • 2/28/15: Second Workshop for Underrepresented Groups in Computer Security Research (GREPSEC); San Jose, CA; Applications are due
  • 3/ 1/15: IEEE Cloud Computing, Special Issue on Legal Clouds: How to Balance Privacy with Legitimate Surveillance and Lawful Data Access; Submissions are due
  • 3/ 2/15- 3/ 4/15: CODASPY, 5th ACM Conference on Data and Application Security and Privacy, San Antonio, Texas, USA
  • 3/ 2/15- 3/ 4/15: SPA, International Workshop on Security and Privacy Analytics, Co-located with ACM CODASPY 2015, San Antonio, TX, USA
  • 3/ 3/15: SECRYPT, 12th International Conference on Security and Cryptography, Colmar, Alsace, France; Submissions are due
  • 3/ 4/15- 3/ 6/15: ESSoS, 6th International Symposium on Engineering Secure Software and Systems, Milan, Italy
  • 3/ 6/15: SOUPS, Symposium On Usable Privacy and Security, Ottawa, Canada; Submissions are due
  • 3/31/15: HAISA, International Symposium on Human Aspects of Information Security & Assurance, Lesvos, Greece; Submissions are due
  • 4/ 4/15: ESORICS, 20th European Symposium on Research in Computer Security, Vienna, Austria; Submissions are due
  • 4/14/15- 4/16/15: HST, 14th annual IEEE Symposium on Technologies for Homeland Security, Boston, Massachusetts, USA
  • 4/14/15: IoTPTS, Workshop on IoT Privacy, Trust, and Security, Held in conjunction with ASIACCS 2015, Singapore
  • 4/14/15- 4/17/15: ASIACCS, 10th ACM Symposium on Information, Computer and Communications Security, Singapore
  • 4/14/15: CPSS, 1st Cyber-Physical System Security Workshop, Held in conjunction with ACM AsiaCCS 2015, Singapore
  • 4/15/15: NSS, 9th International Conference on Network and System Security, New York City, NY, USA; Submissions are due
  • 4/24/15: CNS, 3rd IEEE Conference on Communications and Network Security, Florence, Italy; Submissions are due
  • 5/ 1/15: Elsevier Future Generation Computer Systems, Special Issue on Cloud Cryptography: State of the Art and Recent Advances; Submissions are due
  • 5/ 5/15- 5/ 7/15: HOST, IEEE International Symposium on Hardware Oriented Security and Trust, Washington DC Metro Area, USA
  • 5/ 5/15- 5/ 8/15: ISPEC, 11th International Conference on Information Security Practice and Experience, Beijing, China
  • 5/13/15- 5/15/15: EDFC, National Conference on Ethics and Digital Forensics, Arlington, VA, USA
  • 5/16/15- 5/17/15: Second Workshop for Underrepresented Groups in Computer Security Research (GREPSEC); San Jose, CA; NP
  • 5/18/15: TELERISE, 1st International Workshop on TEchnical and LEgal aspects of data pRIvacy and SEcurity, Co-located with ICSE 2015, Florence, Italy
  • 5/18/15- 5/20/15: SP, 36th IEEE Symposium on Security and Privacy, San Jose, CA, USA
  • 5/21/15: W2SP, Web 2.0 Security and Privacy Workshop, Held in conjunction with IEEE Symposium on Security and Privacy (SP 2015), San Jose, CA, USA
  • 5/21/15: GenoPri, 2nd International Workshop on Genome Privacy and Security, Held in conjunction with IEEE Symposium on Security and Privacy (SP 2015), San Jose, CA, USA
  • 5/21/15: IWPE, 1st International Workshop on Privacy Engineering, Held in conjunction with IEEE Symposium on Security and Privacy (SP 2015), San Jose, CA, USA
  • 5/21/15: LangSec, 2nd Workshop on Language-Theoretic Security, Held in conjunction with IEEE Symposium on Security and Privacy (SP 2015), San Jose, CA, USA
  • 5/21/15: MoST, Mobile Security Technologies Workshop, an event of the IEEE Computer Society's Security and Privacy Workshops (SPW 2015), Held in conjunction with the 34th IEEE Symposium on Security and Privacy (IEEE SP 2015), The Fairmont Hotel, San Jose, CA, USA
  • 5/22/15: IEICE Transactions on Information and Systems, Special Issue on Information and Communication System Security; Submissions are due
  • 6/ 1/15- 6/ 3/15: SACMAT, 20th ACM Symposium on Access Control Models and Technologies, Vienna, Austria
  • 6/ 2/15- 6/ 5/15: ACNS, 13th International Conference on Applied Cryptography and Network Security, New York, NY, USA
  • 6/ 7/15- 6/11/15: DAC-Security Track, Design Automation Conference, San Francisco, CA, USA
  • 6/22/15- 6/23/15: RFIDSec, 11th Workshop on RFID Security, Co-located with ACM WiSec 2015, New York City, NY, USA
  • 6/22/15- 6/23/15: WEIS, 14th Annual Workshop on the Economic of Information Security, Delft University of Technology, The Netherlands
  • 6/22/15- 6/26/15: WiSec, 8th ACM Conference on Security and Privacy in Wireless and Mobile Networks, New York City, NY, USA
  • 6/30/15- 7/ 2/15: PETS, 15th Privacy Enhancing Technologies Symposium, Philadelphia, PA, USA
  • 7/ 1/15- 7/ 3/15: HAISA, International Symposium on Human Aspects of Information Security & Assurance, Lesvos, Greece
  • 7/ 9/15- 7/10/15: DIMVA 2015 12th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Milano, Italy
  • 7/18/15- 7/24/15: CAV, 27th International Conference on Computer Aided Verification, San Francisco, California, USA
  • 7/20/15- 7/22/15: SECRYPT, 12th International Conference on Security and Cryptography, Colmar, Alsace, France
  • 7/22/15- 7/24/15: SOUPS, Symposium On Usable Privacy and Security, Ottawa, Canada
  • 8/12/15- 8/14/15: USENIX-Security, 24th USENIX Security Symposium, Washington, D.C., USA
  • 8/31/15- 9/ 4/15: EUSIPCO, 23rd European Signal Processing Conference, Information Forensics and Security Track, Nice, Cote d' Azur, France
  • 9/23/15- 9/25/15: ESORICS, 20th European Symposium on Research in Computer Security, Vienna, Austria
  • 9/28/15- 9/30/15: CNS, 3rd IEEE Conference on Communications and Network Security, Florence, Italy
  • 11/ 3/15-11/ 5/15: NSS, 9th International Conference on Network and System Security, New York City, NY, USA
  • new calls or announcements added since Cipher E123

  • GenoPri 2015 2nd International Workshop on Genome Privacy and Security, Held in conjunction with IEEE Symposium on Security and Privacy (SP 2015), San Jose, CA, USA, May 21, 2015. (Submissions Due 20 January 2015)

    Over the past several decades, genome sequencing technologies have evolved from slow and expensive systems that were limited in access to a select few scientists and forensics investigators to high-throughput, relatively low-cost tools that are available to consumers. A consequence of such technical progress is that genomics has become one of the next major challenges for privacy and security because (1) genetic diseases can be unveiled, (2) the propensity to develop specific diseases (such as Alzheimer's) can be revealed, (3) a volunteer, accepting to have his genomic code made public, can leak substantial information about his ethnic heritage and the genomic data of his relatives (possibly against their will), and (4) complex privacy issues can arise if DNA analysis is used for criminal investigations and medical purposes. As genomics is increasingly integrated into healthcare and "recreational" services (e.g., ancestry testing), the risk of DNA data leakage is serious for both individuals and their relatives. Failure to adequately protect such information could lead to a serious backlash, impeding genomic research, that could affect the well-being of our society as a whole. This prompts the need for research and innovation in all aspects of genome privacy and security, as suggested by the non-exhaustive list of topics below:

    • Privacy-preserving analysis of and computation on genomic data
    • Security and privacy metrics for the leakage of genomic data
    • Cross-layer attacks to genome privacy
    • Access control for genomic data
    • Differentiated access rights for medical professionals
    • Quantification of genome privacy
    • De-anonymization attacks against genomic databases
    • Efficient cryptographic techniques for enhancing security/privacy of genomic data
    • Privacy enhancing technologies for genomic data
    • Implications of synthetic DNA for privacy
    • Applications of differential privacy to the protection of genomic data
    • Storage and long-term safety of genomic data
    • Secure sharing of genomic data between different entities
    • Trust in genomic research and applications
    • Social and economic issues for genome privacy and security
    • Ethical and legal issues in genomics
    • Studies of policy efforts in genomics
    • User studies and perceptions
    • Social and economic issues for genome privacy
    • Studies of issues and challenges with informed consent
    • Privacy issues in transcriptomics and proteomics
    • Systematization-of-knowledge of genome privacy and security research

  • SACMAT 2015 20th ACM Symposium on Access Control Models and Technologies, Vienna, Austria, June 1-3, 2015. (Submissions Due 20 January 2015)

    The ACM Symposium on Access Control Models and Technologies (SACMAT) is the premier forum for the presentation of research results and experience reports on leading edge issues of access control, including models, systems, applications, and theory. The aims of the symposium are to share novel access control solutions that fulfil the needs of heterogeneous applications and environments, and to identify new directions for future research and development. SACMAT provides researchers and practitioners with a unique opportunity to share their perspectives with others interested in the various aspects of access control. Papers offering novel research contributions in all aspects of access control are solicited for submission to the 20th ACM Symposium on Access Control Models and Technologies (SACMAT 2015). Accepted papers will be presented at the symposium and published by the ACM in the symposium proceedings. Topics of interest include but are not limited to:

    • Access Intelligence
    • Administration
    • Applications
    • Attribute-based systems
    • Authentication
    • Big data
    • Biometrics
    • Cloud computing
    • Cryptographic approaches
    • Cyber-physical systems
    • Databases and data management
    • Design methodology
    • Distributed and mobile systems
    • Economic models and game theory
    • Enforcement
    • Hardware enhanced
    • Identity management
    • Mechanisms, systems, and tools
    • Models and extensions
    • Obligations
    • Policy engineering and analysis
    • Requirements
    • Risk
    • Safety analysis
    • Standards
    • Theoretical foundations
    • Trust management
    • Usability

  • IWPE 2015 1st International Workshop on Privacy Engineering, Held in conjunction with IEEE Symposium on Security and Privacy (SP 2015), San Jose, CA, USA, May 21, 2015. (Submissions Due 23 January 2015)

    Ongoing news reports regarding global surveillance programs, massive personal data breaches in corporate databases, and notorious examples of personal tragedies due to privacy violations have intensified societal demands for privacy-friendly systems. In response, current legislative and standardization processes worldwide aim to strengthen individual's privacy by introducing legal and organizational frameworks that personal data collectors and processors must follow. However, in practice, these initiatives alone are not enough to guarantee that organizations and software developers will be able to identify and adopt appropriate privacy engineering techniques in their daily practices. Even if so, it is difficult to systematically evaluate whether the systems they develop using such techniques comply with legal frameworks, provide necessary technical assurances, and fulfill users' privacy requirements. It is evident that research is needed in developing techniques that can aid the translation of legal and normative concepts, as well as user expectations into systems requirements. Furthermore, methods that can support organizations and engineers in developing (socio-)technical systems that address these requirements is of increasing value to respond to the existing societal challenges associated with privacy. While there is a consensus on the benefits of an engineering approach to privacy, concrete proposals for processes, models, methodologies, techniques and tools that support engineers and organizations in this endeavor are few and in need of immediate attention. To cover this gap, the topics of the International Workshop on Privacy Engineering (IWPE'15) focus on all the aspects surrounding privacy engineering, ranging from its theoretical foundations, engineering approaches, and support infrastructures, to its practical application in projects of different scale. IWPE'15 welcomes papers that focus on novel solutions on the recent developments in the general area of privacy engineering. Topics of interests include, but are not limited to:

    • Integration of law and policy compliance into the development process
    • Privacy impact assessment
    • Privacy risk management models
    • Privacy breach recovery Methods
    • Technical standards, heuristics and best practices for privacy engineering
    • Privacy engineering in technical standards
    • Privacy requirements elicitation and analysis methods
    • User privacy and data protection requirements
    • Management of privacy requirements with other system requirements
    • Privacy requirements operationalization
    • Privacy engineering strategies and design patterns
    • Privacy architectures
    • Privacy engineering and databases
    • Privacy engineering in the context of interaction design and usability
    • Privacy testing and evaluation methods
    • Validation and verification of privacy requirements
    • Engineering Privacy Enhancing Technologies
    • Models and approaches for the verification of privacy properties
    • Tools supporting privacy engineering
    • Teaching and training privacy engineering
    • Adaptations of privacy engineering into specific software development processes
    • Pilots and real-world applications
    • Privacy engineering and accountability
    • Organizational, legal, political and economic aspects of privacy engineering

  • TELERISE 2015 1st International Workshop on TEchnical and LEgal aspects of data pRIvacy and SEcurity, Co-located with ICSE 2015, Florence, Italy, May 18, 2015. (Submissions Due 23 January 2015)

    Information sharing is essential for today's business and societal transactions. Nevertheless, such a sharing should not violate the security and privacy requirements dictated by Law, by internal regulations of organisations, and by data subjects. An effectual, rapid, and unfailing electronic data sharing among different parties, while protecting legitimate rights on these data, is a key issue with several shades. Among them, how to translate the high-level law obligations, business constraints, and users' requirements into system-level privacy policies, providing efficient and practical solutions for policy definition and enforcement. TELERISE aims at providing a forum for researchers and engineers, in academia and industry, to foster an exchange of research results, experiences, and products in the area of privacy preserving and secure data management, from a technical and legal perspective. The ultimate goal is to conceive new trends and ideas on designing, implementing, and evaluating solutions for privacy-preserving information sharing, with an eye to cross-relations between ICT and regulatory aspects of data management. Topics of interest are (but not limited to):

    • Model-based and experimental assessment of data protection
    • Privacy in identity management and authentication
    • Modelling and analysis languages for representation, visualization, specification of legal regulations
    • Technical, legal and user requirements for data protection
    • User-friendly authoring tools to edit privacy preferences
    • IT infrastructures for privacy and security policies management
    • IT infrastructure for supporting privacy and security policies evolution
    • Privacy and security policies conflict analysis and resolution strategies
    • Electronic Data Sharing Agreements Representation: Languages and Management Infrastructure
    • Cross-relations between privacy-preserving technical solutions and legal regulations
    • Privacy aware access and usage control
    • Privacy and security policies enforcement mechanisms
    • Privacy preserving data allocation and storage
    • Software systems compliance with applicable laws and regulations
    • Heuristic for pattern identification in law text
    • Empirical analysis of consumer's awareness of privacy and security policies

  • CAV 2015 27th International Conference on Computer Aided Verification, San Francisco, California, USA, July 18-24 2015. (Submissions Due 30 January 2015)

    CAV 2015 is the 27th in a series dedicated to the advancement of the theory and practice of computer-aided formal analysis methods for hardware and software systems. CAV considers it vital to continue spurring advances in hardware and software verification while expanding to new domains such as biological systems and computer security. The conference covers the spectrum from theoretical results to concrete applications, with an emphasis on practical verification tools and the algorithms and techniques that are needed for their implementation. The proceedings of the conference will be published in the Springer LNCS series. A selection of papers will be invited to a special issue of Formal Methods in System Design and the Journal of the ACM. Topics of interest include but are not limited to:

    • Algorithms and tools for verifying models and implementations
    • Hardware verification techniques
    • Deductive, compositional, and abstraction techniques for verification
    • Program analysis and software verification
    • Verification methods for parallel and concurrent hardware/software systems
    • Testing and run-time analysis based on verification technology
    • Applications and case studies in verification
    • Decision procedures and solvers for verification
    • Mathematical and logical foundations of practical verification tools
    • Verification in industrial practice
    • Algorithms and tools for system synthesis
    • Hybrid systems and embedded systems verification
    • Verification techniques for security
    • Formal models and methods for biological systems

  • DIMVA 2015 12th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Milano, Italy, July 9-10, 2015. (Submissions Due 8 February 2015)

    The annual DIMVA conference serves as a premier forum for advancing the state of the art in intrusion detection, malware detection, and vulnerability assessment. Each year, DIMVA brings together international experts from academia, industry, and government to present and discuss novel research in these areas. This year, due to the increased threats against critical infrastructures and industrial control systems, we encourage submissions in these areas. Specifically, we welcome strong technical contributions that consider the cross-area obstacles (e.g., privacy, societal and legal aspects) that arise when deploying protection measures in the real world.

  • WiSec 2015 8th ACM Conference on Security and Privacy in Wireless and Mobile Networks, New York City, NY, USA, June 22-26, 2015. (Submissions Due 10 February 2015)

    ACM WiSec is the leading ACM and SIGSAC conference dedicated to all aspects of security and privacy in wireless and mobile and mobile networks and their applications. In addition to the traditional ACM WiSec topics of physical, link, and network layer security, we welcome papers focusing on the security and privacy of mobile software platforms, usable security and privacy, biometrics, cryptography, and the increasingly diverse range of mobile or wireless applications such as Internet of Things, and Cyber-Physical Systems. The conference welcomes both theoretical as well as systems contributions. Topics of interest include, but are not limited to:

    • Mobile malware and platform security
    • Security & Privacy for Smart Devices (e.g., Smartphones)
    • Wireless and mobile privacy and anonymity
    • Secure localization and location privacy
    • Cellular network fraud and security
    • Jamming attacks and defenses
    • Key extraction, agreement, or distribution
    • Theoretical foundations, cryptographic primitives, and formal methods
    • NFC and smart payment applications
    • Security and privacy for mobile sensing systems
    • Wireless or mobile security and privacy in health, automotive, avionics, or smart grid applications
    • Self-tracking/Quantified Self Security and Privacy
    • Physical Tracking Security and Privacy
    • Usable Mobile Security and Privacy
    • Economics of Mobile Security and Privacy
    • Bring Your Own Device (BYOD) Security

  • EUSIPCO 2015 23rd European Signal Processing Conference, Information Forensics and Security Track, Nice, Cote d' Azur, France, August 31 - September 4, 2015. (Submissions Due 13 February 2015)

    EUSIPCO is the flagship conference of the European Association for Signal Processing (EURASIP). EUSIPCO 2015 will feature world-class speakers, oral and poster sessions, keynotes, exhibitions, demonstrations and tutorials and is expected to attract in the order of 600 leading researchers and industry figures from all over the world. The Information Forensics and Security Track addresses all works whereby security is achieved through a combination of techniques from cryptography, computer security, machine learning and multimedia signal processing.

  • PETS 2015 15th Privacy Enhancing Technologies Symposium, Philadelphia, PA, USA, June 30 - July 2, 2015. (Submissions Due 15 February 2015)

    The annual Privacy Enhancing Technologies Symposium (PETS) brings together privacy and anonymity experts from around the world to discuss recent advances and new perspectives. PETS addresses the design and realization of privacy services for the Internet and other data systems and communication networks. Papers should present novel practical and/or theoretical research into the design, analysis, experimentation, or fielding of privacy-enhancing technologies. While PETS has traditionally been home to research on anonymity systems and privacy-oriented cryptography, we strongly encourage submissions in a number of both well-established and some emerging privacy-related topics.
    
    *** New starting this year ***: Papers will undergo a journal-style reviewing process and be published in the Proceedings on Privacy Enhancing Technologies (PoPETs). PoPETs, a scholarly journal for timely research papers on privacy, has been established as a way to improve reviewing and publication quality while retaining the highly successful PETS community event. PoPETs will be published by De Gruyter Open (http://degruyteropen.com/), the world's second largest publisher of Open Access academic content, and part of the De Gruyter group (http://www.degruyter.com/), which has over 260 years of publishing history. Authors can submit papers to one of several submission deadlines during the year. Papers are provided with major/minor revision decisions on a predictable schedule, where we endeavor to assign the same reviewers to major revisions. Authors can address the concerns of reviewers in their revision and rebut reviewer comments before a final decision on acceptance is made. Papers accepted for publication by May 15th will be presented at that year's symposium. Note that accepted papers must be presented at PETS. Suggested topics include but are not restricted to:

    • Behavioural targeting
    • Building and deploying privacy-enhancing systems
    • Crowdsourcing for privacy
    • Cryptographic tools for privacy
    • Data protection technologies
    • Differential privacy
    • Economics of privacy and game-theoretical approaches to privacy
    • Forensics and privacy
    • Human factors, usability and user-centered design for PETs
    • Information leakage, data correlation and generic attacks to privacy
    • Interdisciplinary research connecting privacy to economics, law, ethnography, psychology, medicine, biotechnology
    • Location and mobility privacy
    • Measuring and quantifying privacy
    • Obfuscation-based privacy
    • Policy languages and tools for privacy
    • Privacy and human rights
    • Privacy in ubiquitous computing and mobile devices
    • Privacy in cloud and big-data applications
    • Privacy in social networks and microblogging systems
    • Privacy-enhanced access control, authentication, and identity management
    • Profiling and data mining
    • Reliability, robustness, and abuse prevention in privacy systems
    • Surveillance
    • Systems for anonymous communications and censorship resistance
    • Traffic analysis
    • Transparency enhancing tools

  • LangSec 2015 2nd Workshop on Language-Theoretic Security, Held in conjunction with IEEE Symposium on Security and Privacy (SP 2015), San Jose, CA, USA, May 21, 2015. (Submissions Due 16 February 2015)

    LangSec workshop solicits contributions related to the growing area of language-theoretic security. LangSec offers a coherent explanation for the "science of insecurity" as more than an ad hoc collection of software mistakes or design flaws. This explanation is predicated on the connection between fundamental computability principles and the continued existence of software flaws. LangSec posits that the only path to trustworthy software that takes untrusted inputs is treating all valid or expected inputs as a formal language and treating the respective input-handling routines as a recognizer for that language. The LangSec approach to system design is primarily concerned with achieving practical assurance: development that is rooted in fundamentally sound computability theory, but is expressed as efficient and practical systems components. One major objective of the workshop is to develop and share this viewpoint with attendees and the broader systems security community to help establish a foundation for research based on LangSec principles. The overall goal of the workshop is to bring more clarity and focus to two complementary areas: (1) practical software assurance and (2) vulnerability analysis (identification, characterization, and exploit development). The LangSec community views these activities as related and highly structured engineering disciplines and seeks to provide a forum to explore and develop this relationship.

  • USENIX-Security 2015 24th USENIX Security Symposium, Washington, D.C., USA, August 12-14, 2015. (Submissions Due 16 February 2015)

    The USENIX Security Symposium brings together researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in the security and privacy of computer systems and networks. All researchers are encouraged to submit papers covering novel and scientifically significant practical works in computer security. Refereed paper submissions are solicited in all areas relating to systems research in security and privacy, including but not limited to:

    • Systems security
    • Cryptographic implementation analysis and construction, applied cryptography
    • Programming language security
    • Web security
    • Hardware security
    • Network security
    • Privacy-enhancing technologies, anonymity
    • Human-computer interaction, security, and privacy
    • Social issues and security
    • Security analysis
    • Security measurement studies

  • RFIDSec 2015 11th Workshop on RFID Security, Co-located with ACM WiSec 2015, New York City, NY, USA, June 22-23, 2015. (Submissions Due 17 February 2015)

    The RFIDSec workshop is the premier international venue on the latest technological advances in security and privacy in Radio Frequency Identification (RFID). The 11th edition of RFIDSec continues the effort to broaden the scope towards solutions for security and privacy in related constrained environments: Internet of Things, NFC devices, Wireless Tags, and more. Attendees from academia, industry and government can network with a broad range of international experts. The workshop will include both invited and contributed talks. We invite researchers to submit their latest results in Security and Privacy for RFID as well as for associated technologies. Topics of interest include:

    • Implementations of cryptography and protocols with constrained resources in terms of energy, power, computation resources and memory footprint
    • Lightweight cryptography and cryptographic protocols
    • Efficient and secure processor architectures for constrained environments
    • Tamper and reverse-engineering resistant designs for constrained platforms
    • Side-channel and fault attacks as well as countermeasures
    • Novel implementations of cryptography to support privacy and untraceability
    • Cross-layer engineering of constrained secure implementations within secure systems
    • Novel technologies and applications such as NFC, IC anti-counterfeiting, and Internet of Things
    • Design issues related to scalability, large-scale deployment and management of secure tags

  • MoST 2015 Mobile Security Technologies Workshop, an event of the IEEE Computer Society's Security and Privacy Workshops (SPW 2015), Held in conjunction with the 34th IEEE Symposium on Security and Privacy (IEEE SP 2015), The Fairmont Hotel, San Jose, CA, USA, May 21, 2015. (Submissions Due 22 February 2015)

    Mobile Security Technologies (MoST) brings together researchers, practitioners, policy makers, and hardware and software developers of mobile systems to explore the latest understanding and advances in the security and privacy for mobile devices, applications, and systems. The scope of MoST 2015 includes, but is not limited to, security and privacy specifically for mobile devices and services related to:

    • Device hardware
    • Operating systems
    • Middleware
    • Mobile web
    • Secure and efficient communication
    • Secure application development tools and practices
    • Privacy
    • Vulnerabilities and remediation techniques
    • Usable security
    • Identity and access control
    • Risks in putting trust in the device vs. in the network/cloud
    • Special applications, such as medical monitoring and records
    • Mobile advertisement
    • Secure applications and application markets
    • Economic impact of security and privacy technologies

  • WEIS 2015 14th Annual Workshop on the Economic of Information Security, Delft University of Technology, The Netherlands, June 22-23, 2015. (Submissions Due 27 February 2015)

    The Workshop on the Economics of Information Security (WEIS) is the leading forum for interdisciplinary scholarship on information security and privacy, combining expertise from the fields of economics, social science, business, law, policy, and computer science. Prior workshops have explored the role of incentives between attackers and defenders of information systems, identified market failures surrounding Internet security, quantified risks of personal data disclosure, and assessed investments in cyber-defense. WEIS 2015 will build on past efforts using empirical and analytic tools not only to understand threats, but also to strengthen security and privacy through novel evaluations of available solutions. We encourage economists, computer scientists, legal scholars, business school researchers, security and privacy specialists, as well as industry experts to submit their research and participate by attending the workshop. Suggested topics include (but are not limited to) empirical and theoretical studies of:

    • Optimal investment in information security
    • Models and analysis of online crime
    • Risk management and cyber-insurance
    • Security standards and regulation
    • Cyber-security and privacy policy
    • Cyber-defense strategy and game theory
    • Security and privacy models and metrics
    • Economics of privacy and anonymity
    • Behavioral security and privacy
    • Vulnerability discovery, disclosure, and patching
    • Incentives for information sharing and cooperation
    • Incentives regarding pervasive monitoring threats

  • EDFC 2015 National Conference on Ethics and Digital Forensics, Arlington, VA, USA, May 13-15, 2015. (Extended Abstract Submissions Due 28 February 2015)

    The National Science Foundation (NSF) and Alabama Cyber Research Consortium (ALCRC) are hosting the first interdisciplinary conference on professional ethics and digital forensics: Professional Ethics and Digital Forensics: An Interdisciplinary Conference. This conference will provide opportunities for both academics and practitioners to address a pressing issue in digital forensics: the lack of unifying ethical standards, procedures and guidelines for routine activities, such as digital forensic analysis, cybercrime case processing, and data mining/surveillance. This conference will also explore cyber ethics from the following interdisciplinary perspectives: Digital Forensic Investigations, Social and Behavioral Sciences, Jurisprudence, and Cyber Education and Awareness.

  • IEEE Cloud Computing, Special Issue on Legal Clouds: How to Balance Privacy with Legitimate Surveillance and Lawful Data Access. (Submissions Due 1 March 2015)

    Editors: Kim-Kwang Raymond Choo (University of South Australia, Australia), and Rick Sarre (University of South Australia, Australia)
    
    This special issue will focus on cutting edge research from both academia and industry on the topic of balancing cloud user privacy with legitimate surveillance and lawful data access, with a particular focus on cross-disciplinary research. For example, how can we design technologies that will enhance "guardianship" and the "deterrent" effect in cloud security at the same time as reducing the "motivations" of cybercriminals? Topics of interest include but are not limited to:

    • Advanced cloud security
    • Cloud forensics and anti-forensics
    • Cloud incident response
    • Cloud information leakage detection and prevention
    • Enhancing and/or preserving cloud privacy
    • Cloud surveillance
    • Crime prevention strategies
    • Legal issues relating to surveillance
    • Enhancing privacy technology for cloud-based apps

  • SECRYPT 2015 12th International Conference on Security and Cryptography, Colmar, Alsace, France, July 20 - 22, 2015. (Submissions Due 3 March 2015)

    SECRYPT is an annual international conference covering research in information and communication security. The conference seeks submissions from academia, industry, and government presenting novel research on all theoretical and practical aspects of data protection, privacy, security, and cryptography. Papers describing the application of security technology, the implementation of systems, and lessons learned are also encouraged. Papers describing new methods or technologies, advanced prototypes, systems, tools and techniques and general survey papers indicating future directions are also encouraged. Topics of interest include:

    • Access Control
    • Applied Cryptography
    • Biometrics Security and Privacy
    • Critical Infrastructure Protection
    • Data Integrity
    • Data Protection
    • Database Security and Privacy
    • Digital Forensics
    • Digital Rights Management
    • Ethical and Legal Implications of Security and Privacy
    • Formal Methods for Security
    • Human Factors and Human Behavior Recognition Techniques
    • Identification, Authentication and Non-repudiation
    • Identity Management
    • Information Hiding
    • Information Systems Auditing
    • Insider Threats and Countermeasures
    • Intellectual Property Protection
    • Intrusion Detection & Prevention
    • Management of Computing Security
    • Network Security
    • Organizational Security Policies
    • Peer-to-Peer Security
    • Personal Data Protection for Information Systems
    • Privacy
    • Privacy Enhancing Technologies
    • Reliability and Dependability
    • Risk Assessment
    • Secure Software Development Methodologies
    • Security and Privacy for Big Data
    • Security and privacy in Complex Systems
    • Security and Privacy in Crowdsourcing
    • Security and Privacy in IT Outsourcing
    • Security and Privacy in Location-based Services
    • Security and Privacy in Mobile Systems
    • Security and Privacy in Pervasive/Ubiquitous Computing
    • Security and Privacy in Smart Grids
    • Security and Privacy in Social Networks
    • Security and Privacy in the Cloud
    • Security and Privacy in Web Services
    • Security and Privacy Policies
    • Security Area Control
    • Security Deployment
    • Security Engineering
    • Security in Distributed Systems
    • Security Information Systems Architecture
    • Security Management
    • Security Metrics and Measurement
    • Security Protocols
    • Security requirements
    • Security Verification and Validation
    • Sensor and Mobile Ad Hoc Network Security
    • Service and Systems Design and QoS Network Security
    • Software Security
    • Trust management and Reputation Systems
    • Ubiquitous Computing Security
    • Wireless Network Security

  • SOUPS 2015 Symposium On Usable Privacy and Security, Ottawa, Canada, July 22-24, 2015. (Submissions Due 6 March 2015)

    The 2015 Symposium on Usable Privacy and Security (SOUPS) will bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy. We invite authors to submit original papers describing research or experience in all areas of usable privacy and security. We welcome a variety of research methods, including both qualitative and quantitative approaches. Topics include, but are not limited to:

    • innovative security or privacy functionality and design
    • new applications of existing models or technology
    • field studies of security or privacy technology
    • usability evaluations of new or existing security or privacy features
    • security testing of new or existing usability features
    • longitudinal studies of deployed security or privacy features
    • studies of administrators or developers and support for security and privacy
    • the impact of organizational policy or procurement decisions, and
    • lessons learned from the deployment and use of usable privacy and security features
    • reports of replicating previously published studies and experiments
    • reports of failed usable security studies or experiments, with the focus on the lessons learned from such experience

  • HAISA 2015 International Symposium on Human Aspects of Information Security & Assurance, Lesvos, Greece, July 1-3, 2015. (Submissions Due 31 March 2015)

    It is commonly acknowledged that security requirements cannot be addressed by technical means alone, and that a significant aspect of protection comes down to the attitudes, awareness, behaviour and capabilities of the people involved. Indeed, people can potentially represent a key asset in achieving security, but at present, factors such as lack of awareness and understanding, combined with unreasonable demands from security technologies, can dramatically impede their ability to do so. Ensuring appropriate attention and support for the needs of users should therefore be seen as a vital element of a successful security strategy. People at all levels (i.e. from organisations to domestic environments; from system administrators to end-users) need to understand security concepts, how the issues may apply to them, and how to use the available technology to protect their systems. In addition, the technology itself can make a contribution by reducing the demands upon users, simplifying protection measures, and automating a variety of safeguards. With the above in mind, this symposium specifically addresses information security issues that relate to people. It concerns the methods that inform and guide users' understanding of security, and the technologies that can benefit and support them in achieving protection. The symposium welcomes papers addressing research and case studies in relation to any aspect of information security that pertains to the attitudes, perceptions and behaviour of people, and how human characteristics or technologies may be positively modified to improve the level of protection. Indicative themes include:

    • Information security culture
    • Awareness and education methods
    • Enhancing risk perception
    • Public understanding of security
    • Usable security
    • Psychological models of security software usage
    • User acceptance of security policies and technologies
    • User-friendly authentication methods
    • Biometric technologies and impacts
    • Automating security functionality
    • Non-intrusive security
    • Assisting security administration
    • Impacts of standards, policies, compliance requirements
    • Organizational governance for information assurance
    • Simplifying risk and threat assessment
    • Understanding motivations for misuse
    • Social engineering and other human-related risks
    • Privacy attitudes and practices
    • Computer ethics and security

  • ESORICS 2015 20th European Symposium on Research in Computer Security, Vienna, Austria, September 23-25, 2015. (Submissions Due 4 April 2015)

    ESORICS is the annual European research event in Computer Security. The Symposium started in 1990 and has been held in several European countries, attracting a wide international audience from both the academic and industrial communities. Papers offering novel research contributions in computer security are solicited for submission to the Symposium. The primary focus is on original, high quality, unpublished research and implementation experiences. We encourage submissions of papers discussing industrial research and development. Topics of interest include, but are not limited to:

    • access control
    • accountability
    • ad hoc networks
    • anonymity
    • applied cryptography
    • authentication
    • biometrics
    • database security
    • data protection
    • digital content protection
    • digital forensic
    • distributed systems security
    • electronic payments
    • embedded systems security
    • inference control
    • information hiding
    • identity management
    • information flow control
    • integrity
    • intrusion detection
    • formal security methods
    • language-based security
    • network security
    • phishing and spam prevention
    • privacy
    • risk analysis and management
    • secure electronic voting
    • security architectures
    • security economics
    • security metrics
    • security models
    • security and privacy in cloud scenarios
    • security and privacy in complex systems
    • security and privacy in location services
    • security and privacy for mobile code
    • security and privacy in pervasive/ubiquitous computing
    • security and privacy policies
    • security and privacy in social networks
    • security and privacy in web services
    • security verification
    • software security
    • steganography
    • systems security
    • trust models and management
    • trustworthy user devices
    • web security
    • wireless security

  • NSS 2015 9th International Conference on Network and System Security, New York City, NY, USA, November 3-5, 2015. (Submissions Due 15 April 2015)

    NSS is an annual international conference covering research in network and system security. The conference seeks submissions from academia, industry, and government presenting novel research on all theoretical and practical aspects of network security, privacy, applications security, and system security. Papers describing case studies, implementation experiences, and lessons learned are also encouraged. Topics of interest include but are not limited to:

    • Active Defense Systems
    • Applied Cryptography
    • Analysis, Benchmark of Security Systems
    • Authentication
    • Biometric Security
    • Complex Systems Security
    • Database and System Security
    • Data Protection
    • Data/System Integrity
    • Distributed Access Control
    • Distributed Attack Systems
    • Denial-of-Service
    • High Performance Network Virtualization
    • Hardware Security
    • High Performance Security Systems
    • Identity Management
    • Intelligent Defense Systems
    • Insider Threats
    • Intellectual Property Rights Protection
    • Internet and Network Forensics
    • Intrusion Detection and Prevention
    • Key Distribution and Management
    • Large-scale Attacks and Defense
    • Malware
    • Network Resiliency
    • Network Security
    • RFID Security and Privacy
    • Security Architectures
    • Security for Critical Infrastructures
    • Security in P2P systems
    • Security in Cloud and Grid Systems
    • Security in E-Commerce
    • Security in Pervasive/Ubiquitous Computing
    • Security and Privacy in Smart Grid
    • Security and Privacy in Wireless Networks
    • Security Policy
    • Secure Mobile Agents and Mobile Code
    • Security Theory and Tools
    • Standards and Assurance Methods
    • Trusted Computing
    • Trust Management
    • World Wide Web Security

  • CNS 2015 3rd IEEE Conference on Communications and Network Security, Florence, Italy, September 28-30, 2015. (Submissions Due 24 April 2015)

    IEEE Conference on Communications and Network Security (CNS) is a new conference series in IEEE Communications Society (ComSoc) core conference portfolio and the only ComSoc conference focusing solely on cyber security. IEEE CNS is also a spin-off of IEEE INFOCOM, the premier ComSoc conference on networking. The goal of CNS is to provide an outstanding forum for cyber security researchers, practitioners, policy makers, and users to exchange ideas, techniques and tools, raise awareness, and share experience related to all practical and theoretical aspects of communications and network security. Building on the success of the past two years' conferences, IEEE CNS 2015 seeks original high-quality technical papers from academia, government, and industry. Topics of interest encompass all practical and theoretical aspects of communications and network security, all the way from the physical layer to the various network layers to the variety of applications reliant on a secure communication substrate. Submissions with main contribution in other areas, such as information security, software security, system security, or applied cryptography, will also be considered if a clear connection to secure communications/networking is demonstrated. Particular topics of interest include, but are not limited to:

    • Anonymization and privacy in communication systems
    • Biometric authentication and identity management
    • Computer and network forensics
    • Data and application security
    • Data protection and integrity
    • Availability of communications, survivability of networks in the presence of attacks
    • Key management and PKI for networks
    • Information-theoretic security
    • Intrusion detection and prevention
    • Location privacy
    • Mobile security
    • Outsourcing of network and data communication services
    • Physical layer security methods, cross-layer methods for enhancing security
    • Secure routing, network management
    • Security for critical infrastructures
    • Security metrics and performance evaluation
    • Security and privacy for big data
    • Security and privacy in body area networks
    • Security and privacy in content delivery network
    • Security and privacy in cloud computing and federated cloud
    • Security and privacy in crowdsourcing
    • Security and privacy in the Internet of Things
    • Security and privacy in multihop wireless networks: ad hoc, mesh, sensor, vehicular and RFID networks
    • Security and privacy in peer-to-peer networks and overlay networks
    • Security and privacy in single-hop wireless networks: Wi-Fi, Wi-Max
    • Security and privacy in smart grid, cognitive radio networks, and disruption/delay tolerant networks
    • Security and privacy in social networks
    • Security and privacy in pervasive and ubiquitous computing
    • Social, economic and policy issues of trust, security and privacy
    • Traffic analysis
    • Usable security for networked computer systems
    • Vulnerability, exploitation tools, malware, botnet, DDoS attacks
    • Web, e-commerce, m-commerce, and e-mail security

  • Elsevier Future Generation Computer Systems, Special Issue on Cloud Cryptography: State of the Art and Recent Advances. (Submissions Due 1 May 2015)

    Editors: Kim-Kwang Raymond Choo (University of South Australia, Australia), Josep Domingo-Ferrer (Universitat Rovira i Virgili, Catalonia), and Lei Zhang (East China Normal University, China)
    
    Cloud computing is widely used by organisations and individuals. Despite the popularity of cloud computing, cloud security is still an area needing further research. A particularly promising approach to achieve security in this new computing paradigm is through cryptography, but traditional cryptographic techniques are not entirely suitable for cloud implementation due to computational efficiency limitations and other constraints. This special issue is dedicated to providing both scientists and practitioners with a forum to present their recent research on the use of novel cryptography techniques to improve the security of the underlying cloud architecture or ecosystem, particularly research that integrates both theory and practice. For example, how do we design an efficient cloud cryptography system that offers enhanced security without compromising on usability and performance? An efficient fully homomorphic encryption scheme might be an option. Such a scheme should guarantee that the cloud service provider is unable to view the content of the data he stores (thereby ensuring data confidentiality to users). However, sufficiently efficient fully homomorphic encryption is not yet available. We encourage authors to be exploratory in their submissions – that is, to report on advances beyond the state of the art in research and development of cryptographic techniques that result in secure and efficient means of ensuring security and privacy of cloud data. Topics of interest include but are not limited to:

    • Anonymity
    • Access control
    • Cloud key agreement
    • Distributed authentication and authority
    • Implementation of cryptographic schemes
    • Homomorphic encryption
    • Multi-cloud security
    • Privacy-preserving provisioning
    • Remote proofs of storage
    • Searchable encryption
    • Secure computation

  • IEICE Transactions on Information and Systems, Special Issue on Information and Communication System Security. (Submissions Due 22 May 2015)

    Editors: Toshihiro Yamauchi (Okayama University, Japan), Yasunori Ishihara (Osaka University, Japan), and Atsushi Kanai (Hosei University, Japan).
    
    The major topics include, but are not limited to:

    • Security Technologies on AdHoc Network, P2P, Sensor Network, RFID, Wireless Network, Mobile Network, Home Network, Cloud, and SNS
    • Access Control, Content Security, DRM, CDN, Privacy Protection, E-Commerce, PKI, Security Architecture, Security Protocol, Security Implementation, Technologies, Secure OS, Security Evaluation/Authentication

 

• The Technical Committee on Security and Privacy

 

• Staying in touch....

  • Information for Subscribers and Contributors

  • Who's where: recent address changes

  • Changing your email address?  Please send updates to cipher@ieee-security.org