Cipher Electronic Newsletter of the Technical Committe on    Security & Privacy A Technical Committee of the Computer Society of the IEEE  Electronic Issue (EI) 140,  September 18, 2017 Hilarie Orman,  Editor Sven Dietrich, Book Review Editor Sven Dietrich, Associate Editor Yong Guan, Calendar Editor

Contents:

• Letter from the Editor 

• Commentary and Opinion and News

  • Sven Dietrich's review of The Internet of Risky Things - Trusting the devices That Surround Us by Sean Smith

  • NewsBits:  Announcements and correspondence from readers (please contribute!)

    • BitCoins diverted? Or not?
    • Roomba the Spy
    • Wifi worst case scenario
    • Browser Extension for "Trust" Enables Privacy Breaches
    • Voter Data and Amazon's Leaky Buckets
    • Cyber Command moves up
    • Elections and the Software They Rely On
    • Power to the hackers
    • Yawn, YA Data Breach
    • Kaspersky too spooky for govmt use?

  • Book reviews from past Cipher issues

  • Conference Reports and Commentary from past Cipher issues

  • News items from past Cipher issues

 

• Listing of academic positions available  by Cynthia Irvine
  

• Conference and Workshop Announcements

  • Cipher calls-for-papers and calendar
      Cipher calendar announcements are on Twitter; follow "ciphernews"
    Requests for inclusion in the list should sent per instructions.
      new calls or announcements added since Cipher E139 (the calls-for-papers and the calendar announcements may differ slightly in content or time of update): 

  • 9/18/17: IFIP119-DF, 14th Annual IFIP WG 11.9 International Conference on Digital Forensics, New Delhi, India Submissions are due
  • 9/18/17- 9/20/17: RAID, 20th International Symposium on Research in Attacks, Intrusions and Defenses, Atlanta, GA, USA
  • 9/24/17: ICSS, Industrial Control System Security Workshop, Held in conjunction with the 33rd Annual Computer Security Applications Conference (ACSAC), San Juan, Puerto Rico Submissions are due
  • 9/25/17: HOST, IEEE International Symposium on Hardware-Oriented Security and Trust, Washington DC, USA Submissions are due
  • 9/25/17: FDTC, 14th Workshop on Fault Diagnosis and Tolerance in Cryptography, Taipei, Taiwan
  • 9/28/17- 9/29/17: WISTP, 11th International Conference on Information Security Theory and Practice, Crete, Greece
  • 10/ 1/17: SP, 39th IEEE Symposium on Security and Privacy, San Francisco, CA, USA, Submissions are due (monthly deadline)
  • 10/ 1/17: Elsevier Online Social Networks and Media Journal, Special Issue on Information and Opinion Diffusion in Online Social Networks and Media, Submissions are due
  • 10/ 2/17-10/ 4/17: NSPW, New Security Paradigms Workshop, Islamorada, FL, USA
  • 10/ 6/17: PKC, 21st IACR International Conference on Practice and Theory in Public-Key Cryptography, Rio de Janeiro, Brazil, Submissions are due
  • 10/ 9/17-10/11/17: CNS, 5th IEEE Conference on Communications and Network Security, Las Vegas, Nevada, USA
  • 10/16/17: HST, 18th annual IEEE Symposium on Technologies for Homeland Security, Washington D.C., USA, Submissions are due
  • 10/19/17-10/20/17: AsianHOST, IEEE Asian Hardware-Oriented Security and Trust Symposium, Beijing, China
  • 10/23/17-10/24/17: CTC, 7th International Symposium on Secure Virtual Infrastructures - Cloud and Trusted Computing, Rhodes, Greece
  • 10/23/17-10/25/17: GameSec, 8th Conference on Decision and Game Theory for Security, Vienna, Austria
  • 10/23/17-10/25/17: FPS, 10th International Symposium on Foundations & Practice of Security, Nancy, France
  • 10/25/17-10/27/17: ISDDC, International Conference on Intelligent, Secure and Dependable Systems in Distributed and Cloud Environments, Vancouver, BC, Canada
  • 10/27/17: Security and Communication Networks journal, Special Issue on Cybersecurity in the Internet of Things, Submissions are due
  • 10/30/17-11/ 3/17: ACM CCS, 24th ACM Conference on Computer and Communication Security, Dallas, TX, USA
  • 10/30/17-11/ 3/17: MIST, 9th ACM CCS International Workshop on Managing Insider Security Threats, Dallas, USA
  • 10/30/17: WPES, Workshop on Privacy in the Electronic Society, Dallas, Texas, USA
  • 11/ 1/17: SP, 39th IEEE Symposium on Security and Privacy, San Francisco, CA, USA, Submissions are due (monthly deadline, one month revision period for 2018 inclusion)
  • 11/ 5/17-11/ 8/17: SSS, 19th Annual International Symposium on Stabilization, Safety, and Security of Distributed Systems, Boston, Massachusetts, USA
  • 11/ 6/17-11/10/17: DASC, 15th IEEE International Conference on Dependable, Autonomic and Secure Computing, Orlando, Florida, USA
  • 11/16/17-11/17/17: CECC, Central European Cybersecurity Conference, Ljubljana, Slovenia
  • 11/30/17: PETS, 18th Privacy Enhancing Technologies Symposium, Barcelona, Spain, Submissions are due
  • 12/ 1/17: Information & Communications Technology Express, Special Issue on Critical Infrastructure (CI) & Smart Grid Cyber Security; Submissions are due
  • 12/ 1/17: SP, 39th IEEE Symposium on Security and Privacy, San Francisco, CA, USA, Submissions are due (monthly deadline for 2019)
  • 12/ 4/17-12/ 8/17: ACSAC, 33rd Annual Computer Security Applications Conference, San Juan, Puerto Rico
  • 12/ 5/17: ICSS, Industrial Control System Security Workshop, Held in conjunction with the 33rd Annual Computer Security Applications Conference (ACSAC), San Juan, Puerto Rico
  • 1/ 1/18: SP, 39th IEEE Symposium on Security and Privacy, San Francisco, CA, USA, Submissions are due (monthly deadline for 2019)
  • 1/ 3/18- 1/ 5/18: IFIP119-DF, 14th Annual IFIP WG 11.9 International Conference on Digital Forensics, New Delhi, India
  • 2/ 1/18: SP, 39th IEEE Symposium on Security and Privacy, San Francisco, CA, USA, Submissions are due (monthly deadline for 2019)
  • 2/28/18: PETS, 18th Privacy Enhancing Technologies Symposium, Barcelona, Spain, Submissions are due
  • 3/ 1/18: SP, 39th IEEE Symposium on Security and Privacy, San Francisco, CA, USA, Submissions are due (monthly deadline for 2019)
  • 3/25/18- 3/28/18: PKC, 21st IACR International Conference on Practice and Theory in Public-Key Cryptography, Rio de Janeiro, Brazil
  • 4/ 1/18: SP, 39th IEEE Symposium on Security and Privacy, San Francisco, CA, USA, Submissions are due (monthly deadline for 2019)
  • 5/ 1/18: SP, 39th IEEE Symposium on Security and Privacy, San Francisco, CA, USA, Submissions are due (monthly deadline for 2019)
  • 5/ 2/18- 5/ 3/18: HST, 18th annual IEEE Symposium on Technologies for Homeland Security, Washington D.C., USA
  • 5/21/18- 5/23/18: SP, 39th IEEE Symposium on Security and Privacy, San Francisco, CA, USA
  • 5/18: HOST, IEEE International Symposium on Hardware-Oriented Security and Trust, Washington DC, USA
  • 7/24/18- 7/27/18: PETS, 18th Privacy Enhancing Technologies Symposium, Barcelona, Spain
  
  
  • new calls or announcements added since Cipher E139

  • IFIP119-DF 2018 14th Annual IFIP WG 11.9 International Conference on Digital Forensics, New Delhi, India, January 3-5, 2018. (Submissions Due 18 September 2017)

    The IFIP Working Group 11.9 on Digital Forensics (www.ifip119.org) is an active international community of scientists, engineers and practitioners dedicated to advancing the state of the art of research and practice in digital forensics. The Fourteenth Annual IFIP WG 11.9 International Conference on Digital Forensics will provide a forum for presenting original, unpublished research results and innovative ideas related to the extraction, analysis and preservation of all forms of electronic evidence. Papers and panel proposals are solicited. All submissions will be refereed by a program committee comprising members of the Working Group. Papers and panel submissions will be selected based on their technical merit and relevance to IFIP WG 11.9. The conference will be limited to approximately a hundred participants to facilitate interactions between researchers and intense discussions of critical research issues. Keynote presentations, revised papers and details of panel discussions will be published as an edited volume - the fourteenth volume in the well-known Advances in Digital Forensics book series (Springer, Heidelberg, Germany) during the summer of 2018. Technical papers and posters are solicited in all areas related to the theory and practice of digital forensics. Areas of special interest include, but are not limited to:

    • Theories, techniques and tools for extracting, analyzing and preserving digital evidence
    • Network and cloud forensics
    • Embedded device forensics
    • Digital forensic processes and workflow models
    • Digital forensic case studies
    • Legal, ethical and policy issues related to digital forensics

  • ICSS 2017 Industrial Control System Security Workshop, Held in conjunction with the 33rd Annual Computer Security Applications Conference (ACSAC), San Juan, Puerto Rico, December 5, 2017. (Submissions Due 24 September 2017)

    Supervisory control and data acquisition (SCADA) and industrial control systems monitor and control a wide range of industrial and infrastructure processes such as water treatment, power generation and transmission, oil and gas refining and steel manufacturing. Such systems are usually built using a variety of commodity computer and networking components and are becoming increasingly interconnected with corporate and other Internet-visible networks. As a result, they face significant threats from internal and external actors. For example, in 2010 the Stuxnet malware was specifically written to attack SCADA systems and caused millions of dollars in damages. The critical requirement for high availability in SCADA and industrial control systems, along with the use of resource constrained computing devices, legacy operating systems, and proprietary software applications limit the applicability of traditional information security solutions. The goal of this workshop is to explore new security techniques that are applicable in the control systems context. Papers of interest including (but not limited to) the following subject categories are solicited:

    • Intrusion detection and prevention
    • Malware
    • Vulnerability analysis and risk management
    • Digital forensics
    • Virtualization
    • Application Security
    • Performance evaluation of security methods and tools in control systems
    • Cybersecurity Education

  • HOST 2018 IEEE International Symposium on Hardware-Oriented Security and Trust, Washington DC, USA, May 2018. (Submissions Due 25 September 2017)

    IEEE International Symposium on Hardware Oriented Security and Trust (HOST) 2018 aims to facilitate the rapid growth of hardware-based security research and development. HOST highlights new results in the area of hardware security. Relevant research topics include architectures, design methods, circuits, and applications of secure hardware. HOST 2018 invites original contributions related to (but not limited to) the following:

    • Hardware security primitives (Crypto, PUFs, RNGs)
    • Hardware design techniques to facilitate software and/or system security
    • Architecture support for security
    • Side-channel analysis, attacks, and protection
    • Hardware Trojan attacks, detection, and countermeasures
    • Hardware security test and verification
    • FPGA and system-on-chip (SoC) security
    • Supply chain risk mitigation (e.g., counterfeit detection & avoidance)
    • Reverse engineering and hardware obfuscation
    • Fault injection and mitigation
    • Metrics, policies, assessment, and standards related to hardware security
    • Hardware IP trust (watermarking, metering, trust verification)
    • Trusted manufacturing including split manufacturing and 2.5/3D integration
    • Hardware tampering attacks and protection

  • Elsevier Online Social Networks and Media Journal, Special Issue on Information and Opinion Diffusion in Online Social Networks and Media, (Submissions Due 1 October 2017)

    Guest Editors: Marco Conti (IIT-CNR, Italy) and Andrea Passarella (IIT-CNR, Italy).
    
    Online Social Networks are a massively successful phenomenon, used by billions of users to interact. Nowadays, information diffusion in Online Social Networks and Media (OSNEM) has a major role, among many others, for recommendation systems, advertising, and political campaigns. Moverover, the way information circulates in OSNEM impacts on the formation of opinions and on the social roles of users and their influence on others. OSNEM are extensively used for spreading information, opinions and ideas, but also to propagate fake news and rumors. Therefore, prevention of spam, bots and fake accounts, information leakage, trustworthiness of information and trust between users are relevant research issues associated with information diffusion. This special issue seeks contributions pushing the state of the art in all facets of information and opinion diffusion in online social networks and media. We solicit manuscripts where quantitative and/or data-driven approach is used to investigate information and opinion diffusion in OSNEM. Topics include, but are not limited to:

    • Dynamics of trends, information and opinion diffusion in OSNEM
    • Recommendations and advertising in OSNEM
    • Spread of news, topics, and opinions
    • Trust, reputation, privacy in OSNEM information and opinion diffusion
    • Rumors and fake news spreading in OSNEM
    • Bots and fake users detection
    • Influence analysis and social influence
    • Identification of diffusion sources and influencers
    • Methods to modify/control/maximise information and opinion diffusion
    • Measurements of information and opinion diffusion in OSNEM
    • Models of information and opinion diffusion
    • Data-driven approaches to study information and opinion diffusion in OSNEM

  • SP 2018 39th IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 21-23, 2018. (Submissions Due first day of each month)

    Since 1980 in Oakland, the IEEE Symposium on Security and Privacy has been the premier forum for computer security research, presenting the latest developments and bringing together researchers and practitioners. We solicit previously unpublished papers offering novel research contributions in any aspect of security or privacy. Papers may present advances in the theory, design, implementation, analysis, verification, or empirical evaluation and measurement of secure systems. Topics of interest include:

    • Access control and authorization
    • Accountability
    • Anonymity
    • Application security
    • Attacks and defenses
    • Authentication
    • Censorship resistance
    • Cloud security
    • Distributed systems security
    • Economics of security and privacy
    • Embedded systems security
    • Forensics
    • Hardware security
    • Intrusion detection and prevention
    • Malware and unwanted software
    • Mobile and Web security and privacy
    • Language-based security
    • Network and systems security
    • Privacy technologies and mechanisms
    • Protocol security
    • Secure information flow
    • Security and privacy for the Internet of Things
    • Security and privacy metrics
    • Security and privacy policies
    • Security architectures
    • Usable security and privacy
    This topic list is not meant to be exhaustive; S&P is interested in all aspects of computer security and privacy. Papers without a clear application to security or privacy, however, will be considered out of scope and may be rejected without full review.
    
    Systematization of Knowledge Papers As in past years, we solicit systematization of knowledge (SoK) papers that evaluate, systematize, and contextualize existing knowledge, as such papers can provide a high value to our community. Suitable papers are those that provide an important new viewpoint on an established, major research area, support or challenge long-held beliefs in such an area with compelling evidence, or present a convincing, comprehensive new taxonomy of such an area. Survey papers without such insights are not appropriate. Submissions will be distinguished by the prefix ?SoK:? in the title and a checkbox on the submission form. They will be reviewed by the full PC and held to the same standards as traditional research papers, but they will be accepted based on their treatment of existing work and value to the community, and not based on any new research results they may contain. Accepted papers will be presented at the symposium and included in the proceedings.
    
    Workshops The Symposium is also soliciting submissions for co-located workshops. Further details on submissions can be found at https://www.ieee-security.org/TC/SP2018/workshops.html.
    
    Ongoing Submissions To enhance the quality and timeliness of the scientific results presented as part of the Symposium, and to improve the quality of our reviewing process, IEEE S&P now accepts paper submissions 12 times a year, on the first of each month. The detailed process can be found at the conference call-for-papers page.

  • PKC 2018 21st IACR International Conference on Practice and Theory in Public-Key Cryptography, Rio de Janeiro, Brazil, March 25-28, 2018. (Submissions Due 6 October 2017)

    PKC 2018 is the 21st edition of the International Conference on Practice and Theory of Public Key Cryptography, the main annual conference with an explicit focus on public-key cryptography. Original research papers on all aspects of public-key cryptography, covering theory, implementations and applications, are solicited for submission to PKC 2018.

  • HST 2018 18th annual IEEE Symposium on Technologies for Homeland Security, Washington D.C., USA, May 2-3, 2018. (Submissions Due 16 October 2017)

    This symposium brings together innovators from leading academic, industry, businesses, Homeland Security Centers of Excellence, and government agencies to provide a forum to discuss ideas, concepts, and experimental results. Produced by IEEE with technical support from DHS S&T, IEEE, IEEE Boston Section, and IEEE-USA and organizational support from MIT Lincoln Laboratory, Raytheon, and MITRE, this year?s event will once again showcase selected technical papers and posters highlighting emerging technologies to:

    • Secure Cyberspace
    • Secure Land and Maritime Borders
    • Enhance Biometrics & Forensics
    • Prevent Terrorism & Manage Incidents
    We are currently seeking technical paper and poster session submissions in each of the areas noted above. Papers examining the feasibility of transition to practice will also be considered. This year, papers focused on DHS high-priority technology gaps will be of particular interest.

  • Security and Communication Networks journal, Special Issue on Cybersecurity in the Internet of Things, (Submissions Due 27 October 2017)

    Guest Editors: Félix Gómez-Mármol (University of Murcia, Murcia, Spain), Patricia Arias-Cabarcos (Universität Mannheim, Mannheim, Germany), and Vijay Varadharajan (University of Newcastle, Newcastle, Australia). With the settlement of smartphones and tablets in modern societies, as well as the proliferation of an astronomic amount of other electronic devices such as wearables, e-Health sensors, electrical appliances, or vehicles (amidst others), all provided with Internet connection, all potentially dealing with sensitive information, and most of them mobile in essence, we are witnessing today the real advent of the Internet of Things (IoT). This new paradigm brings along many indubitable advantages, but also a nonnegligible number of security threats that should not go underestimated. Besides increasing in number, those threats are becoming more sophisticated and harmful (as it is the case of advanced persistent threats, or APTs), making it unfeasible for a human administrator to manually protect each and every device within the constellation of gadgets, artefacts, and computer systems of the IoT. Moreover, an alarming amount of the new solutions envisaged for the IoT pay higher attention to usability aspects, recklessly ignoring substantial security protection mechanisms, making the IoT an ideal playground for malicious hacking activities. Hence, it is imperative to find solutions aiming at the integral protection of the plethora of vulnerable devices within the IoT. Working on those solutions will help the wider adoption of these new technologies and help users to entrust them. Thus, this Special Issue seeks high-quality original papers presenting innovative solutions dealing with cybersecurity in the field of IoT. In particular, novel techniques and mechanisms aimed at the security and privacy protection of these environments are welcome. Likewise, we encourage review articles describing and analyzing the current state of the art in this field. Papers with a strong cryptographic background will not be considered as part of this special issue. Papers will be evaluated based on their originality, presentation, relevance, and contribution to the field of cybersecurity in the IoT, as well as their suitability to the special issue, and for their overall quality. The submitted papers have to describe original research which has not been published nor currently under review by other journals or conferences. Guest editors will make an initial determination of the suitability and scope of all submissions. Papers that either lack originality and clarity in presentation or fall outside the scope of the special issue will not be sent for review and authors will be promptly informed in such cases. Potential topics include but are not limited to the following:

    • Intrusion detection and prevention systems
    • Malware analysis
    • Privacy-preserving solutions
    • Countermeasures solutions
    • Seamless security solutions
    • Threats and vulnerabilities
    • Botnets analysis
    • BYOD security
    • Identity management
    • Authorization and access control
    • Trust and reputation management
    • Machine learning-based solutions
    • Security Information event management

  • PETS 2018 18th Privacy Enhancing Technologies Symposium, Barcelona, Spain, July 24-27, 2018. (Submissions Due 30 November 2017, 28 February 2018)

    The annual Privacy Enhancing Technologies Symposium (PETS) brings together privacy experts from around the world to present and discuss recent advances and new perspectives on research in privacy technologies. Papers undergo a journal-style reviewing process and accepted papers are published in Proceedings on Privacy Enhancing Technologies (PoPETs), a scholarly, open access journal. Submitted papers should present novel practical and/or theoretical research into the design, analysis, experimentation, or fielding of privacy-enhancing technologies. While PETS/PoPETs has traditionally been home to research on anonymity systems and privacy-oriented cryptography, we strongly encourage submissions on a number of both well-established and emerging privacy-related topics, for which examples are provided below. PoPETs also solicits submissions for Systematization of Knowledge (SoK) papers. These are papers that critically review, evaluate, and contextualize work in areas for which a body of prior literature exists, and whose contribution lies in systematizing the existing knowledge in that area. Authors are encouraged to view our FAQ about the submission process.

    • Behavioural targeting
    • Building and deploying privacy-enhancing systems
    • Crowdsourcing for privacy
    • Cryptographic tools for privacy
    • Data protection technologies
    • Differential privacy
    • Economics of privacy and game-theoretical approaches to privacy
    • Empirical studies of privacy in real-world systems
    • Forensics and privacy
    • Human factors, usability and user-centered design for PETs
    • Information leakage, data correlation and generic attacks to privacy
    • Interdisciplinary research connecting privacy to economics, law, ethnography, psychology, medicine, biotechnology
    • Location and mobility privacy
    • Machine learning and privacy
    • Measuring and quantifying privacy
    • Mobile devices and privacy
    • Obfuscation-based privacy
    • Policy languages and tools for privacy
    • Privacy in cloud and big-data applications
    • Privacy in social networks and microblogging systems
    • Privacy-enhanced access control, authentication, and identity management
    • Profiling and data mining
    • Reliability, robustness, and abuse prevention in privacy systems
    • Surveillance
    • Systems for anonymous communications and censorship resistance
    • Traffic analysis
    • Transparency enhancing tools
    • Web privacy

  • Information & Communications Technology Express, Special Issue on Critical Infrastructure (CI) & Smart Grid Cyber Security, (Submissions Due 1 December 2017)

    Guest Editors: Leandros A. Maglaras (De Montfort University, UK), Ki-Hyung Kim (Ajou University, Korea), Helge Janicke (De Montfort University, UK), Mohamed Amine Ferrag, Guelma University, Algeria), Artemios G. Voyiatzis (SBA Research, Austria), Pavlina Fragkou (T.E.I of Athens, Greece), Athanasios Maglaras (T.E.I. of Thessaly, Greece), and Tiago J. Cruz (University of Coimbra, Portugal).
    
    Cyber-physical systems are becoming vital to modernizing the national critical infrastructure (CI) systems. A smart grid is an energy transmission and distribution network enhanced through digital control, monitoring, and telecommunications capabilities. It provides a real-time, two-way flow of energy and information to all stakeholders in the electricity chain, from the generation plant to the commercial, industrial, and residential end user. Each smart grid subsystem and its associated assets require specific security functions and solutions. For example, the solution to secure a substation is not the same as the solution to secure demand response and home energy management systems. Usual cyber security technologies and best practices - such as antivirus, firewalls, intrusion prevention systems, network security design, defense in depth, and system hardening - are necessary to protect the smart grid. However, history showed they are only part of the solution. Owing to the rapid increase of sophisticated cyber threats with exponentially destructive effects advanced cyber security technologies must be developed. The title of this special issue of ICT Express is therefore coined concisely as "Special Issue on CI & Smart Grid Cyber Security". This special issue focuses on innovative methods and techniques in order to address unique security issues relating to CI and smart grids. Original submissions reflecting latest research observation and achievement in the following areas are invited:

    • Hardware Security Solutions
    • Incident response
    • Real-time threat intelligence
    • Situation Awareness
    • Security information and event management (SIEM) systems
    • Machine Learning Techniques
    • Safety-Security Interactions
    • System Vulnerabilities
    • Cyber Security Engineering
    • Human Awareness & Training
    • Intrusion Detection Systems
    • Trust and privacy
    • Malware Analysis
    • Behavioral Modeling
    • Secure Communication Protocols
    • Malware analysis
    • Network security and protocols
    • Hardware enforced virtualization

 

• The Technical Committee on Security and Privacy

 

• Staying in touch....

  • Information for Subscribers and Contributors

  • Who's where: recent address changes

  • Changing your email address?  Please send updates to cipher@ieee-security.org