ACSA Blog

Observations on Security from the Applied Computer Security Associates

ACSAC 2007 is Open for Registration!

    September 26th, 2007 by danielf

    We would like to invite you to attend this year’s ACSAC conference in Miami Beach, FL. We have an outstanding program organized in three tracks, featuring invited speakers, peer-reviewed technical papers, case studies, tutorials, a workshop, a works in progress session and panels.  There will be plenty of opportunities to network with your colleagues from around the globe, and if you are a CISSP, to earn continued education credits.

    The advance program is posted and registration is now open:

    http://www.acsac.org/2007/ACSAC2007_Advance_Program.pdf

    http://www.acsac.org/registration

    The deadline for securing the early registration discount and hotel room discount is November 19, 2007. Please make sure you register for the hotel BEFORE you register for the conference to get the hotel room discount.

    Program highlights include:

    • Two days of tutorials on leading edge topics, including: VoIP, botnets, content protection, web services security, web injection attacks, security code review, and security engineering. Worth noting, for those of you with CISSP (or companies concerned with continuous learning), ACSAC Tutorials are an excellent way of staying up-to-date with current trends and technologies in our area of expertise.
    • A full day workshop on Software Assurance
    • 42 refereed papers, 6 case studies sessions, 3 panels, and our always popular Works in Progress session. Together these cover a wide range of research topics, from security for P2P and mobile computing to malware and forensics, as well as practical “how to” information on topics such as achieving DNI-DOD Certification and Accreditation.
    • Exciting plenary sessions featuring our three invited speakers:
      • John Rushby will discuss how concepts from the classic “Randell-Rushby paper” in 1983 apply to today’s separation kernels and virtual machine monitors.
      • Daniel Weitzner, Director of the World Wide Web Consortium’s Technology and Society activities will talk about a new approach for providing privacy for online activities.
      • Dick Kemmerer, this year’s Distinguished Practitioner, will talk about the new security challenges in front of us and the need to maintain a focus on practitioners as we address these challenges.

    Last but not least: The social events include a welcome reception on Tuesday night, a dinner by the pool (or in the beautiful Starlight room, depending on the weather) on Wednesday night, and an optional Miami and Everglades trip on Friday afternoon.

    We hope to see you in Miami!

    Posted in acsac | No Comments »

    ACSAC Submission Deadline Extended

    June 1st, 2007 by danielf

    For all of those busily working on your submissions for this year’s ACSAC, we have some good news. The submission deadline has been extended to close of business on June 10th for submissions for our technical track, panels, tutorials, and workshops. You have until June 17th to get your submissions in for our case studies track, and September 8th for the Works In Progress.

    More information on topic areas of interest can be found in the online Call for Participation. A one-page version of the call for papers is also available.

    We look forward to seeing your submission at ACSAC

    Posted in acsac | No Comments »

    New Security Paradigms Workshop Call for Papers

    February 16th, 2007 by jeremye

    In addition to ACSAC, ACSA also sponsors a number of workshops. The New Security Paradigms Workshop (NSPW) is the best known of these. Following is the NSPW CFP.

    ——————————————————————–
    New Security Paradigms Workshop

    September 18-21, 2007

    White Mountain Hotel and Resort, New Hampshire, USA

    Important Dates

    1. The submission deadline is May 1
    2. Notification of acceptance is by July 3
    3. Camera-ready papers for pre-proceedings due August 28
    4. Workshop during September 18-21
    5. Camera-ready papers for proceedings due November 1

    NSPW is a unique workshop that is devoted to the critical examination of new paradigms in security. Each year, since 1992, we examine proposals for new principles upon which information security can be rebuilt from the ground up. We conduct extensive, highly interactive discussions of these proposals, from which we hope both the audience and the authors emerge with a better understanding of the strengths and weaknesses of what has been discussed.

    For full call for papers and other details, visit www.nspw.org

    Konstantin (Kosta) Beznosov
    NSPW ‘07 Publicity Chair

    Posted in nspw | No Comments »

    ACSAC 2007 CFP Now Available

    February 5th, 2007 by danielf

    I’m pleased to announce that the ACSAC Call for Participation and Papers is now available. ACSAC 2007 will be held December 10-14, 2007 in Miami Beach, Florida.

    We’re looking for technical papers, panels, tutorials, workshops, case studies, and works-in-progress submissions. We encourage you to submit, and we also encourage you to tell your coworkers and colleagues about the CFP. Key dates for submissions are:

                          Submission Deadline    Acceptance Notification
    Technical Track       June 3, 2007           Aug. 13, 2007
    Panels                June 3, 2007           Aug. 13, 2007
    Tutorials             June 3, 2007           Jul. 18, 2007
    Workshop              June 3, 2007           Jul. 18, 2007
    Case Studies          June 3, 2007           Aug. 15, 2007
    Works in Progress     Sep. 9, 2007           Oct. 1, 2007

    We look forward to seeing your submission.

    Posted in acsac | No Comments »

    NIAP announces new policies on Common Criteria evaluations

    September 25th, 2006 by jeremye

    NIAP (the US National Information Assurance Partnership) has announced that effective October 1, 2006, they will no longer accept any new Common Criteria evaluations other than those using the “medium robustness” (MR) or “high robustness” protection profiles (PPs). (There’s more to the announcement than this, but that’s the key part.) MR is a superset of EAL4, the highest level reached by most commercial products. It’s unclear at this point whether this is for a year (government FY07) or a permanent change. Details are at http://niap.bahialab.com/cc-scheme/.

    This has several impacts.

    (1) For vendors who don’t have the market need for MR (because their customers don’t care about it), this forces evaluations to move overseas where other schemes (countries) are still doing EAL1, EAL2, EAL3, and EAL4.

    (2) This change essentially guts the mutual recognition agreement, where an evaluation performed in one country is accepted by all of the other signatories. If the US isn’t issuing EAL1-EAL4, and is requiring MR for new procurements (as they’re indicating), then mutual recognition is dead between the US and everyone else.

    (3) For vendors whose products don’t fit into one of the MR PPs, no US evaluations are possible. Right now, there are (I believe) MR PPs for operating systems, biometrics, firewalls, PKI, tokens, and VPNs. If you happen to have some other product – say a database or an application or an anti-virus product – it means no more evaluations are possible in the US.

    I understand the financial pressures on NIAP due to a severe budget cut. But this new policy is cutting off their nose to spite their face.

    This new policy was the subject of much discussion at the International Common Criteria Conference (ICCC) last week. I hope to discuss ideas with vendors, evaluators, and labs and ACSAC in a few months – by which point perhaps the dust will have settled!

    Posted in common-criteria | 1 Comment »

    ACSAC Registration Is Now Open

    September 22nd, 2006 by danielf

    I’m pleased to announce that registration for this year’s ACSAC conference in Miami Beach, FL is now open.

    I’ve taken a look at the advance program, and I must say that I am impressed with the job done by the program committee and the area chairs (not to mention the tutorial program is wonderful [he said as he beamed proudly]). Although it is hard to summarize in a short entry such as this, there are some wonderful papers on network security, vulnerability analysis, system security, malware, sandboxing, and more. There are also special tracks focusing on the needs of those in government, sessions on web services, and some wonderful keynote speakers. Tutorial topics include forensic analysis, certification and accreditation, security engineering, wireless security, biometrics, and much more. Do take a look at the program.

    For information on registration, please visit the ACSAC web page. If you register early, your registration will include an ACSAC-logo polo shirt. Additionally, to encourage folks to stay at the conference hotel, there is a $100 discount on your registration fee if you provide your hotel confirmation number.

    I look forward to seeing you at ACSAC in December.

    Posted in acsac | No Comments »

    ACSAC: Call for Works in Progress

    August 1st, 2006 by danielf

    ACSAC has just put out a call for Works-In-Progress proposals for this year’s conference. The Works in Progress (WiP) session packs as many 5-minute presentations as it can into one fast-paced and popular session. These talks highlight the most current work in both business and academia, emphasizing goals and value add, accomplishments to date, and future plans. Special consideration is given to topics that discuss real life security experience, including system implementation, deployment, and lessons learned.

    ACSAC is looking for Works in Progress that address just about any security topic, including access control, applied cryptography, audit and audit reduction, biometrics, boundary control devices, certification and accreditation, database security, denial of service protection, defensive information warfare, electronic commerce security, enterprise security, forensics, identification and authentication, information survivability, insider threat protection, integrity, intellectual property rights protection, incident response planning, intrusion detection and event correlation, malware, middleware and distributed systems security, mobile and wireless security, modeling and simulation related to security, operating systems security, privacy, risk/vulnerability assessment, security engineering and management, service oriented architectures, security standards and their application, software assurance, and VoIP security.

    Abstracts should be 1-2 type-written pages in length and should briefly describe the objectives of the current work, any accomplishments to date, and future plans. Abstracts should be sent as pdf files to wip_chair@acsac.org. Please make sure you include author information (name, affiliation, country) in your email. The deadline for submitting Works in Progress abstracts is September 8, 2006. Acceptance notifications will be sent out on October 1.

    More information is available on the ACSAC website.

    Posted in acsac | No Comments »

    Is “foreign” software a security risk?

    July 21st, 2006 by jeremye

    The question of whether “foreign” software is a security risk keeps coming up, usually (but not always) by government folks worried about malicious code or backdoors being inserted during the software development lifecycle. The term “foreign” is used to mean (at least) three different things - software developed by a foreign-owned company, software developed *in* a foreign country, and software developed by *nationals* of a foreign country.

    All three of these can apply no matter where the “home” country is and where the “foreign” country is - the U.S. government is concerned about the Chinese (and others) inserting malicious code, but so too the Chinese are worried about the U.S. government putting in malicious code.

    Very little non-trivial software is developed exclusively in one country by nationals of that country. In the U.S., most software development companies have both offshore development facilities, as well as large numbers of non-US citizens working in the US facilities. Anyone who uses open source, or any of the myriad variations of free software, or any software built on top of those products, is almost certainly using software from countries other than the U.S. In many cases, users may not even be aware that there’s free or open source software embedded in their systems - I believe that Internet Explorer includes some Mosaic code (which I believe was free), and at one point Microsoft’s TCP/IP implementation was based on the BSD (free) reference implementation. (Not to pick on Microsoft; just a few examples.)

    Additionally, very few commercial software companies believe that there is a real risk of intentional backdoor insertion - or at least they’re not worried enough to do anything about it. Companies are certainly worried about theft of intellectual property when they offshore work, but that’s a different concern. Certain government agencies insist that there is a real threat, and that they have proof, but that it’s too classified to share.

    If commercial industry is to treat “foreign” software as a real threat, there needs to be a way to provide believable evidence that the threat exists. Since the government doesn’t want to share the details with the general public, perhaps a way around it is to appoint a blue ribbon panel to review the classified evidence, and release an unclassified report on the level of the threat and suggested countermeasures that could be issued. A panel including respected members of industry and academia could further this government goal, while protecting the secrets the government claims are sensitive.

    I’d be interested in other opinions, and would love to have a round table discussion of this topic at lunch during ACSAC. Any takers?

    Posted in acsac, discussions | 3 Comments »

    New DoD C&A Policy

    July 21st, 2006 by danielf

    I recently learned that, on July 6, 2006, Mr. John Grimes, Chief Information Officer of the DoD, signed a memo establishing new interim guidance for the IA Certification and Accreditation of DoD Systems. This guidance, which was effective immediately, superseded DoD I 5200.40 (DITSCAP) and its application manual, DoDM 8510.1-M. The new approach implements the DIACAP, the DIACAP Scorecard, and the DIACAP Knowledge Services Website (DOD CAC or ECA required). It is interim because the DIACAP is still going through the final signature coordination process. Alas, I cannot find pointers to the new documents online yet, but if you would like a copy of the interim guidance, drop me a note at faigin -at acsac.org.

    Update 2006-07-25: The new Interim Guidance is available at the IASE Site.

    If you would like to learn more about Certification and Accreditation, in particular, the US Government approach, I encourage you to consider the ACSAC tutorial program, which will feature a tutorial on C&A from Ron Ross of NIST. NIST Publication 800-53 is considered by many to be an exemplar set of controls for C&A, and a model towards which many groups are working.

    Posted in us-dod | No Comments »

    Welcome

    July 19th, 2006 by admin

    Welcome to the new ACSA Blog. This blog permits the members of ACSA to share our observations on the world of Computer Security, and to make announcements regarding ACSA-related activities, such as ACSAC and NSPW.

    Posted in administrivia | No Comments »