skip navigation

More signal. Less noise.

Daily briefing.

The cyber world continues to react to Shellshock. Various patches and preventive measures have been released, all of them so far incomplete, but better than nothing. Apple promises a patch to address the Bash bug even as it seeks to reassure OS X users that most of them remain safe. Various web-application firewall and intrusion detection system vendors have updated their products with rules designed to ward off exploitation. Analysts advise taking prompt, prudent action to protect your systems, but recognize that closing this vulnerability will be a labor-intensive process requiring long-term attention to fixes under development.

Shellshock is already being exploited in the wild, with the first reports of malicious activity surfacing within a few hours of the bug's disclosure (AusCERT was among the first to sound warnings). Kaspersky detected reverse-shell exploits, and AlienVault's honeypot picked up two attempts to use the vulnerability to assemble botnets.

BlackEnergy malware, found in attacks against Ukrainian government systems, shows a striking convergence of the political and criminal in its employment. Some observers are calling it "privateering" with Russian attack tools. The Russian government continues to spook its neighbors with a warning to Latvia that it would do well to treat its ethnic Russian minority well. (The Netherlands, at least, draws a public lesson from Russian policy, avowing a Dutch offensive cyber capability as a common-sense military measure.)

Middle Eastern cyber combatants maintain their focus on information operations.

Malvertising rises in the ranks of cyber threats, with some seeing it eclipsing exploit kits.

A note to our readers: We began publishing the CyberWire in September 2012, and today marks our second anniversary. Thanks to all of you for following and subscribing to the CyberWire. Thanks especially for your many supportive emails, tweets, and face-to-face talks. We hope to continue delivering what we promised two years ago: a relevant and intelligently organized daily digest of the critical news happening across the global cyber security domain.

Notes.

Today's issue includes events affecting Australia, Bulgaria, Czech Republic, European Union, Hungary, Iran, Latvia, NATO/OTAN, Netherlands, Romania, Russia, Singapore, Ukraine, United Kingdom, United States.

Cyber Attacks, Threats, and Vulnerabilities

Alert (TA14-268A) GNU Bourne Again Shell (Bash) 'Shellshock' Vulnerability (CVE-2014-6271, CVE-2014-7169) (US-CERT) A critical vulnerability has been reported in the GNU Bourne Again Shell (Bash), the common command-line shell used in most Linux/UNIX operating systems and Apple's Mac OS X. The flaw could allow an attacker to remotely execute shell commands by attaching malicious code in environment variables used by the operating system. The United States Department of Homeland Security (DHS) is releasing this Technical Alert to provide further information about the GNU Bash vulnerability

ESB-2014.1657 — ALERT [UNIX/Linux][Debian] bash: Execute arbitrary code/commands — Remote/unauthenticated (AUSCERT External Security Bulletin Redistribution) AusCERT has received reports that this vulnerability is currently being exploited in the wild. Administrators should patch vulnerable systems as soon as possible

Shellshock and its early adopters (Securelist) Shortly after disclosure of the Bash bug called "Shellshock" we saw the first attempts by criminals to take advantage of this widespread vulnerability also known as CVE-2014-6271

Honeypot Snares Two Bots Exploiting Bash Vulnerability (Threatpost) A honeypot run by researchers at AlienVault Labs has snared two separate pieces of malware attempting to exploit the Bash vulnerability

Hackers Are Already Using the Shellshock Bug to Launch Botnet Attacks (Wired) With a bug as dangerous as the "shellshock" security vulnerability discovered yesterday, it takes less than 24 hours to go from proof-of-concept to pandemic

Bashed and Shellshocked: Early Reports of Exploitation in the Wild (Recorded Future) Lots of IT security teams are at work right now to patch the Shellshock vulnerability (CVE-2014-6271) ASAP — while keeping an eye on their threat intelligence sources for exploitation in the wild. And the reports are coming in

Bash Exploit Reported, First Round of Patches Incomplete (Threatpost) The urgency to patch systems against the Bash zero-day vulnerability has been cranked to 10 after reports of an exploit in the wild have been made public by AusCERT, the Computer Emergency Response Team of Australia. This seems to reflect a similar finding posted by a researcher who goes by the handle Yinette who found a malware sample that points to a bot being distributed by the exploit

What is a specific example of how the shellshock bash bug could be exploited? (Information Security) I read some articles about the shellshock bash bug (CVE-2014-6271 reported Sep 24, 2014) and have a general idea of what the vulnerability is and how it could be exploited. To better understand the implications of the bug, what would be a simple and specific example of an attack scenario that could exploit the bug?

Shellshock — How Bad Can It Get? (TrendLabs Security Intelligence Blog) In the immediate aftermath of the Bash vulnerability known as Shellshock, we have already seen some attacks using it to deliver DDoS malware onto Linux systems. However, given the severity of this vulnerability, it is almost certain that we will see bigger, more severe attacks. What are some of the scenarios we could potentially see?

Update on CVE-2014-6271: Vulnerability in bash (shellshock) (Internet Storm Center) Yesterday, a vulnerability in bash was announced, that was originally found by Stephane Schazelas. The vulnerability allows for arbitrary code execution in bash by setting specific environment variables. Later Travis Ormandy released a second exploit that will work on patched systems. Demonstration that the patch released yesterday is incomplete

Bash Vulnerability Leads to Shellshock: What it is, How it Affects You (TrendLabs Security Intelligence Blog) A serious vulnerability has been found in the Bash command shell, which is commonly used by most Linux distributions. This vulnerability — designated as CVE-2014-7169 — allows an attacker to run commands on an affected system. In short, this allows for remote code execution on servers that run these Linux distributions

GNU Bash Shell Function Definitions OS Commands Injection Vulnerability (Secunia) A vulnerability has been reported in GNU Bash, which can be exploited by malicious people to compromise a vulnerable system

Bash 'shellshock' flaw is serious because fixing it will depend on manual intervention (TechWorld) Comparisons with Heartbleed miss the point. Expecting admins to retrofix security is a recipe for perpetual weakness

In Heartbleed's wake, Bash shell flaw puts Linux, Mac OS users at risk (TechTarget) Experts say a 20-year-old vulnerability uncovered in the Bash shell, found in Unix-based operating systems including Linux and Mac OS, could lead to a dangerous worm outbreak unlike anything seen in more than a decade

What is the Shellshock bug? Is it worse than Heartbleed? (Guardian) Security experts have warned that a serious flaw could be about to affect many of the world's web users. Here's what you should do

'Shellshock' Bug Spells Trouble for Web Security (Krebs On Security) As if consumers weren't already suffering from breach fatigue: Experts warn that attackers are exploiting a critical, newly-disclosed security vulnerability present in countless networks and Web sites that rely on Unix and Linux operating systems. Experts say the flaw, dubbed "Shellshock," is so intertwined with the modern Internet that it could prove challenging to fix, and in the short run is likely to put millions of networks and countless consumer records at risk of compromise

This is how the "Shell Shock" bug imperils the whole Internet (Quartz) It's a hacker's wet dream: a software bug discovered in the practically ubiquitous computer program known as "Bash" makes hundreds of millions of computers susceptible to hijacking. The impact of this bug is likely to be higher than that of the Heartbleed bug, which was exposed in April. The National Vulnerability Database, a US government system which tracks information security flaws, gave the bug the maximum score for "Impact" and "Exploitability," and rated it as simple to exploit

Bash Bug is a critical risk to entire Internet infrastructure (Security Affairs) Bash Bug is a critical flaw remotely Exploitable which affects Linux, Unix and Apple Mac OS X and that is threatening the global Internet infrastructure

Apple knew of iCloud API weakness months before celeb photo leak broke (Ars Technica) Security researcher reported brute force attacks were possible in March

BlackEnergy Malware Linked to Targeted Attacks (Security Week) New research is shining a light on the ongoing evolution of the BlackEnergy malware, which has been spotted recently targeting government institutions in the Ukraine

Russian malware used by 'privateer' hackers against Ukrainian government (Guardian) Attackers were carrying out hits to make money, but were 'co-opted' into carrying out state espionage, say security researchers

Kremlin warns about Russian minorities (Washington Post) As top Kremlin officials have sounded ominous new warnings that they will defend ethnic Russians wherever they live, Latvia, the NATO nation with the highest proportion of Russians, is feeling in the crosshairs

A Deep Dive Into the Ayatollah's Twitter Hate for America (Slate) Iranian President Hassan Rouhani spoke at the U.N. General Assembly today as his country negotiates with the United States over their nuclear program and works to normalize relations with the international community. At a press conference during last year's Assembly, Rouhani attempted to offer the Iranian regime a softer image, hailing the United States as a "great nation" and asking that the two countries "stop the escalation of tensions." The country's actual decision maker, though, is Supreme Leader Ayatollah Ali Khamenei and he has continued to take a hardline

ISIS Videos Employ 'Good Cop, Bad Cop' Approach (NPR) While we are just learning about the Khorasan group, ISIS has been actively spreading its message through propaganda videos. This week it released a second video featuring the British hostage John Cantlie

Anonymous Lashes Out at ISIS, calls them Gangsters and Killers (HackRead) Anonymous, a loose collective of hacktivists, have called Islamic State militants (ISIS) as gangsters who have hijacked Islam and have launched a social media campaign against them, according to reports

Malvertising Could Rival Exploit Kits (Dark Reading) Spate of malvertising campaigns gain steam in recent months, including the Kyle and Stan network, which researchers now believe is nine times bigger than initially estimated

Optimized Mal-Ops: Hack the ads network like a boss (Bromium Labs) In this research we perform an in-depth analysis of malicious web ads with the focus on Flash banners. We investigate various possibilities for an attacker to leverage ad networks to spread malware. Then we showcase that from the attackers perspective ad networks are no different and may be even better than exploit kits and thus it's a viable candidate for the next primary attack vector. And finally we explore how current security technologies are ineffective against attacks propagated through ad networks

Cyber Criminals Using Fake Government E-Mail to Perpetrate Scam (IC3) Cyber criminals posing as Internet Crime Complaint Center (IC3) employees are defrauding the public. The IC3 has received complaints from victims who were receiving e-mails purported to be from the IC3. This advisory informs readers how the scheme works, offers measures to help mitigate the threat, and advises how to report incidents to law enforcement

SMB Employees Targeted With Fake Termination Emails: Bitdefender (SecurityWeek) Bitdefender is warning the employees and IT administrators of small and medium-sized businesses (SMBs) to be on the lookout for fake emails designed to distribute information-stealing malware

Arris Cable Modem Backdoor — I'm a technician, trust me. (Console Cowboys) Vendor backdoors are the worst. Sloppy coding leading to unintentional "bugdoors" is somewhat defendable, but flat out backdoors are always unacceptable

Cyber Thieves Targeting Flower Shops Across Southern California (ABC 7 Los Angeles) Angel Flowers and Gifts in Riverside fell victim to cyber thieves. The business' identity was hijacked, and a website that dupes customers into believing they're ordering from the real flower shop, is in fact stealing their business

Breached Retailers Harden PoS, For Now (Dark Reading) Yet another point-of-sale (POS) breach at a major retail chain, and the victim adds encryption

Home Depot: Could The Impact Of The Data Breach Be Significant? (Forbes) Falling unemployment rates, rising builders' confidence and increasing number of housing starts — all bode well for the U.S. housing industry in the near term. In turn, this trend should benefit the largest home improvement retailer, Home Depot, which depends on consumers who look to buy home improvement goods and services to furbish their newly bought/rented homes. However, in light of the recent news of a massive data breach at the retailer, the expected rise in sales for the retailer in the latter half of the year could be drastically hurt

Security Patches, Mitigations, and Software Updates

Apple to release fix for Bash bug (ComputerWeekly) Apple has confirmed that its Mac OS X operating system is vulnerable to the newly reported Bash bug that experts estimate puts up to 500 million Unix-based computers at risk

'Vast majority' of Mac users safe from Shellshock bash bug, Apple says (C/NET) Apple says users of its OS X operating system are "safe by default" from the new security vulnerability, which has been described as bigger than Heartbleed

iOS 8.0.2 released to fix TouchID, cell network woes on newest iPhones (Ars Technica) Patch notes otherwise resemble those from yesterday's yanked 8.0.1 update

Cyber Trends

The Rise of the Hacker Bounty Hunter (New York Magazine) One night earlier this year, while playing around with a new anonymous-sharing app called Secret, Benjamin Caudill was gripped by a familiar sensation: This thing is not secure

'Bitcoin Jesus' Offers Bounties to Hunt Down Hackers and Thieves (Wired) Roger Ver is so well known for his role in the rise of the world's most popular digital currency that some people call him "The Bitcoin Jesus." That makes him a prime target for hackers. They've stolen his money, and they've broken into his email account. But the Bitcoin Jesus is becoming the Bitcoin Vigilante

Consumers increasingly blame companies for data breaches (Help Net Security) Moving forward, every company involved in a major data breach — those actually attacked, such as retailers Home Depot, Target, Goodwill and Neiman Marcus, as well as banks, healthcare, insurance and Internet Service Providers, etc. — is going to pay an even higher price when customers' information is compromised. In fact, each high-profile hack will take its toll on the executive suite and the bottom line alike, say the results of a poll conducted by HyTrust

Energy IT pros show surprising optimism (Help Net Security) Tripwire announced the results of a survey of 104 attendees at the EnergySec Security Summit in Texas

Malware attack complexity prompts partnerships between enterprises and MSS providers (FierceITSecurity) In response to the growing complexity of malware attacks, managed security service, or MSS, providers are playing a more active role in threat remediation for enterprises in Europe, the Middle East and Africa (EMEA), notes market research firm Frost & Sullivan

Online privacy: It's time for a new security paradigm (FCW) Compounding the challenge is the fact that verifying identity, relationships and authorization typically involves evaluating sensitive and proprietary information about us and our relationships. Often, that information is more sensitive than the content to be accessed

Do we need to 'disrupt' the cybersecurity status quo? (Nextgov) Next Wednesday marks the beginning of the 11th annual Cybersecurity Awareness Month

Businesses, governments value local skills in joint malware fight: BAE SAI (CSO) Establishment and expansion of Australian information-security centres of excellence is becoming increasingly appealing to private and public-sector organisations that are finding them invaluable partners in the race to keep up with malware threats, according to the regional head of cyber security at BAE Systems Applied Intelligence (SAI)

National Security Agency: No risk to Bulgaria's banking system (Standart News) "At the moment no serious risk is facing the banking system," assured National Security Agency director Vladimir Pisanchev after participating in an international conference on information security and data storage in Sofia. "We see no cardinal threat to the banking system in terms of cyber security," he added

Marketplace

Updates and 'bendgates' spell a very bad week for Apple (MicroScope) With Apple being forced to withdraw the iOS 8.0.1 update after widespread reports of it bricking iPhones, it's apparent that 'measure twice, cut once' is not an adage that has ever made it to Cupertino

General Motors appoints its first cybersecurity chief (Reuters) General Motors Co (GM.N) on Tuesday named an engineer to serve as its first cybersecurity chief as the No. 1 U.S. automaker and its rivals come under increasing pressure to better secure their vehicles against hackers

Cyber-Ark Jumps 87% On Nasdaq Debut (Bidness etc.) Cyber-Ark made its public debut on the Nasdaq today, and its shares closed up almost 87% after pricing its IPO at $16 earlier in the day

In-Q-Tel Eyes MemSQL's In-Memory Database for Gov't Agencies (ExecutiveBiz) In-Q-Tel has invested in MemSQL to develop in-memory distributed database for U.S. government applications

Jindal and CSC Officials Break Ground on 800-Job Technology Center in NELA (MyArkLaMiss) Today, Governor Bobby Jindal, CSC executive John DeSimone and local officials broke ground on CSC's 116,000-square-foot, next-generation technology center at the National Cyber Research Park in Bossier City. The project will create 800 new direct jobs over the next four years, as CSC becomes an anchor tenant of the 3,000-acre research park being developed by the Cyber Innovation Center, a not-for-profit research corporation

China Mobile selects Gemalto NFC security tech for Beijing mass transit services (Finextra) Gemalto (Euronext NL0000400653 GTO), the world leader in digital security, has been selected by China Mobile to offer its UpTeq NFC Multi-tenant SIMs to protect consumer credentials used for mobile contactless applications, starting with mass transit services in Beijing

Products, Services, and Solutions

Symantec Unveils Norton Security for Threat Protection (Zacks) IT security provider Symantec Corporation (SYMC - Analyst Report) recently rolled out an enhanced personalized security service product named Norton Security, which is expected to protect consumers across multiple devices

Oxygen Forensic Suite 2014 Adds New Mobile Device Acquisition Methods (Forensic Focus) Oxygen Forensics has updated its flagship mobile evidence discovery solution, Oxygen Forensic Suite 2014, with additional extraction options

FireEye and Mandiant unite to deliver industry's first global security as a service solution with FireEye as a Service (ITWeb) Introduces next-generation threat intelligence suite for deeper insights into cyber attacks

FireEye Introduces New FireEye App for Splunk Enterprise (MarketWatch) FireEye, Inc. FEYE, -3.35% the leader in stopping today's advanced cyber attacks, today announced the new FireEye App for Splunk® Enterprise

Technologies, Techniques, and Standards

What to do about Shellshock Bash bug on Mac OS X, web servers, routers, and more (We Live Security) A serious software vulnerability called the "Bash Bug" or "Shellshock" has just come to light and it affects a wide range of computers and digital devices, many of which will need to be fixed to prevent them leaking information or being taken over by malicious persons. The systems affected include Mac OS X computers, many web servers, and some home networking devices like routers

The BASH Bug and You — Lessons in Providing Patches (Digital Bond) There is a truism in information security, and it is that everything will eventually be found to be vulnerable

New Forensic Subcommittee on Digital Evidence Added to NIST OSAC (Forensic Focus) Digital evidence, one of the fastest growing areas of forensic science, will now have its own subcommittee in the National Institute of Standards and Technology (NIST)-administered Organization of Scientific Area Committees (OSAC). NIST is establishing the OSAC to identify and develop national standards and guidelines for forensic science practitioners to strengthen forensic science in the United States

The New World of Mobile Investigations: Finding Important Evidence in Third-Party Applications (Magnet Forensics) Over the last few years, we have seen a massive shift in the mobile communications market. Smartphones have taken over the world, and mobile users spend the majority of time on their devices emailing, browsing the web, using social media and/or chatting with others using various applications

The FBI's big, bad identification system (CSO) The FBI's formidable Next Generation Identification is up and running

Design and Innovation

Spotlight: Threat Visualizations (Arbor Insight Blog) Research firm Software Advice has published a review of Threat Visualizations. According to the firm, "When deciding which Threat Maps to feature, we were seeking maps that combined innovative designs with informational clarity, so that the viewer could clearly see what attack information was being presented. Visual elegance, interactivity, user friendly qualities, and organization were all also taken into consideration"

Research and Development

Why you're terrible at calculating risk (Quartz) It's a typical afternoon, which means that you're on Facebook instead of doing whatever it is you're supposed to be doing

Academia

Lockheed Martin CEO Outlines Technology Priorities (Lockheed Martin) Lockheed Martin [NYSE: LMT] Chairman, President and Chief Executive Officer Marillyn Hewson shared her vision for the future in a speech to 500 of the Corporation's top engineering, technical and scientific professionals

Leidos Invests $200K in UMd Innovation (InTheCapital) The University of Maryland received a generous donation from a national security, health and engineering solutions company Wednesday. According to the College Park school, Leidos is investing $200,000 to support research, programs, activities and fellowships that help facilitate high-quality education and innovation on campus

Cyber school: The future of protecting your info online (KING 5 News) Why students at The University of Washington see a future in protecting your information and what you can learn from it

Legislation, Policy, and Regulation

Ukraine Pushes for NATO Membership as Gas Talks Commence (Bloomberg) Ukraine kick-started the process to strengthen its ties with NATO and will strive to join the alliance in the "short term," its government said, a day after its president declared the worst of its separatist war was over

Hungary 'indefinitely' turns off gas supplies to Ukraine (Russia Today) Natural gas deliveries to neighboring Ukraine have been halted "indefinitely", said Hungary's prime minister, Viktor Orban, a day after securing a new deal with Russian gas giant Gazprom

Defense Dept. Expands Digital Warfare (Netherlands Times) A special Cyber Command has been established so that the Dutch army may now shut down opponents' computer networks using viruses

Terror laws clear Senate, enabling entire Australian web to be monitored and whistleblowers to be jailed (Sydney Morning Herald) Australian spies will soon have the power to monitor the entire Australian internet with just one warrant, and journalists and whistleblowers will face up to 10 years' jail for disclosing classified information

National Crime Agency to feed UK banks real-time cyber-alerts (TechWorld) Financial Crime Alerts Service to launch in 2015

Business and academia urged to help safeguard Singapore's 'cyber ecosystem' (Out-Law) Singapore's government has called on businesses, public sector bodies and academia to work together to boost cyber security, as "key stakeholders" in strengthening the country's "cyber ecosystem"

Ramping Up Medical Device Cybersecurity (HealthcareInfoSecurity) FDA initiates risk assessment effort

Terror warning: FBI director sweating over Google and Apple privacy (IT Pro Portal) FBI Director James Comey is concerned about the new privacy features on Apple and Google devices, although tech companies are still able to hand over cloud storage data to the police

HRC may shut some personnel systems down, command says (Army Times) The Human Resources Command is working with Army Cyber Command, the Army Network Enterprise Technology Command and the Army G6 (chief information officer) to resolve a "significant and complex" information technology challenge that may result in several key personnel services systems being pulled off line, HRC officials said Thursday morning

Governors Cuomo and Christie Sign Bi-State Memorandum of Understanding to Increase Security for New York and New Jersey (LongIsland[.]com) Shared infrastructure of both states requires coordinated security, communications and intelligence-gathering to protect public safety, assets and commerce

Litigation, Investigation, and Law Enforcement

Yahoo reports a drop in government data requests (IDG via CSO) The amount of personal information held by firms like Google and Facebook has made them ripe targets for data-hungry governments and intelligence agencies. But the bull's-eye on Yahoo's back may be losing its appeal

Health Insurance Marketplaces Generally Protected Personally Identifiable Information but Could Improve Certain Information Security Controls (Office of the Inspector General, US Department of Health and Human Services) This summary report provides an overview of the results of three reviews of the security of certain information technology at the Federal, Kentucky, and New Mexico Health Insurance Marketplaces

Home Depot breach leads to fraudulent transactions, class-action lawsuits (SC Magazine) The retailer's massive breach has spawned multiple lawsuits and reports of fraudulent transactions. In the wake of Home Depot's breach, reports of fraudulent transactions have surfaced on the heels of two class-action lawsuits, one filed in Canada by a consumer and the other filed in Florida on behalf of financial institutions

Law Professor Claims Any Internet Company 'Research' On Users Without Review Board Approval Is Illegal (TechDirt) For many years I've been a huge fan of law professor James Grimmelmann. His legal analysis on various issues is often quite valuable, and I've quoted him more than a few times. However, he's now arguing that the now infamous Facebook happiness experiment and the similarly discussed OkCupid "hook you up with someone you should hate" experiments weren't just unethical, but illegal

And there he stood, with a smoking datum in his hand (Fortune) In the growing field of digital forensics, any device you use can and will be held against you in a court of law

United Kingdom: Four Men Jailed For Carbon Credit Cyber-Heist (hetq) Four British men have been sentenced to jail for aiding the sophisticated theft of US$ 9.4 million worth of EU carbon credits in an international cyber-attack

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

Newly Noted Events

U.S. Army ITA Security Forum (Fort Belvoir, Virginia, USA, October 20, 2014) The U.S. Army Information Technology Agency Security Forum is taking place at the Ft. Belvoir site and will be a one day event focusing on cyber security education and training for the workforce. The...

Upcoming Events

Workshop on Cryptographic Hardware and Embedded Systems 2014 (CHES 2014) (Busan, Korea, September 23 - 26, 2014) The annual CHES workshop highlights new results in the design and analysis of cryptographic hardware and software implementations. CHES provides a valuable connection between the research and cryptographic...

VB2014 (, January 1, 1970) Over its 24-year history, the VB conference has become a major highlight of the IT security calendar, with many of its regular attendees citing it as the security event of the year. The conference provides...

DerbyCon 4.0 (Louisville, Kentucky, USA, September 24 - 28, 2014) Welcome to DerbyCon 4.0 — "Family Rootz". This is the place where security professionals from all over the world come to hang out. DerbyCon 4.0 will be held September 24-28th, 2014. DerbyCon 2013...

BruCON 2014 (Ghent, Belgium, September 25 - 26, 2014) BruCON is an annual security and hacker conference providing two days of an interesting atmosphere for open discussions of critical infosec issues, privacy, information technology and its cultural/technical...

ROOTCON 8 (, January 1, 1970) ROOTCON is the first hacking convention in the Philippines. A hacker conference and not a seminar, training or a workshop. It will feature the following tracks: advanced HTTP header security analysis,...

INTEROP (New York, New York, USA, September 29 - October 3, 2014) Interop returns to New York with practical and visionary conference sessions designed to help you accelerate your career. This year's conference tracks include: Applications, Business of IT, Cloud Connect...

Indianapolis SecureWorld (Indianapolis, Indiana, USA, October 1, 2014) A day of cyber security education. Earn 6-8 CPE credits, network with industry peers, and take advantage of more than thirty educational events. Larry Ponemon, Chairman and Founder of the Ponemon Institute,...

Suits and Spooks New York (, January 1, 1970) Not another hacker conference. Suits and Spooks is a unique gathering of experts, executives, operators, and policymakers who discuss hard challenges in a private setting over two days. Suits and Spooks...

Open Analytics Summit (Dulles, Virginia, USA, October 7, 2014) Open Analytics Summits are for Developers, Engineers, Data Scientists, CMOs, Data Analysts, CTOs, Architects, Brand Managers, and anyone passionate about open source technologies, big data, or data analytics...

MIRcon 2014 (Washington, DC, USA, October 7 - 8, 2014) MIRcon 2014 is the premier information security industry event of the year. The conference is designed to educate innovators and executives battling cyber attackers daily

Cyber Security, Meet Workforce Development (Silver Spring, Maryland, USA, October 8, 2014) Per Scholas convenes leaders in the Nation's Capital to develop a blueprint for building today's entry-level cyber security workforce

Technology & Cyber Security Day (Hill Air Force Base, Utah, October 8, 2014) The Armed Forces Communications & Electronics Association (AFCEA) Wasatch Chapter will once again host the 5th Annual Information Technology & Cyber Security Day at Hill AFB. This annual event is an excellent...

Cyber Security EXPO (, January 1, 1970) Securing information, mobility, cloud, and social interaction for the modern enterprise. Disruptive technologies such as cloud computing, mobile, bring your own device (BYOD) and social media are pushing...

InfoSec 2014 (Kuala Terengganu, Malaysia, October 8 - 10, 2014) You are invited to participate in The International Conference on Information Security and Cyber Forensics (InfoSec 2014) that will be held at Universiti Sultan Zainal Abidin (UniSZA), Kuala Terengganu,...

Hacktivity 2014 (Budapest, Hungary, October 10 - 11, 2014) Official and alternative representatives of the information security profession meet with all those interested in this field in framework which is at the same time informal and informative, and sometimes...

Ruxcon (Melbourne, Australia, October 26 - 27, 2013) Ruxcon is a computer security conference that aims to bring together the best and the brightest security talent within the Aus-Pacific region. The conference is a mixture of live presentations, activities...

Critical Infrastructure Cyber Community (C3) Voluntary Program Meeting (San Diego, California, USA, October 13, 2014) Join stakeholders from across the cyber community to discuss building a cyber risk management program, using DHS resources, and to learn how organizations of all sizes are using the Cybersecurity Framework...

Hack-in-the-Box Malaysia (Kuala Lumpur, Malaysia, October 13 - 16, 2014) HITBSecConf or the Hack In The Box Security Conference is an annual must attend event in the calendars of security researchers and professionals around the world. Held annually in Kuala Lumpur, Malaysia...

FS-ISAC Fall Summit 2014 (Washington, DC, USA, October 13 - 16, 2014) The Financial Services Information Sharing and Analysis Center (FS-ISAC), is a non-profit association comprised of financial institution members, that is dedicated to protecting the global financial services...

CYBERSEC 2014 (, January 1, 1970) CYBERSEC is a 4-day event geared toward helping you achieve your cybersecurity goals. Whether your focus is on cybersecurity management, investigation, defense, or offense we are offering specialty cybersecurity...

Black Hat Europe 2014 (, January 1, 1970) The premier conference on information security returns to the beautiful city of Amsterdam, Netherlands in October, 2014. Professionals from all over the world gather for two days of intense Trainings and...

Denver SecureWorld (Denver, Colorado, USA, October 16, 2014) A day of cyber security education. Earn 6-8 CPE credits, network with industry peers, and take advantage of more than thirty educational events. Over the past decade SecureWorld has emerged as one of North...

TechCrunch Disrupt Europe Hackathon (London, England, UK, October 18 - 19, 2014) For the second year in a row, TechCrunch is jumping across the pond and bringing the iconic Disrupt and our Hackathon to Europe. We're heading your way, London

CSEC 2014 Cyber Security Summit (Kingdom of Bahrain, October 20 - 22, 2014) At the Inaugural Cyber Security Summit 2014, you will have the opportunity to seek ways to reset your IT security and risk strategy for success; stay relevant as IT security and risk are redefined; implement...

2014 ICS Cyber Security Conference (, January 1, 1970) The 14th ICS Cyber Security Conference (sometimes known as "Weisscon") will be held October 20-23, 2014 at Georgia Tech in Atlanta, GA. Cyber Security is becoming a critical infrastructure issue with implications...

Cyber Security Summit 2014 (, January 1, 1970) Cyber security breaches have a profound impact on all areas of society. Join the discussion at Cyber Security Summit 2014. For two days, leaders from the public and private sectors meet to identify cyber...

Collaborative Approaches for Medical Device and Healthcare Cybersecurity; Public Workshop (Arlington, Virginia, USA, October 21 - 22, 2014) The Food and Drug Administration (FDA) is announcing the following public workshop entitled "Collaborative Approaches for Medical Device and Healthcare Cybersecurity." FDA, in collaboration with other...

ISSA International Conference (Orlando, Florida, USA, October 22 - 23, 2014) Join us for solution oriented, proactive and innovative sessions focused on security as a vital part of the business.

Hack.lu 2014 (Dommeldange, Luxembourg, October 21 - 24, 2014) Hack.lu is an open convention/conference where people can discuss about computer security, privacy, information technology and its cultural/technical implication on society

ToorCon San Diego (San Diego, California, USA, October 22 - 26, 2014) For hackers like you, because what could possibly go wrong?

FOCUS 14: Empowering the Connected World (Las Vegas, Nevada, USA, October 26 - 27, 2014) FOCUS will offer you a unique opportunity to learn directly from other McAfee users. Hear real-world scenarios from McAfee customers and learn how they maintain the highest standards of security while...

Dallas SecureWorld (Dallas, Texas, USA, October 29 - 30, 2014) Offering two days of cyber security education. Earn 12-16 CPE credits, network with industry peers, and take advantage of more than sixty educational events. Over the past decade SecureWorld has emerged...

CyberMaryland 2014 (Baltimore, Maryland, USA, October 29 - 30, 2014) Entrepreneurs, investors, academia and government will convene in Maryland — the nation's epicenter for cybersecurity for the fourth annual CyberMaryland Conference.

Cyber Job Fair (Baltimore, Maryland, USA, October 29, 2014) ClearedJobs.Net is partnering with CyberMaryland to present the Cyber Job Fair at the CyberMaryland 2014 conference. The Cyber Job Fair is a hiring event for cleared and non-cleared cybersecurity professionals...

ekoparty Security Conference 10th edition (Buenos Aires, Argentina, October 29 - 31, 2014) ekoparty — Electronic Knock Out Party — Security Conference, is a one of a kind event in South America; an annual security conference held in Buenos Aires, where security specialists from all over Latin...

Cyber Risk Summit (Washington, DC, USA, May 22, 2014) This one-day leadership conference will provide a discussion forum for business executives, insurance companies and policymakers on more effective private and public responses to cyber risk management.

Senior Executive Cyber Security Conference (Baltimore, Maryland, USA, October 30 - November 1, 2014) North Star Group, LLC and the Johns Hopkins University's Whiting School of Engineering and Information Security Institute sponsor this senior executive focused cyber security conference.This event is designed...

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.