The CyberWire Daily Briefing for 10.18.2012
Iranian hackers continue their DDoS campaign against US banks: BB&T is the latest victim. MiniFlame, apparently a Western espionage tool (InformationWeek thinks it's a US "cyberweapon") was discovered by accident during an investigation of a Flame command-and-control server, which leads observers to wonder how much other espionage malware is out there. (Flame watches Middle Eastern targets, they observe. What's watching North Korea?)
Rapid7 discovers a zero-day information disclosure vulnerability in Novell ZENWorks. Microsoft finds Nitol botnet code in Chinese free malware sites. Researchers demonstrate that pacemakers can be hacked to deliver lethal shocks, and analysts agree that the state of medical device security is "not encouraging."
Adobe and Apple both issue security upgrades.
Gartner predicts that Big Data will drive $232B in IT spending through 2016. Cyber Security Hall of Famer Whitfield Diffie offers the contrarian opinion that a degree of crime is good for the Internet. (He also likens security to reliability: neither is likely to be built in from the bottom up.)
Recent official concern over cyber security should make stock markets bullish on cyber equities, but instead a soft European market and US budget uncertainty have dragged share prices lower. The White House appears to have cleared Huawei of espionage, but concerns about that company and ZTE persist.
Canada's Harper government announces plans to double cyber security spending. Northrop Grumman opens a cyber range in Australia. Australia considers mandating breach disclosure. The Netherlands debates new cyber crime legislation. Volokh conspiracy blawgers wrap up their discussion of active defense.
Notes.
Today's issue includes events affecting Australia, Brazil, Canada, China, Georgia, Germany, Greece, India, Iran, Japan, Lebanon, Netherlands, North Korea, Palestinian Territories, Qatar, Russia, Saudi Arabia, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Iran Renews Internet Attacks On U.S. Banks (Wall Street Journal) Iranian hackers renewed a campaign of cyberattacks against U.S. banks this week, targeting Capital One Financial Corp. and BB&T Corp. and openly defying U.S. warnings to halt, U.S. officials and others involved in the investigation into the attacks said
7 MiniFlame Facts: How Much Espionage Malware Lurks? (InformationWeek) Just how much cyber-espionage malware is currently at large, and who does it target? Kaspersky Lab Monday revealed that in September 2012, its researchers discovered that a mysterious piece of code connected to the Flame malware, which they
Information Disclosure Zero-Day Discovered in Novell ZENworks (Threatpost) A zero-day vulnerability in Novell ZENworks Asset Management Software 7.5 gives access to any files with system privileges and could also allow an attacker to grab configuration parameters, including the backend credentials in clear text, according to Rapid7 exploit developer Juan Vazquez who discovered the vulnerability and wrote an exploit module for Metasploit
Nitol Botnet Shares Code with Other China-Based DDoS Malware (Threatpost) Microsoft has learned that much of the code used by the Nitol malware family is copied from free malware resources hosted on Chinese websites. Microsoft posted portions of the code online this week where similar lines used for denial of service attack functionality are present in Nitol and on the sites in question
Hacked Pacemakers Could Send Deadly Shocks (TechCrunch) The next frontier of computer hacking could be lifesaving medical devices: at a recent developer conference, a pacemaker was wirelessly hacked to send deadly 830 volt shocks
Medical Device Security in Need of Major Upgrade (Threatpost) Security researchers and hackers have spent the last 20 years or so tearing apart all manner of software and hardware, looking for vulnerabilities, attack vectors and bugs, and the advent of embedded and implantable devices has now drawn their attention to this new class of targets. Medical devices, both implantable and external, have become the subjects of quite a lot of research lately, and the results are not encouraging
Could Hackers Change Our Election Results? (Dark Reading) Many of the same vulnerabilities exist in electronic voting systems as the last time we elected a president, and new ones abound that could put voter databases at risk and undermine civic confidence
O2 drops Ericsson after outage (ComputerWeekly) O2 has blamed software provided by Ericsson for the outages its network suffered both last week and in July.
Security Patches, Mitigations, and Software Updates
Adobe Extends Security of Reader and Acrobat With Better Sandbox, Force ASLR (Threatpost) Adobe has upgraded the security capabilities of both Reader and Acrobat with new releases this week, extending the functionality of the sandbox and adding a feature that forces all of the DLLs loaded by the applications to use ASLR, regardless of whether they originally were compiled with ASLR enabled
Apple gets aggressive - latest OS X Java security update rips out browser support (Naked Security) Oracle patches Java, then Apple issues its own updates. You can never be quite sure how long that's going to take. This month, it all happened pretty quickly - and Apple took the opportunity to kick Java out of your browser at the same time
Apple resumes User Tracking with iOS 6. Here's how to disable it (Naked Security) Apple was eager to promote the many new features in iOS 6, but avoided mention of one: IFA - or identifier for advertisers - the company's newest device tracking technology
Cyber Trends
Akamai Releases Second Quarter 2012 'State Of The Internet' Report (Dark Reading) Akamai observed attack traffic from 188 unique countries/regions during the second quarter of 2012
Big Data To Drive $232 Billion In IT Spending Through 2016 (TechCrunch) Big data will drive $232 billion in spending through 2016. It will directly or indirectly drive $96 billion of worldwide IT spending in 2012, and is forecast to drive $120 billion of IT spending in 2013
Don't secure the internet, it needs crime: Diffie (ZDNet) While many people see securing the internet as a means to stopping cybercrime, former vice president for information security and cryptography at the Internet Corporation for Assigned Names and Numbers (ICANN) Whitfield Diffie thinks that internet
Sick crazies on the web: boringly nice people don't become infamous trolls (Telegraph) "I'm a boringly nice person IRL." That three letter abbreviation, which stands for "in real life", is the cause of a lot of internet problems. It establishes a distinction between the Wild West of the web and the real world with its real laws and real consequences
Marketplace
IT Pay Raises to Be Almost Twice National Average (ERE) Salaries for tech workers in the U.S. will rise almost twice the national average in 2013 — some will increase even more, up to 12 percent — a symptom of how competitive the competition for talent has become
Insecurity at Internet Security Firms (CHKP, FTNT, FIRE, PANW, IBM, INTC) (24/7 Wall Street) Internet security providers Check Point Software Technologies Ltd. (NASDAQ: CHKP) and Fortinet Inc. (NASDAQ: FTNT) both reported weaker than expected results for the third quarter and both lowered fourth quarter forecasts. Another competitor, Sourcefire Inc. (NASDAQ: FIRE) is falling just as far and just as fast in sympathy
The Warships of Silicon Valley (Wired Business) The giants of the technology world; Google, Amazon, Apple, Facebook, and Microsoft; are locked in a host of epic struggles
Canada To Beef Up Its Cyber Defenses (Wall Street Journal) Canada said it will more than double spending on defense against cyberattacks, amid heightened global worries over cyber warfare
Northrop Grumman to Build Cyber Test Range in Australia (Sacramento Bee) Range will help Australian military develop, test and evaluate integrated cyber technologies
Former Defense Official Calls Congressional Paralysis A Threat (GovExec.com) In an event at The George Washington University's Elliott School of International Affairs, Michele Flournoy, the undersecretary of Defense for policy from 2009 to 2012, said that Congress' inability to pass a budget and set long term policy goals was detrimental to the government, especially in an incredibly complex and dynamic security environment worldwide
Web content management diminishing in importance, says GSA official (Fierce Government IT) The White House's digital government strategy directs agencies to streamline their backend web content management systems and create application programming interfaces, or APIs, for their content. But crafting APIs is far more important than focusing on web platforms, said Gray Brooks, API strategist at the General Services Administration's digital services innovation center
IC runs apps acquisition pilot (Fierce Government IT) The intelligence community is running an acquisition pilot under which qualified apps or widget developers can submit their code to a marketplace and be paid a nominal fee--but if the application's uptake is significant, be paid what it would have cost the federal government to otherwise purchase it, said Dawn Meyerriecks, assistant director of national intelligence for acquisition, technology and facilities
Google's CIO Dilemma (InformationWeek) CIOs are torn between wanting to back a company that represents the future and needing predictability. Google execs must now ask CIOs the right questions--and be prepared for stubborn answers
Enterprise Hunger For Custom Apps Equals Developer Jobs (InformationWeek) IT job hunters, it's a good time to be an application developer. Thanks in part to BYOD, the demand for custom enterprise apps is booming
What Huawei, ZTE Must Do To Regain Trust (InformationWeek) The U.S. is not the only country scrutinizing the security of Chinese-made telecom equipment from Huawei and ZTE. Without major changes, significant contracts are at risk
SAIC Awarded $18 Million Task Order By Defense Information Systems (Stockhouse) Under the contract, SAIC will provide strategic C3 system engineering and technical ... the intelligence community, the US Department of Homeland Security
CACI Awarded Prime Contract on $7 Billion Multiple-Award Program to Support U.S. Army Communications-Electronics Command (MarketWatch) New Work Will Upgrade Software Used In-Theatre and in Business and Enterprise Areas
NJVC Realigns, Promotes Programs Lead Michael Carr to CTO (Govconwire) NJVC has promoted Michael Carr, formerly acting chief technology officer and senior vice president of programs, to the CTO position on a permanent basis, the company announced Wednesday
QinetiQ Names TASC, GDIT Vet Bruce Feldman National Systems SVP (Govconwire) Qinetiq North America has appointed Bruce Feldman senior vice president for the national systems sector within the mission and information solutions operating unit, the company announced Monday. He will manage service delivery and technology development for contracts with both intelligence and defense customers
Google opens data center Kimono: Why cloud players will follow (ZDNet) Google and Facebook are opening up about their data centers. Why? It's the best asset to earn trust as a steward of your data. Web giants are throwing the doors open to their data centers in a move that would look bizarre in most industries. This go round it's Google, which is showing off its Lenoir, NC data center
Products, Services, and Solutions
Product Watch: New Fortinet Tools Help Enforce Policy By Device, Reputation (Dark Reading) FortiOS 5.0 enables enterprises to restrict user access based on behavior, device ownership
Android APK 4.2 teardown shows Google getting serious about security (Ars Technica) New features might include VPN lockdown, SELinux, and SMS confirmation
Ubuntu 12.10 "Quantal Quetzal" takes flight with a bag full of Juju (Ars Technica) Ubuntu kicks off a new two-year cycle with fancy enterprise features
IBM claims first with Hadoop data security suite (The Register) IBM is launching what it claims is the first data security system for Hadoop, as part of its biggest product rollout of security software and services yet seen from the company. Big Blue's not the highest profile security firm, but it has been buying in a lot of talent over the last three years and last year grouped staff and resources around a dedicated security unit. That team has now released a raft of new and updated products as part of a drive to make the company something for everything, from the datacenter to the mobile
McAfee Launches New Data Center Security Suites (Dark Reading) Suites offer combination of whitelisting, blacklisting, and virtualization technologies for protecting servers and virtual desktops
Secure64 Releases Enhanced Version Of DNS Management Software (Dark Reading) New capabilities unify management of entire Secure64 DNS product suite from a single application
Seagate unveils three new enterprise-class HDDs (Help Net Security) Seagate announced three new enterprise-class hard disk drives optimized for traditional data centers and emerging cloud infrastructures. Perfect for cloud bulk data storage, the Seagate Enterprise
Cloud-based document security from SealPath (Help Net Security) SealPath launched its cloud-based software solution for Professionals and Enterprise users. Using SealPath technology, documents containing sensitive business information are encrypted before they are
Cloud security application uses electronic fingerprint (Help Net Security) Intrinsic-ID launched Saturnus, an application that allows users to protect data with their mobile devices before sending it to the cloud. It is the first application that offers security based on the
Cisco and Citrix partner on networking and cloud (Help Net Security) Cisco and Citrix announced an expansion of their desktop virtualization partnership into three strategic areas: cloud networking, cloud orchestration, and mobile workstyles
Mandiant unveils cloud-based network monitoring service (Help Net Security) Mandiant announced Mandiant Cloud Alert, a subscription-based service which requires no hardware or software installation. It helps organizations pinpoint compromise in their network environments
Thales Intros World's Fastest Elliptic Curve HSMs (Dark Reading) "As the use of cryptography becomes a mainstream approach to protecting critical systems and valuable data, there is a requirement for algorithms that address the needs of important new markets. The rise of the smartphone and the emergence of
Adobe Reader and Acrobat get another layer of security (Ars Technica) Adobe announced new security features this week for its Reader and Acrobat XI products, including enhanced sandboxing, Force ASLR, PDF whitelisting, and Elliptic Curve Cryptography. In addition to a number of new features enhancing Reader's and
Facebook Just Launched Its Next Billion-Dollar Business (Business Insider) For months, Facebook has been testing a new kind of ad on mobile devices--ads for other apps. Now it's officially launched the app-ad program to all developers
Malicious links: Facebook reinforces its service via third parties (Generation NT) These are Avast!, AVG, Avira, Kaspersky Lab, Panda Security, Total Defense and Webroot. From the AV Marketplace, users can download an antimalware
Microsoft says Surface screen outperforms iPad Retina display (Apple Insider) By Neil Hughes. Even though Microsoft's new Surface has a lower resolution screen than the Retina display on the new iPad, one Microsoft engineer has argued that the Surface offers superior
Windows 8 leaves users 'dazed and confused' (BGR) Windows 8 Resistance. There's no doubt about it that Microsoft's (MSFT) upcoming Windows 8 is a huge upgrade. Gone is the Start menu and in its place is a Windows Phone-inspired Start screen populated with flat and colorful tiles for launching applications
Cisco Takes On VMware With OpenStack Cloud Tools (InformationWeek) Cisco Edition of OpenStack aims to simplify private cloud deployments and offers an open-source alternative to VMware's cloud software
SAP Launches Cloud Platform Built On Hana (InformationWeek) SAP's in-memory technology is the differentiator for application services and database services that will take on Oracle and Salesforce.com in the cloud
Technologies, Techniques, and Standards
Cyber Security Awareness Month - Day 17 - A Standard for Risk Management - ISO 27005 (Internet Storm Center) A word that I'm hearing a lot these days from clients is "Risk". And yes, it has a capital R. Every time. Folks tend to think of any risk as unacceptable to the business. Every change control form nowadays has Risk Assessment and Risk Remediation sections, and any issue that crops up that wasn't anticipated now becomes a process failure that needs to be addressed
Electric Sector Security Metrics Motherload (Smart Grid Security) Not all are technical metrics, nor are they all technically, metrics. But in the space of just a few months this summer, North American electric utility executives and their security leadership have seen a spate of new guidance documents published that intend to help them manage, monitor, and measure the effectiveness of their cyber risk mitigation strategies and controls. Where once there was just the cross-sector ISO 27000 series to steer your security course by (or for Federal folks, FISMA), there are suddenly a near handful of freshly minted how-to manuals at their disposal
How to comply with updated NIST incident response guidelines (TechTarget) Incident Handling Guide (SP 800-61) [PDF]. This third revision offers guidance on issues that have arisen since the last release in March 2008 with an emphasis on addressing new technologies and attack vectors, changing the prioritization criteria for incident response and facilitating information sharing. In this tip, we examine these major changes and discuss how to integrate them into a security and compliance program
Ask The Experts: Favorite Security Tools (infosec island) I'm in the risk management area of information security; I don't know enough about technical information security tools to give an informed opinion about them. However, my favorite information security tool is the Consensus Audit Group's Twenty Critical Security Controls for Effective Cyber Defense (which is very similar to MicroSolved's own 80/20 Rule of Information Security). The CAG, as I call it, gives me as a risk manager clearer, more proactive, and detailed information security guidance than any of the other standards such as the ISO or NIST
Time to rethink network management (Help Net Security) The acceleration in data speeds and volumes in telecom networks is increasing the need for real-time network management solutions, according to Napatech. Network probes have been identified
The Secure Operating System Equation (Dark Reading) Many experts like the idea of a purpose-built, secure operating system. It's just that adopting one is not so straightforward, even if it's specifically for security-strapped SCADA systems. Hardened, secure operating systems for sensitive computing environments are nothing new. Trustix, SELinux, Sidewinder SecureOS, and Green Hills Integrity are among many secure OSes, some that have survived for niche environments and others that have faded into obscurity
How One Midsize Bank Protects Against Hacks (InformationWeek) In light of ongoing hacktivist attacks on major banks, Lake Trust Credit Union information security pro shares insights on how a smaller bank stays secure without too-big-to-fail resources
Design and Innovation
FireEye Earns JPMorgan Chase Hall of Innovation Award (Equities.com) FireEye, Inc., the leader in stopping advanced cyber attacks, today announced that it was inducted into the JPMorgan Chase Hall of Innovation. FireEye received the award for helping protect JPMorgan Chase
Research and Development
Duncan Watts: From Sociology to Social Network (IEEE Spectrum) Everything changed for an Ivy League professor when he reinvestigated the "six degrees of separation"
What's Wrong With Common Sense (IEEE Spectrum) A "Techwise Conversation" with social network theorist Duncan Watts
Academia
UIT promotes cybersecurity on campus this month (Tufts Daily) In light of increased global awareness about the importance of password security on smartphones and tablets, UIT has declared mobile passwords its focus for the Department of Homeland Security's National Cyber Security Awareness month. Theft of cell
UMBC to launch Cyber Scholars program with $1M Northrop Grumman gift (Bizjournals.com) University of Maryland, Baltimore County is creating a "Cyber Scholars" program with a $1 million grant from the Northrop Grumman Foundation. Beginning in 2013, the program will award scholarships, internships and opportunities for advanced research to
UW Tacoma forging jobs, training links in cyber security (Business Examiner) Cyber security is an industry ripe for growth in the South Sound – and one with zero current unemployment here, according to the University of Washington Center for Information Assurance and Cyber Security. Thus, the UW Tacoma campus is combining its
The FBI's "Cyber Surf Island" game aims to promote internet safety amongst students (Naked Security) Do you remember Dewey the Turtle? The US Federal Trade Commission's online safety mascot? Of course you don't. Nobody does. He dropped on the scene in 2002 to tell us all to watch out for spam and viruses, then tucked inside his shell in 2005, never to be heard from again
Lockheed Martin and Tech Council of Maryland Host Maryland High Schools (Sacramento Bee) "As a hub of America's intelligence and cyber security sectors, Maryland has the capacity to kick start our regional and national economies with quality jobs that keep us safer and more secure," said Sen. Cardin. "I applaud Lockheed Martin for the
Legislation, Policy, and Regulation
Australia Might Introduce Mandatory Data Breach Notification Laws (Softpedia) Who should be notified in case of a data breach? Customers, authorities or both? That's one of the questions Australian authorities are hoping to answer before issuing new data breach notification laws
Dutch Govt Expresses Intent To Draft New Cybercrime Legislation (infosec island) On October 15th 2012, the Dutch Minister of Security & Justice (Ivo Opstelten) sent this letter (.pdf in Dutch) to the Dutch parliament expressing intentions to draft new cybercrime legislation in the Netherlands. Below is my Dutch-to-English translation of the entire letter
India Cyber Security: Need For More Robust Approach - Analysis (Eurasia Review) Even as cyber wars have become a reality across the globe, India's security czars have issued a report on Recommendations of the Joint Working Group (JWG) on Engagement with Private Sector on Cyber Security. The pork-barreled Report, which appears to be designed to benefit the large Information Technology sector in the country, has a narrow focus, that of convergence in public and private sector on cyber security. The motive is laudable yet the proposals appear to be too infirm to facilitate development of capabilities in meeting the challenges in the cyber domain in real time
Sen. Rockefeller asks Fortune 500 CEOs for cybersecurity best practices (Homeland Security Newswire) Last month, Senator Jay Rockefeller (D-West Virginia) sent a letter to the CEOs of Fortune 500 companies asking them what cybersecurity practices they have adopted, how these practices were adopted, who developed them, and when they were developed. Many saw Rockefeller's letter as an admission that the Obama administration does not have a basis for trying to impose cybersecurity practices on the private sector through the Cybersecurity Act of 2012. When the act failed to get through the House in early August, the Obama administration said it would consider an executive order to mandate the main clauses in the stalled act, but this has not happened yet
Measured Response to a Limited Threat (New York Times) Federal regulation will only crowd out innovation. The fact is that there is no evidence that anyone has ever died as a result of a cyber attack. And the evidence of cyber attacks causing physical destruction is limited to very subtle and targeted
The Cybersecurity debate (FederalNewsRadio.com) The nation's critical infrastructure needs to be improved to ward off a potential catastrophic cyber attack but the Cybersecurity Act of 2012 is stalled in Congress. What are the President's next steps and how much will this cost? Financial Analyst
Holes in US cyber security (Los Angeles Times) Any business that complied with these practices would have been immune to punitive damages if customers sued them in the event of a successful cyber attack, which is a sensible incentive to participate. Business groups are backing a bipartisan House
Wheeler: ITAR typically no barrier to releasing government open source code (Fierce Government IT) Export control regulations shouldn't necessarily be an obstacle to the release of unclassified government open source code, said David Wheeler, a research staff member of the Institute for Defense Analyses. He spoke Oct. 15 during the Mil-OSS WG4 conference in Arlington
Litigation, Investigation, and Law Enforcement
Twitter Uses Country-Specific Blocking Powers For The First Time To Restrict Neo-Nazi Account In Germany (TechCrunch) Twitter has used country-by-country blocking powers for the first time to restrict access to a neo-Nazi Twitter account in Germany at the request of local authorities. The move was spotted by the FT, which also flagged up two tweets from Twitter's general counsel, Alex Macgillivray confirming both the request to close the account and the fact that Twitter had acted on the request
Chinese cyber-criminals caught laundering $48 mln through online games (Cyberwarzone) In China's largest ever cybercrime bust, the authorities have nabbed a gang suspected of defrauding small-business owners of around 300 million (about $48 million)…The cyber-criminals contacted their victims through Chinese instant-messaging service QQ, where they offered naive users a link to a deal they couldn't refuse
Cyber crime can strangle your business, not just your IT (Cyberwarzone) A conference on the rising threat of cyber attacks emphasised the need for businesses to do more than merely comply with rules. At RSA's Europe conference 2012 in London last week, the information security sector made a case for appropriating the old line about not knowing which 50 per cent of spending is wasted. In keynotes and executive briefings, RSA executives kept returning to the theme that too many businesses invest in the wrong areas of security. For some, dealing with the issue has simply become a box-ticking exercise that owes more to regulatory compliance than addressing actual threats
Apple Vs Samsung: U.K. Appeal Court Upholds 'Galaxy Tab Not Cool Enough To Copy iPad' Ruling (TechCrunch) Apple has lost an appeal against a ruling in a U.K. High Court that Samsung's Galaxy Tab does not infringe the iPad's design. The original ruling by Judge Colin Birss said Samsung's tablets were not cool enough to be confused with Apple's because they lacked the "extreme simplicity" of the iPad. That ruling has now been upheld by the Court of Appeal
The Big Chill: How Obama Is Operating in Unprecedented Secrecy (Huffington Post) Prosecutors had filed 10 felony charges against Thomas Drake, a National Security Agency (NSA) whistleblower who allegedly provided classified information about mismanagement at the NSA to a Baltimore Sun reporter. But days before the trial was to
Obama Pursuing Leakers Sends Warning to Whistle-Blowers (Businessweek) "They want to destroy you personally," said Thomas Drake, a senior National Security Agency employee prosecuted in 2010 by Obama's Justice Department under the Espionage Act. The message to government workers seeking to expose waste, fraud and
White House Review Finds No Evidence Of Spying By Huawei: Sources (Reuters) A White House-ordered review of security risks posed by suppliers to U.S. telecommunications companies found no clear evidence that Huawei Technologies Ltd had spied for China, two people familiar with the probe told Reuters
The Legality of Counterhacking: Baker's Last Post (Volokh Conspiracy) Now the debate with Orin is actually getting somewhere. Sort of. Here's a scorecard: 1. Does authorization depend exclusively on ownership? Orin's latest post does a good job of showing that the CFAA often draws a coherent distinction between rights in data and rights in a computer, and that rights in the computer are the statute's principal focus. I don't disagree
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
Anatomy of an Attack (New York, New York, Nov 15, 2012) Join Sophos security experts in exploring how threats like malware, Trojans, worms and spyware actually work and what you can do to protect your company, even if you're on a tight budget.
ZeroNights (Moscow, Russia, Nov 19 - 20, 2012) ZeroNights is an international conference dedicated to the technical side of information security. The mission of the conference is to disseminate information about new attack methods, threats and defense tools. Another purpose is to create a communication venue for skilled professionals in the field of information security.
Passwords^12 (venue and date not listed) Passwords^12 is a 3-day conference only about passwords & PIN codes. With an "all-star" cast of speakers, including Joan Daemen (AES/SHA3), Jens Steube (alias "atom", hashcat author), Colin Percival (CSO FreeBSD, inventor of scrypt), Simon Marechal (John the Ripper co-developer), Frank Stajano (Cambridge) and many more, this will be the premier event for everything and anything related to password security. Passwords^12 is the first and only conference of its kind, bringing together academic institutions, researchers and security professionals from around the world. It's a not-for-profit and non-commercial conference. No sales personnel, no marketing managers and deep technical talks.
BayThreat (Sunnyvale, California, Dec 7 - 8, 2012) The theme for BayThreat is a new spin on the dichotomy of attacking and defending in information security. We're calling out all of the attackers and defenders that are on the front lines of the battle.
25th Annual FIRST Conference (Bangkok, Thailand, Jun 16 - 21, 2013) The annual FIRST conference provides a setting for conference participants to attend a wide range of presentations delivered by leading experts in both the CSIRT field and from the global security community.