The CyberWire Daily Briefing for 6.13.2014
Anonymous having gone quiet for the moment, World Cup cyber action falls into three categories: attempts against gaming sites (mostly denial-of-service extortion), malicious fútbol-baited mobile apps (particularly targeting Android devices), and the customary phishing scams.
Card data apparently stolen from restaurant chain P.F. Chang's have turned up for sale on black market stall rescator[dot]so, the same place the fruits of the Target breach were shopped. The P.F. Chang caper remains under investigation, and it's too soon to draw many parallels with Target, Neiman Marcus, and Sally Beauty, but rescator's involvement shows the persistence of black market actors.
POSCLOUD malware is currently scraping small business point-of-sale systems.
Feedly remains under denial-of-service attack as it refuses to pay off the extortionists responsible. The US Federal Communications Commission has denied it suffered a denial-of-service attack, but Naked Security offers reason to think that in fact the Commission was DDoSed in response to a comedian's viral net neutrality rant.
"Maple," a Zeus variant, is circulating through Canadian banking customers. The Zeus framework is proving highly adaptable, and affords an interesting if dismal case study of malware evolution.
VMware patches products against OpenSSL bugs. Recent Google Play permission changes are coldly received.
FireEye notes that mergers and acquisitions predictably raise the cyber risk of the businesses involved.
In product and industry news, companies work toward increasingly automated security solutions and superior encryption products. Aggressive red-teaming and penetration testing also gain respect (especially in the US Department of Defense).
Emerging NIST standards address supply-chain cyber risk.
Today's issue includes events affecting Austria, Bahamas, Belgium, Brazil, Canada, China, Colombia, Japan, Republic of Korea, Netherlands, Singapore, Switzerland, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Fake, malicious World Cup-themed apps targeting Android users (Help Net Security) The 2014 FIFA World Cup in Brazil starts today, and Trend Micro researchers have pointed out yet another thing that fans need to be careful about: fake and malicious versions of World Cup-themed apps
World Cup Attracts Online Betting Cyber Attackers (Online-Casinos) The world of the internet and online gambling is ripe for cyber attack as was recently witnessed by Cloud-based security service Incapsula. The attack designed to blackmail gaming providers was experienced by Incapsula which the firm says is becoming more common. The 100 gigabits per second distributed denial-of-service attack against an online gambling website client of Incapsula utilized more than five DDoS attack vectors
Online Extortion Rears its Head Prior to World Cup (Online-Casino) An advanced cyberattack was prevented at an online gambling website recently. Cloud-based security service Incapsula has fought off what is becoming an increasingly common cyber attack tactic designed to blackmail gaming providers. The 100 gigabits per second (Gbps) distributed denial-of-service (DDoS) attack against an online gambling website client of Incapsula utilized more than five DDoS attack vectors. Vectors used in the attack included a SYN flood, Large SYN flood, NTP amplification, DNS flood, and DNS amplification
Watch Out For Fake Versions of World Cup 2014 Apps (TrendLabs Security Intelligence Blog) The 2014 FIFA World Cup in Brazil is all but underway, and the fervor of such a prestigious and newsworthy event is already setting competing nations' populations on fire. Unfortunately, cybercriminals are getting into the mood too
Don't be a World Cup loser online: give football cyber-scammers the boot (The Guardian) Watch out for soccer-themed cybercrime, from phishing emails to malware-toting Cristiano Ronaldo websites
Small businesses running cloud-based POS software hit with unique 'POSCLOUD' malware (SC Magazine) Attackers developed 'POSCLOUD' malware to compromise cloud-based POS systems used by small businesses. Unique malware targeting cloud-based point-of-sale (POS) software has been discovered by researchers with cyber intelligence company IntelCrawler
Banks: Credit Card Breach at P.F. Chang's (Krebs on Security) Nationwide chain P.F. Chang's China Bistro said today that it is investigating claims of a data breach involving credit and debit card data reportedly stolen from restaurant locations nationwide
P.F. Chang's Breach: Link to Target? (GovInfoSecurity) Restaurant chain P.F. Chang's China Bistro continues to investigate an apparent payments breach and subsequent payment card fraud. But several security experts and cyber-intelligence researchers say they believe the chain suffered a malware attack similar to those that compromised the point-of-sale networks of U.S. retailers Target Corp., Neiman Marcus and Sally Beauty Holdings Corp. Other experts, however, say it's too soon to tell what the cause of the latest breach was, and whether it was linked to any previous breaches
A welcomed response, PF Chang's (Internet Storm Center) Krebs is running a story about the recent data breach that has happened to restaurant chain PF Chang's. As it so happens we decided to have lunch there today and I polled one of the managers if she had been briefed on the breach. She had been informed
Feedly reels from second DDoS attack, refuses to pay extortion money (FierceITSecurity) RSS reader Feedly is reeling from a second distributed denial of service attack and has been forced to shut down its service, the firm said in a blog
FCC DoSed into silence as John Oliver roused net neutrality trolls (Naked Security) Around about minute 11:05 of comedian John Oliver's viral, epic rant about net neutrality, he invites trolls to do what they do best: channel "that anger, that badly spelled bile", at the Federal Communications Commission (FCC) site's comments section
Zeus variant 'Maple' targets financial data of Canadian users (SC Magazine) A new Zeus variant called "Maple" improves upon a number of malicious capabilities familiar to fraudsters wielding the trojan
Versatility of Zeus Framework Encourages Criminal Innovation (Threatpost) A new report on the Zeus trojan's evolution shows that the malware has moved from harvesting online banking credentials to controlling botnets and launching distributed denial of service attacks, and attributes the evolution to the highly customized and incredibly versatile framework Zeus is today
Banking malware using Windows to block anti-malware apps (Ars Technica) BKDR_VAWTRAK is using Software Restriction Policies to restrict security software
Aviva mobile phones hit by third-party cyber attack (Post Online) Hundreds of Aviva staff were hit by a cyber attack on the insurer's mobile phone technology supplier last month
Xiaomi smartphones can wirelessly 'steal' bank card data: report (Want China Times (h/t Security Affairs)) Smartphones made by Chinese brand Xiaomi have been identified as a security threat for their ability to "steal" personal details from bank cards through wireless communication, reports the Nanjing-based Yangtse Evening News
TweetDeck bug resembles earlier MySpace 'Samy Worm', says researcher (FierceITSecurity) TweetDeck, a social media management tool for Twitter, was taken down on Wednesday for over an hour to fix a bug involving a cross-site scripting error, the Washington Post reports
A Day to Forget for Teen at Center of Tweetdeck Shutdown (Threatpost) The last 24 hours have been a sad, scary and frustrating time for a 19-year-old aspiring programmer in Austria who found himself smack in the middle of Wednesday's TweetDeck mess — all because of a Unicode heart
CryptoLocker ransom malware infected 2,000 users in Singapore (TechWorld) Clean up goes global
Advanced Mask cyber campaign ripped off 80s hacker tricks (V3) The Mask or Careto family of malware used tactics originally thought up by 80s and 90s hackers to infect government systems, according to Context Information Security
Advanced cyber attacks rely on privileged credential exploitation (Help Net Security) While new and sophisticated malware variants were continually developed to exploit systems in 2013, criminals, hacktivists and advanced attacks continue to do the most damage by exploiting privileged accounts
The state of GRX security (Help Net Security) Late last year, documents from Edward Snowden's NSA trove revealed that Britain's GCHQ had mounted a successful attack against Belgacom (the largest telecom in Belgium) and its subsidiary BICS (Belgacom International Carrier Services), a Global Roaming Exchange (GRX) provider. Other GRXs have been targeted as well
Chinese counterfeiters are selling the iPhone 6 before it has even been released (Quartz) The release of Apple's iPhone 6 isn't expected for at least another two months. Yet, a former Taiwanese pop star has posted what he claims are photos of the phone on his blog (registration required). Meanwhile, merchants on China's largest e-commerce site Taobao are already selling non-working "models" of the iPhone 6 for anywhere between 15 yuan and 460 yuan ($2.40 and $74.06). Some are even selling something called an "iPnoho7"
Daktronics Responds to ICS-CERT Vanguard® Default Credentials Alert (Wall Street Journal) Recently, a small number of North Carolina Department of Transportation Daktronics (Nasdaq:DAKT) Vanguard® dynamic message signs were compromised. As a result, on June 5, 2014, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a division of the U.S. Department of Homeland Security, issued alert ICS-ALERT-14-155-01A referencing a hardcoded password in the Vanguard controller as the primary cause. The ICS-CERT later clarified the alert on Friday, June 6, 2014, stating the password is not hardcoded but is a default password that display owners should change upon installation. ICS-CERT also communicated mitigation recommendations (reprinted below) within the alert
AT&T Mobility data breach (CSO) This week AT&T Mobility filed a breach notification in California
Security Patches, Mitigations, and Software Updates
VMware Patches ESXi Against OpenSSL Flaw, But Many Other Products Still Vulnerable (Threatpost) While the group of vulnerabilities that the OpenSSL Project patched last week hasn't grown into the kind of mess that the Heartbleed flaw did, the vulnerabilities still affect a huge range of products. Vendors are still making their way through the patching process, and VMware has released an advisory confirming that a long list of its products are vulnerable to the latest OpenSSL bugs
Automatic updating of Android apps becomes riskier (Help Net Security) Google has made unwelcome changes to the way new app permissions are disclosed to users: no warnings will be shown if a new permission is in the same category as an old one that has previously been accepted
Hot, Cold Reactions to New Google Play App Permissions (Threatpost) Google's revamped app permissions for Google Play are not being well received by Android users. Reddit threads are rife with adjectives such as "stupid" and "dangerous," primarily because Google's attempt to simplify permissions granted to automatically updated applications may in fact expose users to greater risk
Facebook to let advertisers see where you're surfing (Naked Security) Remember back in 2011, when Mark Zuckerberg dissed Google, Yahoo and Microsoft for following you around on the web, using browser cookies to collect a huge amount of information about who you are "behind your back"?
Apple's iOS 8 will help keep out Wi-Fi marketers and snoops, but not totally (Naked Security) A small change in iOS 8 will make privacy advocates happy, although it's going to be a tough pill to swallow for mobile marketers
M&A Activity Makes Companies Cyber Targets (Wall Street Journal) Companies involved in merger and acquisition deals are a target for data thieves who may try to exploit employee confusion to gain access to internal systems. FireEye Inc., a Silicon Valley maker of security software, released case studies Thursday, culled from its experience investigating breaches relating to M&A deals
Report: Slow Detection, Slow Response (Dark Reading) More than one-third of data breaches aren't detected for hours, and recovering from a breach takes anywhere from days to months, a new survey says
When chatbots could become a real security threat (CSO) As the conversation programs become better at imitating real people, they could morph into a serious threat to companies
Authentication innovation, identity and credential management (Help Net Security) In this interview, Richard Parris, CEO of Intercede, talks about how the digital world has shaped our identity, the main catalyst behind authentication innovation as well as key issues you have to deal with when implementing identity and credential management
Why online tracking is getting creepier (Ars Technica) Online marketers are increasingly trying to track users offline as well
Information Risk Maturity Index Says We're Aware But Not Ready (Dark Reading) A new study from PwC and Iron Mountain shows that businesses are having trouble balancing the need for data insight and the need for data security
With the Americas running out of IPv4, it's official: The Internet is full (Ars Technica) Where did all those IP addresses go?
Security and data center vendors renew focus on DDoS as attacks multiply (CiOL) The data center and mobile DDoS prevention segments are projected to maintain healthy double-digit CAGRs from 2013-2018
DHS readies next CDM task orders (Federal Times) The Department of Homeland Security is gearing up to issue new task orders for its Continuous Diagnostics and Mitigation program, ensuring that more agencies can obtain the necessary tools to improve the security and resilience of their networks
Korean Banks Subject to Spending Billions of Won on Every Expiration of Windows OS (Business Korea) Major Korean banks are actively seeking to strengthen security of automatic teller machines (ATMs), since most ATMs still run Windows XP. Microsoft's official support of the aging operating system (OS) ended as of April 8, and thus it has become more vulnerable to hacking or security attacks. However, the replacement of Windows XP with Windows 7 and the upgrade of the existing security solution for ATMs would cost a huge amount of money. Even with the upgrade, security problems cannot be solved completely. Therefore, industry analysts are saying that it is necessary to come up with a measure that can fundamentally address the problem
Bank of England receives '7 or 8 cyber attacks a week', says CISO (CSO) Hires geopolitical analyst to bolster cyber security team
Exclusive: FireMon chairman says sale similar to past venture FishNet (Kansas City Business Journal) FireMon executive chairman Gary Fish says the company is following a similar strategy to that of his past venture, FishNet Security
Telefonica picks Kaspersky Lab for cyber-security services (Telecompaper) Kaspersky Lab has signed a cooperation agreement with Telefonica, to provide its customers in Europe and Latin America with cyber-security services
NICE Safe City Solutions Deployed in Glasgow to Bolster Security, Safety, and Operations Management (MarketWatch) NICE Systems (NASDAQ: NICE) today announced that the city of Glasgow is deploying its security solutions to enhance the community's safety and security infrastructure. The implementation, which includes NICE Situator and NiceVision for video management, will help the city strengthen its daily operations and streamline incident response
CounterTack named Cool Vendor Application and Endpoint Security (NewswireToday) For the third consecutive year High-Tech Bridge receives prestigious OTA Honor Roll award for demonstrating strong data protection, privacy and security in an effort to better protect the customers, partners and the brand
BAE Systems Applied Intelligence joins BBA to counter digital crime (Banking Business Review) BAE Systems Applied Intelligence is announcing that it has become an associate member of the British Bankers' Association (BBA), as part of a broader working partnership in which the two organisations will work together to counter the growing threat to the UK banking and financial services industry from cyber-enabled financial crime
Turning Interns into Cyber Warriors (StateTech) Montgomery County, Md., is launching paid internships to build the local cybersecurity workforce
Panda Security Rewards Beta Tester of the Year With Up to $800 (Digital Journal) Panda Security, The Cloud Security Company, today announced the beta release of Panda Global Protection 2015, its comprehensive anti-malware solution for protecting the information and digital life of home computer users. The new version has more features and is lighter, more secure and more complete than ever before
Products, Services, and Solutions
Blackphones coming in three weeks, will ship in millions, backers say (ComputerWorld) Carriers in Europe and the Americas have committed to selling the secure handset, Silent Circle and Geeksphone say
Twitter nabs top honors in security, privacy audit (CNET) Group that includes Symantec, VeriSign, and Microsoft tags Twitter tops among 800 websites for user protection, security
Chrome Perfected: Fast, Massively Secure and Gloriously Private (1/2) (Bromides on Infrastructure) Bromium or Chromium? The right answer is both. Chrome users have an almost religious passion for their browser, whose rapid ascent threatens to eclipse IE. Bromium's micro-virtualized Chrome substantially surpasses Google's own vision, delivering fast, massively secure and gloriously private browsing. Micro-virtualization delivers superior security, and its granular, task-centric isolation preserves the Chrome user experience while rigorously protecting user privacy — something that no browser has ever achieved before
Check Point releases software-defined protection security architecture (BusinessDay) Check Point Software Technologies Limited, the worldwide leader in securing the internet, says it has introduced Software-defined Protection (SDP), a revolutionary security architecture that can protect organisations in today's fast-evolving IT and threat landscape. Software-defined Protection offers modern security today that can effectively protect against tomorrow's threats, through a design that is modular, agile and most importantly, secure
ESET launches new and improved mobile protection for Android (CiOL) ESET has announced the availability of the enhanced ESET Mobile Security in Asia Pacific
Tenable Integration with ThreatGRID Enhances Detection of Persistent Malware (Fort Mill Times) Tenable Customers Gain Access to ThreatGRID Content that Enriches Log Data enabling them to more quickly and accurately defend against advanced threats
Lockheed Martin Earns NSA Cyber-Response Accreditation (HS Today) Lockheed Martin's Cyber Incident Response Assistance (CIRA) program earned accreditation from the National Security Agency's (NSA) Information Assurance Directorate (NSA/IAD), becoming one of the first federally-recognized companies to help organizations respond to cyberattacks
Mission impossible? Malwarebytes invents software that blocks zero-day attacks (TechWorld) Can this software end the tyranny of zero-day attacks?
HP Atalla Tackles Encryption in the Post-Snowden Era (eSecurity Planet) The need for encryption now is greater than ever
Technologies, Techniques, and Standards
Life after XP: a survival guide (Trend Micro Simply Security) April 8, 2014 marked the end of an era: the day when Microsoft withdrew support for its hugely successful Windows XP operating system for good. Statistics show that, despite declines of late, the OS is still extremely popular. In fact, it still has a market share of around 25% globally, a figure which has changed only slightly since April 8. It's true that some organizations need to stick with XP because of third-party app support reasons, and Trend Micro can help these firms, more of which I'll share later. The problem for those who refuse to migrate onto a newer system, however, is that they're unnecessarily exposing themselves to a much higher risk of infection
NIST Guide Targets Supply Chain Risks (GovInfoSecurity) Breaking down silos should help organizations mitigate vulnerabilities introduced into their systems from the information and communications technology supply chain, says the co-author of revised guidance being drafted by the National Institute of Standards and Technology
Heartbleed still matters, and we're all partly to blame (ComputerWorld) Extremely weak passwords make us vulnerable, but there are ways to create passwords you'll remember and yet are hard to crack
Why You Need to Allow Your IT Systems to Be Hacked (by the Good Guys) (IT Business Edge) If you were to give permission for an ethical hacking team to try to penetrate your systems, how difficult do you think it would be for the team to get in? According to one IT security expert who specializes in this sort of penetration testing, it would likely be a walk in the park
Not challenging DoD network resilience delusional, says CYBERCOM official (FierceGovernmentIT) When Lt. Gen. Jon Davis, deputy commander for Cyber Command, arrived at CYBERCOM the focus was on keeping networks operational, not on challenging the network's resilience to an advanced persistent threat
Leaking Trade Secrets: A Conversation with Michael Schrenk (Cyveillance) Cyveillance was recently lucky enough to chat with business intelligence specialist, author, and developer Michael Schrenk in advance of his upcoming DEF CON talk, "You're Leaking Trade Secrets." Read on for a first glimpse at his lecture and his thoughts on organizational secrets
Life after TrueCrypt (Help Net Security) While speculation continues around the fate of popular disk encryption software TrueCrypt, Sophos conducted a survey of over 100 IT professionals regarding their use of encryption, including TrueCrypt
Tool for creating booby-trapped PDFs made public (Help Net Security) Freelance security researcher Claes Spett has made available a tool he dubbed "PDF Exploit Generator," which allows penetration testers — but also malicious attackers — to create a booby-trapped PDF in a matter of minutes
Made any new friends lately? (Internet Storm Center) Earlier this week, we were testing the security aspects of an application that integrates with LinkedIn. Given that I do not own a LinkedIn account, I had to create one temporarily, to be able to test. I used a throw-away email address, and did not add any personal data, but I happened to connect to LinkedIn from the business where we were performing the work
Behind the Great Firewall: What it's really like to log on from China (ITWorld) Censorship in China affects many popular Internet services and websites, but there are ways to make do
Monitor DNS Traffic & You Just Might Catch A RAT (Dark Reading) Criminals will exploit any Internet service or protocol when given the opportunity. Here are six signs of suspicious activity to watch for in the DNS
Academia: Government's Biggest Cyber Security Ally? (Dark Reading) Federal cyber security programs need access to fresh talent. They can boost the quality of that talent by bolstering cyber security training in colleges and universities
Hackers Beware—Reinforcements Are On the Way (American News Report) If you've been following the news stories about data security breaches at such retail giants as Target and eBay the following won't surprise you
New cybersecurity company signs lease with Cecil College (Cecil Whig) Cecil College signed a one-year lease Tuesday with a cybersecurity company that will open new avenues of private-public partnerships in the future
Kids To Hack Corporate Crime Caper Case At DEF CON (Dark Reading) The Social Engineering Capture the Flag contest for kids is now an official DEF CON contest
School cancels reading program rather than promote "hacker culture" (Ars Technica) Boing Boing editor responds, offers 200 free copies to the school's students
Legislation, Policy, and Regulation
Guest Post: The Foreign Intelligence Surveillance Court: Is Reform Needed? (Just Security) With the advent of the Edward Snowden leaks commencing in June 2013, much has been written about Snowden and the United States intelligence community. This short blog post examines one of the only proposals to emerge that would constitute systemic procedural change, namely the creation of a special advocate or institutional amicus system before the Foreign Intelligence Surveillance Court — the FISC (hereafter referred to as a "special advocate" reform, for ease of reference). Such a system would be beneficial for both substantive and procedural reasons. A recently passed House bill, which merely keeps the status quo by permitting the court to appoint an amicus — a power it has now — falls short of what is needed
The Facebook War (Slate) Would taking down the social network justify a real-world attack?
House Intel chief 'extremely optimistic' on cyber bill's chances (The Hill) The head of the House Intelligence Committee thinks the odds are good that the Senate will pass a long-delayed cybersecurity bill this year
Former NSA director backs House bill to rein in spy agency (Washington Times) The head of the government's civil liberties protection board said Thursday that its classified review of the NSA's collection of Americans' telephone records didn't turn up any evidence of abuses — but both he and the man who led the National Security Agency's program said it's still time to end bulk collection
Liberty vs. security in post-9/11 world (Washington Times) Are the threats so great as to require sacrificing our rights, freedoms?
Sen. Franken's anti-stalking bill could restrict location-based mobile advertising (FierceMobileIT) Privacy is good, right? Not for mobile advertisers
DoD Bolstering Cyber Warfare Capabilities in At-Risk Nations (USNI News) The Pentagon's cadre of cyberwarriors is working to bolster the cyberwarfare capabilities of individual countries tagged by the Defense Department as being particularly susceptible to cyber attacks
NSA Chief: Military Not Organized for Cyber Warfare (National Defense) The U.S. military's hidebound culture and outdated procurement system are slowing down efforts to improve cyber defenses against increasingly sophisticated network attacks, said Navy Adm. Michael S. Rogers, director of the National Security Agency and head of U.S. Cyber Command
Cyber Policy Chief Shares Perspective on Mission (American Forces Press Service) Teamwork, balancing between opportunity and risk, and transparency of intent are the keys to U.S. efforts in the cyber domain, the acting deputy assistant secretary of defense for cyber policy said today
US cyber official: Treat IT architecture as a weapon (Defense Systems) If the Defense Department wants to improve cybersecurity it needs to get a handle on its IT infrastructure and start treating it more like a weapons system, the U.S. Cyber Command's former deputy commander said this week
Litigation, Investigation, and Law Enforcement
New charges brought against Zuluaga 'peace talks hacker' (Colombia Reports) New evidence suggests that Andres Sepulveda's wiretapping operation was much more extensive than originally suspected, Colombia media reported on Wednesday
New Ruling Shows the NSA Can't Legally Justify Its Phone Spying Anymore (Wired) The Eleventh Circuit Court of Appeals said no this week to tracking your movements using data from your cell phone without a warrant when it declared that this information is constitutionally protected
If The NSA's System Is Too Big To Comply With Court Orders, Court Should Require It To Change Its System (TechDirt) Last week, we wrote about the latest in the Jewel v. NSA case, where the Justice Department admitted to the EFF that the NSA was still destroying surveillance evidence, despite a temporary restraining order in March ordering it to stop
Local cops in 15 US states confirmed to use cell tracking devices (Ars Technica) Stingray use is widespread: Baltimore, Chicago, and even Anchorage have them
Police lack cyber skills (The Times) Police forces in England and Wales are unprepared to tackle cyber crime which is fast becoming a major element of offending, according to a report published yesterday
U.S. To Answer N.S.A. Spy Claim (Tribune242) John Kerry, the United States Secretary of State, has stepped in to oversee the investigation of reports that the National Security Agency is intercepting and recording all cell phone conversations in The Bahamas, with the ability to store them for up to 30 days
The Feds Are Auctioning a Small Fortune in Silk Road Bitcoins (Wired) The Bitcoin world has been waiting for more than six months to see where the millions in cryptocash seized from the Silk Road black market for drugs would end up. Now that fortune is about to be sold off, like so many mafiosos' cars or drug dealers' bling, to the highest bidder
Former Microsoft Employee Involved In Windows 8 Leaks Given 3-Month Sentence (TechCrunch) After pleading guilty, former Microsoft employee Alex Kibkalo will pay a $100 fine and serve three months in prison for stealing trade secrets
Man arrested for parodying mayor on Twitter files civil rights lawsuit (Ars Technica) Police raid follows mayor being upset over the portrayal of him as drug abuser
For a complete running list of events, please visit the Event Tracker.
BSidesLV 2014 (Las Vegas, Nevada, USA, Aug 5 - 6, 2014) We have an amazing array of speakers each year, covering topics such as Penetration Testing, Forensics, Incident Response, Risk, and everything in between. We have a Lockpick Village, the Squirrels in a Barrel World Championship Social Engineering Capture The Flag, uncensored talks, and proximity to the other big InfoSec conferences in the world.
EDSC 2014 (Seattle, Washington, USA, Nov 20 - 21, 2014) EDSC is a security conference focusing on embedded systems, hardware, and anything behind the silicon curtain. Embedded testing is a rapidly expanding area of the security industry, and staying current is important for engineers, researchers, and testers alike. EDSC will bring the top thought leaders in the embedded security field together for two days to share knowledge, techniques, and research.
(ISC)² Security Congress EMEA (London, England, UK, Dec 8 - 10, 2014) Building on the experience of the US-based (ISC)² Security Congress, now in its fourth year, (ISC)² Security Congress EMEA will offer a complementary and unique opportunity within the Europe, Middle East and Africa region to participate in a comprehensive education program — over five focused tracks — and to connect with fellow colleagues in their international professional community. The themes are: Governance, Risk & Compliance; Mobile Security; Human Factor; Architecture; Data Security.
Global Summit on Computer and Information Technology The summit is hosting multiple conferences in different areas of Computer & Information Technology. CIT is a major platform for researchers and industry practitioners from different fields of computer and information technology promising multidisciplinary exchanges in computer and information technology. We are attracting many high quality research papers spanning over the various aspects of information technology, computing science and computer engineering. Such research highlights foundational work that strives to push beyond limits of existing computer technologies, including experimental efforts, innovative systems, and investigations that identify weaknesses in existing IT services.
NRC Cyber Security Seminar/ISSO Security Workshop (Bethesda, Maryland, USA, Jun 16, 2014) NRC will be hosting its second NRC Semi-Annual All-Hands ISSO Workshop. This workshop will consist of computer security policy, standards, cybersecurity, guidance, FISMA compliance, and training updates. The event will be promoted agency-wide. Exhibit tables will be set-up just outside the Auditorium and companies will have the opportunity to demo their latest technologies to NRC's IT personnel. A complete agenda will be posted once all speakers are confirmed.
2014 Spring National SBIR Conference (Washington, DC, USA, Jun 16 - 18, 2013) SBIR/STTR programs are the nation's largest source of early stage / high risk R&D funding for small business. At this conference you'll learn how to participate and compete for funding in these two programs that encourage small businesses to engage in Federal Research/Research and Development (R/R&D) and to commercialize your technological innovations.
18th Annual Colloquium for Information Systems Security Education The Colloquium recognizes that the protection of information and infrastructures that are used to create, store, process, and communicate information is vital to business continuity and security. The Colloquium's goal is to work together to define current and emerging requirements for information assurance education and to influence and encourage the development and expansion of information assurance curricula, especially at the graduate and undergraduate levels.
MeriTalk's Cyber Security Brainstorm (Washington, DC, USA, Jun 18, 2014) This second annual event will take place on Wednesday, June 18, 2014 at the Newseum in Washington, D.C. The event will bring together Federal cyber security experts to share best practices, collaborate on challenges, and discuss what is needed for the future of cyber security. This year's program will begin with a keynote from White House Federal Agency Cybersecurity Director John Banghart, followed by panel sessions on continuous diagnostics & mitigation (CDM), data breach, and identity management.
Suits and Spooks New York (New York, New York, USA, Oct 2 - 3, 2014) Not another hacker conference. Suits and Spooks is a unique gathering of experts, executives, operators, and policymakers who discuss hard challenges in a private setting over two days. Suits and Spooks New York will return to Soho House on October 2-3, 2014. Stay tuned for our speaker list and agenda coming this summer.
SANSFIRE (Baltimore, Maryland, USA, Jun 21 - 30, 2014) For more than 10 years, the Internet Storm Center has been providing free analysis and warning to our community. SANSFIRE 2014 is not just another training event. It is our annual "ISC Powered" event. It taps into the expertise behind our daily postings, podcasts, and data collection efforts by offering evening events focusing on current trends and actual relevant threats. The strength of the Internet Storm Center is its group of handlers, who are network security practitioners tasked with securing real networks just like you. This is your chance to meet some of them in person.
26th Annual FIRST Conference (Boston, Massachusetts, USA, Jun 22 - 27, 2014) The Forum of Incident Response and Security Teams (FIRST) is a global non-profit organization dedicated to bringing together computer security incident response teams (CSIRTs) and includes response teams from over 240 corporations, government bodies, universities and other institutions spread across the Americas, Asia, Europe and Oceania. The annual FIRST conference provides a setting for conference participants to attend a wide range of presentations delivered by leading experts in both the CSIRT field and from the global security community. The conference also creates opportunities for networking, collaboration, and sharing technical information and management practices. The conference enables attendees to meet their peers and build confidential relationships across corporate disciplines and geographical boundaries. FIRST conference participants include not only CSIRT staff, but also IT managers, network and system administrators, software and hardware vendors, law enforcement representatives, security solutions providers, telecommunications organizations, ISPs, and general computer and network security personnel.
Gartner Security & Risk Management Summit 2014 (National Harbor, Maryland, USA, Jun 23 - 26, 2014) The Gartner Security & Risk Management Summit is the only time when the entire Gartner analyst and security and risk management community comes together in one location to bring the latest research, insights and forward-thinking perspectives.
AFCEA International Cyber Symposium (Baltimore, Maryland, USA, Jun 24 - 25, 2014) National security is continuously being redefined as awareness of the cyberspace domain evolves. Cyber threats and challenges grow every day. Successfully defending our networks requires a team approach. With this in mind, the AFCEA International Cyber Symposium will engage the key players, including the U.S. Government, the International Community, Industry and Academia, to discuss the development of robust cyberspace capabilities and partnerships. The operational theme "Cyber Awakening: Protecting a Nation's Cyber Security" will explore the aspects of operational security of U.S. Government, DoD and Industry Networks, cyber cooperation among Joint and Coalition partners, and discuss the training and development of the cyber workforce.
United Nations Interregional Crime and Justice Research Institute Cyber Threats Workshop (Turin, Italy, Jun 27 - 29, 2014) The United Nations Interregional Crime and Justice Research Institute (UNICRI) is organizing a series of workshops and short courses within the framework of the UNICRI Journalism and Public Information Programme, a unique international programme tailored for journalists, chief information officers and students who want to specialize in public information and journalism. The programme aims at deepening knowledge of emerging security threats.