The CyberWire Daily Briefing 08.28.14
Coincidentally or not, as Russian operations against Ukraine become increasingly kinetic and even less plausibly deniable, and as the OSCE meets in Vienna to seek a European response to the crisis, cyber attacks strike Norwegian oil companies and US banks.
Fifty Norwegian oil and energy companies have been hacked; another two hundred fifty have been warned to check their networks. Norway's National Security Authority believes it has a good idea of who's responsible for the attacks, but is for the moment refraining from attribution.
Across the Atlantic, JPMorgan Chase and perhaps four other Wall Street banks appear to have been subjected to cyber attacks earlier this month. The FBI is investigating, and the media report strong evidence of Russian responsibility. Observers note that, while sensitive information appears to have been stolen, it appears not to have been used by criminals. While this argues for state rather than criminal activity, absence of crime isn't by itself definitive evidence of espionage. (The Telegraph does note that Russia's Foreign Ministry has criticized JP Morgan Chase for blocking payments in accordance with US sanctions.) While the coordinated attacks could ultimately result in customer losses, they could also enable market manipulation (in many respects a more troubling threat).
Backoff point-of-sale malware continues its spread, and the PCI Council issues retailers a call-to-action.
The International Chamber of Commerce warns the maritime industry that cyber risk to shipping has significantly risen.
In industry news, analysts look at HP and think it's preparing for a cyber security acquisition.
Notes.
Today's issue includes events affecting Colombia, European Union, Norway, Russia, South Africa, Ukraine, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
50 confirmed, possibly more Norwegian oil companies hacked (Help Net Security) 50 Norwegian oil and energy companies have been hacked, and 250 more have been warned to check their networks and systems for evidence of a breach
JPMorgan confirms it is investigating possible cyber attack (Reuters) JPMorgan Chase & Co is investigating a possible cyber attack and working with law enforcement to determine the scope, company spokeswoman Trish Wexler said
FBI investigates alleged Russian cyber attack on Wall Street (Telegraph) Major US financial institutions reportedly targeted by sophisticated high-level cyber-attack amid suspicions that operation was launched in retaliation for sanctions over Ukraine
FBI Probes Possible Hacking Incident at J.P. Morgan (Wall Street Journal) The Federal Bureau of Investigation is probing a computer-hacking attack on J.P. Morgan Chase & Co. and as many as four other banks, in what people familiar with the probe described as a significant breach of corporate computer security
Cyber attacks on US banks fuel financial sector concerns (ComputerWeekly) The FBI is investigating what appears to be a series of co-ordinated cyber attacks at JP Morgan Chase and at least four other financial institutions, according to US reports
Bank Hackers Said to Steal Data for Draining Accounts (Bloomberg) A hacking attack on U.S. banks this month led to the theft of customer data that could be used to drain accounts, according to a person briefed by U.S. law enforcement
70% of finance apps vulnerable to input validation attacks (Help Net Security) A growing number of data breaches and security incidents can be directly linked to poor code quality, according to CAST
Backoff malware widespread, PCI Council issues call to action (FierceRetailIT) Backoff malware has affected more than 1,000 U.S. businesses, infecting POS systems from Target to Supervalu. The United States Secret Service and Department of Homeland Security have issued a warning that the Backoff POS malware may have infected more systems than previously believed
PCI SSC Bulletin on Malware Related to Recent Breach Incidents (PCI Security Standards Council) In a statement released on 22 August by the United States Secret Service and Department of Homeland Security, a warning was issued that a Point of Sale (POS) malware dubbed "Backoff" may have infected systems in over 1,000 organizations and represents a very real threat to the security of cardholder data in all organizations. This malware released in 2013 infects electronic cash registers (ECRs) and similar POS systems, and was not recognized by antivirus software solutions until this August. It infects POS systems and has already resulted in large amounts of cardholder data being compromised and transmitted to criminal organizations
Backoff, Dairy Queen, UPS & Retail's Growing PoS Security Problem (Dark Reading) Retail brands are trying to pass the buck for data security to banks and franchisees, say some experts
One More Day of Trolling in POS Memory (Internet Storm Center) Further to the recent story on Memory Trolling for PCI data, I was able to spend one more day fishing in memory. I dug a bit deeper and came up with more fun Credit Card / Memory goodness with our friend the Point of Sale application
Risk of cyber attack on the shipping supply chain increasing, say experts (Business Reporter) The International Maritime Bureau has warned that the sophisticated IT systems used to facilitate international shipping have made the industry vulnerable to hackers
IBM: Heartbleed Attacks Thousands of Servers Daily (Threatpost) On the one hand, the total number of vendor-reported vulnerabilities is down so far this year. On the other, 2014 was the year of the Heartbleed, the common name for a vulnerability in the nearly ubiquitous OpenSSL's encryption implementation library, which IBM Security Systems characterized as "one of the most widespread and impactful security vulnerabilities of all time"
Cybercriminals Leverage Rumored Windows 9 Developer Preview Release With Social Engineering (TrendLabs Threat Intelligence Blog) We're seeing schemes that are taking advantage of the buzz around the upcoming developer preview release of Windows™ 9 this September
Java.com, TMZ Serving Malvertising Redirects to Angler Exploit Kit (Threatpost) Online ad network AppNexus has again been identified at the core of another malvertising campaign using the Angler Exploit Kit to redirect visitors to sites hosting the Asprox malware
iPhones, iPads ripe for the picking (NetworkWorld via CSO) USENIX Security Symposium: Georgia Tech researchers show how PC botnets could infect iOS devices to steal passwords
Flashback to the Biggest Mac Malware Attack of All Time — Is it Still a Threat? (Intego) In early 2012, the biggest Mac malware attack of all time was taking place — catching out at least 600,000 unguarded Mac users around the world, including (to potentially one famous company's embarrassment) some 274 in Cupertino
Popular Hackforums Website Defaced by Egyptian Hacker (Hacker News) Hackforums — one of the popular hacking forums in the world — has been hacked and defaced by the famous Egyptian hacker
SWAT Team Detains Popular Gamer Who Was Live-Streaming 'Counter-Strike' (TechCrunch) An incredible video showing the apparent swatting of a video game player who operates under the moniker 'Kootra' was published today
Another Day, Another Data Breach (Big Brother Watch) In what is becoming an ever more regular occurrence for the NHS, it has been reported that the East Midlands Ambulance Service has lost a disk containing the notes of 42,000 patients who had been treated by paramedics in the last few months
Security Patches, Mitigations, and Software Updates
Scratched PC-dispatch patch patched, hatched in batch rematch (Register) Windows security update fixed after triggering blue screens (and screams) of death
Cyber Trends
Vulnerabilities on the decline, but risk assessment is often flawed, study says (IT World) The number of vulnerabilities could reach a three-year low in 2014, but correctly assessing their risk can be hard, IBM researchers said
Financial, insurance sectors most targeted by cyber attackers: IBM (Business Insurance) IBM Corp. said in a research report that the financial and insurance sectors are those most targeted by cyber attackers, making up nearly 50% of the cases reported in 2014, reports
Why You Need To Add "Cyber" To Your Job Title (Forrester Blog) Sometimes ambiguity has power — the power to capture the zeitgeist of a movement, culture, or vision without getting dragged into the weeds about what really is or isn't included; it provides time for an idea to crystallize, become defined, or reach critical mass
Marketplace
Anti-spy technology remains hot a year after NSA leaks (Ars Technica) With surveillance a worry, startups offer products to help users gain privacy
How privacy fears are driving automakers in the age of the connected car [w/poll] (Autoblog) As cars collect and store more and more data about the whereabouts of their drivers, automakers are responding to critics who say they should be more transparent about how those details are used. Ford is hiring a global privacy policy attorney to craft the company's customer privacy policies in the era of connected and autonomous cars
Hewlett-Packard Expected To Invest In Cyber Security (Bidness Etc) Hewlett-Packard is expected to acquire a security company soon to expand its enterprise security position
Google goes public with security audits to ease corporate concerns (C-NET) The tech titan makes available to the public for the first time two independent security audits, as it works to prove its commitment to customer data protection
InfoReliance Wins DHS Contract to Provide Specialized Security Services for the National Cyber Protection System (IT Business Net) Security services to support DHS Office of Cybersecurity and Communications Network Security Deployment Division
Colombian police opt for Radware cyber-protection (NJBiz) Radware Ltd., an application delivery and security company, said Tuesday that the Colombia National Police has chosen it to protect its network against cyber-attacks
No Clear Solutions in the Cybersecurity Hiring Crisis (NoVA Infosec) Here's an excellent post on the infosec worker shortage by Violet Blue the other day with comments from the likes of Richard Bejtlich, James Arlen, and Chris Hoff. It's like the Cybersecurity Dreamteam … but even they can't offer any clear solutions
ThreatTrack Security Appoints Stuart Itkin as Chief Marketing Officer (Providence Journal) ThreatTrack Security - a leader in cyber threat prevention solutions that substantially change how organizations respond to cyberattacks - today announced the appointment of Stuart Itkin as Chief Marketing Officer. Itkin previously led global marketing at fast-growing startups and large public companies, including CEB, Kronos, Zebra Technologies, Lucid and Symbol Technologies
HP ArcSight's Doron Keller Joins Exabeam to Lead Security Research (Virtual Strategy) Keller brings in-demand expertise to Exabeam as it assembles dynamic team of early SIEM influencers to build the next big thing in security analytics
One Woman's Journey from Clerical Worker to Cyber Warrior (Cleared Jobs) There are many interesting paths and stories leading to a career in cybersecurity. In this article Jen Havermann, Raytheon Portfolio Manager Cyber Intelligence & Analysis Programs, shares her tale
Products, Services, and Solutions
Firefox OS app permissions will give users more privacy than Android (Naked Security) Mozilla's mobile platform, Firefox OS, is behind Android in just about every way
Varonis Keeps Emerson Industrial Automation Secure and Productive (MarketWired) Varonis Systems, Inc. (NASDAQ: VRNS), the leading provider of software solutions for unstructured, human-generated enterprise data, today disclosed how its product suite has helped Emerson Industrial Automation regain control of its file shares and increase efficiency at the same time. The UK-based manufacturer was crippled by a variation of the Conficker virus just over two years ago
Prelert Extends Anomaly Detection to Elasticsearch (BusinessWire) Prelert, the anomaly detection company, today announced the release of an Elasticsearch Connector to help developers quickly and easily deploy its machine learning-based Anomaly Detective® engine on their Elasticsearch ELK (Elasticsearch, Logstash, Kibana) stack
Alert Logic Threat Manager and Alert Logic Log Manager Achieve VMware Ready — vCloud Air Status under Access Tier in vCloud Air ISV Partner Program (PRNewswire) Company Brings Managed IDS and Log Management Capabilities to vCloud Air Customers
Ixia and Plixer Provide Enhanced Cyber Attack and Application Performance Analysis (BusinessWire) Ixia (Nasdaq: XXIA) announced the integration of its Application and Threat Intelligence (ATI) Processor with the Plixer International, Inc. Scrutinizer cyber threat incident response solution. The joint solution improves forensic incident response and application optimization capabilities that help IT professionals prepare for the next cyber attack or application performance issue
Panda partners with iBurst to deliver comprehensive security for home users (ITWeb) National Internet service provider iBurst has partnered with Panda Security to improve iBurst's security offering to its customers. In addition to facilitating increased connectivity for South Africans, iBurst now offers customers industry leading security products, thanks to its partnership with Panda Security
Mobile Banking is Completely Insecure: SnoopWall Launches PrivacyShield To Fix This Problem (Broadway World) SnoopWall, the world's first counterveillance security software company, announces the launch of Privacy Shield, a powerful patent-pending counterveillance engine designed to shield your financial application from eavesdropping by malicious apps on your device and from cybercriminals in close proximity intercepting the transmission of sensitive information
iboss Addresses Security Risks Associated With Rising Chromebook Adoption (Sys-Con Media) New Chromebook SSO authentication feature increases security and BYOD policy management for K-12 schools
AVG Internet Security is the Lightweight Antivirus Program For PC Protection (Streetwise Tech) It is important to have your computers protected with antivirus programs, even if you are sure that you always avoid untrustworthy websites. One of the best antivirus suites that will ensure you real time protection is AVG. It does not put too much pressure on speed and performance when scanning and only takes a little space out of your system
SAIC Introduces CyberSecurity Edge™ (Insurancenewsnet) Cyberattacks disrupt activities and steal information every day. Science Applications International Corp. (NYSE: SAIC) today launched CyberSecurity Edge™, an adaptive cybersecurity solution that offers advanced data security and mitigates vulnerabilities to ensure customers are protected from hackers, viruses, and malware
Creators of New Fed-Proof Bitcoin Marketplace Swear It's Not for Drugs (Wired) When the recording industry smashed Napster with a $20 billion lawsuit more than a decade ago, filesharing morphed into Bittorrent, a fully peer-to-peer system with no central server for law enforcement to attack. Now the developers behind one software project are trying to pull off a similar trick with the anarchic model of bitcoin e-commerce pioneered by the billion-dollar Silk Road black market. And just as with Bittorrent, their new system may be so decentralized that not even its creators can control exactly how it will be used
Technologies, Techniques, and Standards
Spotting Web threats in the confusion of short-lived hostnames (CSO) Here's what you can do to spot malicious sites among the vast number of legitimate hostnames that exist for less than a day on the Web
10 most significant software security design flaws (Help Net Security) The IEEE Center for Secure Design, a cybersecurity initiative focused on the identification of software design flaws, released a report based on real-world data collected and analyzed by experts at the world's leading technology companies
Avoiding the Top 10 Software Security Design Flaws (IEEE Center for Secure Design) The goal of a secure design is to enable a system that supports and enforces the necessary authentication, authorization, confidentiality, data integrity, accountability, availability, and non-repudiation requirements, even when the system is under attack
"There is no inside" — How to get the most from your firewall (Naked Security) Firewalls seem like a fixture of IT security, having been used for more than 15 years in most business environments to protect our internal assets from the scary nasties that are out there on the big bad internet
Toss routers with hardcoded passwords, expert says (CSO) A Chinese manufacturer's routers that contain a hardcoded password that can be used to open a 'backdoor' should be thrown away and replaced with more reputable gear, experts say
10 Ways To Strengthen Healthcare Security (InformationWeek) As recent hacks show, keeping a healthcare organization safe from security threats takes planning, technical expertise, and business knowledge. Has your team taken these 10 steps?
Hackers Target Healthcare Providers — How to Protect Yourself (LinkedIn) In any industry, you hear conflicting opinions about the necessary level of data security, and healthcare is certainly no exception
Security in the Cloud (Trend Micro: Simply Security) You're off to the cloud, and the first thing you run into before you can reach altitude is a wall. That wall is your organization's security requirements
Design and Innovation
Verizon Bolsters User Authentication with QR Codes (Threatpost) If you want to know what the future holds for authentication on the web, it all depends whom you ask. Some say it'll come in the form of biometrics — iris and fingerprint scans, etc. Others say the answer lies in a tangle of constantly changing two-factor verification codes users need to punch in
Legislation, Policy, and Regulation
OSCE holds urgent meeting over Ukraine (The Local) Agence France-Presse (AFP) reports that the European security body OSCE will hold a special meeting in Vienna on Thursday to discuss developments in conflict-torn Ukraine, following reports of Russian troops on the ground there, the US mission to the organisation said
Russia Ramps Up Information War in Europe (Wall Street Journal) Image battered by conflict in Ukraine, Russia pushes to rebuild and expand Soviet-era foreign state media
The executive order that led to mass spying, as told by NSA alumni (Ars Technica) Feds call it "twelve triple three"; whistleblowers say it's the heart of the problem
Editorial: Unpacking DISA's Forecast to Industry (C4ISR & Networks) Most military organizations are in receive mode when it comes to dealing with industry. A few, though, including the Army's Program Executive Office for Command, Control and Communications-Tactical (PEO C3T) and the Defense Information Systems Agency (DISA), reach out to industry at least on an annual basis to let it know what requirements, RFIs/RFPs and priorities can be expected in the coming year
Army's network plan overhauls strategy along with equipment (C4ISR & Networks) The Army's goal is simple: increase operational effectiveness, improve security and be efficient. Getting there is not. The question becomes: How do you connect the global Army across approximately 1.4 million people in nearly 150 countries with the latest capabilities and the highest security? The Army has an answer in the current network-modernization effort
Security tops Navy PEO-EIS priority list (C4ISR & Networks) Victor Gavin, a member of the Senior Executive Service, is the Navy's program executive officer for Enterprise Information Systems (PEO EIS). He oversees a $2 billion portfolio of programs designed to enable common business processes and provide standard IT capabilities to the Department of Navy. PEO EIS programs include Navy Marine Corps Intranet (NMCI) and the follow-on Next Generation Enterprise Network (NGEN), as well as enterprise resource planning systems and Department of Navy enterprise software licensing
We Must Secure America's Cell Networks — From Criminals and Cops (Wired) This month, FCC Chairman Tom Wheeler revealed, in response to a letter from Congressman Alan Grayson, that his agency is assembling a task force "to combat the illicit and unauthorized use of IMSI catchers." Often known as the brand-name "StingRay," these are surveillance devices that impersonate legitimate cell towers, enabling them to covertly identify and locate nearby cell phones and, in some cases, to intercept the content of calls or text messages those phones send or receive
How Cops and Hackers Could Abuse California's New Phone Kill-Switch Law (Wired) Beginning next year, if you buy a cell phone in California that gets lost or stolen, you'll have a built-in ability to remotely deactivate the phone under a new "kill switch" feature being mandated by California law — but the feature will make it easier for police and others to disable the phone as well, raising concerns among civil liberties groups about possible abuse
Facebook and Twitter users 'more likely' to censor their views offline (Guardian) Pew study warns about 'spiral of silence' in US discussion of Edward Snowden's NSA online surveillance revelations
Litigation, Investigation, and Law Enforcement
Colombia: Hacker Who Spied on FARC and Gov't "Hired by Uribe" (InSerbia) Andrés Sepúlveda, the Colombian hacker at the center of a spying scandal that involved peace negotiators on behalf of the Santos government and the FARC rebels, said this week that he was hired by former conservative leader Álvaro Uribe Vélez's campaign group run by the party he founded
Raytheon, NOAA criticized for ignoring cyber vulnerabilities in satellite program (Washington Business Journal) The Commerce Department inspector general is criticizing a federal climate-satellite program receiving support from Raytheon for ignoring thousands of major cyber vulnerabilities, according to Defense One
Law in the Boardroom 2014 (FTI Consulting) Cyber risk, M&A, shareholder engagement, and compliance dominate today's legal oversight environment. Here are the results of our nationwide survey of directors and general counsel on the risks that matter most in 2014
Cybersecurity official uses Tor but still gets caught with child porn (Ars Technica) Timothy DeFoggi wrongly thought he was covering his tracks
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
Build IT Break IT Fix IT: Build IT (Online, Aug 28, 2014) The Build it Break it Fix it security contest is a new security-oriented programming contest held by the Maryland Cybersecurity Center, Cyberpoint, and Trail of Bits. The Build it Break it Fix it security contest aims to teach students to write more secure programs. The contest evaluates participants' abilities to develop secure and efficient programs. The contest is broken up into three rounds that take place over consecutive weekends. During the Build It round, builders write software that implements the system prescribed by the contest. In the Break It round, breakers find as many flaws as possible in the Build It implementations submitted by other teams. During the Fix It round, builders attempt to fix any problems in their Build It submissions that were identified by other breaker teams. Each round will respectively start on August 28th, September 4th, and September 12th
The Hackers Conference (New Delhi, India, Aug 30, 2014) The Hackers Conference is a unique event, where the best of minds in the hacking world, leaders in the information security industry and the cyber community along with policymakers and government representatives on cyber security meet face-to-face to join their efforts to cooperate in addressing the most topical issues of the Internet Security space. This is the third edition of the Conference. Following the huge success of the conference last year the current edition of the conference brings back to you all the knowledge, all the fun in a better, grander way.
SECRYPT 2013 (Vienna, Austria, Sep 2 - 4, 2014) The purpose of SECRYPT 2014, the International Conference on Security and Cryptography, is to bring together researchers, mathematicians, engineers and practitioners interested in security aspects related to information and communication. Theoretical and practical advances in the fields of cryptography and coding are a key factor in the growth of data communications, data networks and distributed computing. In addition to the mathematical theory and practice of cryptography and coding, SECRYPT also focuses on other aspects of information systems and network security, including applications in the scope of the knowledge society in general and information systems development in particular, especially in the context of e-business, internet and global enterprises. Papers are due April 15, 2014.
Build IT Break IT Fix IT: Break IT (Online, Sep 4, 2014) The Build it Break it Fix it security contest is a new security-oriented programming contest held by the Maryland Cybersecurity Center, Cyberpoint, and Trail of Bits. The Build it Break it Fix it security contest aims to teach students to write more secure programs. The contest evaluates participants' abilities to develop secure and efficient programs. The contest is broken up into three rounds that take place over consecutive weekends. During the Build It round, builders write software that implements the system prescribed by the contest. In the Break It round, breakers find as many flaws as possible in the Build It implementations submitted by other teams. During the Fix It round, builders attempt to fix any problems in their Build It submissions that were identified by other breaker teams. Each round will respectively start on August 28th, September 4th, and September 12th
Security B-Sides Cape Breton (Sydney, Nova Scotia, Canada, Sep 5, 2014) Security B-Sides Cape Breton is an open platform that gives security experts, enthusiasts, and industry professionals the opportunity to share ideas, insights, and develop longstanding relationships with others in the community. It is a rare opportunity to directly connect and create trusted relationships with key members of the community.
BalCCon2k14: Balkan Computer Congress (Novi Sad, Serbia, Sep 5 - 7, 2014) The Balkan Computer Congress is an international hacker conference organized by LUGoNS — Linux Users Group of Novi Sad and Wau Holland Foundation from Hamburg and Berlin. It is the second conference taking place in the Balkans, where some 20 years ago people were at war with each other. Now the BalCCon brings together hackers, hacktivists and computer enthusiasts from this area and they are joined by fellow hackers from all over the world. This event emphasizes the role of hacking as a means of peaceful cooperation and international understanding. The program consists of numerous presentations, workshops and lectures about information, privacy, technology, programming, free software and socio-political issues. One part of the congress will be dedicated to hacking, project and hacks
Ground Zero Summit, Sri Lanka (Colombo, Sri Lanka, Sep 9 - 10, 2014) Ground Zero Summit 2014, Colombo will be a unique gathering of Cyber Security Researchers, Hackers, CERTs, Corporates and Government officials to discuss latest hacks, exploits, research and cyber threats. Sri Lanka is now transitioning from being a developing economy to Global economy with blooming telecommunications, insurance, banking, tourism and information technology services. Sri Lanka will be exposed to cyber threats similar to India; thus, a synergy between Indian and Sri Lankan Cyber Security Communities will be beneficial for both countries in combating the threats to their information security
Detroit SecureWorld (Detroit, Michigan, USA, Sep 9 - 10, 2014) Two days of cyber security education and networking. Earn 12-16 CPE credits, network with industry peers, and take advantage of more than sixty educational events. Over the past decade SecureWorld has emerged as one of North America's most vital cyber-security conferences, providing globally relevant education, training and networking for cyber-security professionals on a regional level. SecureWorld provides more content and facilitates more professional connections than any other event in the cyber-security industry. Established in 2002, SecureWorld offers many different continuing professional education sessions over two days in 14 cities throughout the United States.
Cyber Attack Against Payment Processes Exercise 1 (Online, Sep 9 - 10, 2014) FS-ISAC, the Financial Services Information Sharing and Analysis Center will conduct its fifth annual simulated cyber security exercise related to payment processes used by banks, community institutions, credit unions and associated financial services organizations. Over a two day period this fall, hundreds of security, risk and IT professionals will experience a highly realistic set of scenarios in a safe environment in order to practice and improve their response to cyber incidents. The teams are encouraged to involve multiple parts of their organizations, from IT and security to payments experts to communications teams to line of business leaders and executive teams. The simulation is known as CAPP or Cyber Attack Against Payment Processes
AFCEA TechNet Augusta 2014: Achieving Force 2025 Through Signals and Cyber (Augusta, Georgia, USA, Sep 9 - 11, 2014) The overall theme of TechNet Augusta 2014 is "Achieving Force 2025 Through Signals and Cyber." The overall focus is on Army ground forces, including Joint component interface, other Department of Defense Organizations, Inter-Agency, Industry, and Academia. Presentations, panels, and track sessions will highlight empowerment of Soldiers on the battlefield through training, different methodologies for connecting through enhanced technology, and command and control functions to enable the U.S. Armed Forces to dominate the battlefield. Government, industry, and academia speakers will address a broad range of topics and focus on the importance of the network, security issues, and training to enable operational forces to modernize and be ready to meet emerging challenges in 2025 and beyond.
Build IT Break IT Fix IT: Fix IT (Online, Sep 12, 2014) The Build it Break it Fix it security contest is a new security-oriented programming contest held by the Maryland Cybersecurity Center, Cyberpoint, and Trail of Bits. The Build it Break it Fix it security contest aims to teach students to write more secure programs. The contest evaluates participants' abilities to develop secure and efficient programs. The contest is broken up into three rounds that take place over consecutive weekends. During the Build It round, builders write software that implements the system prescribed by the contest. In the Break It round, breakers find as many flaws as possible in the Build It implementations submitted by other teams. During the Fix It round, builders attempt to fix any problems in their Build It submissions that were identified by other breaker teams. Each round will respectively start on August 28th, September 4th, and September 12th
Suits and Spooks London (London, England, UK, Sep 12, 2014) On September 12th, in London's South Bank neighborhood of Southwark, approximately 50 former intelligence officials, corporate executives, and security practitioners from the U.S. and the EU will gather at the top floor auditorium of the Blue Fin building, just behind the Tate Modern museum in Central London to discuss present and future threats to global critical infrastructure and how best to mitigate them. It will be closed to the press and held under the Chatham House Rule
NOPcon Security Conference (Istanbul, Turkey, Sep 16, 2014) NOPcon is a non-profit hacker conference. It is the only geek-friendly conference without sales pitches in Turkey. The conference aims to learn and exchange ideas and experiences between security researchers, consultants and developers
5th Annual Billington Cybersecurity Summit (Washington, DC, USA, Sep 16, 2014) The 5th Annual Billington Cybersecurity Summit, a leading conference produced by Billington CyberSecurity, will feature an all-star cast of cybersecurity speakers including Admiral Michael Rogers, Commander, U.S. Cyber Command and Director, National Security Agency/Chief, Central Security Service. This leading summit also will feature Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator, The White House; David DeWalt, Chairman and Chief Executive Officer, FireEye; Dr. Phyllis Schneck, Deputy Under Secretary for Cybersecurity, NPPD, Department of Homeland Security, along with over twenty-five other distinguished speakers. Along with increasing awareness on the most pressing cybersecurity topics, one of the primary goals of this summit is to enhance networking. Thus, three new features have been added to this year's summit: 1. Cybersecurity Interactive Roundtable Sessions: These tables will enable attendees to exchange experiences and information regarding all of the dire cybersecurity topics. 2. One-on-One Meetings: These intimate encounters with the cybersecurity experts will allow your questions to be answered in a personalized manner. 3. Multiple Tracks: Several concurrent tracks will be offered at this summit to provide a more thorough education about cybersecurity in the healthcare, finance and energy sectors, and about continuous monitoring and insider threats
SINET Global Summit (London, England, UK, Sep 16 - 17, 2014) "Advancing Global Collaboration and Innovation." Global Summit focuses on building international public-private partnerships that will improve the protection of our respective homelands' critical infrastructures, national security and economic interests. The Global Summit's objective is to build and maintain international communities of interest and trust that foster vital information sharing, broad awareness and the application of our nation's most innovative technologies to enable a safer and more secure homeland for the United States, United Kingdom and our trusted allies. The US Department of Homeland Security Science & Technology Directorate supports this event along with Her Majesty's Government (HMG) as the UK representative.
Cyber Attack Against Payment Processes Exercise 2 (Online, Sep 16 - 17, 2014) FS-ISAC, the Financial Services Information Sharing and Analysis Center, will conduct its fifth annual simulated cyber security exercise related to payment processes used by banks, community institutions, credit unions and associated financial services organizations. Over a two-day period this fall, hundreds of security, risk and IT professionals will experience a highly realistic set of scenarios in a safe environment in order to practice and improve their response to cyber incidents. The teams are encouraged to involve multiple parts of their organizations, from IT and security to payments experts to communications teams to line of business leaders and executive teams. The simulation is known as CAPP or Cyber Attack Against Payment Processes
Global Identity Summit (Tampa, Florida, USA, Sep 16 - 18, 2014) The Global Identity Summit is focused on identity management solutions for corporate, defense and homeland security communities. This conference and associated exhibition bring together a distinctive, yet broad and comprehensive, look at the identity management capabilities, challenges and solutions in the topic areas of: Biometrics, Radio-Frequency Identification, Mobile, Cyber, Smart Card Technologies, and Big Data.
Fraud Summit Toronto (Toronto, Ontario, Canada, Sep 17, 2014) From account takeover to payment card fraud and the emerging mobile threatscape, the ISMG Fraud Summit series is where thought-leaders meet to exchange insights on today's top schemes and the technology solutions designed to stop them.
Defense Intelligence Agency (DIA)/National Intelligence University (NIU) Open House (Washington, DC, USA, Sep 17, 2014) On September 17, 2014, the National Intelligence University (NIU) will hold a Tech Expo as part of its annual "NIU OUTREACH DAY" in the Tighe Lobby of DIA Headquarters on Joint Base Bolling-Anacostia. This Tech Expo will be open to all personnel within the DIA Headquarters as well as the 600+ students and faculty of NIU. Several of the 'schools' within DIA are expected to participate with their own exhibitions, including: School of Intelligence Studies, School of Science and Technology Intelligence, Center for Strategic Intelligence Research and Center for International Engagement and the John T. Hughes Library.
Cloud Security Alliance Congress 2014 This year, the CSA and the International Association of Privacy Professionals (IAPP) are combining their Congress US and Privacy Academy events into a conference in the heart of Silicon Valley that will offer attendees eighty sessions to choose from covering all aspects of privacy and cloud security. Nowhere else will cloud, IT and privacy professionals be able to meet and learn from each other, and gain visibility to practical, implementable solutions delivered by leading industry experts. Together the conferences will broaden the educational and networking opportunities available to both IAPP and CSA members. Proposals for speakers are due February 21, 2014.
ICS-ISAC Fall Conference (Atlanta, Georgia, USA, Sep 17 - 20, 2014) Cybersecurity issues — such as the DHS release of Operation Aurora information; legislation like CISA (S. 2588), CIRDA (H.R. 2952) & H.R. 3696; and the NIST Cybersecurity Framework — can leave one wondering "What, where, how and with whom should I share?" and "Where can I find solutions?" At the ICS-ISAC Fall Conference you will develop knowledge you can take to further enhance your organization's cybersecurity posture through answers to these and many other questions
Ft. Meade Technology Expo (Fort Meade, Maryland, USA, Sep 18, 2014) The Ft. Meade Technology Expo is a one-day event held at the Officers' Club (Club Meade) on base. Industry vendors will have the unique opportunity to showcase their products and services to personnel who may otherwise be hard to reach. The target audience will comprise personnel from the Army, the newly headquartered DISA (Defense Information Systems Agency), DMA (Defense Media Activity), DINFOS (Defense Information School), and Ft. Meade's various military personnel. All of the above groups and military units around the base will receive promotions for this event.
The 2014 Cyber Security Summit (New York, New York, USA, Sep 18, 2014) The Cyber Security Summit, an exclusive conference series sponsored by The Wall Street Journal, has announced their second annual event in New York City. The event will connect C-Level & Senior Executives responsible for protecting their companies' critical infrastructures with cutting-edge technology providers and renowned information security experts. This informational forum will focus on educating attendees on how to best protect their highly vulnerable business applications and intellectual property. Attendees will have the opportunity to meet the nation's leading solution providers and discover the latest products and services for enterprise cyber defense
NYIT Cyber Security Conference (New York, New York, USA, Sep 18, 2014) Presented by NYIT's School of Engineering and Computing Sciences, this conference will address a broad range of pressing topics including privacy; innovations in enterprise security; systems security and the Internet of things; mobile security; the protection of critical infrastructure, organizations, and individuals against cyberattacks; and cybersecurity research and education frontiers. Keynote speeches by Robert Bigman, CEO 2BSecure LLC, Former Chief Information Security Officer, Central Intelligence Agency and Phyllis Schneck, Ph.D., Deputy Under Secretary for Cybersecurity, U.S. Department of Homeland Security
Dutch Open Hackathon (Amsterdam, the Netherlands, Sep 20 - 21, 2014) Join leading Dutch companies, during a 30-hour hackathon, as they open up APIs and technologies. Work together and develop new applications and drive global innovation
St. Louis SecureWorld Offering two days of cyber security education. Earn 12-16 CPE credits, network with industry peers, and take advantage of more than sixty educational events. Over the past decade SecureWorld has emerged as one of North America's most vital cyber-security conferences, providing globally relevant education, training and networking for cyber-security professionals on a regional level. SecureWorld provides more content and facilitates more professional connections than any other event in the cyber-security industry. Established in 2002, SecureWorld offers many different continuing professional education sessions over two days in 14 cities throughout the United States.
Workshop on Cryptographic Hardware and Embedded Systems 2014 (CHES 2014) (Busan, Korea, Sep 23 - 26, 2014) The annual CHES workshop highlights new results in the design and analysis of cryptographic hardware and software implementations. CHES provides a valuable connection between the research and cryptographic engineering communities and attracts participants from industry, academia, and government organizations
Rock Stars of Cybersecurity (Austin, Texas, USA, Sep 24, 2014) The unprecedented Target breach and NSA spying scandal have put cybersecurity in the global spotlight. With cyberattacks on the rise, it is now even more important to learn how to identify weaknesses and protect company infrastructure from incursions. At the Rock Stars of Cybersecurity conference, well-respected cybersecurity authorities from leading companies will deliver case studies and actionable advice that you can immediately put to use.
VB2014 Over its 24-year history, the VB conference has become a major highlight of the IT security calendar, with many of its regular attendees citing it as the security event of the year. The conference provides a focus for the industry, representing an opportunity for experts in the field to share their research interests, discuss methods and technologies and set new standards, as well as meet with - and learn from - those who put their technologies into practice in the real world.
DerbyCon 4.0 (Louisville, Kentucky, USA, Sep 24 - 28, 2014) Welcome to DerbyCon 4.0 — "Family Rootz". This is the place where security professionals from all over the world come to hang out. DerbyCon 4.0 will be held September 24-28th, 2014. DerbyCon 2013 pulled in over 2,000 people with an amazing speaker lineup and a family-like feel. We've listened to your feedback and plan on making this conference even better this year
BruCON 2014 (Ghent, Belgium, Sep 25 - 26, 2014) BruCON is an annual security and hacker conference providing two days of an interesting atmosphere for open discussions of critical infosec issues, privacy, information technology and its cultural/technical implications on society. Organized in Belgium, BruCON offers a high quality line up of speakers, security challenges and interesting workshops. BruCON is a conference by and for the security and hacker community.
ROOTCON 8 ROOTCON is the first hacking convention in the Philippines. A hacker conference and not a seminar, training or a workshop. It will feature the following tracks: advanced HTTP header security analysis, browser extension malware extend cybercrime capabilities, new techniques: email-based threat and attacks, shellcode exploit analysis: tips and tricks, the Necurs rootkit, social engineering: hacking the mind, and hacking your way to ROOTCON.
INTEROP (New York, New York, USA, Sep 29 - Oct 3, 2014) Interop returns to New York with practical and visionary conference sessions designed to help you accelerate your career. This year's conference tracks include: Applications, Business of IT, Cloud Connect Summit, Collaboration, Infrastructure, Mobility, Risk Management & Security, and Software-Defined Networking (SDN)