The CyberWire Daily Briefing 09.17.14
news from the 5th Annual Billington Cybersecurity Summit
The consensus on cyber resiliency? Chasing perfect cyber defense is a mug's game. While traditional perimeter defenses, especially defenses-in-depth, have their place, the future lies in detection, mitigation, management, and mission assurance.
Current NSA Director Rogers and former NSA Director Hayden offered different metaphors for this approach to resiliency. Rogers likened it to shipboard damage control. You expect warships to sustain damage in combat, and you prepare for it. You identify, contain, and repair damage as soon as you can, and you do it in a way designed to maintain or restore mission capability. Hayden chose a biological metaphor: consider the way an organism responds to injury or infection, and the way it restores itself, because here, again, injury and infection are expected.
Cyber attacks are to be expected because of the large number of actors and the sheer complexity of cyberspace. FireEye's Dewalt warned of the tremendous current interest in offensive activities — some 500 organizations in 204 countries are involved in offensive cyber operations. Nearly all critical-infrastructure companies are being breached weekly, and adversaries are becoming more effective. Former NSA Director Hayden sees those adversaries as falling into three tiers: states, gangs, and the disaffected (listed in decreasing order of capability). States tend to be self-limited, gangs are hired guns, but the disaffected, although currently the least capable, are in some ways the most worrisome. Their motives are obscure, and they are less susceptible to deterrence or negotiation. And the disaffected are beginning to acquire capabilities we now associate with low-end nation states.
Attackers find ample opportunity to work in the vulnerabilities the sheer complexity of cyberspace inevitably presents. The closing keynote speaker, NIST's Ronald Ross, described three tiers of vulnerability: known vulnerabilities (the kind fixed on Patch Tuesday), unknown vulnerabilities (zero-days), and adversary created vulnerabilities (such as advanced persistent threats).
Partnership — across all levels of government, with the private sector, and internationally among responsible governments — was agreed to be essential. But barriers to effective collaborative defense remain. White House Cybersecurity Coordinator Daniel noted the inherent difficulty of the problem: the psychology and economics of cyberspace, he thinks, remain imperfectly understood, and this is particularly true of the incentives that operate in that domain. Efforts like the NIST framework (also commended by DHS Deputy Undersecretary for Cybersecurity for NPPD Schneck) are a solid start, but remain works in progress. Schneck noted the difficulties involved in sharing information that's often classified (and over-classified).
Many of the speakers mulled the tension between privacy and security, and counseled a need for balance. Improved transparency (or perhaps, as Hayden suggested, "translucence") on the part of government would help matters here. Former NSA executive Chris Inglis in particular thought this an important policy lesson from the Snowden affair. Espionage has traditionally been an executive function, Hayden observed; Congressional and judicial oversight, as practiced in the US, are outliers internationally, and they afford an opportunity for improving transparency. "NSA surveillance blew up," he said, "because of a significant change in US political culture. People stopped believing that consent of the governors was equivalent to consent of the governed."
Cyber security needs to move away from its preoccupation with network security to become data-centric. Inglis and venture capitalist Ted Schlein in particular called this out. Inglis emphasized that the value lies in the data, and that assessing that value, and protecting it, is a corporate board-level issue. "Bad guys don't care about the network," Schlein noted, "They care about data." Frictionless key management would represent a tremendous advance in data protection. Anti-virus will evolve into breach detection and management, and this, Schlein believes, will amount to a new industry. He also sees signature-based endpoint security as on its way out. Security analytics, threat feeds, and next-generation endpoint security are trending among VCs.
In sum, cyber resiliency requires credible, rigorous risk analysis and vulnerability management. It needs to be pursued collaboratively, and within the context of realistic goals and well-founded best practices.
See the links below for other accounts of the Summit and background on the issue of cyber resiliency.
Two significant cyber campaigns are disclosed. IBM Trusteer has detected a large, highly targeted campaign using Citadel malware against Middle Eastern petrochemical companies. Citadel, designed originally as an evasive form of financial malware, has evolved into a tool capable of use against targets in other sectors.
Bromium has announced its own discovery of a different campaign, this one a waterhole attack designed to infect visitors to the website of a technology startup in the oil and gas sector. The waterhole was established immediately after the startup announced significant new funding; the attackers seem to have believed the news would draw high-value targets.
"Tinybanker" malware, whose source code was leaked in July, is now active against US financial institutions.
The German government is under Wikileaks-driven criticism for its alleged role in fostering or at least tolerating Gamma's development and sale of FinFisher.
Post mortems on the JPMorgan, Home Depot, and Goodwill hacks continue.
An Amazon cross-site-scripting issue is reported and quickly addressed. A Twitter vulnerability to credit card theft is similarly reported and fixed.
A new exploit kit, "Archie," is targeting Adobe and Silverlight vulnerabilities.
Android malware is found using SSL-based evasion techniques.
SANS deplores, in a more-in-sorrow, we-told-you-so mood, cyber criminals' avid purchases of space in new top-level domains (".support," ".club," etc.).
Three stories give reason to think thrice about selling old hardware: children's tablets, smartphones, even servers. They're harder to sanitize than one might think.
Apple has added two-step verification to iCloud. Adobe patches Reader.
US cyber legislation looks unlikely this year.
Today's issue includes events affecting Australia, China, European Union, Germany, Iceland, Israel, Japan, Russia, Turkey, United Kingdom, and United States.
Washington, DC: the latest from the Billington Cybersecurity Summit 2014
5th Annual Billington Cybersecurity Summit: Innovations in Cyber Resiliency (Billington CyberSecurity) The 5th Annual Billington Cybersecurity Summit: Innovations in Cyber Resiliency [was] held on Sept. 16 at the Capital Hilton in Washington DC and is the leading Fall forum on cybersecurity
NSA Director Rogers Urges Cyber-Resiliency (Threatpost) In his keynote address at the Billington Cybersecurity Summit, NSA Director and Commander of U.S. Cyber Command, Admiral Mike Rogers, explained that the Defense Department and corporate information security teams must focus on cyber-resiliency rather than total network protection
US bolstering cyber defense with new corps: NSA chief Michael Rogers (Economic Times) The US military is building a new cyber defense corps that can be used to protect the nation and possibly for offensive purposes, the commander of the unit said Tuesday
The National Conversation No One Wants to Have (Billington Cybersecurity Summit 2014) First, an easy risk management problem
Cyber Attacks, Threats, and Vulnerabilities
Massively Distributed Citadel Malware Targets Middle Eastern Petrochemical Organizations (Security Intelligence) Recently, IBM Trusteer researchers identified targeted cyber attacks on several Middle Eastern petrochemical companies. They have identified a campaign in which attackers are using a variant of the evasive Citadel malware. Citadel was originally created for the purpose of stealing money from banks and has been massively distributed on users' PCs around the world
Pirates of the Internetz: The curse of the waterhole (Bromium Labs Call of the Wild Blog) Last week the Bromium Labs team was contacted by a Fortune 1000 customer that detected an interesting attack via one of their installed LAVA sensors. We get such events frequently from our customers; however this attack was a bit different. The attack was a classic waterhole attack targeting potential viewers of a technology startup in the Oil and Gas sector. Interestingly, this attack occurred days after the company announced a sizable funding grant. It's likely that the attackers were expecting more traffic to the website and hoped to increase their chances of a successful infection. The names of the companies involved are redacted and they have confirmed that the infection has been remediated and both have confirmed that no sensitive information was leaked
'Tiny banker' malware targets US financial institutions (Computerworld) Its source code was leaked in July, which may have broadened its use among cybercriminals
Wikileaks releases FinFisher files to highlight government malware abuse (Guardian) Germany has been criticised by the whistleblowing site for failing to block a 'weaponised malware' dealer selling to regimes with poor human rights records
Home Depot Data Hacks Caused By Outdated Information System, Low Security Level, Executives Allegedly Refused To Upgrade Security System (Franchise Herald) Former members of Home Depot's security group revealed that the payment system that the retailer uses was not a system that encrypts data from credit and debit cards. This window could allow potential hackers to take advantage of the customers' data
JP Morgan denies that system blueprints were stolen in June cyber attack (Computing) More details have emerged about the attack on banking giant JP Morgan, which saw sensitive banking systems hacked and details about clients and deals apparently transmitted to systems in Russia
Breach at Goodwill Vendor Lasted 18 Months (Krebs on Security) C&K Systems Inc., a third-party payment vendor blamed for a credit and debit card breach at more than 330 Goodwill locations nationwide, disclosed this week that the intrusion lasted more than 18 months and has impacted at least two other organizations
Amazon.com Stored XSS via Book Metadata (B.FL7.DE) Amazon's Kindle Library, also known as "Manage Your Content and Devices" and "Manage your Kindle", is, at the time of writing, vulnerable to Stored Cross-Site Scripting (XSS) attacks. (Update 2014-09-16: Apparently, Amazon fixed the issue earlier today.) Malicious code can be injected via e-book metadata; for example, an e-book's title
Archie Exploit Kit Targets Adobe, Silverlight Vulnerabilities (Threatpost) A relatively new exploit kit that borrows modules copied from the Metasploit Framework and exploits any older versions of Adobe Flash, Reader, and Silverlight the user may be using has begun to make the rounds
"Shocking" Android browser bug could be a "privacy disaster": here's how to fix it (Naked Security) Independent security researcher Rafay Baloch has written about a security bug in the Android Browser app that allows one website to steal data from another
Android Malware Use SSL for Evasion (TrendLabs Security Intelligence Blog) Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are designed to provide a secure, encrypted connection between a client and a server online
AppLock Vulnerability Leaves Configuration Files Open for Exploit (TrendLabs Security Intelligence Blog) We have previously discussed certain file locker apps that fail to hide files properly
From the Labs: VBA is definitely not dead — in fact, it's undergoing a resurgence (Naked Security) Earlier this year, Principal Researcher at SophosLabs, Gabor Szappanos (Szappi) published an excellent paper, "VBA is not dead", on the re-emergence of Visual Basic code in malicious documents
The Prevalence of Crypto-Ransomware (TrendLabs Security Intelligence Blog) Cryptolocker, a refinement of ransomware with file-encryption capabilities, emerged in the wild last October 2013. It continuously evolves, as seen in the inclusion of new tactics and methods to avoid early detection and convince unsuspecting users to pay the 'ransom' to get their files back
FreeBSD Denial of Service advisory (CVE-2004-0230) (Internet Storm Center) A vulnerability has been discovered by Johnathan Looney at the Juniper SIRT in FreeBSD (base for Junos and many other products) in the way that FreeBSD processes certain TCP packets
https[:]//yourfakebank.support — TLD confusion starts! (Internet Storm Center) Pretty much ever since the new top level domain (TLD) ".biz" went online a couple years ago, and the only ones buying domains in this space were the scammers, we kinda knew what would happen when ICANN's latest folly and money-grab went live
Vulnerability Allows Attacker to Delete Credit Cards from Any Twitter Account (HackRead) An Egyptian security researcher, Ahmed Mohamed Hassan Aboul-Ela, has found a critical vulnerability in Twitter that allows a hacker to delete credit card details from any account
Back-and-Forth with Google Led to Disclosure of Android Browser Flaw (Threatpost) The researcher who originally discovered the same-origin policy bypass in the Android browser said he reported the vulnerability to Google some time ago, but that the company's Android security team said it was unable to reproduce the issue
Why it's a bad idea to sell your child's cheap tablet on eBay (Guardian) Difficulties wiping data could lead to privacy problems including recovery of children's data and passwords
No old iPhone is left behind in this Shenzhen market (IT World) Dealers in Shenzhen are making a business re-selling and refurbishing old iPhones
Man buys old servers, accuses Ernst & Young of data breach (Naked Security) A Canadian who calls himself the owner of a used-computer dealership in Calgary (one that apparently doesn't have a website) says he's sitting on a pile of data for Ernst & Young's customers, stored on servers he bought in 2006
Beware overdue invoice malware attack, wrapped in an .ARJ file! (We Live Security) If you've been messing around with technology for a while, you may remember the good old days of acoustic couplers, ZModem, and Bulletin Board Systems (BBSes)
Security Patches, Mitigations, and Software Updates
Apple adds two-step verification for iCloud, effective immediately (Naked Security) Apple really is listening, and doubly so! The company backed down over the "foistware" U2 album that you recently received via iTunes, like it or not
Adobe Gets Delayed Reader Update Out the Door (Threatpost) Adobe has straightened out issues it spotted during regression testing that caused a Reader and Acrobat update to be postponed last week
Big Batch of Bugs Fixed in Various Versions of IDA (Threatpost) The makers of the popular IDA disassembly and debugging tool have fixed more than a dozen security vulnerabilities in a variety of versions. Some of the vulnerabilities are a couple of years old, and patches are provided for versions from 6.1 up through 6.6
M-Payments — New Ways and New Risks in Moving Money (Willis Wire) Electronic payment systems are nothing new. The first electronic payments were made over telegraph wires in the 19th century, hence still referring to 'wire transfers' today
Cyber Risk As Board Room Agenda (Business World) With the high pace growth of Information Technology and now disruptive technologies, in the business world today, cyber risk is a crucial issue for the business leaders
Looking for the Key to Security in the Internet of Things (IEEE Spectrum) As the number of Internet connected-devices in any home skyrockets from a few, to a few dozen, to perhaps even a few hundred — including interconnecting thermostats, appliances, health and fitness monitors and personal accessories like smart watches — security concerns for this emerging Internet of Things (IoT) will skyrocket too
Imagine if Gmail bought Facebook and they were both owned by the president's buddy (Quartz) Mail.ru, Russia's most popular email provider, this morning announced that it has paid $1.47 billion for the 48% that it did not already own of VKontakte, Russia's most popular social network. Mail.ru already owns Odnoklassniki, the second-most popular network. It's as if Gmail (if it were an independent company) were to buy Facebook
Startup Spotlight: Threat Detection Specialist ThetaRay (eSecurity Planet) Israeli security startup ThetaRay promises to detect zero-day attacks, hidden APTs and other threats in seconds by simultaneously analyzing all security and operational data sources
The Security Skills Shortage No One Talks About (InformationWeek) Lack of soft skills in information security is an even bigger problem than the shortage of technical expertise
Products, Services, and Solutions
Cisco unveils threat-focused next-generation firewall (Help Net Security) Cisco introduced a threat-focused Next-Generation Firewall (NGFW). Cisco ASA with FirePOWER Services provides the full contextual awareness and dynamic controls needed to automatically assess threats, correlate intelligence, and optimize defenses to protect all networks
Porticor Fosters HIPAA Compliance, Cloud Security (NewsFactor) Porticor®, a leading cloud data security company delivering the only cloud-based key management and data encryption solution that infuses trust into the cloud and keeps cloud data confidential
Biometric security: giving cyber criminals the finger (Finextra) Last week, Barclays committed to a progressive future in banking security with the launch of the Barclays Biometric Reader
Cyveillance Launches Cyber Threat Center for Security, Cyber, and Risk Professionals (PR Newswire) The Cyveillance Cyber Threat Center combines web search, social media monitoring, global intelligence reports, and a suite of investigative tools and databases in an easy-to-use, cloud-based portal
Meet The Next Next-Gen Firewall (Dark Reading) Or at least the latest iteration of one of the oldest-running security tools that continues to evolve and transform with the times
Spirent Federal's New Proof of Concept Facility Helps Federal Agencies and Integrators Prepare for Offensive and Defensive Security Operations (Herald Online) New facilities offer realistic environments used to demonstrate cyber ops teams to defend assets and attack targets
SurfWatch Labs Announces Availability of Cyber Risk Business Intelligence Application that is Purpose-Built for C-Level Executives and Board Members (InsuranceNewsNet) SurfWatch Labs, a provider of cyber risk intelligence solutions, announced the general availability of SurfWatch C-Suite, an interactive dashboard application designed specifically to give corporate executives and board members the ability to easily and immediately understand cyber risk KPIs
Technologies, Techniques, and Standards
New CVE Naming Convention Could Break Vulnerability Management (Dark Reading) MITRE sets deadline for releasing new CVEs with different ID format syntax, regardless of how many vulnerabilities we see in 2014
Testing Security Controls for Logic Based Attacks (CSO) A lot of attention is being focused on cryptography and other security controls being manipulated by attackers who are exploiting poor implementations, lack of maintenance and seemingly unforeseen omissions in the controls' coding. This can lead to a trusted security control being turned into a weapon of choice. I overheard a group of people discussing software controls testing and the various methods being used: commercial code analysis tools, in-house scripts and test packs, and also the ingenuity of pen testing. After a while, the conversation turned to the testing of logic based attacks on security controls and it seemed to be agreed there was nothing you could really do to get ahead of these sophisticated attacks
In Defense Of Passwords (Dark Reading) Long live the password (as long as you use it correctly along with something else)
Avoid Hybrid Cloud Gotchas — Part 1 (Equinix Interconnections) Over the last year, cloud deployments represented one third of our new Equinix business and we expect to see more and more hybrid cloud migrations as this business continues to grow
Avoid Hybrid Cloud Gotchas — Part 2: Data Security (Automated Trader) As the 12 security breaches that shaped history illustrate, information theft was going on long before the birth of Edward Snowden or the cloud. In fact, one of the most famous traitors of the 1600s, England's Guy Fawkes, is now the face of this century's most infamous and "anonymous" hacker network
Design and Innovation
Internet giants band together to improve open source programs (Help Net Security) A group of companies that includes Facebook, Google, Dropbox, GitHub and Khan Academy has announced a new collaboration that will focus on making open source "easier for everyone"
Research and Development
The Quantum of Cryptography: Australia's Role in New Unbreakable Encryption (Techly) Spies aren't the only ones who need to encrypt data; in an increasingly privacy and security-conscious world, consumers would do well to consider their own cryptography needs
Just how much information can be squeezed from one week of your metadata? (Naked Security) Because of Edward Snowden, we've been hearing a lot about metadata for the past 15 months
Students Study a Rampant Virus at University Cybersecurity Lab (EdTechMagazine) The new Maine facility provides a closed network for finding defenses against cyberattacks
Legislation, Policy, and Regulation
GDS unveils 'Gov.UK Verify' public services identity assurance scheme (ComputerWeekly) The government's system for proving users' identities when using public services online will be launched under the brand name "Gov.UK Verify"
EU data protection reform threatens NHS record-sharing plans (ComputerWeekly) Proposed changes to European Union (EU) data-sharing legislation could obstruct the NHS' plans for seamless data integration across GP surgeries and hospitals
'You can play with your bitcoins, but you can't pay with them': Russia may ban cryptocurrencies by 2015 (Russia Today) Russia is set to become the latest country to restrict virtual currencies such as Bitcoin, after a top official announced that a law will be passed banning their exchange into real money by next spring due to their use by criminals and terrorists
Privacy, diversity and cybersecurity take center stage in new intel strategy (Washington Times) Director of National Intelligence James R. Clapper will roll out a National Intelligence Strategy this week. This will be the third such document, after reports by John D. Negroponte in 2005 and Dennis C. Blair in 2009
NSA reform bill stalled with Congress headed toward fall recess (IDG via ComputerWorld) Members of Congress are set to leave Washington for an extended fall recess in a few days
The FTC's expanding cybersecurity influence (Fed Scoop) The answer to who is in charge of the federal effort to bolster the nation's cybersecurity posture may not be as difficult to uncover as previously thought
Coming soon: Computer monitoring for highly-cleared contractors (Politico) Federal contracting companies will soon be required to use enhanced computer monitoring techniques on employees that access classified networks, under new Pentagon rules designed to stop the next Edward Snowden or Pvt. Chelsea Manning from making off with intelligence or military secrets
Army investing in Soldiers, civilians to fight war against hackers (Bayonet and Sabre) The commander who oversees the Army's cyber world spoke at the monthly breakfast of the Association of the U.S. Army on the 13th anniversary of 9/11, saying the information technology that company commanders have at their disposal today is equivalent to what a division commander had in 2001
Litigation, Investigation, and Law Enforcement
Google Piles Pressure On Congress With Latest Transparency Report (Forbes) Government requests for user data are still rising, says Google — up 19 percent in the US from six months ago and 250 percent since the company started publishing the figures in 2009
Apple questioned on Watch privacy by state attorney general (Naked Security) Apple's calling its new Apple Watch its "most personal device ever"
Double latte with your bogus tax refund? Feds win guilty plea in Detroit scam (Detroit Free Press) Free Wi-Fi at Starbuck's helped produce $1.8 million in bogus tax refunds for some Detroit customers
China's ambassador to Iceland has been allegedly detained for leaking secrets to Japan (Quartz) Chinese ambassador to Iceland Ma Jisheng and his wife, Zhong Yue, have been arrested by Beijing on suspicion of leaking national security secrets to Japan, according to a Chinese-language media report
For a complete running list of events, please visit the Event Tracker.
SINET Global Summit (London, England, UK, Sep 16 - 17, 2014) "Advancing Global Collaboration and Innovation." Global Summit focuses on building international public-private partnerships that will improve the protection of our respective homeland's critical infrastructures, national security and economic interests. The Global Summit's objective is to build and maintain international communities of interest and trust that foster vital information sharing, broad awareness and the application of our nation's most innovative technologies to enable a safer and more secure homeland for the United States, United Kingdom and our trusted allies. The US Department of Homeland Security Science & Technology Directorate supports this event along with Her Majesty's Government (HMG) as the UK representative.
Cyber Attack Against Payment Processes Exercise 2 (Online, Sep 16 - 17, 2014) FS-ISAC, the Financial Services Information Sharing and Analysis Center will conduct its fifth annual simulated cyber security exercise related to payment processes used by banks, community institutions, credit unions and associated financial services organizations. Over a two day period this fall, hundreds of security, risk and IT professionals will experience a highly realistic set of scenarios in a safe environment in order to practice and improve their response to cyber incidents. The teams are encouraged to involve multiple parts of their organizations, from IT and security to payments experts to communications teams to line of business leaders and executive teams. The simulation is known as CAPP or Cyber Attack Against Payment Processes
Global Identity Summit (Tampa, Florida, USA, Sep 16 - 18, 2014) The Global Identity Summit is focused on identity management solutions for corporate, defense and homeland security communities. This conference and associated exhibition bring together a distinctive, yet broad comprehensive look at the identity management capabilities, challenges and solutions in the topic areas of: Biometrics, Radio-Frequency Identification, Mobile, Cyber, Smart Card Technologies, and Big Data.
Fraud Summit Toronto (Toronto, Ontario, Canada, Sep 17, 2014) From account takeover to payment card fraud and the emerging mobile threatscape, the ISMG Fraud Summit series is where thought-leaders meet to exchange insights on today's top schemes and the technology solutions designed to stop them.
Defense Intelligence Agency (DIA)/National Intelligence University (NIU) Open House (Washington, DC, USA, Sep 17, 2014) On September 17, 2014, the National Intelligence University (NIU) will hold a Tech Expo as part of its annual "NIU OUTREACH DAY" in the Tighe Lobby of DIA Headquarters on Joint Base Bolling-Anacostia. This Tech Expo will be open to all personnel within the DIA Headquarters as well as the 600+ students and faculty of NIU. Several of the 'schools' within DIA are expected to participate with their own exhibitions, including: School of Intelligence Studies, School of Science and Technology Intelligence, Center for Strategic Intelligence Research and Center for International Engagement and the John T. Hughes Library.
Cloud Security Alliance Congress 2014 (location and date not listed) This year, the CSA and the International Association of Privacy Professionals (IAPP) are combining their Congress US and Privacy Academy events into a conference in the heart of Silicon Valley that will offer attendees eighty sessions to choose from covering all aspects of privacy and cloud security. Nowhere else will cloud, IT and privacy professionals be able to meet and learn from each other, and gain visibility to practical, implementable solutions delivered by leading industry experts. Together the conferences will broaden the educational and networking opportunities available to both IAPP and CSA members. Proposals for speakers are due February 21, 2014.
ICS-ISAC Fall Conference (Atlanta, Georgia, USA, Sep 17 - 20, 2014) Cybersecurity issues — such as the DHS release of Operation Aurora information; legislation like CISA (S. 2588), CIRDA (H.R. 2952) & H.R. 3696; and the NIST Cybersecurity Framework — can leave one wondering "What, where, how and with whom should I share?" and "Where can I find solutions?" At the ICS-ISAC Fall Conference you will develop knowledge you can take to further enhance your organization's cybersecurity posture through answers to these and many other questions
Ft. Meade Technology Expo (Fort Meade, Maryland, USA, Sep 18, 2014) The Ft. Meade Technology Expo is a one-day event held at the Officers' Club (Club Meade) on base. Industry vendors will have the unique opportunity to showcase their products and services to personnel that may otherwise be unattainable. The target audience will be comprised of personnel from the ARMY, the newly headquartered DISA (Defense Information Systems Agency), DMA (Defense Media Activity), DINFOS (Defense Information School), and Ft. Meade's various military personnel. All of the above groups and military units around the base will receive promotions for this event.
The 2014 Cyber Security Summit (New York, New York, USA, Sep 18, 2014) The Cyber Security Summit, an exclusive conference series sponsored by The Wall Street Journal, has announced their second annual event in New York City. The event will connect C-Level & Senior Executives responsible for protecting their companies' critical infrastructures with cutting-edge technology providers and renowned information security experts. This informational forum will focus on educating attendees on how to best protect their highly vulnerable business applications and intellectual property. Attendees will have the opportunity to meet the nation's leading solution providers and discover the latest products and services for enterprise cyber defense
NYIT Cyber Security Conference (New York, New York, USA, Sep 18, 2014) Presented by NYIT's School of Engineering and Computing Sciences, this conference will address a broad range of pressing topics including privacy; innovations in enterprise security; systems security and the Internet of things; mobile security; the protection of critical infrastructure, organizations, and individuals against cyberattacks; and cybersecurity research and education frontiers. Keynote speeches by Robert Bigman, CEO 2BSecure LLC, Former Chief Information Security Officer, Central Intelligence Agency and Phyllis Schneck, Ph.D., Deputy Under Secretary for Cybersecurity, U.S. Department of Homeland Security
Dutch Open Hackathon (Amsterdam, the Netherlands, Sep 20 - 21, 2014) Join leading Dutch companies, during a 30-hour hackathon, as they open up APIs and technologies. Work together and develop new applications and drive global innovation
St. Louis SecureWorld (location and date not listed) Offering two days of cyber security education. Earn 12-16 CPE credits, network with industry peers, and take advantage of more than sixty educational events. Over the past decade SecureWorld has emerged as one of North America's most vital cyber-security conferences, providing globally relevant education, training and networking for cyber-security professionals on a regional level. SecureWorld provides more content and facilitates more professional connections than any other event in the cyber-security industry. Established in 2002, SecureWorld offers many different continuing professional education sessions over two days in 14 cities throughout the United States.
Workshop on Cryptographic Hardware and Embedded Systems 2014 (CHES 2014) (Busan, Korea, Sep 23 - 26, 2014) The annual CHES workshop highlights new results in the design and analysis of cryptographic hardware and software implementations. CHES provides a valuable connection between the research and cryptographic engineering communities and attracts participants from industry, academia, and government organizations.
Rock Stars of Cybersecurity (Austin, Texas, USA, Sep 24, 2014) The unprecedented Target breach and NSA spying scandal have put cybersecurity in the global spotlight. With cyberattacks on the rise, it is now even more important to learn how to identify weaknesses and protect company infrastructure from incursions. At the Rock Stars of Cybersecurity conference, well-respected cybersecurity authorities from leading companies will deliver case studies and actionable advice that you can immediately put to use.
VB2014 (venue and dates not listed) Over its 24-year history, the VB conference has become a major highlight of the IT security calendar, with many of its regular attendees citing it as the security event of the year. The conference provides a focus for the industry, representing an opportunity for experts in the field to share their research interests, discuss methods and technologies and set new standards, as well as meet with, and learn from, those who put their technologies into practice in the real world.
DerbyCon 4.0 (Louisville, Kentucky, USA, Sep 24 - 28, 2014) Welcome to DerbyCon 4.0, "Family Rootz". This is the place where security professionals from all over the world come to hang out. DerbyCon 4.0 will be held September 24-28, 2014. DerbyCon 2013 pulled in over 2,000 people with an amazing speaker lineup and a family-like feel. We've listened to your feedback and plan on making this conference even better this year.
BruCON 2014 (Ghent, Belgium, Sep 25 - 26, 2014) BruCON is an annual security and hacker conference providing two days of open discussion of critical infosec issues, privacy, information technology, and its cultural and technical implications for society. Organized in Belgium, BruCON offers a high-quality lineup of speakers, security challenges and interesting workshops. BruCON is a conference by and for the security and hacker community.
ROOTCON 8 (venue and dates not listed) ROOTCON is the first hacking convention in the Philippines: a hacker conference, not a seminar, training or workshop. It will feature the following tracks: advanced HTTP header security analysis; browser extension malware extending cybercrime capabilities; new techniques in email-based threats and attacks; shellcode exploit analysis, tips and tricks; the Necurs rootkit; social engineering, hacking the mind; and hacking your way to ROOTCON.
INTEROP (New York, New York, USA, Sep 29 - Oct 3, 2014) Interop returns to New York with practical and visionary conference sessions designed to help you accelerate your career. This year's conference tracks include: Applications, Business of IT, Cloud Connect Summit, Collaboration, Infrastructure, Mobility, Risk Management & Security, and Software-Defined Networking (SDN).
Indianapolis SecureWorld (Indianapolis, Indiana, USA, Oct 1, 2014) A day of cyber security education. Earn 6-8 CPE credits, network with industry peers, and take advantage of more than thirty educational events. Larry Ponemon, Chairman and Founder of the Ponemon Institute, will deliver the opening keynote. SecureWorld, established in 2002, runs regional continuing-professional-education conferences for cyber-security professionals in 14 cities throughout the United States.
Suits and Spooks New York (New York, New York, USA, Oct 2 - 3, 2014) Not another hacker conference. Suits and Spooks is a unique gathering of experts, executives, operators, and policymakers who discuss hard challenges in a private setting over two days. Suits and Spooks New York will return to Soho House on October 2-3, 2014. Stay tuned for our speaker list and agenda coming this summer.
Open Analytics Summit (Dulles, Virginia, USA, Oct 7, 2014) Open Analytics Summits are for developers, engineers, data scientists, CMOs, data analysts, CTOs, architects, brand managers, and anyone passionate about open source technologies, big data, or data analytics.
MIRcon 2014 (Washington, DC, USA, Oct 7 - 8, 2014) MIRcon 2014 is the premier information security industry event of the year. The conference is designed to educate innovators and executives battling cyber attackers daily.
Cyber Security EXPO (venue and dates not listed) Securing information, mobility, cloud, and social interaction for the modern enterprise. Disruptive technologies such as cloud computing, mobile, bring your own device (BYOD) and social media are pushing sensitive data and functions closer to the user and away from traditional controls. Cyber crime is at an all-time high, and attackers are using highly sophisticated methods that take advantage of a hyper-connected world. The challenge of securing corporate data and networks to mitigate risk is greater than ever. CISOs need new tools, new thinking and new policies to meet these challenges, and Cyber Security Expo 2014 has been designed to do just that. Cyber Security Expo will have a dedicated conference as well as five highly focused theatres and a significant exhibition. Major themes examined include: Internet & Network Security, Social and Consumer Trends, Cyber Crime, Log Data & Advanced Analytics, Identity & Access Management, Privacy & Data Protection, Cloud Security & Governance, and Mobile Device Management.
InfoSec 2014 (Kuala Terengganu, Malaysia, Oct 8 - 10, 2014) You are invited to participate in The International Conference on Information Security and Cyber Forensics (InfoSec 2014), which will be held at Universiti Sultan Zainal Abidin (UniSZA), Kuala Terengganu, Malaysia on October 8-10, 2014. The event will be held over three days, with presentations delivered by researchers from the international community, including keynote speakers and state-of-the-art lectures.
Hacktivity 2014 (Budapest, Hungary, Oct 10 - 11, 2014) Official and alternative representatives of the information security profession meet with all those interested in the field in a setting that is at once informal and informative, and at times deeply technical.
Ruxcon (Melbourne, Australia, Oct 26 - 27, 2013) Ruxcon is a computer security conference that aims to bring together the best and brightest security talent in the Aus-Pacific region. The conference is a mixture of live presentations, activities and demonstrations presented by security experts from the Aus-Pacific region and invited guests from around the world. Ruxcon is widely regarded as a leading computer security conference within Australia, attracting all facets of the security landscape, from industry and academia to enthusiasts.
Hack-in-the-Box Malaysia (Kuala Lumpur, Malaysia, Oct 13 - 16, 2014) HITBSecConf, the Hack In The Box Security Conference, is an annual must-attend event in the calendars of security researchers and professionals around the world. Held annually in Kuala Lumpur, Malaysia and in Amsterdam, the Netherlands, HITBSecConf is a platform for the discussion and dissemination of next-generation computer security issues. Its events routinely feature two days of trainings and a two-day multi-track conference of cutting-edge, hardcore technical talks delivered by some of the most respected names in the computer security industry. HITBSecConf is a place where ideas are exchanged, talent discovered and genius celebrated.
FS-ISAC Fall Summit 2014 (Washington, DC, USA, Oct 13 - 16, 2014) The Financial Services Information Sharing and Analysis Center (FS-ISAC) is a non-profit association of financial institution members dedicated to protecting the global financial services sector from physical and cyber threats that affect the resilience, integrity and stability of member institutions, through the dissemination of trusted and timely information. Its Fall Summit will feature sessions of interest to both security professionals and the financial sector.
CYBERSEC 2014 (venue and dates not listed) CYBERSEC is a 4-day event geared toward helping you achieve your cybersecurity goals. Whether your focus is on cybersecurity management, investigation, defense, or offense, specialty cybersecurity information tracks are offered for you.
Black Hat Europe 2014 (Amsterdam, the Netherlands, Oct 2014) The premier conference on information security returns to the beautiful city of Amsterdam, Netherlands in October, 2014. Professionals from all over the world gather for two days of intense Trainings and two thought-provoking days of Briefings brought to you by some of the brightest minds in the industry.
Denver SecureWorld (Denver, Colorado, USA, Oct 16, 2014) A day of cyber security education. Earn 6-8 CPE credits, network with industry peers, and take advantage of more than thirty educational events. SecureWorld, established in 2002, runs regional continuing-professional-education conferences for cyber-security professionals in 14 cities throughout the United States.
CSEC 2014 Cyber Security Summit (Kingdom of Bahrain, Oct 20 - 22, 2014) At the inaugural Cyber Security Summit 2014, you will have the opportunity to seek ways to reset your IT security and risk strategy for success; stay relevant as IT security and risk are redefined; implement BCM best practices for threat resilience; mitigate the risks of new social collaboration tools; craft strategy for emerging BYOD and mobile threats; learn new regulatory compliance requirements; and more. This year's CSEC Summit attendees will hear the latest presentations from the information security community on today's most pressing topics, attend workshops run by expert analysts and industry leaders, hear real-life experiences in peer case studies, engage in analyst-user roundtables and one-on-one meetings with industry experts, and check out the latest solutions in the Solution Showcase.
2014 ICS Cyber Security Conference (Atlanta, Georgia, USA, Oct 20 - 23, 2014) The 14th ICS Cyber Security Conference (sometimes known as "Weisscon") will be held October 20-23, 2014 at Georgia Tech in Atlanta, GA. Cyber security is becoming a critical infrastructure issue with implications that go far beyond the plant fence. Plant engineers, corporate officers, insurance company executives and more will be handling cyber security issues in the coming years. This conference is essential attendance for people in the manufacturing or utility environment.
Hack.lu 2014 (Dommeldange, Luxembourg, Oct 21 - 24, 2014) Hack.lu is an open convention/conference where people can discuss computer security, privacy, information technology, and its cultural and technical implications for society.
Cyber Security Summit 2014 (venue and dates not listed) Cyber security breaches have a profound impact on all areas of society. Join the discussion at Cyber Security Summit 2014. For two days, leaders from the public and private sectors meet to identify cyber threat issues and their countermeasures.
ISSA International Conference (Orlando, Florida, USA, Oct 22 - 23, 2014) Join us for solution oriented, proactive and innovative sessions focused on security as a vital part of the business.
ToorCon San Diego (San Diego, California, USA, Oct 22 - 26, 2014) For hackers like you, because what could possibly go wrong?
FOCUS 14: Empowering the Connected World (Las Vegas, Nevada, USA, Oct 26 - 27, 2014) FOCUS will offer you a unique opportunity to learn directly from other McAfee users. Hear real-world scenarios from McAfee customers and learn how they maintain the highest standards of security while reducing costs, streamlining processes, and driving efficiencies in the daily administration of their networks and systems. Network with security peers who share your challenges, concerns and issues, and learn more about their own success strategies.
Dallas SecureWorld (Dallas, Texas, USA, Oct 29 - 30, 2014) Offering two days of cyber security education. Earn 12-16 CPE credits, network with industry peers, and take advantage of more than sixty educational events. SecureWorld, established in 2002, runs regional continuing-professional-education conferences for cyber-security professionals in 14 cities throughout the United States.
CyberMaryland 2014 (Baltimore, Maryland, USA, Oct 29 - 30, 2014) Entrepreneurs, investors, academia and government will convene in Maryland, the nation's epicenter for cybersecurity, for the fourth annual CyberMaryland Conference.
Cyber Job Fair (Baltimore, Maryland, USA, Oct 29, 2014) ClearedJobs.Net is partnering with CyberMaryland to present the Cyber Job Fair at the CyberMaryland 2014 conference. The Cyber Job Fair is a hiring event for cleared and non-cleared cybersecurity professionals, held on the first day of the conference.
ekoparty Security Conference 10th edition (Buenos Aires, Argentina, Oct 29 - 31, 2014) ekoparty (Electronic Knock Out Party) Security Conference is a one-of-a-kind event in South America: an annual security conference held in Buenos Aires, where security specialists from all over Latin America (and beyond) have the chance to get involved with state-of-the-art techniques, vulnerabilities, and tools in a relaxed environment never seen before.
Cyber Risk Summit (Washington, DC, USA, May 22, 2014) This one-day leadership conference will provide a discussion forum for business executives, insurance companies and policymakers on more effective private and public responses to cyber risk management. Topics to be discussed by expert speakers will include state and federal regulatory and legislative initiatives, efforts to develop a common cyber security framework, the threats from cyber espionage and terrorism, and the development of public and private mechanisms to finance and transfer losses from cyber events.
Senior Executive Cyber Security Conference (Baltimore, Maryland, USA, Oct 30 - Nov 1, 2014) North Star Group, LLC and the Johns Hopkins University's Whiting School of Engineering and Information Security Institute sponsor this senior-executive-focused cyber security conference. This event is designed for non-technical and technical executives who seek to gain a deeper understanding not just of the technical aspects of data breach prevention, but also of the important roles that insurance, crisis management, legal and human resources play. Speakers include Dr. Ed Schlesinger, Dean of Johns Hopkins University's Whiting School of Engineering; Dr. Andy Ozment, Assistant Secretary of the Office of Cybersecurity and Communications, Department of Homeland Security; and Mr. Eric Joost, Chief Operating Officer, Willis North America.