The CyberWire Daily Briefing 09.19.14

Summary

By The CyberWire Staff

ISIL continues to use hostages in online propaganda.

The Senate Armed Services Committee declassifies an inquiry into Chinese cyber espionage against US Transportation Command (TRANSCOM — a unified, functional combatant command in the Department of Defense) and the details aren't pretty. More than twenty advanced persistent attacks (and around thirty other intrusions) occurred between June 2012 and May 2013, with attacks largely accomplished against TRANSCOM's contractors. TRANSCOM was aware of two of them, and the Senate attributes this institutional myopia to poor information sharing on the part of pretty much everyone: TRANSCOM, contractors (and subcontractors), the FBI, other elements of the Defense Department, etc. The campaign targeted both intellectual property and military information.

IBM warns that it's seeing banking Trojans repurposed for use against other sectors.

Home Depot says it's contained the breach it sustained, and that some 56M cards were affected. The investigation is focused on self-checkout point-of-sale systems, which appear to be where the malicious code was installed.

A partial answer to the black-market value of medical records is provided, unfortunately, by a breach at a Texas insurance company. KrebsOnSecurity has found "medical records being sold in bulk for as little as $6.40 apiece" in criminal markets.

Apple releases iOS 8 and OS X 10.9.5. Microsoft struggles again with its patch process.

In industry news, layoffs at Microsoft and elsewhere are churning the IT labor market. Huawei dismisses Western security concerns as "noise around the perimeter."

TrueCrypt seems ready to reappear as "CipherShed."

New Zealand's GCSB clarifies Project Speargun.

Notes.

Today's issue includes events affecting China, European Union, Iraq, Ireland, Russia, Singapore, Syria, Ukraine, United Arab Emirates, United States

Selected Reading

Cyber Trends

Big data security analytics still immature, say security experts (ComputerWeekly) While big data security analytics promises to deliver great insights in the battle against cyber threats, the concept and the tools are still immature, according to a panel of security experts

Cyber crime wake-up call (MicroScope) Mounting levels of cyber crime and industrial espionage are sounding a long-awaited and much- needed wake-up call in the ears of corporate executives

Cybercrime in 2025: Where do you go when there's nowhere to hide? (GMA Network) Imagine a world where your house can talk to you, your car drives itself, and even your refrigerator knows what you eat

The state of document security in a post-Snowden world (TechRadar) Sharing sensitive data can be a tricky business

Netskope exposes cloud data fears (MicroScope) No matter how hard the cloud industry does its best to reassure customers over data security issues users continue to have doubts that those hosting their sensitive information are going to be able to protect it

White House: Internet not Borderless, but Lacking Interior (Threatpost) In an afternoon keynote address at the Billington Cybersecurity Summit yesterday, Michael Daniel, a special assistant to the president and White House Cybersecurity Coordinator, refuted the common sentiment that the Internet is difficult to defend because it is borderless. To the contrary, Daniel explained that the border is everywhere on the Internet, and what is really lacking is an interior

V3 Security Summit: Skills gap puts the future of UK cyber security at risk (V3) The latest manifesto from TechUK indicates a need to address both the digital skills gap and improve cyber security, otherwise the future of the UK's technology industry may be at risk

3 out of 4 Internet users in Singapore concerned about social network privacy (MIS Asia) More than half of respondents (almost 66 percent) in Singapore are not protected on their mobile devices and personal computers

Legislation, Policy and Regulation

GCSB clarifies 'Project Speargun' (Stuff) The Government Communications Security Bureau has tightened its defence over claims of mass surveillance by confirming the term "Project Speargun" was used to describe an abandoned element of a proposed cyber defence system

US Official: Chinese Want NSA Cyber Schools. Really. (Nextgov) Chinese universities are welcome to adopt the U.S. National Security Agency's cyber education program, the top U.S. computer security education official said, after a recent trip to Beijing

'Need To' Declassify More Cyber Attacks: NSA Deputy Ledgett (Breaking Defense) The deputy director of the National Security Agency said today that the Intelligence Community should declassify the existence of more cyber attacks to improve the agency's ability to mobilize the private sector and to get help when needed

Is NSA Planning to Beef Up Cyber Response Capabilities? (Nextgov) Adm. Michael Rogers, commander of U.S. Cyber Command and director of the National Security Agency, said the Obama administration's controversial spying programs have not cost the country friends or allies either in the technology industry or abroad. Indeed, the agency shows no signs of slowing down at all

GAO: DHS needs a better approach to assess vulnerabilities in critical infrastructure (FierceHomelandSecurity) Congressional investigators said the Homeland Security Department needs a better way to consistently assess vulnerabilities in critical infrastructure despite conducting thousands of reviews in recent years

Audit finds numerous IT-related security problems for DHS agencies at airport (FierceHomelandSecurity) An internal audit found that the Homeland Security Department's IT systems and assets at Dallas-Fort Worth International Airport had inadequate security measures, which could potentially be exploited or compromised

Identifying regulatory gaps in big data difficult, says FTC panel (FierceGovernmentIT) Once reserved for scientific studies, big data is now regularly used by corporations to analyze information about consumers — and privacy experts say these emerging practices raise tough policy questions

Federal Inaction Breeds ID Theft, Says Frank Abagnale (InformationWeek) Onetime "Catch Me If You Can" swindler turned anti-fraud consultant says identity theft is "4,000 times easier" than when he was living a life of crime

Dateline

New York City Cyber Security Summit (CyberSummitUSA) The Cyber Security Summit is an exclusive conference series connecting C-Level & Senior Executives responsible for protecting their companies' critical infrastructures with cutting-edge technology providers and renowned information security experts

Products, Services, and Solutions

TrueCrypt Getting a New Life (eSecurity Planet) TrueCrypt will stay alive, thanks to devotees who are forking the encryption program's code. 'Cleaned up' code will get a new name, CipherShed, and a different open source license

How two "holy grails" of cryptography can make the cloud safe everywhere (Quartz) The cloud can be a scary place, whether you're a celebrity with risqué photos or a bank with $10 billion in assets

In-depth: How CloudFlare promises SSL security — without the key (Ars Technica) CEO shares technical details about changing the way encrypted sessions operate

Brit corrals heavyweight capacity for cyber launch (Insurance Insider) Brit Insurance has put together a $250mn consortium, including capacity from Berkshire Hathaway, to write a new cover to protect critical infrastructure against cyber attacks, The Insurance Insider can reveal

McAfee, Symantec Join Cyber Threat Alliance (eWeek) Fortinet, McAfee, Palo Alto Networks and Symantec will dedicate resources to determine the most effective mechanisms for sharing advanced threat data

DigiCert Releases Tool to Simplify SHA-2 Migration for System Administrators (MarketWired) DigiCert, Inc., a leading global Certificate Authority and provider of trusted identity and authentication services, today released a free tool which helps system administrators analyze their use of SHA-1 hashing algorithms across all domains and subdomains

FireEye and Mandiant Unite to Deliver Industry's First Global Security as a Service Solution (Dark Reading) Introduces next generation Threat Intelligence Suite for deeper insights into cyber attacks

Alert Logic Launches UK Datacenter, Provides Enhanced Data Protection to European Customers (PRNewswire) Alert Logic, the leading provider of Security-as-a-Service for the cloud, has announced the completion of its European Datacenter, now generally available for partners and customers

LabTech Software, Thycotic Unveil Password Management Integration (MSPmentor) LabTech Software says new integration with Thycotic Secret Server streamlines connectivity to shared credentials

Sookasa's Dropbox Encryption Solution Named by Blog HIPAA as One of "5 Key Tools to Help Achieve HIPAA Compliance" (PRWeb) Blog HIPAA chooses Sookasa's Dropbox Encryption Solution as top tool to enable healthcare organizations achieve HIPAA compliance in the cloud

Simply Secure aims to make security technology usable (Help Net Security) Just two days after they joined a collaboration that will focus on making open source "easier for everyone," Google and Dropbox have announced that they will be working together on another initiative: Simply Secure

Technologies, Techniques, and Standards

5 Ways To Monitor DNS Traffic For Security Threats (Dark Reading) Check out these examples of how to implement real-time or offline traffic monitoring using common commercial or open source security products

Is a Remote-Wipe Policy a Crude Approach to BYOD Security? (CIO) While the capability to remotely wipe data from lost or stolen mobile phones may help CIOs sleep at night, it may be an outdated approach to BYOD security

How to change Safari's default search engine in iOS 8 for greater privacy (We Live Security) If you're one of the many millions of iPhone and iPad users who managed to successfully upgrade to iOS 8 overnight congratulations

Persistence tech offers layered approach to security (GCN) Faced with the complex trifecta of workforce mobility, increased connectivity and regulatory compliance, government IT leaders are managing a delicate juggling act in today's intricate security and regulatory environment

Free tool simplifies SHA-2 migration for system administrators (Help Net Security) DigiCert released a free tool which helps system administrators analyze their use of SHA-1 hashing algorithms across all domains and subdomains and map out a path for SHA-2 migration

Marketplace

Microsoft closing standalone Trustworthy Computing group, folding into other units (Geekwire) Microsoft will shutter its standalone Trustworthy Computing group, folding elements of the unit's work on security, privacy and related issues into its Cloud & Enterprise Division, and its Legal & Corporate Affairs group

Growing IT layoffs add to recruiter feeding frenzy (FierceCIO) As reported by FierceCIO last Thursday, news that Microsoft will lay off close to 18,000 workers caught even the most critical analysts off guard, with the media now scrambling to figure out what it all means for the tech giant. But one thing that was immediately agreed to is that the announcement means 'open season' for recruiters

Western security concerns are 'noise on the periphery' says Huawei exec, as firm looks to impress CIOs (Computing) Chinese telecommunications firm Huawei regards security questions surrounding its products as "noise on the periphery", saying that CIOs are more interested in hearing about how Huawei can benefit their organisations

Raytheon Ready for Acquisitions? (Barron's) The contractor will be in a net cash position for the first time since 2010

Desmond invests in cyber security firm (Irish Times) Vahna said it received "significant investment" from IIU in order to fund expansion

Larry Ellison Steps Down: Succession Done Well (LinkedIn) Founders always have a very hard time giving up their roles as CEO

David Keffer Named EVP, CFO at SRA (GovConWire) David Keffer, formerly corporate controller at SRA International, has been promoted to executive vice president and chief financial officer and will be in charge of the company?s financial functions and operations

Why CSO pay is too low in San Francisco, New York (CSO) CSOs get paid more in San Francisco and New York, but they can live better in Chicago and Denver

Security Patches, Mitigations, and Software Updates

Apple Releases Security Updates for iOS, Apple TV, and Xcode (US-CERT) Apple released security updates for iOS devices, Apple TV, and Xcode to address multiple vulnerabilities, some of which could allow attackers to execute code with system privileges or cause an unexpected application termination

Apple ships a sevenfold security surprise, including iOS 8 and OS X 10.9.5 (Naked Security) Apple doesn't have Patch Tuesdays, but it does have Update Surprisedays

Is Enterprise IT Security Ready For iOS 8? (Dark Reading) Apple bakes in more security features, but iOS 8 won't come without security ops headaches

Microsoft patch system seriously flawed — withdraws more updates (myce) A week after the release of a security update for Microsoft Lync Server, the software giant yesterday decided to withdraw a patch for the software. Lync Server (previously known as Microsoft Office Communications Server) is a real time communication platform for enterprises and used for e.g. instant messaging and video conferences. A security update for Lync Server which Microsoft released last week caused issues and has been withdrawn

Google to turn on encryption by default in next Android version (IDG via CSO) Google is turning on data encryption by default in the next version of Android, a step that mirrors broad moves in the technology industry to ensure better data security

Cyber Attacks, Threats, and Vulnerabilities

New Islamic State Video Features British Hostage as Group Spokesman (New York Times) The Islamic State released the latest in a series of propaganda videos on Thursday, a slickly produced introduction to what it promised would be a multipart series on the group and the folly of efforts by the United States to fight it

Chinese Penetrate TRANSCOM Amid Lack of Data Sharing (Threatpost) Hackers allegedly affiliated with the Chinese government compromised the computer networks of the United States Transportation Command, the group tasked with providing air, land and sea transportation services to the Department of Defense, according to the findings of a Senate Armed Services Committee investigation

Chinese hacked U.S. military contractors, Senate panel finds (Reuters) Hackers associated with the Chinese government have repeatedly infiltrated the computer systems of U.S. airlines, technology companies and other contractors involved in the movement of U.S. troops and military equipment, a U.S. Senate panel has found

US Military In The Dark On Cyberattacks Against Contractors (Dark Reading) A lack of communication between military contractors and government agencies about Chinese cyber espionage attacks is revealed in a new Senate report

Charges of China's military hacking into corporate America piling up (Ars Technica) US appears powerless to bring Chinese soldier hackers to justice

Cyber espionage carries high cost to U.S., expert says in Las Cruces talk (Las Cruces Sun-News) In 2003, Chinese cyber espionage of the U.S. Department of Defense computer system led to a theft of data equal to 20 percent of all the information stored in the Library of Congress, Joel Brenner told those attending the Domenici Public Policy Conference on Thursday in Las Cruces

IBM warns over proliferating use of banking Trojans in enterprise attacks (Computing) Banking Trojans are increasingly being used to launch cyber attacks on organisations because of the proliferation of such malware on PCs around the world

Home Depot: 56M Cards Impacted, Malware Contained (KrebsOnSecurity) Home Depot said today that cyber criminals armed with custom-built malware stole an estimated 56 million debit and credit card numbers from its customers between April and September 2014. That disclosure officially makes the incident the largest retail card breach on record

In Home Depot Breach, Investigation Focuses on Self-Checkout Lanes (KrebsOnSecurity) The malicious software that unknown thieves used to steal credit and debit card numbers in the data breach at Home Depot this year was installed mainly on payment systems in the self-checkout lanes at retail stores, according to sources close to the investigation. The finding could mean thieves stole far fewer cards during the almost five-month breach than they might have otherwise

eBay takes flak for leaving rigged iPhone listing up for 12 hours (Naked Security) On Wednesday, a redirect attack was discovered on the auction site, working to grab customers' credentials on a spoofed eBay site

Medical Records For Sale in Underground Stolen From Texas Life Insurance Firm (KrebsOnSecurity) How much are your medical records worth in the cybercrime underground? This week, KrebsOnSecurity discovered medical records being sold in bulk for as little as $6.40 apiece. The digital documents, several of which were obtained by sources working with this publication, were apparently stolen from a Texas-based life insurance company that now says it is working with federal authorities on an investigation into a possible data breach

Beware Apple ID phishing and free iPhone 6 scams (Foursys Blog) In the next few days, those people who have been queueing outside Apple stores in their pyjamas or were lucky enough to survive the avalanche of online pre-orders, will have their paws on a shiny new Apple iPhone 6 or its big brother, the iPhone 6 Plus

Tech firm tries to pull back curtain on surveillance efforts in Washington (Washington Post) As a black sedan pulled into downtown Washington traffic earlier this week, a man in the back seat with a specially outfitted smartphone in each hand was watching for signs of surveillance in action. "Whoa, we've just been hit twice on this block," he said, excitement rising in his voice, not far from FBI headquarters

Cyber security and the electric grid — it IS a problem (Control) Politico had an article, "U.S. grid safe from large-scale attack, experts say". Digital Bond had a discussion on the article. Enclosed is my response as I don't believe the "experts" understand the issues including Aurora

Academia

UAE student hackers put to the test (National) The task seemed malicious: to see which of 11 teams of student hackers could breach the security systems of a model town

Student Competitors Learn To Foil Cyber Attacks (Huffington Post) Like every respectable geek, I remember my first personal computer

Litigation, Investigation, and Enforcement

NSA Director Implies ISIL Intel Estimates Could Have Been Better (Breaking Defense) How well did the American Intelligence Community do in its most fundamental job: providing strategic warning of war and major strategic events to the president when it came to Russia's invasion of Ukraine and ISIL's invasion of Iraq?

Intelligence chief says Snowden leaks created 'perfect storm' (The Hill) Edward Snowden's national security leaks have created a "perfect storm" degrading the intelligence community?s capabilities, Director of National Intelligence James Clapper said Thursday

No, Apple probably didn't get new secret gov't orders to hand over data (Ars Technica) Rare warrant canary vanished, likely due to new 2014 Justice Dept. guidelines

Europe Seeks A Common Appeals Process For The 'Right To Be Forgotten' (TechCrunch) Data protection regulators in Europe are working on creating a common set of guidelines for handling appeals by individuals whose requests to search engines to de-index personal information, under the region's recent right to be forgotten ruling, have been refused

Rape victim's lawsuit shows the limits of website immunity law (Ars Technica) Judge: CDA Section 230 isn't "all purpose get-out-of-jail-free card" for websites

Exclusive: NSA Won’t Say If Official's Spouse Does Business With The Agency (BuzzFeed) A powerful National Security Agency official involved in the controversial domestic surveillance program is married to an executive at a company that appears to be doing or seeking business with the agency. The executive also registered an intelligence business at the couple’s home. The NSA says it has a strict ethics policy

Industry Events

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

upcoming Events

Cloud Security Alliance Congress 2014 (, January 1, 1970) This year, the CSA and the International Association of Privacy Professionals (IAPP) are combining their Congress US and Privacy Academy events into a conference in the heart of Silicon Valley that will offer attendees eighty sessions to choose from covering all aspects of privacy and cloud security. Nowhere else will cloud, IT and privacy professionals be able to meet and learn from each other, and gain visibility to practical, implementable solutions delivered by leading industry experts. Together the conferences will broaden the educational and networking opportunities available to both IAPP and CSA members. Proposals for speakers are due February 21, 2014.

ICS-ISAC Fall Conference (Atlanta, Georgia, USA, September 17 - 20, 2014) Cybersecurity issues — such as the DHS release of Operation Aurora information; legislation like CISA (S. 2588), CIRDA (H.R. 2952) & H.R. 3696; and the NIST Cybersecurity Framework — can leave one wondering "What, where, how and with whom should I share?" and "Where can I find solutions?" At the ICS-ISAC Fall Conference you will develop knowledge you can take to further enhance your organization's cybersecurity posture through answers to these and many other questions

Dutch Open Hackathon (Amsterdam, the Netherlands, September 20 - 21, 2014) Join leading Dutch companies, during a 30-hour hackathon, as they open up APIs and technologies. Work together and develop new applications and drive global innovation

St. Louis SecureWorld (, January 1, 1970) Offering two days of cyber security education. Earn 12-16 CPE credits, network with industry peers, and take advantage of more than sixty educational events. Over the past decade SecureWorld has emerged as one of North America's most vital cyber-security conference, providing globally relevant education, training and networking for cyber-security professionals on a regional level. SecureWorld provides more content and facilitates more professional connections than any other event in the cyber-security industry. Established in 2002, SecureWorld offers many different continuing professional education sessions over two days in 14 cities throughout the United States.

Workshop on Cryptographic Hardware and Embedded Systems 2014 (CHES 2014) (Busan, Korea, September 23 - 26, 2014) The annual CHES workshop highlights new results in the design and analysis of cryptographic hardware and software implementations. CHES provides a valuable connection between the research and cryptographic engineering communities and attracts participants from industry, academia, and government organizations

Rock Stars of Cybersecurity (Austin, Texas, USA, September 24, 2014) The unprecedented Target breach and NSA spying scandal have put cybersecurity in the global spotlight. With cyberattacks on the rise, it is now even more important to learn how to identify weaknesses and protect company infrastructure from incursions. At the Rock Stars of Cybersecurity conference, well-respected cybersecurity authorities from leading companies will deliver case studies and actionable advice that you can immediately put to use.

VB2014 (, January 1, 1970) Over its 24-year history, the VB conference has become a major highlight of the IT security calendar, with many of its regular attendees citing it as the security event of the year. The conference provides a focus for the industry, representing an opportunity for experts in the field to share their research interests, discuss methods and technologies and set new standards, as well as meet with - and learn from - those who put their technologies into practice in the real world.

DerbyCon 4.0 (Louisville, Kentucky, USA, September 24 - 28, 2014) Welcome to DerbyCon 4.0 — "Family Rootz". This is the place where security professionals from all over the world come to hang out. DerbyCon 4.0 will be held September 24-28th, 2014. DerbyCon 2013 pulled in over 2,000 people with an amazing speaker lineup and a family-like feel. We've listened to your feedback and plan on making this conference even better this year

BruCON 2014 (Ghent, Belgium, September 25 - 26, 2014) BruCON is an annual security and hacker conference providing two days of an interesting atmosphere for open discussions of critical infosec issues, privacy, information technology and its cultural/technical implications on society. Organized in Belgium, BruCON offers a high quality line up of speakers, security challenges and interesting workshops. BruCON is a conference by and for the security and hacker community.

ROOTCON 8 (, January 1, 1970) ROOTCON is the first hacking convention in the Philippines. A hacker conference and not a seminar, training or a workshop. It will feature the following tracks: advanced HTTP header security analysis, browser extension malware extend cybercrime capabilities, new techniques: email-based threat and attacks, shellcode exploit analysis: tips and tricks, the Necurs rootkit, social engineering: hacking the mind, an hacking your way to ROOTCON.

INTEROP (New York, New York, USA, September 29 - October 3, 2014) Interop returns to New York with practical and visionary conference sessions designed to help you accelerate your career. This year's conference tracks include: Applications, Business of IT, Cloud Connect Summit, Collaboration, Infrastructure, Mobility, Risk Management & Security, and Software-Defined Networking (SDN)

Indianapolis SecureWorld (Indianapolis, Indiana, USA, October 1, 2014) A day of cyber security education. Earn 6-8 CPE credits, network with industry peers, and take advantage of more than thirty educational events. Larry Ponemon, Chairman and Founder of the Ponemon Institute, will deliver the opening keynote. Over the past decade SecureWorld has emerged as one of North America's most vital cyber-security conference, providing globally relevant education, training and networking for cyber-security professionals on a regional level. SecureWorld provides more content and facilitates more professional connections than any other event in the cyber-security industry. Established in 2002, SecureWorld offers many different continuing professional education sessions over two days in 14 cities throughout the United States.

Suits and Spooks New York (, January 1, 1970) Not another hacker conference. Suits and Spooks is a unique gathering of experts, executives, operators, and policymakers who discuss hard challenges in a private setting over two days. Suits and Spooks New York will return to Soho House on October 2-3, 2014. Stay tuned for our speaker list and agenda coming this summer.

Open Analytics Summit (Dulles, Virginia, USA, October 7, 2014) Open Analytics Summits are for Developers, Engineers, Data Scientists, CMOs, Data Analysts, CTOs, Architects, Brand Managers, and anyone passionate about open source technologies, big data, or data analytics

MIRcon 2014 (Washington, DC, USA, October 7 - 8, 2014) MIRcon 2014 is the premier information security industry event of the year. The conference is designed to educate innovators and executives battling cyber attackers daily

Cyber Security EXPO (, January 1, 1970) Securing information, mobility, cloud, and social interaction for the modern enterprise. Disruptive technologies such as cloud computing, mobile, bring your own device (BYOD) and social media are pushing sensitive data and function closer to the user and away from traditional controls. Cyber crime is at an all-time high, attackers are using highly sophisticated methods taking advantage of a hyper-connected world. The challenge of securing corporate data and networks to mitigate risk is greater than ever. CISOs need new tools, new thinking and policies to meet these challenges. Cyber Security Expo 2014 has been designed to do just that. Cyber Security Expo will have a dedicated conference as well as five highly focused theatres and a significant exhibition. Major themes examined include: Internet & Network Security, Social and Consumer Trends, Cyber Crime, Log Data & Advanced Analytics, Identity & Access Management, Privacy & Data Protection, Cloud Security & Governance and Mobile Device Management.

InfoSec 2014 (Kuala Terengganu, Malaysia, October 8 - 10, 2014) You are invited to participate in The International Conference on Information Security and Cyber Forensics (InfoSec 2014) that will be held at Universiti Sultan Zainal Abidin (UniSZA), Kuala Terengganu, Malaysia on October 8-10, 2014. The event will be held over three days, with presentations delivered by researchers from the international community, including presentations from keynote speakers and state-of-the-art lecture

Hacktivity 2014 (Budapest, Hungary, October 10 - 11, 2014) Official and alternative representatives of the information security profession meet with all those interested in this field in framework which is at the same time informal and informative, and sometimes very in-depth technological.

Ruxcon (Melbourne, Australia, October 26 - 27, 2013) Ruxcon is a computer security conference that aims to bring together the best and the brightest security talent within the Aus-Pacific region. The conference is a mixture of live presentations, activities and demonstrations presented by security experts from the Aus-Pacific region and invited guests from around the world. Ruxcon is widely regarded as a leading computer security conference within Australia attracting all facets of the security landscape from industry, academics, to enthusiasts.

Critical Infrastructure Cyber Community (C3) Voluntary Program Meeting (San Diego, California, USA, October 13, 2014) Join stakeholders from across the cyber community to discuss building a cyber risk management program, using DHS resources, and to learn how organizations of all sizes are using the Cybersecurity Framework

Hack-in-the-Box Malaysia (Kuala Lumpur, Malaysia, October 13 - 16, 2014) HITBSecConf or the Hack In The Box Security Conference is an annual must attend event in the calendars of security researchers and professionals around the world. Held annually in Kuala Lumpur, Malaysia and Amsterdam in The Netherlands, HITBSecConf is a platform for the discussion and dissemination of next generation computer security issues. Our events routinely feature two days of trainings and a two-day multi-track conference featuring cutting-edge hardcore technical talks delivered by some of the most respected names in the computer security industry. HITBSecConf is a place where ideas are exchanged, talent discovered and genius celebrated

FS-ISAC Fall Summit 2014 (Washington, DC, USA, October 13 - 16, 2014) The Financial Services Information Sharing and Analysis Center (FS-ISAC), is a non-profit association comprised of financial institution members, that is dedicated to protecting the global financial services sector from physical and cyber threats that impact the resilience, integrity and stability of member institutions through dissemination of trusted and timely information. Its Fall Summit will feature sessions of interest to both security professionals and the financial sector

CYBERSEC 2014 (, January 1, 1970) CYBERSEC is a 4-day event geared toward helping you achieve your cybersecurity goals. Whether your focus is on cybersecurity management, investigation, defense, or offense we are offering specialty cybersecurity information tracks just for you.

Black Hat Europe 2014 (, January 1, 1970) The premier conference on information security returns to the beautiful city of Amsterdam, Netherlands in October, 2014. Professionals from all over the world gather for two days of intense Trainings and two thought-provoking days of Briefings brought to you by some of the brightest minds in the industry.

Denver SecureWorld (Denver, Colorado, USA, October 16, 2014) A day of cyber security education. Earn 6-8 CPE credits, network with industry peers, and take advantage of more than thirty educational events. Over the past decade SecureWorld has emerged as one of North America's most vital cyber-security conference, providing globally relevant education, training and networking for cyber-security professionals on a regional level. SecureWorld provides more content and facilitates more professional connections than any other event in the cyber-security industry. Established in 2002, SecureWorld offers many different continuing professional education sessions over two days in 14 cities throughout the United States.

CSEC 2014 Cyber Security Summit (Kingdom of Bahrain, October 20 - 22, 2014) At the Inaugural Cyber Security Summit 2014, you will have the opportunity to seek ways to reset your IT security and risk strategy for success; stay relevant as IT security and risk are redefined; implement BCM best practices for threat resilience; mitigate the risks of new social collaboration tools; craft strategy for emerging BYOD and mobile threats; learn new regulatory compliance requirements; and more. This year's CSEC Summit attendees will: hear the latest presentations from the Information Security community on today's most pressing topics, attend workshops run by expert analysts and industry leaders, hear real-life experiences during peer case studies, engage in analyst-user roundtables and one-on-one meetings with industry experts, and check out the latest solutions in our Solution Showcase

2014 ICS Cyber Security Conference (, January 1, 1970) The 14th ICS Cyber Security Conference (sometimes known as "Weisscon") will be held October 20-23, 2014 at Georgia Tech in Atlanta, GA. Cyber Security is becoming a critical infrastructure issue with implications that go far beyond the plant fence. Plant engineers, corporate officers, insurance company executives and more will be handling cyber security issues in the coming years. This conference is essential attendance for people in the manufacturing or utility environment.

Hack.lu 2014 (Dommeldange, Luxembourg, October 21 - 24, 2014) Hack.lu is an open convention/conference where people can discuss about computer security, privacy, information technology and its cultural/technical implication on society

Cyber Security Summit 2014 (, January 1, 1970) Cyber security breaches have a profound impact on all areas of society. Join the discussion at Cyber Security Summit 2014. For two days, leaders from the public and private sectors meet to identify cyber threat issues and their countermeasures.

ISSA International Conference (Orlando, Florida, USA, October 22 - 23, 2014) Join us for solution oriented, proactive and innovative sessions focused on security as a vital part of the business.

ToorCon San Diego (San Diego, California, USA, October 22 - 26, 2014) For hackers like you, because what could possibly go wrong?

FOCUS 14: Empowering the Connected World (Las Vegas, Nevada, USA, October 26 - 27, 2014) FOCUS will offer you a unique opportunity to learn directly from other McAfee users. Hear real-world scenarios from McAfee customers and learn how they maintain the highest standards of security while reducing costs, streamlining processes, and driving efficiencies in the daily administration of their networks and systems. Network with security peers who share your challenges, concerns and issues, and learn more about their own success strategies

Dallas SecureWorld (Dallas, Texas, USA, October 29 - 30, 2014) Offering two days of cyber security education. Earn 12-16 CPE credits, network with industry peers, and take advantage of more than sixty educational events. Over the past decade SecureWorld has emerged as one of North America's most vital cyber-security conference, providing globally relevant education, training and networking for cyber-security professionals on a regional level. SecureWorld provides more content and facilitates more professional connections than any other event in the cyber-security industry. Established in 2002, SecureWorld offers many different continuing professional education sessions over two days in 14 cities throughout the United States.

CyberMaryland 2014 (Baltimore, Maryland, USA, October 29 - 30, 2014) Entrepreneurs, investors, academia and government will convene in Maryland — the nation's epicenter for cybersecurity for the fourth annual CyberMaryland Conference.

Cyber Job Fair (Baltimore, Maryland, USA, October 29, 2014) ClearedJobs.Net is partnering with CyberMaryland to present the Cyber Job Fair at the CyberMaryland 2014 conference. The Cyber Job Fair is a hiring event for cleared and non-cleared cybersecurity professionals held the first day of the conference

ekoparty Security Conference 10th edition (Buenos Aires, Argentina, October 29 - 31, 2014) ekoparty — Electronic Knock Out Party — Security Conference, is a one of a kind event in South America; an annual security conference held in Buenos Aires, where security specialists from all over Latin America (and beyond) have the chance to get involved with state-of-art techniques, vulnerabilities, and tools in a relaxed environment never seen before.

Cyber Risk Summit (Washington, DC, USA, May 22, 2014) This one-day leadership conference will provide a discussion forum for business executives, insurance companies and policymakers on more effective private and public responses to cyber risk management. Topics to be discussed by expert speakers will include state and federal regulatory and legislative initiatives, efforts to develop a common cyber security framework, the threats from cyber espionage and terrorism, and the development of public and private mechanisms to finance and transfer losses from cyber events.

Senior Executive Cyber Security Conference (Baltimore, Maryland, USA, October 30 - November 1, 2014) North Star Group, LLC and the Johns Hopkins University's Whiting School of Engineering and Information Security Institute sponsor this senior executive focused cyber security conference.This event is designed for non-technical and technical executives who seek to gain a deeper understanding of not just the technical aspects of data breach prevention, but also the important role that insurance, crisis management, legal and human resources play. Speakers include Dr. Ed Schlesinger, Dean of Johns Hopkins University's Whiting School of Engineering, Dr. Andy Ozment, Assistant Secretary of the Office of Cybersecurity and Communications, Department of Homeland Security, and Mr. Eric Joost, Chief Operating Officer, Willis North America

Sponsor & Support

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter’s financial reach, or it might just not be the right time for you to do those things. That’s why we launched our new Patreon site, where we’ve created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you’ll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.