The CyberWire Daily Briefing 09.19.14
news from the New York City Cyber Security Summit
Following the morning keynote (described in yesterday's issue of the CyberWire) a panel addressed the challenges of "Securing the Human." Panelists offered sensible counsel on the need for buy-in, the importance of fixing executive responsibility and deploying metrics to ensure accountability, and the futility of checkbox approaches to inspiring sound security practices.
CrowdStrike co-founder and CEO George Kurtz delivered the afternoon keynote, "Hand-to-Hand Combat with a Targeted Attacker." The combat he described involved detection, response and remediation, and ultimately attribution, not hacking back.
Kurtz took the Chinese attackers Hurricane Panda and Deep Panda as his case studies of advanced attackers engaged in highly targeted campaigns. Such advanced operators evade traditional defenses: they use little or no malware (in the strictest sense), little or no command and control, and they leave no file-based artifacts. The advanced attacker, Kurtz noted, "wants to be you." They seek to gain and escalate privileges, and then operate as if they were one of your own.
The lesson he drew from this is that most enterprises don't have a malware problem. They have instead an adversary problem. To return to his two Chinese case studies, Kurtz described Deep Panda as very active across many sectors, focused on IP theft. Hurricane Panda, tracked since 2013, has focused on telecoms and tech companies. It specializes in webshells, an important tool in the advanced attacker's kit. In the summer of 2013, Hurricane Panda installed webshells on its targets and successfully maintained persistence undetected for one year.
Such elusive campaigns, Kurtz argued, are better detected by looking for indicators of attack — adversary activity detection — as opposed to the more commonly sought-out indicators of compromise. In the case of the Hurricane Panda attack, the victim couldn't figure out how the attackers kept getting back in (there was, after all, no malware). Once in, the attackers would dump credentials, then pass the hash to move laterally, or crack passwords. They also adapted: once they had been discovered, they changed their tactics, techniques, and procedures.
He concluded by predicting that targeted attacks would continue to grow in sophistication and stealth. He advised focus on indicators of attack: observe the adversaries' attack tradecraft, and then move to remediation. And remember, he said, the limitations of common defenses: what happens in a virtual container isn't necessarily what happens in your endpoints.
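As an added, defender-side illustration of Kurtz's point (this is example code written for this briefing, not CrowdStrike's product or anything the keynote showed), the script below looks for the sequence of actions he described rather than for a malicious file: a web-server worker spawning a shell (webshell activity), credential access from that host, and then one account logging on over the network to several machines from that same host in a short window. The event schema, field names, process names, the trusted-reader allowlist and the sample events are all constructed assumptions; real telemetry would need a mapping step, and the thresholds are illustrative.

```python
"""Indicator-of-attack (IoA) correlation over constructed endpoint events.

Added example: it chains three behavioural indicators (web shell, credential
access, lateral movement) so that an intrusion with no malware and no
file-based artifact still produces one finding. Schema and sample data are
constructed for this example and are not any vendor's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry: one dict per event (assumed field names).
EVENTS = [
    {"ts": "2014-09-18T02:11:04", "host": "web01", "type": "process",
     "parent": "w3wp.exe", "image": "cmd.exe", "user": "IIS APPPOOL\\site"},
    {"ts": "2014-09-18T02:11:09", "host": "web01", "type": "process",
     "parent": "cmd.exe", "image": "whoami.exe", "user": "IIS APPPOOL\\site"},
    {"ts": "2014-09-18T02:14:30", "host": "web01", "type": "credential_read",
     "image": "cmd.exe", "user": "IIS APPPOOL\\site"},
    {"ts": "2014-09-18T02:20:01", "host": "fs02", "type": "logon",
     "logon_type": 3, "auth": "NTLM", "user": "CORP\\svc_backup", "src": "web01"},
    {"ts": "2014-09-18T02:20:44", "host": "db03", "type": "logon",
     "logon_type": 3, "auth": "NTLM", "user": "CORP\\svc_backup", "src": "web01"},
    {"ts": "2014-09-18T02:21:15", "host": "hr04", "type": "logon",
     "logon_type": 3, "auth": "NTLM", "user": "CORP\\svc_backup", "src": "web01"},
    # Benign noise: an interactive admin logon and an ordinary service process.
    {"ts": "2014-09-18T09:00:00", "host": "fs02", "type": "logon",
     "logon_type": 2, "auth": "Kerberos", "user": "CORP\\alice", "src": "fs02"},
    {"ts": "2014-09-18T09:05:00", "host": "web01", "type": "process",
     "parent": "services.exe", "image": "svchost.exe", "user": "SYSTEM"},
]

WEB_SERVERS = {"w3wp.exe", "httpd", "nginx", "php-fpm"}   # assumed worker names
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}
TRUSTED_CRED_READERS = {"lsass.exe"}                      # assumed allowlist
LATERAL_WINDOW = timedelta(minutes=10)                     # illustrative threshold
LATERAL_MIN_HOSTS = 3                                      # illustrative threshold


def _t(e):
    return datetime.fromisoformat(e["ts"])


def detect_webshell(events):
    """IoA 1: a web-server worker process spawning an interactive shell."""
    return [e for e in events
            if e["type"] == "process" and e.get("parent") in WEB_SERVERS
            and e["image"] in SHELLS]


def detect_credential_access(events):
    """IoA 2: credential store read by a process that is not a trusted reader."""
    return [e for e in events
            if e["type"] == "credential_read"
            and e.get("image") not in TRUSTED_CRED_READERS]


def detect_lateral_movement(events):
    """IoA 3: one account doing NTLM network logons (type 3) from a single
    source to LATERAL_MIN_HOSTS distinct hosts within LATERAL_WINDOW."""
    hits = []
    by_actor = defaultdict(list)
    for e in sorted(events, key=_t):
        if e["type"] == "logon" and e.get("logon_type") == 3 and e.get("auth") == "NTLM":
            by_actor[(e["user"], e["src"])].append(e)
    for (user, src), lst in by_actor.items():
        for i, first in enumerate(lst):
            window = [x for x in lst[i:] if _t(x) - _t(first) <= LATERAL_WINDOW]
            hosts = {x["host"] for x in window}
            if len(hosts) >= LATERAL_MIN_HOSTS:
                hits.append({"user": user, "src": src,
                             "hosts": sorted(hosts), "start": first["ts"]})
                break   # one finding per actor is enough
    return hits


def correlate(events):
    """Chain the three IoAs per host: shell from a web server, then credential
    access on that host, then lateral movement sourced from it, in time order.
    Returns one finding per host where the whole sequence is present."""
    findings = []
    creds = detect_credential_access(events)
    lateral = detect_lateral_movement(events)
    for s in detect_webshell(events):
        host = s["host"]
        later_creds = [c for c in creds if c["host"] == host and _t(c) >= _t(s)]
        moves = [m for m in lateral if m["src"] == host
                 and datetime.fromisoformat(m["start"]) >= _t(s)]
        if later_creds and moves:
            findings.append({"host": host, "shell_at": s["ts"],
                             "cred_at": later_creds[0]["ts"], "lateral": moves[0]})
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"{f['host']}: shell from web server at {f['shell_at']}, credential "
              f"access at {f['cred_at']}, then {f['lateral']['user']} logged on to "
              f"{', '.join(f['lateral']['hosts'])}")
```

Each detector on its own is noisy (administrators do occasionally run a shell on a web server, and backup accounts do touch many hosts); the value is in requiring the ordered chain from one source host, which is the adversary-activity view the keynote recommends over hunting for file hashes.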
A panel discussion on social computing opened with general agreement that network boundaries were fading. Some disagreement over the efficacy of policy in modifying user behavior in social media was resolved with the conclusion that data were manageable through policy, but people could only be moved (imperfectly) through guidance. The panel showed considerable interest in social media's potential for identity management and authentication, perhaps replacing those familiar security questions — your pet's name? your junior high school? — they have done so much to undermine. Your social network, your geolocation, could serve to help determine your identity.
Leo Taddeo (Special Agent in Charge, Cyber/Special Operations, FBI — New York) offered a law enforcement perspective. He deplored continuing unwillingness to disclose breaches: only 56% of companies notify the FBI of a breach when they're not required to do so by law. He also wanted to clarify, in brief, Federal roles and missions in cyberspace. The Department of Homeland Security mitigates, shares information, and develops intelligence. The Department of Defense performs foreign collection, conducts cyber operations, and generally works in the cyber battlespace. The Department of Justice is responsible for attribution.
The final panel addressed threats to the financial sector. No one has any idea how many threat groups are out there, let alone what those groups are up to. Nation-states tend to commit cyber exploitation. Hacktivists tend to commit cyber attacks.
Eastern Europe, panelists said, is a leading source of threats, but Brazil is rising, and so is Africa (where rapid growth and weak governance combine to offer a crime-friendly environment). Exploit kits and distributed denial-of-service (DDoS) remain common attack methods. DDoS is a particularly low-cost attack: we're seeing 100 Gbps attacks daily; 200-300 Gbps attacks aren't uncommon, and some believe we've seen Tbps-range attacks.
Unpatched systems remain a source of commonly exploited vulnerabilities, with poor network hygiene a problem at smaller, under-resourced enterprises.
Nation states represent some of the most capable attackers. Unlike the smash-and-grab cyber criminals who want to get in, get out, and monetize their take quickly, national cyber services opt for complex, persistent attacks that are difficult to detect and mitigate. China's attack on the New York Times was a watershed — the Chinese service was embarrassed by its outing, and moved to more sophisticated attacks.
Much of a CSO's budget, unfortunately, goes to compliance as opposed to defense, and mere compliance is poor defense against the more sophisticated, multi-vectored attacks we're seeing.
The recent JPMorgan hack should, the panel thought, offer an instructive use case, especially as boards in the financial sector grapple with cyber risk. Panelists urged the community to develop some communication paradigm that enables cyber attack disclosures unmediated by lawyers. FS-ISAC is a step in the right direction, panelists thought, but it generates so many alerts you've got to dedicate people to reading them: valuable, if you've got the resources to consume what FS-ISAC produces.
In response to questions about pricing in cyber risk, the panel said that companies tended to pay enough for insurance to mitigate catastrophe, and then self-insure the rest. Sustaining a breach tends to induce budgeting for security in the next cycle, however, not as a cost of doing business, but rather as a cost of saving the business.
Deborah A. Snyder, Acting CISO, New York State Office of Information Technology Services, Enterprise Information Security Office, closed the conference with a keynote that described interstate cyber security cooperation and the cyber support the state provides businesses and citizens.
ISIL continues to use hostages in online propaganda.
The Senate Armed Services Committee declassifies an inquiry into Chinese cyber espionage against US Transportation Command (TRANSCOM — a unified, functional combatant command in the Department of Defense) and the details aren't pretty. More than twenty advanced persistent attacks (and around thirty other intrusions) occurred between June 2012 and May 2013, with attacks largely accomplished against TRANSCOM's contractors. TRANSCOM was aware of two of them, and the Senate attributes this institutional myopia to poor information sharing on the part of pretty much everyone: TRANSCOM, contractors (and subcontractors), the FBI, other elements of the Defense Department, etc. The campaign targeted both intellectual property and military information.
IBM warns that it's seeing banking Trojans repurposed for use against other sectors.
Home Depot says it's contained the breach it sustained, and that some 56M cards were affected. The investigation is focused on self-checkout point-of-sale systems, which appear to be where the malicious code was installed.
A partial answer to the black-market value of medical records is provided, unfortunately, by a breach at a Texas insurance company. KrebsOnSecurity has found "medical records being sold in bulk for as little as $6.40 apiece" in criminal markets.
Apple releases iOS 8 and OS X 10.9.5. Microsoft struggles again with its patch process.
In industry news, layoffs at Microsoft and elsewhere are churning the IT labor market. Huawei dismisses Western security concerns as "noise around the perimeter."
TrueCrypt seems ready to reappear as "CipherShed."
New Zealand's GCSB clarifies Project Speargun.
Notes.
Today's issue includes events affecting China, European Union, Iraq, Ireland, Russia, Singapore, Syria, Ukraine, United Arab Emirates, and United States.
New York, New York: the latest from the 2014 Cyber Security Summit
New York City Cyber Security Summit (CyberSummitUSA) The Cyber Security Summit is an exclusive conference series connecting C-Level & Senior Executives responsible for protecting their companies' critical infrastructures with cutting-edge technology providers and renowned information security experts
Cyber Attacks, Threats, and Vulnerabilities
New Islamic State Video Features British Hostage as Group Spokesman (New York Times) The Islamic State released the latest in a series of propaganda videos on Thursday, a slickly produced introduction to what it promised would be a multipart series on the group and the folly of efforts by the United States to fight it
Chinese Penetrate TRANSCOM Amid Lack of Data Sharing (Threatpost) Hackers allegedly affiliated with the Chinese government compromised the computer networks of the United States Transportation Command, the group tasked with providing air, land and sea transportation services to the Department of Defense, according to the findings of a Senate Armed Services Committee investigation
Chinese hacked U.S. military contractors, Senate panel finds (Reuters) Hackers associated with the Chinese government have repeatedly infiltrated the computer systems of U.S. airlines, technology companies and other contractors involved in the movement of U.S. troops and military equipment, a U.S. Senate panel has found
US Military In The Dark On Cyberattacks Against Contractors (Dark Reading) A lack of communication between military contractors and government agencies about Chinese cyber espionage attacks is revealed in a new Senate report
Charges of China's military hacking into corporate America piling up (Ars Technica) US appears powerless to bring Chinese soldier hackers to justice
Cyber espionage carries high cost to U.S., expert says in Las Cruces talk (Las Cruces Sun-News) In 2003, Chinese cyber espionage of the U.S. Department of Defense computer system led to a theft of data equal to 20 percent of all the information stored in the Library of Congress, Joel Brenner told those attending the Domenici Public Policy Conference on Thursday in Las Cruces
IBM warns over proliferating use of banking Trojans in enterprise attacks (Computing) Banking Trojans are increasingly being used to launch cyber attacks on organisations because of the proliferation of such malware on PCs around the world
Home Depot: 56M Cards Impacted, Malware Contained (KrebsOnSecurity) Home Depot said today that cyber criminals armed with custom-built malware stole an estimated 56 million debit and credit card numbers from its customers between April and September 2014. That disclosure officially makes the incident the largest retail card breach on record
In Home Depot Breach, Investigation Focuses on Self-Checkout Lanes (KrebsOnSecurity) The malicious software that unknown thieves used to steal credit and debit card numbers in the data breach at Home Depot this year was installed mainly on payment systems in the self-checkout lanes at retail stores, according to sources close to the investigation. The finding could mean thieves stole far fewer cards during the almost five-month breach than they might have otherwise
eBay takes flak for leaving rigged iPhone listing up for 12 hours (Naked Security) On Wednesday, a redirect attack was discovered on the auction site, working to grab customers' credentials on a spoofed eBay site
Medical Records For Sale in Underground Stolen From Texas Life Insurance Firm (KrebsOnSecurity) How much are your medical records worth in the cybercrime underground? This week, KrebsOnSecurity discovered medical records being sold in bulk for as little as $6.40 apiece. The digital documents, several of which were obtained by sources working with this publication, were apparently stolen from a Texas-based life insurance company that now says it is working with federal authorities on an investigation into a possible data breach
Beware Apple ID phishing and free iPhone 6 scams (Foursys Blog) In the next few days, those people who have been queueing outside Apple stores in their pyjamas or were lucky enough to survive the avalanche of online pre-orders, will have their paws on a shiny new Apple iPhone 6 or its big brother, the iPhone 6 Plus
Tech firm tries to pull back curtain on surveillance efforts in Washington (Washington Post) As a black sedan pulled into downtown Washington traffic earlier this week, a man in the back seat with a specially outfitted smartphone in each hand was watching for signs of surveillance in action. "Whoa, we've just been hit twice on this block," he said, excitement rising in his voice, not far from FBI headquarters
Cyber security and the electric grid — it IS a problem (Control) Politico had an article, "U.S. grid safe from large-scale attack, experts say". Digital Bond had a discussion on the article. Enclosed is my response as I don't believe the "experts" understand the issues including Aurora
Security Patches, Mitigations, and Software Updates
Apple Releases Security Updates for iOS, Apple TV, and Xcode (US-CERT) Apple released security updates for iOS devices, Apple TV, and Xcode to address multiple vulnerabilities, some of which could allow attackers to execute code with system privileges or cause an unexpected application termination
Apple ships a sevenfold security surprise, including iOS 8 and OS X 10.9.5 (Naked Security) Apple doesn't have Patch Tuesdays, but it does have Update Surprisedays
Is Enterprise IT Security Ready For iOS 8? (Dark Reading) Apple bakes in more security features, but iOS 8 won't come without security ops headaches
Microsoft patch system seriously flawed — withdraws more updates (myce) A week after the release of a security update for Microsoft Lync Server, the software giant yesterday decided to withdraw a patch for the software. Lync Server (previously known as Microsoft Office Communications Server) is a real time communication platform for enterprises and used for e.g. instant messaging and video conferences. A security update for Lync Server which Microsoft released last week caused issues and has been withdrawn
Google to turn on encryption by default in next Android version (IDG via CSO) Google is turning on data encryption by default in the next version of Android, a step that mirrors broad moves in the technology industry to ensure better data security
Cyber Trends
Big data security analytics still immature, say security experts (ComputerWeekly) While big data security analytics promises to deliver great insights in the battle against cyber threats, the concept and the tools are still immature, according to a panel of security experts
Cyber crime wake-up call (MicroScope) Mounting levels of cyber crime and industrial espionage are sounding a long-awaited and much-needed wake-up call in the ears of corporate executives
Cybercrime in 2025: Where do you go when there's nowhere to hide? (GMA Network) Imagine a world where your house can talk to you, your car drives itself, and even your refrigerator knows what you eat
The state of document security in a post-Snowden world (TechRadar) Sharing sensitive data can be a tricky business
Netskope exposes cloud data fears (MicroScope) No matter how hard the cloud industry does its best to reassure customers over data security issues users continue to have doubts that those hosting their sensitive information are going to be able to protect it
White House: Internet not Borderless, but Lacking Interior (Threatpost) In an afternoon keynote address at the Billington Cybersecurity Summit yesterday, Michael Daniel, a special assistant to the president and White House Cybersecurity Coordinator, refuted the common sentiment that the Internet is difficult to defend because it is borderless. To the contrary, Daniel explained that the border is everywhere on the Internet, and what is really lacking is an interior
V3 Security Summit: Skills gap puts the future of UK cyber security at risk (V3) The latest manifesto from TechUK indicates a need to address both the digital skills gap and improve cyber security, otherwise the future of the UK's technology industry may be at risk
3 out of 4 Internet users in Singapore concerned about social network privacy (MIS Asia) More than half of respondents (almost 66 percent) in Singapore are not protected on their mobile devices and personal computers
Marketplace
Microsoft closing standalone Trustworthy Computing group, folding into other units (Geekwire) Microsoft will shutter its standalone Trustworthy Computing group, folding elements of the unit's work on security, privacy and related issues into its Cloud & Enterprise Division, and its Legal & Corporate Affairs group
Growing IT layoffs add to recruiter feeding frenzy (FierceCIO) As reported by FierceCIO last Thursday, news that Microsoft will lay off close to 18,000 workers caught even the most critical analysts off guard, with the media now scrambling to figure out what it all means for the tech giant. But one thing that was immediately agreed to is that the announcement means 'open season' for recruiters
Western security concerns are 'noise on the periphery' says Huawei exec, as firm looks to impress CIOs (Computing) Chinese telecommunications firm Huawei regards security questions surrounding its products as "noise on the periphery", saying that CIOs are more interested in hearing about how Huawei can benefit their organisations
Raytheon Ready for Acquisitions? (Barron's) The contractor will be in a net cash position for the first time since 2010
Desmond invests in cyber security firm (Irish Times) Vahna said it received "significant investment" from IIU in order to fund expansion
Larry Ellison Steps Down: Succession Done Well (LinkedIn) Founders always have a very hard time giving up their roles as CEO
David Keffer Named EVP, CFO at SRA (GovConWire) David Keffer, formerly corporate controller at SRA International, has been promoted to executive vice president and chief financial officer and will be in charge of the company's financial functions and operations
Why CSO pay is too low in San Francisco, New York (CSO) CSOs get paid more in San Francisco and New York, but they can live better in Chicago and Denver
Products, Services, and Solutions
TrueCrypt Getting a New Life (eSecurity Planet) TrueCrypt will stay alive, thanks to devotees who are forking the encryption program's code. 'Cleaned up' code will get a new name, CipherShed, and a different open source license
How two "holy grails" of cryptography can make the cloud safe everywhere (Quartz) The cloud can be a scary place, whether you're a celebrity with risqué photos or a bank with $10 billion in assets
In-depth: How CloudFlare promises SSL security — without the key (Ars Technica) CEO shares technical details about changing the way encrypted sessions operate
Brit corrals heavyweight capacity for cyber launch (Insurance Insider) Brit Insurance has put together a $250mn consortium, including capacity from Berkshire Hathaway, to write a new cover to protect critical infrastructure against cyber attacks, The Insurance Insider can reveal
McAfee, Symantec Join Cyber Threat Alliance (eWeek) Fortinet, McAfee, Palo Alto Networks and Symantec will dedicate resources to determine the most effective mechanisms for sharing advanced threat data
DigiCert Releases Tool to Simplify SHA-2 Migration for System Administrators (MarketWired) DigiCert, Inc., a leading global Certificate Authority and provider of trusted identity and authentication services, today released a free tool which helps system administrators analyze their use of SHA-1 hashing algorithms across all domains and subdomains
FireEye and Mandiant Unite to Deliver Industry's First Global Security as a Service Solution (Dark Reading) Introduces next generation Threat Intelligence Suite for deeper insights into cyber attacks
Alert Logic Launches UK Datacenter, Provides Enhanced Data Protection to European Customers (PRNewswire) Alert Logic, the leading provider of Security-as-a-Service for the cloud, has announced the completion of its European Datacenter, now generally available for partners and customers
LabTech Software, Thycotic Unveil Password Management Integration (MSPmentor) LabTech Software says new integration with Thycotic Secret Server streamlines connectivity to shared credentials
Sookasa's Dropbox Encryption Solution Named by Blog HIPAA as One of "5 Key Tools to Help Achieve HIPAA Compliance" (PRWeb) Blog HIPAA chooses Sookasa's Dropbox Encryption Solution as top tool to enable healthcare organizations achieve HIPAA compliance in the cloud
Simply Secure aims to make security technology usable (Help Net Security) Just two days after they joined a collaboration that will focus on making open source "easier for everyone," Google and Dropbox have announced that they will be working together on another initiative: Simply Secure
Technologies, Techniques, and Standards
5 Ways To Monitor DNS Traffic For Security Threats (Dark Reading) Check out these examples of how to implement real-time or offline traffic monitoring using common commercial or open source security products
Is a Remote-Wipe Policy a Crude Approach to BYOD Security? (CIO) While the capability to remotely wipe data from lost or stolen mobile phones may help CIOs sleep at night, it may be an outdated approach to BYOD security
How to change Safari's default search engine in iOS 8 for greater privacy (We Live Security) If you're one of the many millions of iPhone and iPad users who managed to successfully upgrade to iOS 8 overnight congratulations
Persistence tech offers layered approach to security (GCN) Faced with the complex trifecta of workforce mobility, increased connectivity and regulatory compliance, government IT leaders are managing a delicate juggling act in today's intricate security and regulatory environment
Free tool simplifies SHA-2 migration for system administrators (Help Net Security) DigiCert released a free tool which helps system administrators analyze their use of SHA-1 hashing algorithms across all domains and subdomains and map out a path for SHA-2 migration
Academia
UAE student hackers put to the test (National) The task seemed malicious: to see which of 11 teams of student hackers could breach the security systems of a model town
Student Competitors Learn To Foil Cyber Attacks (Huffington Post) Like every respectable geek, I remember my first personal computer
Legislation, Policy, and Regulation
GCSB clarifies 'Project Speargun' (Stuff) The Government Communications Security Bureau has tightened its defence over claims of mass surveillance by confirming the term "Project Speargun" was used to describe an abandoned element of a proposed cyber defence system
US Official: Chinese Want NSA Cyber Schools. Really. (Nextgov) Chinese universities are welcome to adopt the U.S. National Security Agency's cyber education program, the top U.S. computer security education official said, after a recent trip to Beijing
'Need To' Declassify More Cyber Attacks: NSA Deputy Ledgett (Breaking Defense) The deputy director of the National Security Agency said today that the Intelligence Community should declassify the existence of more cyber attacks to improve the agency's ability to mobilize the private sector and to get help when needed
Is NSA Planning to Beef Up Cyber Response Capabilities? (Nextgov) Adm. Michael Rogers, commander of U.S. Cyber Command and director of the National Security Agency, said the Obama administration's controversial spying programs have not cost the country friends or allies either in the technology industry or abroad. Indeed, the agency shows no signs of slowing down at all
GAO: DHS needs a better approach to assess vulnerabilities in critical infrastructure (FierceHomelandSecurity) Congressional investigators said the Homeland Security Department needs a better way to consistently assess vulnerabilities in critical infrastructure despite conducting thousands of reviews in recent years
Audit finds numerous IT-related security problems for DHS agencies at airport (FierceHomelandSecurity) An internal audit found that the Homeland Security Department's IT systems and assets at Dallas-Fort Worth International Airport had inadequate security measures, which could potentially be exploited or compromised
Identifying regulatory gaps in big data difficult, says FTC panel (FierceGovernmentIT) Once reserved for scientific studies, big data is now regularly used by corporations to analyze information about consumers — and privacy experts say these emerging practices raise tough policy questions
Federal Inaction Breeds ID Theft, Says Frank Abagnale (InformationWeek) Onetime "Catch Me If You Can" swindler turned anti-fraud consultant says identity theft is "4,000 times easier" than when he was living a life of crime
Litigation, Investigation, and Law Enforcement
NSA Director Implies ISIL Intel Estimates Could Have Been Better (Breaking Defense) How well did the American Intelligence Community do in its most fundamental job: providing strategic warning of war and major strategic events to the president when it came to Russia's invasion of Ukraine and ISIL's invasion of Iraq?
Intelligence chief says Snowden leaks created 'perfect storm' (The Hill) Edward Snowden's national security leaks have created a "perfect storm" degrading the intelligence community's capabilities, Director of National Intelligence James Clapper said Thursday
No, Apple probably didn't get new secret gov't orders to hand over data (Ars Technica) Rare warrant canary vanished, likely due to new 2014 Justice Dept. guidelines
Europe Seeks A Common Appeals Process For The 'Right To Be Forgotten' (TechCrunch) Data protection regulators in Europe are working on creating a common set of guidelines for handling appeals by individuals whose requests to search engines to de-index personal information, under the region's recent right to be forgotten ruling, have been refused
Rape victim's lawsuit shows the limits of website immunity law (Ars Technica) Judge: CDA Section 230 isn't "all purpose get-out-of-jail-free card" for websites
Exclusive: NSA Won’t Say If Official's Spouse Does Business With The Agency (BuzzFeed) A powerful National Security Agency official involved in the controversial domestic surveillance program is married to an executive at a company that appears to be doing or seeking business with the agency. The executive also registered an intelligence business at the couple’s home. The NSA says it has a strict ethics policy
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
Cloud Security Alliance Congress 2014 This year, the CSA and the International Association of Privacy Professionals (IAPP) are combining their Congress US and Privacy Academy events into a conference in the heart of Silicon Valley that will offer attendees eighty sessions to choose from covering all aspects of privacy and cloud security. Nowhere else will cloud, IT and privacy professionals be able to meet and learn from each other, and gain visibility to practical, implementable solutions delivered by leading industry experts. Together the conferences will broaden the educational and networking opportunities available to both IAPP and CSA members. Proposals for speakers are due February 21, 2014.
ICS-ISAC Fall Conference (Atlanta, Georgia, USA, Sep 17 - 20, 2014) Cybersecurity issues — such as the DHS release of Operation Aurora information; legislation like CISA (S. 2588), CIRDA (H.R. 2952) & H.R. 3696; and the NIST Cybersecurity Framework — can leave one wondering "What, where, how and with whom should I share?" and "Where can I find solutions?" At the ICS-ISAC Fall Conference you will develop knowledge you can take to further enhance your organization's cybersecurity posture through answers to these and many other questions
Dutch Open Hackathon (Amsterdam, the Netherlands, Sep 20 - 21, 2014) Join leading Dutch companies, during a 30-hour hackathon, as they open up APIs and technologies. Work together and develop new applications and drive global innovation
St. Louis SecureWorld Offering two days of cyber security education. Earn 12-16 CPE credits, network with industry peers, and take advantage of more than sixty educational events. Over the past decade SecureWorld has emerged as one of North America's most vital cyber-security conferences, providing globally relevant education, training and networking for cyber-security professionals on a regional level. SecureWorld provides more content and facilitates more professional connections than any other event in the cyber-security industry. Established in 2002, SecureWorld offers many different continuing professional education sessions over two days in 14 cities throughout the United States.
Workshop on Cryptographic Hardware and Embedded Systems 2014 (CHES 2014) (Busan, Korea, Sep 23 - 26, 2014) The annual CHES workshop highlights new results in the design and analysis of cryptographic hardware and software implementations. CHES provides a valuable connection between the research and cryptographic engineering communities and attracts participants from industry, academia, and government organizations
Rock Stars of Cybersecurity (Austin, Texas, USA, Sep 24, 2014) The unprecedented Target breach and NSA spying scandal have put cybersecurity in the global spotlight. With cyberattacks on the rise, it is now even more important to learn how to identify weaknesses and protect company infrastructure from incursions. At the Rock Stars of Cybersecurity conference, well-respected cybersecurity authorities from leading companies will deliver case studies and actionable advice that you can immediately put to use.
VB2014 Over its 24-year history, the VB conference has become a major highlight of the IT security calendar, with many of its regular attendees citing it as the security event of the year. The conference provides a focus for the industry, representing an opportunity for experts in the field to share their research interests, discuss methods and technologies and set new standards, as well as meet with - and learn from - those who put their technologies into practice in the real world.
DerbyCon 4.0 (Louisville, Kentucky, USA, Sep 24 - 28, 2014) Welcome to DerbyCon 4.0 — "Family Rootz". This is the place where security professionals from all over the world come to hang out. DerbyCon 4.0 will be held September 24-28th, 2014. DerbyCon 2013 pulled in over 2,000 people with an amazing speaker lineup and a family-like feel. We've listened to your feedback and plan on making this conference even better this year
BruCON 2014 (Ghent, Belgium, Sep 25 - 26, 2014) BruCON is an annual security and hacker conference providing two days of an interesting atmosphere for open discussions of critical infosec issues, privacy, information technology and its cultural/technical implications on society. Organized in Belgium, BruCON offers a high quality line up of speakers, security challenges and interesting workshops. BruCON is a conference by and for the security and hacker community.
ROOTCON 8 ROOTCON is the first hacking convention in the Philippines. A hacker conference and not a seminar, training or a workshop. It will feature the following tracks: advanced HTTP header security analysis, browser extension malware extend cybercrime capabilities, new techniques: email-based threat and attacks, shellcode exploit analysis: tips and tricks, the Necurs rootkit, social engineering: hacking the mind, and hacking your way to ROOTCON.
INTEROP (New York, New York, USA, Sep 29 - Oct 3, 2014) Interop returns to New York with practical and visionary conference sessions designed to help you accelerate your career. This year's conference tracks include: Applications, Business of IT, Cloud Connect Summit, Collaboration, Infrastructure, Mobility, Risk Management & Security, and Software-Defined Networking (SDN).
Indianapolis SecureWorld (Indianapolis, Indiana, USA, Oct 1, 2014) A day of cyber security education. Earn 6-8 CPE credits, network with industry peers, and take advantage of more than thirty educational events. Larry Ponemon, Chairman and Founder of the Ponemon Institute, will deliver the opening keynote. Over the past decade SecureWorld has emerged as one of North America's most vital cyber-security conferences, providing globally relevant education, training and networking for cyber-security professionals on a regional level. SecureWorld provides more content and facilitates more professional connections than any other event in the cyber-security industry. Established in 2002, SecureWorld offers many different continuing professional education sessions over two days in 14 cities throughout the United States.
Suits and Spooks New York (New York, New York, USA, Oct 2 - 3, 2014) Not another hacker conference. Suits and Spooks is a unique gathering of experts, executives, operators, and policymakers who discuss hard challenges in a private setting over two days. Suits and Spooks New York will return to Soho House on October 2-3, 2014. Stay tuned for our speaker list and agenda coming this summer.
Open Analytics Summit (Dulles, Virginia, USA, Oct 7, 2014) Open Analytics Summits are for Developers, Engineers, Data Scientists, CMOs, Data Analysts, CTOs, Architects, Brand Managers, and anyone passionate about open source technologies, big data, or data analytics.
MIRcon 2014 (Washington, DC, USA, Oct 7 - 8, 2014) MIRcon 2014 is the premier information security industry event of the year. The conference is designed to educate innovators and executives battling cyber attackers daily.
Cyber Security EXPO (venue and dates not listed) Securing information, mobility, cloud, and social interaction for the modern enterprise. Disruptive technologies such as cloud computing, mobile, bring your own device (BYOD) and social media are pushing sensitive data and function closer to the user and away from traditional controls. Cyber crime is at an all-time high, and attackers are using highly sophisticated methods that take advantage of a hyper-connected world. The challenge of securing corporate data and networks to mitigate risk is greater than ever. CISOs need new tools, new thinking and policies to meet these challenges. Cyber Security Expo 2014 has been designed to do just that. Cyber Security Expo will have a dedicated conference as well as five highly focused theatres and a significant exhibition. Major themes examined include: Internet & Network Security, Social and Consumer Trends, Cyber Crime, Log Data & Advanced Analytics, Identity & Access Management, Privacy & Data Protection, Cloud Security & Governance and Mobile Device Management.
InfoSec 2014 (Kuala Terengganu, Malaysia, Oct 8 - 10, 2014) You are invited to participate in The International Conference on Information Security and Cyber Forensics (InfoSec 2014), which will be held at Universiti Sultan Zainal Abidin (UniSZA), Kuala Terengganu, Malaysia on October 8-10, 2014. The event will be held over three days, with presentations delivered by researchers from the international community, including presentations from keynote speakers and state-of-the-art lectures.
Hacktivity 2014 (Budapest, Hungary, Oct 10 - 11, 2014) Official and alternative representatives of the information security profession meet with all those interested in the field in a setting that is at once informal and informative, and at times deeply technical.
Ruxcon (Melbourne, Australia, Oct 26 - 27, 2013) Ruxcon is a computer security conference that aims to bring together the best and the brightest security talent within the Aus-Pacific region. The conference is a mixture of live presentations, activities and demonstrations presented by security experts from the Aus-Pacific region and invited guests from around the world. Ruxcon is widely regarded as a leading computer security conference within Australia attracting all facets of the security landscape from industry, academics, to enthusiasts.
Critical Infrastructure Cyber Community (C3) Voluntary Program Meeting (San Diego, California, USA, Oct 13, 2014) Join stakeholders from across the cyber community to discuss building a cyber risk management program, using DHS resources, and to learn how organizations of all sizes are using the Cybersecurity Framework.
Hack-in-the-Box Malaysia (Kuala Lumpur, Malaysia, Oct 13 - 16, 2014) HITBSecConf, or the Hack In The Box Security Conference, is an annual must-attend event in the calendars of security researchers and professionals around the world. Held annually in Kuala Lumpur, Malaysia and Amsterdam in The Netherlands, HITBSecConf is a platform for the discussion and dissemination of next generation computer security issues. Our events routinely feature two days of trainings and a two-day multi-track conference featuring cutting-edge hardcore technical talks delivered by some of the most respected names in the computer security industry. HITBSecConf is a place where ideas are exchanged, talent discovered and genius celebrated.
FS-ISAC Fall Summit 2014 (Washington, DC, USA, Oct 13 - 16, 2014) The Financial Services Information Sharing and Analysis Center (FS-ISAC) is a non-profit association comprised of financial institution members that is dedicated to protecting the global financial services sector from physical and cyber threats that impact the resilience, integrity and stability of member institutions, through dissemination of trusted and timely information. Its Fall Summit will feature sessions of interest to both security professionals and the financial sector.
CYBERSEC 2014 (venue and dates not listed) CYBERSEC is a 4-day event geared toward helping you achieve your cybersecurity goals. Whether your focus is on cybersecurity management, investigation, defense, or offense we are offering specialty cybersecurity information tracks just for you.
Black Hat Europe 2014 (Amsterdam, Netherlands, Oct 2014) The premier conference on information security returns to the beautiful city of Amsterdam, Netherlands in October, 2014. Professionals from all over the world gather for two days of intense Trainings and two thought-provoking days of Briefings brought to you by some of the brightest minds in the industry.
Denver SecureWorld (Denver, Colorado, USA, Oct 16, 2014) A day of cyber security education. Earn 6-8 CPE credits, network with industry peers, and take advantage of more than thirty educational events. Over the past decade SecureWorld has emerged as one of North America's most vital cyber-security conferences, providing globally relevant education, training and networking for cyber-security professionals on a regional level. SecureWorld provides more content and facilitates more professional connections than any other event in the cyber-security industry. Established in 2002, SecureWorld offers many different continuing professional education sessions over two days in 14 cities throughout the United States.
CSEC 2014 Cyber Security Summit (Kingdom of Bahrain, Oct 20 - 22, 2014) At the Inaugural Cyber Security Summit 2014, you will have the opportunity to seek ways to reset your IT security and risk strategy for success; stay relevant as IT security and risk are redefined; implement BCM best practices for threat resilience; mitigate the risks of new social collaboration tools; craft strategy for emerging BYOD and mobile threats; learn new regulatory compliance requirements; and more. This year's CSEC Summit attendees will: hear the latest presentations from the Information Security community on today's most pressing topics, attend workshops run by expert analysts and industry leaders, hear real-life experiences during peer case studies, engage in analyst-user roundtables and one-on-one meetings with industry experts, and check out the latest solutions in our Solution Showcase.
2014 ICS Cyber Security Conference (Atlanta, Georgia, USA, Oct 20 - 23, 2014) The 14th ICS Cyber Security Conference (sometimes known as "Weisscon") will be held October 20-23, 2014 at Georgia Tech in Atlanta, GA. Cyber Security is becoming a critical infrastructure issue with implications that go far beyond the plant fence. Plant engineers, corporate officers, insurance company executives and more will be handling cyber security issues in the coming years. This conference is essential attendance for people in the manufacturing or utility environment.
Hack.lu 2014 (Dommeldange, Luxembourg, Oct 21 - 24, 2014) Hack.lu is an open convention/conference where people can discuss computer security, privacy, information technology and its cultural/technical implications on society.
Cyber Security Summit 2014 (venue and dates not listed) Cyber security breaches have a profound impact on all areas of society. Join the discussion at Cyber Security Summit 2014. For two days, leaders from the public and private sectors meet to identify cyber threat issues and their countermeasures.
ISSA International Conference (Orlando, Florida, USA, Oct 22 - 23, 2014) Join us for solution-oriented, proactive and innovative sessions focused on security as a vital part of the business.
ToorCon San Diego (San Diego, California, USA, Oct 22 - 26, 2014) For hackers like you, because what could possibly go wrong?
FOCUS 14: Empowering the Connected World (Las Vegas, Nevada, USA, Oct 26 - 27, 2014) FOCUS will offer you a unique opportunity to learn directly from other McAfee users. Hear real-world scenarios from McAfee customers and learn how they maintain the highest standards of security while reducing costs, streamlining processes, and driving efficiencies in the daily administration of their networks and systems. Network with security peers who share your challenges, concerns and issues, and learn more about their own success strategies.
Dallas SecureWorld (Dallas, Texas, USA, Oct 29 - 30, 2014) Offering two days of cyber security education. Earn 12-16 CPE credits, network with industry peers, and take advantage of more than sixty educational events. Over the past decade SecureWorld has emerged as one of North America's most vital cyber-security conferences, providing globally relevant education, training and networking for cyber-security professionals on a regional level. SecureWorld provides more content and facilitates more professional connections than any other event in the cyber-security industry. Established in 2002, SecureWorld offers many different continuing professional education sessions over two days in 14 cities throughout the United States.
CyberMaryland 2014 (Baltimore, Maryland, USA, Oct 29 - 30, 2014) Entrepreneurs, investors, academia and government will convene in Maryland, the nation's epicenter for cybersecurity, for the fourth annual CyberMaryland Conference.
Cyber Job Fair (Baltimore, Maryland, USA, Oct 29, 2014) ClearedJobs.Net is partnering with CyberMaryland to present the Cyber Job Fair at the CyberMaryland 2014 conference. The Cyber Job Fair is a hiring event for cleared and non-cleared cybersecurity professionals held on the first day of the conference.
ekoparty Security Conference 10th edition (Buenos Aires, Argentina, Oct 29 - 31, 2014) ekoparty — Electronic Knock Out Party — Security Conference is a one-of-a-kind event in South America: an annual security conference held in Buenos Aires, where security specialists from all over Latin America (and beyond) have the chance to get involved with state-of-the-art techniques, vulnerabilities, and tools in a relaxed environment never seen before.
Cyber Risk Summit (Washington, DC, USA, May 22, 2014) This one-day leadership conference will provide a discussion forum for business executives, insurance companies and policymakers on more effective private and public responses to cyber risk management. Topics to be discussed by expert speakers will include state and federal regulatory and legislative initiatives, efforts to develop a common cyber security framework, the threats from cyber espionage and terrorism, and the development of public and private mechanisms to finance and transfer losses from cyber events.
Senior Executive Cyber Security Conference (Baltimore, Maryland, USA, Oct 30 - Nov 1, 2014) North Star Group, LLC and the Johns Hopkins University's Whiting School of Engineering and Information Security Institute sponsor this senior executive focused cyber security conference. This event is designed for non-technical and technical executives who seek to gain a deeper understanding of not just the technical aspects of data breach prevention, but also the important role that insurance, crisis management, legal and human resources play. Speakers include Dr. Ed Schlesinger, Dean of Johns Hopkins University's Whiting School of Engineering, Dr. Andy Ozment, Assistant Secretary of the Office of Cybersecurity and Communications, Department of Homeland Security, and Mr. Eric Joost, Chief Operating Officer, Willis North America.