The CyberWire Daily Briefing 09.23.14
Allied strikes on ISIS (and other Islamist targets, particularly the Khorasan Group) have begun. Security analysts still look for signs of an incipient cyber threat from the targeted groups.
eBay continues to work to stanch its cross-site scripting issues, attracting much odium in the process. Observers ask whether the online auction giant tilted too far toward "seller happiness" at the expense of security.
Travel service Viator disclosed a payment card breach Friday that could affect up to 1.4M customers' data. No word on how the breach occurred.
The Home Depot breach post mortem proceeds. The chain's former security architect, journalists note, is now doing time for sabotaging his former employer. It's unclear that his alleged dodgy character had anything to do with Home Depot's point-of-sale problems, but it does pile bad news on the past week's I-told-them-so insider commentary. Forbes concludes it's only a matter of time before card issuers start squeezing retailers into better (and more expensive) security.
Google begins blocking malvertising from the compromised Zedo advertising platform — the ads had been redirecting visitors to sites pushing the "Zermot" downloader.
Regulators and policy mavens romp freely in overheated metaphors this week: we're headed for an "Armageddon-style" cyber attack (Gog and Magog left unidentified) and apparently only "re-education camps" can preserve social justice from big data (history teaches us this, sez they).
The Information Security Forum (ISF) maps the NIST Framework to ISF's best practices.
Lawyers ask if iOS8's apparent design to thwart warrants is really such a good idea.
Today's issue includes events affecting Australia, Denmark, European Union, Iran, Iraq, Israel, New Zealand, Pakistan, Russia, Singapore, Syria, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Analysts eye cyber attack threat from Islamic State terrorists (The Australian) As the US expands military involvement in fighting the militant group Islamic State, Western companies may need to prepare for potential cyber attacks
State-sponsored hackers spied on Denmark (Local: Denmark's News in English) The Center for Cyber Security says it has an idea of who carried out the previously-secret "state-sponsored" attacks in 2012 but doesn't name names
Number of malicious eBay listings rises, accounts are hijacked (Help Net Security) Pressure is mounting against eBay to quickly detect and remove bogus listings triggering cross-site scripting flaws to redirect users to phishing and other malicious pages
eBay under pressure as hacks continue (BBC) Leading security researchers have called on eBay to take immediate action over dangerous listings, as the problem continues to put users at risk
Payment card info of 880k Viator customers compromised (Help Net Security) Payment card and personal information of approximately 1.4 million Viator.com customers may have been compromised in a breach that was confirmed late last Friday
Home Depot's former security architect had history of techno-sabotage (Ars Technica) Now serving four year federal sentence, Ricky Joe Mitchell spread viruses as teen
Why The Home Depot Breach Is Worse Than You Think (Forbes) A few weeks ago, my wife and I discovered that our credit card number was stolen. How? She got flowers
Parallels Among the Three Most Notorious POS Malware Attacking U.S. Retailers (Infosec Island) POS stands for 'Point-of-Sale' as in the Point of Sale devices used by retailers at check out stands worldwide
Who's Behind the Bogus $49.95 Charges? (Krebs on Security) Hardly a week goes by when I don't hear from a reader wondering about the origins of a bogus credit card charge for $49.95 or some similar amount for a product they never ordered. As this post will explain, such charges appear to be the result of crooks trying to game various online affiliate programs by using stolen credit cards
Google stops malicious advertising campaign that could have reached millions (Ars Technica) Latest bit of "malvertising" targeted a popular ad platform distributed by Google
Kyle and Stan Malvertising Network Nine Times Bigger than First Reported (Threatpost) The Kyle and Stan malvertising network has a much bigger reach than first reported — about nine times bigger
No Silver Bullet for Use-After-Free Flaws (eSecurity Planet) There is no shortage of threats on the modern Internet and no shortage of vendors aiming to provide security solutions. One vendor, Bromium, employs a virtualization micro-visor to provide isolation and security. Bromium also actively researches security threats in a bid to make sure its own platform and the Internet at large are secure
Fake LogMeIn Certificate Update with Bad AV Detection Rate (Internet Storm Center) I just received a pretty "plausible looking" e-mail claiming to originate from Logmein.com. The e-mail passed the first "gut check"
Government Gateway attack attempts to spread malware, with a little help from a body builder (Hot for Security) If you live in the UK, chances are that you may find yourself using the Government Gateway website
Nuclear Exploit Kit Evolves, Includes Silverlight Exploit (TrendLabs Security Intelligence Blog) Exploit kits have long been part of a cybercriminal's arsenal. One of the most notorious exploit kits in recent years is the Blackhole Exploit Kit. Coverage over this particular exploit kit reached a fevered pitch with the arrest of its author in 2013
FinFisher Malware Dropper Analysis (Code and Sec) As you may have heard, a FinFisher malware sample recently leaked online. As I got a little free time today, I decided to take a look at it
Recently introduced TLDs create new opportunities for criminals (CSO) Earlier this year, the Internet Corporation for Assigned Names and Numbers (ICANN) released over 300 top-level domains (TLDs), and more are coming
Serious Vulnerabilities Found in Wireless Thermostats (SecurityWeek) Wi-Fi thermostats developed by UK-based company Heatmiser are plagued by several vulnerabilities that can be exploited remotely by a malicious actor, a researcher reported on Saturday
Hacking Canon Pixma Printers — Doomed Encryption (Context) This blog post is another in the series demonstrating current insecurities in devices categorised as the 'Internet of Things'. This instalment will reveal how the firmware on Canon Pixma printers (used in the home and by SMEs) can be modified from the Internet to run custom code. Canon Pixma wireless printers have a web interface that shows information about the printer, for example the ink levels, which allows for test pages to be printed and for the firmware to be checked for updates
Risky Links: Layers and Protocols of Internet of Everything Devices (TrendLabs Security Intelligence Blog) We see the 'cool' when we wear or operate our smart TVs and watches and all other smart devices we own. But are we aware of how the data is processed in these devices? And where does the data we get or the data that these devices transmit end up?
Tango down report of OP China ELF DDoS'er (Malware Must Die) We are releasing the take-down (Tango OP) project information of our current on-going operation against the ELF DDoS malware, the threat with origin from China
Security Patches, Mitigations, and Software Updates
Fitness App Patches Privacy Vulnerability (Threatpost) The details of a patched vulnerability in a popular mobile fitness application have been disclosed three months after a fix was released. The flaw could have allowed a user to fetch the personal profile of another registered app user
US regulator raises alarm for 'Armageddon-type' cyber attack (Guardian) Several prominent US firms including Target, Home Depot and JP Morgan have suffered data breaches in the past year
Five ways the internet of things is already broken — and how to fix it (Quartz) There are some 10 billion internet-connected devices in the world today. These include phones, computers, cars, and the assorted grab-bag of devices that fall under the rubric of the "internet of things" (IoT)
More enterprises are using selective wiping to protect corporate data, employee privacy (FierceMobileIT) More enterprises are using selective wiping of mobile devices as a way to protect corporate data while safeguarding employee privacy, according to a study by Fiberlink, IBM's mobile device management (MDM) unit
Users trust mobile service providers more than employers (Help Net Security) Privacy from employers is the top concern for employees being asked to use their own devices for work purposes, according to AdaptiveMobile
Mobile-Only Employee Trend Could Break Security Models (Dark Reading) One-third of employees exclusively use mobile devices for work, but security organizations still aren't shifting their risk management focus
Why big data evangelists should be sent to re-education camps (ZDNet) Big data is a dangerous, faith-based ideology. It's fuelled by hubris, it's ignorant of history, and it's trashing decades of progress in social justice
Big data: Still dogged by security fears but Europe's catching up (ZDNet) The right to be forgotten and EU regulations have hardly helped the big-data cause in western Europe but the technology is still managing to gain ground
'Data deserts' could have negative social and economic impacts, warns paper (FierceGovernmentIT) Data is increasingly seen as a valuable resource. But a new paper published by the Information Technology and Innovation Foundation warns that if high-quality data collection regularly excludes certain individuals or communities then their problems could be neglected
New Federal Regulations on Cyber Security Lead to Revenue Loss, Business Disruption and Loss of Productivity in Financial Services Sector, Radware Survey Finds (MarketWatch) Radware®, a leading provider of application delivery and application security solutions for virtual and cloud data centers, released a new survey which finds that even though 87 percent of those surveyed in the financial service industry agree that current regulatory changes are very important or critical to keeping their companies and industry secure, these new federal guidelines were having an adverse impact on their businesses
Security Now a 'Board-Level' Issue: Venture Capitalist (eWeek) Steve Herrod, a former VMware CTO and now a venture capitalist, discusses what he's investing in today and why security is his top priority
The Last Day of Microsoft Research in Silicon Valley (IEEE Spectrum) While exuberant tech fanboys crowd Silicon Valley's Apple stores today, eager to be among the first to get their hands on a new iPhone 6, a much more somber scene prevails at Microsoft Research's outpost in Mountain View
Ann Arbor-based Duo Security gets $12M in Series B funding led by Silicon Valley VC firm (MichiganLive) The five-year-old Ann Arbor-based tech company Duo Security has raised $12 million in Series B Funding led by the Silicon Valley-based venture capital firm Benchmark
EMC reportedly held merger talks with Hewlett-Packard (IT World) HP CEO Meg Whitman would have led a combined company, according to the Wall Street Journal
Sotera Wins Prime Position on $22 Billion DHS EAGLE II Contract (Broadway World) Sotera Defense Solutions (Sotera), a provider of mission-critical, technology-based systems, solutions and services for national security agencies and programs of the U.S. Government, was recently awarded a prime position on the Department of Homeland Security (DHS) Enterprise Acquisition Gateway for Leading Edge Solutions II (EAGLE II) program Functional Category 1 (FC1) Unrestricted (UNR) track
NCI to Support Army's Cyber Network Operations (GovConWire) The U.S. Army has awarded an NCI subsidiary (NASDAQ:NCIT) a potential $125,118,224.75 contract to provide information technology services to the agency's Network Enterprise Technology Command
Sqrrl Bolsters Cybersecurity Capabilities with New Advisors (Virtual Strategy) Sqrrl has added two cybersecurity luminaries to its advisory board: Dr. Sameer Bhalotra and Richard Bejtlich
Nathan Houser to Lead Deloitte National Security Sector (PRNewswire) Deloitte announced today that Nathan Houser, a principal in Deloitte Consulting LLP, has been selected to lead its national security sector
Northrop Grumman Appoints John Kropf Corporate Privacy Executive (Yahoo! Finance) Northrop Grumman Corporation (NOC) has announced the appointment of John Kropf as corporate privacy executive
Products, Services, and Solutions
McAfee announces 2015 editions of its antivirus and security suites (PC World via CSO) If you're still paying for your desktop security suite, you'll be happy to hear that McAfee on Monday released the newest editions of its security suites. The new lineup includes McAfee AntiVirus Plus 2015, McAfee Internet Security 2015, McAfee Total Protection 2015, and McAfee Live Safe 2015 for Mac and Windows
Mobile Security Software Newly Released by Trend Micro (Mobile Commerce Press) Trend Micro Inc. has released a new and improved version of its Trend Micro Security 2015 suite, which offers Antivirus Security, Mac Security, Internet Security, Maximum security and Premium Security, and the company has also released a mobile security app which prevents the installation of malicious apps
Alert Logic Adds Machine Learning Analytics to Security as a Service (Talkin' Cloud) Alert Logic is adding machine learning analytics capabilities to its security-as-a-service offerings through an OEM partnership with Prelert, which calls itself "the anomaly detection company"
Whonix Anonymous Operating System Version 9 Released! (Whonix) Whonix is an operating system focused on anonymity, privacy and security. It's based on the Tor anonymity network, Debian GNU/Linux and security by isolation. DNS leaks are impossible, and not even malware with root privileges can find out the user's real IP
Out in the Open: The Site That Teaches You to Code Well Enough to Get a Job (Wired) Wanna be a programmer? That shouldn't be too hard. You can sign-up for an iterative online tutorial at a site like Codecademy or Treehouse. You can check yourself into a "coding bootcamp" for a face-to-face crash course in the ways of programming. Or you could do the old fashioned thing: buy a book or take a class at your local community college
PGI Opens Advanced Cyber-training Academy in UK (Infosecurity Magazine) UK risk management firm Protection Group International (PGI) on Monday opened what it is already claiming to be the world’s “most sophisticated” facility for cybersecurity training
Technologies, Techniques, and Standards
ISF Maps NIST's Cybersecurity Framework (Infosecurity Magazine) Now that the US National Institute of Standards and Technology (NIST) has released the official version of its Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity, meant to promote public-private information sharing, the question becomes how to spur along implementation by organizations. To help ease the process, the Information Security Forum (ISF) has created a mapping between the framework and its annual Standard of Good Practice for IT security professionals
Behavioral analysis and information security (Help Net Security) In this interview, Kevin Watkins, Chief Architect at Appthority, talks about the benefits of using behavioral analysis in information security, how behavioral analysis can influence the evolution of security technologies and offers several behavioral analysis strategies
The Truth About Ransomware: You're On Your Own (Dark Reading) What should enterprises do when faced with ransomware? The answer is, it depends
Self-hacking key to Daimler's cyber defence strategy (Computerweekly) Vehicle manufacturer Daimler has a team of hackers to continually test the effectiveness of its cyber defences from the perspective of an outside attacker
Tracking Attackers: Honeypot, Part 3 (Dionaea) (Infosec Institute) Malicious entities are common on the Internet and most often fall into a category of malware such as worms, viruses and Trojan horses. Malware poses a major threat on the Internet. The malware is often the source of further malicious activity such as DDoS attacks, spam emails and the hosting of illegal content. Detection and mitigation of malware is essential, and because of that, approaches for detecting it have been proposed. A honeypot is a widely used method for detecting malware on networks
Cyber Essentials — a Good First Step to Raise SMEs' Cyber Security Bar from Zero Level, to One (EIN News) IT Governance is urging SMEs to be proactive and comply with the Cyber Essentials scheme in order to ensure at least a minimum level of security
How a Times Cybersecurity Reporter Protects Her Data. And What You Can Do to Protect Yours. (New York Times) Nicole Perlroth covers cybersecurity and privacy. Last week she wrote on Home Depot's confirmation that hackers had broken into its in-store payments systems in what could be the largest-known breach of a retail company's computer network. She shares her thoughts on security and personal data with Times Insiders
Is it *really* such a bad idea to use a password twice? (Naked Security) We regularly warn you against using the same password for multiple accounts
No, 'Apple Wave' does not let you charge your iPhones in the microwave (Naked Security) Back in 2012, one YouTube user demonstrated in a video that charging an iPhone 5 in a microwave oven had the tendency to set the crackling phone on fire after 40 seconds, after which it burst into a ball of flames
Dyslexic spies sharpen GCHQ's senses (Sunday Times) The intelligence agency is employing operatives with dyslexia and dyspraxia whose conditions give them skills that other employees do not have
How Two Men Unlocked Modern Encryption (Atlantic) The idea of public-key cryptography is surprisingly simple, once you've figured it out
The ethics of security (IT News) The people who are paid to poke holes in your company's defences lead interesting existences in an area that's both legally and ethically very much shades of grey
Design and Innovation
Microsoft tells cloud developers to check services for malware or risk blacklisting (V3) Microsoft has called for cloud developers to be more rigorous with their security practices when creating products in a bid to help them avoid being blacklisted
Research and Development
The Military Wants to Understand Why You Believe What You Believe (Defense One) At what point does an idea like the Islamic State go viral? What conditions on the ground must be present for the creation of an Islamic caliphate across the Middle East to spread?
Stanford Promises Not to Use Google Money for Privacy Research (Pro Publica) Stanford's Center for Internet and Society has long received funding from Google, but a filing shows the university recently pledged to only use the money for non-privacy research. Academics say such promises are problematic
CSC and Louisiana Tech chart out cyber engineering degree this week (KTBS 3) Louisiana Tech's cyber engineering degree program is the first of its kind in the country, and this week it gets some help from industry leaders, CSC
Legislation, Policy, and Regulation
New Chief of Spy Unit Is Appointed in Pakistan (New York Times) The Pakistani military chief, Gen. Raheel Sharif, on Monday appointed a close ally as head of the powerful Inter-Services Intelligence spy agency, consolidating his power at a time of sharp tension with the country's civilian leaders and fluctuating policy toward the Taliban
Australia seeks broad new security powers after anti-terror raids (Reuters) Australia's government is seeking broad new security powers to combat what it says is a rising threat from militant Islamists, the prime minister said on Monday, on the heels of sweeping counter-terrorism raids last week
PM cites Iran threat at launch of new cyber defense authority (Israel Hayom) New cyber defense authority will protect all of Israel from cyber attacks, "not just important installations and security assets," Prime Minister Benjamin Netanyahu says
Govt to work with private, education sectors to fight cyber threats (Channel NewsAsia) The cyber environment is too vast and complex for a single stakeholder to have complete oversight, Senior Minister of State for Home Affairs and Foreign Affairs Masagos Zulkifli said at the GovWare conference
Data localization movement won't improve privacy, says Internet governance panel (FierceGovernmentIT) Data localization and "technological sovereignty" movements have gathered strength in Europe and South America since the National Security Agency's surveillance programs became public knowledge. But it's a knee-jerk reaction to require that data reside within a country's borders and it doesn't necessarily ensure security or privacy, said Internet governance experts at a Sept. 19 New America Foundation event
Snowden fatigue is spreading abroad (Washington Post: Volokh Conspiracy) If you think Edward Snowden and Glenn Greenwald have stopped attacking NSA, you haven't been following them closely enough. While American media have largely lost interest in Snowden and Greenwald, the pair continue to campaign outside the United States against the intelligence agency
Department Of Homeland Security Officials Leaving Agency In Droves, Is The Nation At Risk? (Inquisitr) Department of Homeland Security (DHS) top-level officials have reportedly been leaving the federal agency in droves during the past four years. A federal database review which garnered nationwide headlines this week states that DHS officials are exiting the homeland security agency at almost twice the rate as in the rest of the federal government overall
Statement by Secretary Johnson About Today's Washington Post Story on DHS (DHS Press Office) Today's story in The Washington Post, "Turnover at the top has DHS unsettled," is about the past and disregards the present. The story's portrayal of the Department of Homeland Security is unrecognizable to anyone acquainted with the remarkable reconstruction of this agency over the last nine months
Active, reserve components spar over 'sexy' cyber mission (Marine Corps Times) After months of bureaucratic battles, the Pentagon is finalizing a plan to give reservists a limited role in the evolving cyber force
FTC official addresses cyber security (Rutland Herald) Julie Brill, a commissioner with the Federal Trade Commission and a resident of Randolph, was at Norwich University Monday to talk about what businesses can do to protect themselves from cyber attacks
The FCC Hasn't Decided How It Will Enforce Net Neutrality (TechCrunch) This morning the Federal Communications Commission (FCC) indicated in a blog post that it is "reviewing" a number of legal methods concerning how to enforce new net neutrality rules
Census Bureau making changes to prevent data falsification despite being cleared of allegations (FierceGovernmentIT) The director of the Census Bureau recently testified that the agency has implemented several recommendations to reduce data-collection vulnerabilities for its surveys despite being cleared of allegations of data falsification
Federal CIO steps down to bring tech expertise to Ebola response efforts (FierceGovernmentIT) Federal Chief Information Officer Steven VanRoekel will leave OMB, return to USAID for Ebola response
Bitcoin gains support of cryptography think tank (C/NET) Coin Center, a newly created research and advocacy center, will focus on public policy issues faced by the virtual currency
Litigation, Investigation, and Law Enforcement
Rand Paul's NSA lawsuit put on hold (Politico) Sen. Rand Paul's lawsuit over National Security Agency surveillance was put on hold Monday, pending an appeals court ruling on a parallel case brought before the senator's
Apple's dangerous game (Washington Post: Volokh Conspiracy) Apple has announced that it has designed its new operating system, iOS8, to thwart lawful search warrants
Apple's dangerous game, part 2: The strongest counterargument (Washington Post: Volokh Conspiracy) My Friday morning post on Apple's new iOS8 operating system pretty much kicked the hornet's nest, both here and on Twitter
Landmark SEC award could encourage more whistle blowing (FierceCFO) The commission's recent whistle-blower award should serve as cautionary tale for companies, lawyers warn
Android banking malware suspects arrested by Russian police (TechWorld) Two accused of account fraud
For a complete running list of events, please visit the Event Tracker.
St. Louis SecureWorld Offering two days of cyber security education. Earn 12-16 CPE credits, network with industry peers, and take advantage of more than sixty educational events. Over the past decade SecureWorld has emerged as one of North America's most vital cyber-security conferences, providing globally relevant education, training and networking for cyber-security professionals on a regional level. SecureWorld provides more content and facilitates more professional connections than any other event in the cyber-security industry. Established in 2002, SecureWorld offers many different continuing professional education sessions over two days in 14 cities throughout the United States.
Workshop on Cryptographic Hardware and Embedded Systems 2014 (CHES 2014) (Busan, Korea, Sep 23 - 26, 2014) The annual CHES workshop highlights new results in the design and analysis of cryptographic hardware and software implementations. CHES provides a valuable connection between the research and cryptographic engineering communities and attracts participants from industry, academia, and government organizations
Rock Stars of Cybersecurity (Austin, Texas, USA, Sep 24, 2014) The unprecedented Target breach and NSA spying scandal have put cybersecurity in the global spotlight. With cyberattacks on the rise, it is now even more important to learn how to identify weaknesses and protect company infrastructure from incursions. At the Rock Stars of Cybersecurity conference, well-respected cybersecurity authorities from leading companies will deliver case studies and actionable advice that you can immediately put to use.
VB2014 Over its 24-year history, the VB conference has become a major highlight of the IT security calendar, with many of its regular attendees citing it as the security event of the year. The conference provides a focus for the industry, representing an opportunity for experts in the field to share their research interests, discuss methods and technologies and set new standards, as well as meet with - and learn from - those who put their technologies into practice in the real world.
DerbyCon 4.0 (Louisville, Kentucky, USA, Sep 24 - 28, 2014) Welcome to DerbyCon 4.0 — "Family Rootz". This is the place where security professionals from all over the world come to hang out. DerbyCon 4.0 will be held September 24-28th, 2014. DerbyCon 2013 pulled in over 2,000 people with an amazing speaker lineup and a family-like feel. We've listened to your feedback and plan on making this conference even better this year
BruCON 2014 (Ghent, Belgium, Sep 25 - 26, 2014) BruCON is an annual security and hacker conference providing two days of an interesting atmosphere for open discussions of critical infosec issues, privacy, information technology and its cultural/technical implications on society. Organized in Belgium, BruCON offers a high quality line up of speakers, security challenges and interesting workshops. BruCON is a conference by and for the security and hacker community.
ROOTCON 8 ROOTCON is the first hacking convention in the Philippines. A hacker conference and not a seminar, training or a workshop. It will feature the following tracks: advanced HTTP header security analysis, browser extension malware extend cybercrime capabilities, new techniques: email-based threat and attacks, shellcode exploit analysis: tips and tricks, the Necurs rootkit, social engineering: hacking the mind, and hacking your way to ROOTCON.
INTEROP (New York, New York, USA, Sep 29 - Oct 3, 2014) Interop returns to New York with practical and visionary conference sessions designed to help you accelerate your career. This year's conference tracks include: Applications, Business of IT, Cloud Connect Summit, Collaboration, Infrastructure, Mobility, Risk Management & Security, and Software-Defined Networking (SDN)
Indianapolis SecureWorld (Indianapolis, Indiana, USA, Oct 1, 2014) A day of cyber security education. Earn 6-8 CPE credits, network with industry peers, and take advantage of more than thirty educational events. Larry Ponemon, Chairman and Founder of the Ponemon Institute, will deliver the opening keynote. Over the past decade SecureWorld has emerged as one of North America's most vital cyber-security conferences, providing globally relevant education, training and networking for cyber-security professionals on a regional level. SecureWorld provides more content and facilitates more professional connections than any other event in the cyber-security industry. Established in 2002, SecureWorld offers many different continuing professional education sessions over two days in 14 cities throughout the United States.
Suits and Spooks New York Not another hacker conference. Suits and Spooks is a unique gathering of experts, executives, operators, and policymakers who discuss hard challenges in a private setting over two days. Suits and Spooks New York will return to Soho House on October 2-3, 2014. Stay tuned for our speaker list and agenda coming this summer.
Open Analytics Summit (Dulles, Virginia, USA, Oct 7, 2014) Open Analytics Summits are for Developers, Engineers, Data Scientists, CMOs, Data Analysts, CTOs, Architects, Brand Managers, and anyone passionate about open source technologies, big data, or data analytics
MIRcon 2014 (Washington, DC, USA, Oct 7 - 8, 2014) MIRcon 2014 is the premier information security industry event of the year. The conference is designed to educate innovators and executives battling cyber attackers daily
Cyber Security, Meet Workforce Development (Silver Spring, Maryland, USA, Oct 8, 2014) Per Scholas convenes leaders in the Nation's Capital to develop a blueprint for building today's entry-level cyber security workforce
Cyber Security EXPO Securing information, mobility, cloud, and social interaction for the modern enterprise. Disruptive technologies such as cloud computing, mobile, bring your own device (BYOD) and social media are pushing sensitive data and function closer to the user and away from traditional controls. Cyber crime is at an all-time high, attackers are using highly sophisticated methods taking advantage of a hyper-connected world. The challenge of securing corporate data and networks to mitigate risk is greater than ever. CISOs need new tools, new thinking and policies to meet these challenges. Cyber Security Expo 2014 has been designed to do just that. Cyber Security Expo will have a dedicated conference as well as five highly focused theatres and a significant exhibition. Major themes examined include: Internet & Network Security, Social and Consumer Trends, Cyber Crime, Log Data & Advanced Analytics, Identity & Access Management, Privacy & Data Protection, Cloud Security & Governance and Mobile Device Management.
InfoSec 2014 (Kuala Terengganu, Malaysia, Oct 8 - 10, 2014) You are invited to participate in The International Conference on Information Security and Cyber Forensics (InfoSec 2014) that will be held at Universiti Sultan Zainal Abidin (UniSZA), Kuala Terengganu, Malaysia on October 8-10, 2014. The event will be held over three days, with presentations delivered by researchers from the international community, including presentations from keynote speakers and state-of-the-art lectures
Hacktivity 2014 (Budapest, Hungary, Oct 10 - 11, 2014) Official and alternative representatives of the information security profession meet with all those interested in this field in a framework which is at the same time informal and informative, and sometimes very in-depth technological.
Ruxcon (Melbourne, Australia, Oct 26 - 27, 2013) Ruxcon is a computer security conference that aims to bring together the best and the brightest security talent within the Aus-Pacific region. The conference is a mixture of live presentations, activities and demonstrations presented by security experts from the Aus-Pacific region and invited guests from around the world. Ruxcon is widely regarded as a leading computer security conference within Australia attracting all facets of the security landscape from industry, academics, to enthusiasts.
Critical Infrastructure Cyber Community (C3) Voluntary Program Meeting (San Diego, California, USA, Oct 13, 2014) Join stakeholders from across the cyber community to discuss building a cyber risk management program, using DHS resources, and to learn how organizations of all sizes are using the Cybersecurity Framework
Hack-in-the-Box Malaysia (Kuala Lumpur, Malaysia, Oct 13 - 16, 2014) HITBSecConf or the Hack In The Box Security Conference is an annual must attend event in the calendars of security researchers and professionals around the world. Held annually in Kuala Lumpur, Malaysia and Amsterdam in The Netherlands, HITBSecConf is a platform for the discussion and dissemination of next generation computer security issues. Our events routinely feature two days of trainings and a two-day multi-track conference featuring cutting-edge hardcore technical talks delivered by some of the most respected names in the computer security industry. HITBSecConf is a place where ideas are exchanged, talent discovered and genius celebrated
FS-ISAC Fall Summit 2014 (Washington, DC, USA, Oct 13 - 16, 2014) The Financial Services Information Sharing and Analysis Center (FS-ISAC) is a non-profit association comprised of financial institution members that is dedicated to protecting the global financial services sector from physical and cyber threats that impact the resilience, integrity and stability of member institutions through dissemination of trusted and timely information. Its Fall Summit will feature sessions of interest to both security professionals and the financial sector
CYBERSEC 2014: CYBERSEC is a 4-day event geared toward helping you achieve your cybersecurity goals. Whether your focus is on cybersecurity management, investigation, defense, or offense we are offering specialty cybersecurity information tracks just for you.
Black Hat Europe 2014: The premier conference on information security returns to the beautiful city of Amsterdam, Netherlands in October, 2014. Professionals from all over the world gather for two days of intense Trainings and two thought-provoking days of Briefings brought to you by some of the brightest minds in the industry.
Denver SecureWorld (Denver, Colorado, USA, Oct 16, 2014) A day of cyber security education. Earn 6-8 CPE credits, network with industry peers, and take advantage of more than thirty educational events. Over the past decade SecureWorld has emerged as one of North America's most vital cyber-security conferences, providing globally relevant education, training and networking for cyber-security professionals on a regional level. SecureWorld provides more content and facilitates more professional connections than any other event in the cyber-security industry. Established in 2002, SecureWorld offers many different continuing professional education sessions over two days in 14 cities throughout the United States.
TechCrunch Disrupt Europe Hackathon (London, England, UK, Oct 18 - 19, 2014) For the second year in a row, TechCrunch is jumping across the pond and bringing the iconic Disrupt and our Hackathon to Europe. We're heading your way, London
CSEC 2014 Cyber Security Summit (Kingdom of Bahrain, Oct 20 - 22, 2014) At the Inaugural Cyber Security Summit 2014, you will have the opportunity to seek ways to reset your IT security and risk strategy for success; stay relevant as IT security and risk are redefined; implement BCM best practices for threat resilience; mitigate the risks of new social collaboration tools; craft strategy for emerging BYOD and mobile threats; learn new regulatory compliance requirements; and more. This year's CSEC Summit attendees will: hear the latest presentations from the Information Security community on today's most pressing topics, attend workshops run by expert analysts and industry leaders, hear real-life experiences during peer case studies, engage in analyst-user roundtables and one-on-one meetings with industry experts, and check out the latest solutions in our Solution Showcase
2014 ICS Cyber Security Conference: The 14th ICS Cyber Security Conference (sometimes known as "Weisscon") will be held October 20-23, 2014 at Georgia Tech in Atlanta, GA. Cyber Security is becoming a critical infrastructure issue with implications that go far beyond the plant fence. Plant engineers, corporate officers, insurance company executives and more will be handling cyber security issues in the coming years. This conference is essential attendance for people in the manufacturing or utility environment.
Hack.lu 2014 (Dommeldange, Luxembourg, Oct 21 - 24, 2014) Hack.lu is an open convention/conference where people can discuss computer security, privacy, information technology and its cultural/technical implications for society
Cyber Security Summit 2014: Cyber security breaches have a profound impact on all areas of society. Join the discussion at Cyber Security Summit 2014. For two days, leaders from the public and private sectors meet to identify cyber threat issues and their countermeasures.
ISSA International Conference (Orlando, Florida, USA, Oct 22 - 23, 2014) Join us for solution oriented, proactive and innovative sessions focused on security as a vital part of the business.
ToorCon San Diego (San Diego, California, USA, Oct 22 - 26, 2014) For hackers like you, because what could possibly go wrong?
FOCUS 14: Empowering the Connected World (Las Vegas, Nevada, USA, Oct 26 - 27, 2014) FOCUS will offer you a unique opportunity to learn directly from other McAfee users. Hear real-world scenarios from McAfee customers and learn how they maintain the highest standards of security while reducing costs, streamlining processes, and driving efficiencies in the daily administration of their networks and systems. Network with security peers who share your challenges, concerns and issues, and learn more about their own success strategies
Dallas SecureWorld (Dallas, Texas, USA, Oct 29 - 30, 2014) Offering two days of cyber security education. Earn 12-16 CPE credits, network with industry peers, and take advantage of more than sixty educational events. Over the past decade SecureWorld has emerged as one of North America's most vital cyber-security conferences, providing globally relevant education, training and networking for cyber-security professionals on a regional level. SecureWorld provides more content and facilitates more professional connections than any other event in the cyber-security industry. Established in 2002, SecureWorld offers many different continuing professional education sessions over two days in 14 cities throughout the United States.
CyberMaryland 2014 (Baltimore, Maryland, USA, Oct 29 - 30, 2014) Entrepreneurs, investors, academia and government will convene in Maryland, the nation's epicenter for cybersecurity, for the fourth annual CyberMaryland Conference.
Cyber Job Fair (Baltimore, Maryland, USA, Oct 29, 2014) ClearedJobs.Net is partnering with CyberMaryland to present the Cyber Job Fair at the CyberMaryland 2014 conference. The Cyber Job Fair is a hiring event for cleared and non-cleared cybersecurity professionals held the first day of the conference
ekoparty Security Conference 10th edition (Buenos Aires, Argentina, Oct 29 - 31, 2014) ekoparty — Electronic Knock Out Party — Security Conference, is a one of a kind event in South America; an annual security conference held in Buenos Aires, where security specialists from all over Latin America (and beyond) have the chance to get involved with state-of-the-art techniques, vulnerabilities, and tools in a relaxed environment never seen before.
Cyber Risk Summit (Washington, DC, USA, May 22, 2014) This one-day leadership conference will provide a discussion forum for business executives, insurance companies and policymakers on more effective private and public responses to cyber risk management. Topics to be discussed by expert speakers will include state and federal regulatory and legislative initiatives, efforts to develop a common cyber security framework, the threats from cyber espionage and terrorism, and the development of public and private mechanisms to finance and transfer losses from cyber events.
Senior Executive Cyber Security Conference (Baltimore, Maryland, USA, Oct 30 - Nov 1, 2014) North Star Group, LLC and the Johns Hopkins University's Whiting School of Engineering and Information Security Institute sponsor this senior executive focused cyber security conference. This event is designed for non-technical and technical executives who seek to gain a deeper understanding of not just the technical aspects of data breach prevention, but also the important role that insurance, crisis management, legal and human resources play. Speakers include Dr. Ed Schlesinger, Dean of Johns Hopkins University's Whiting School of Engineering, Dr. Andy Ozment, Assistant Secretary of the Office of Cybersecurity and Communications, Department of Homeland Security, and Mr. Eric Joost, Chief Operating Officer, Willis North America