The CyberWire Daily Briefing 09.25.14
Today's big story is the newly discovered Bash vulnerability, variously called "Bourne Again" or "Shellshock." It affects Unix and related operating systems (including of course Linux and OS X). The vulnerability allows attackers on a network to set environment variables (via web requests, secure shell, telnet sessions, etc.) that enable them to run scripts on vulnerable systems. Since Bash can be called in different ways by different applications, exploitation may be difficult to detect and mitigate. Some patches, detection tools, firewall upgrades, and workarounds have been hastily issued (and are urgently commended to the attention of admins), but Shellshock is a widespread vulnerability susceptible to diverse forms of exploitation, and it will be some time before the community sorts it out. "Bigger than Heartbleed?" Maybe, maybe not, but in any case something to take seriously. Credit researcher Stéphane Chazelas with the discovery.
A botnet DDoS toolkit, "Spike," is infesting the Internet-of-things (and that other Internet of users). It's been most active, so far, in Asia. Mitigations are available.
Japan Airlines (JAL) and Jimmy John's (a US sandwich chain) have suffered data breaches. A JAL database was compromised; Jimmy John's sustained a point-of-sale attack.
Mozilla patches a crypto flaw (called "phishing friendly") in its NSS library. Apple pulls its just-released iOS 8.01 after widespread reports that the update caused dropped phone service and disabled TouchID. Cupertino is working on iOS 8.02, but in the interim recommends reverting to iOS 8.
US regulatory agencies continue to push cyber resiliency and corporate board responsibility.
Today's issue includes events affecting Brazil, Canada, China, Finland, France, Germany, India, Japan, New Zealand, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Bourne Again Shell (Bash) Remote Code Execution Vulnerability (US-CERT) US-CERT is aware of a Bash vulnerability affecting Unix-based operating systems such as Linux and Mac OS X. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on an affected system
Update on CVE-2014-6271: Vulnerability in bash (shellshock) (Internet Storm Center) Yesterday, a vulnerability in bash was announced, that was originally found by Stephane Chazelas. The vulnerability allows for arbitrary code execution in bash by setting specific environment variables. Later, Tavis Ormandy released a second exploit that will work on patched systems, demonstrating that the patch released yesterday is incomplete
Attention *NIX admins, time to patch! (Internet Storm Center) This vulnerability is actually really bad and you want to patch any Internet-facing systems ASAP. It allows remote, unauthenticated attackers to run code on vulnerable systems. It scores a 10 on the NVD severity scale
Bash specially-crafted environment variables code injection attack (Red Hat Security Blog) Bash or the Bourne again shell, is a UNIX like shell, which is perhaps one of the most installed utilities on any Linux system. From its creation in 1980, bash has evolved from a simple terminal based command interpreter to many other fancy uses
Bug in Bash shell creates big security hole on anything with *nix in it (Ars Technica) Could allow attackers to execute code on Linux, Unix, and Mac OS X
Remote exploit vulnerability in bash CVE-2014-6271 (CSO) A remotely exploitable vulnerability has been discovered by Stephane Chazelas in bash on Linux and it is unpleasant. The vulnerability has the CVE identifier CVE-2014-6271 and has been given the name Shellshock by some. This affects Debian as well as other Linux distributions. You will need to patch ASAP
The Shellshock Bash bug — What is it, and are your computers vulnerable? (Graham Cluley) A critical vulnerability has been discovered in the widely used Bash command processor, present in most Linux and UNIX distributions and Mac OS X
Internet Braces for Crazy Shellshock Worm (Wired) A nasty bug in many of the world's Linux and Unix operating systems could allow malicious hackers to create a computer worm that wreaks havoc on machines across the globe, security experts say
Worse than Heartbleed? (Cloud Security Alliance) Today at 10am EST a vulnerability in the command shell Bash was announced. Bash is a local shell, it doesn't handle data supplied from remote users, so no big deal right? Wrong
New toolkit seeks routers, Internet of Things for DDoS botnet (CSO) Dubbed Spike, the toolkit has been used in a distributed denial of service attack that reached a peak of 215 gigabits per second
Mitigations for Spike DDoS toolkit-powered attacks (Help Net Security) Akamai Technologies released, through the company's Prolexic Security Engineering & Response Team (PLXsert), a new cybersecurity threat advisory that alerts enterprises to a high-risk threat of powerful distributed denial of service (DDoS) attacks from the Spike DDoS toolkit. With this toolkit, malicious actors are building bigger DDoS botnets by targeting a wider range of Internet-capable devices
Vulnerability Note VU#772676: Mozilla Network Security Services (NSS) fails to properly verify RSA signatures (Vulnerability Notes Database) The Mozilla Network Security Services (NSS) library fails to properly verify RSA signatures due to incorrect ASN.1 parsing of DigestInfo. This vulnerability may allow an attacker to forge a RSA signature, such as a SSL certificate
BadUSB: The unusual suspect (SC Magazine) When security research like the most recent findings regarding BadUSB announced by SR Labs appears, security experts and vendors usually take two sides
Cyber attack: JAL customers' data compromised (eTurboNews) Japan Airlines (JAL) reports that personal information of up to 750,000 of its miles program customers had been compromised due to a cyber attack. Airline did not confirm if banking details had also been affected
Brightcove: Cyber attack disrupted service for two days (Boston Business Journal) Brightcove, a Boston-based provider of cloud services for video, said its services were disrupted for two days last week by a cyber attack on a third-party data center that the company uses
Jimmy John's Gourmet Sandwiches POS Systems Hacked (Dark Reading) Sandwich chain is the latest data breach victim, with credit and debit card data breached in 216 of its restaurants
Your medical record is worth more to hackers than your credit card (Toledo Blade) Your medical information is worth 10 times more than your credit card number on the black market
Disgruntled employees are increasingly e-sabotaging businesses, FBI says (Naked Security) Employees with an axe to grind are increasingly sticking it to their current or former employers using e-tools such as cloud storage sites or remote access to a company's computer network, the US Federal Bureau of Investigation and Homeland Security Department said on Tuesday
Apple's new iOS will predict what you type — including, it seems, your passwords (Quartz) Apple customers may be feeling especially protective of their personal information, given the recent questions surrounding the iCloud's security. What then to make of QuickType, Apple's new predictive text keyboard for iOS8? The keyboard is wonderfully creepy
Security Patches, Mitigations, and Software Updates
Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271) (Red Hat) Red Hat has been made aware of a vulnerability affecting all versions of the bash package as shipped with Red Hat products. This vulnerability CVE-2014-6271 could allow for arbitrary code execution. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue
Mozilla fixes "phishing friendly" cryptographic bug in Firefox and Thunderbird (Naked Security) Here's a quick note about an important issue! Mozilla just patched a bug in its cryptographic library, NSS
Apple asks iPhone 6 users in trouble to revert to iOS 8 (IT World) A fix for an update Wednesday, which caused phones to lose cellular service and Touch ID functionality, is coming in a few days
Apple IOS Update Said to Cause Dropped IPhone Service (Bloomberg) Apple Inc. (AAPL) released an update to its operating system for the iPhone to fix software issues. The company may have created bigger problems in the process
FDIC's Gruenberg: Cyber-Threat Defenses Require a 'Shift in Thinking' (PYMNTS) New technologies often bring with them new vulnerabilities, and in this period of rapid innovation, banks need to manage the associated operational risks is the most urgent, a top U.S. banking official advised this week
Board practices regarding IT oversight and cybersecurity (Help Net Security) Greater director involvement in social media oversight, concern about the Department of Homeland Security/NIST cybersecurity frameworks and increased use of IT consultants are among the trends shaping governance and the board of the future, according to PwC
Cedars-Sinai CIO: Patient expectations will drive data protection efforts (FierceHealthIT) Healthcare organizations facing new and greater threats to patients' electronic health information need to take more steps to keep that data secure, according to Darren Dworkin, senior vice president of enterprise information systems and CIO of Cedars-Sinai Health System in Los Angeles
Emerging international data privacy challenges (Help Net Security) According to a new survey from the Cloud Security Alliance there is a growing and strong interest in harmonizing privacy laws towards a universal set of principles
Databarracks survey shows slow uptake of DRaaS — but that will change (CloudTech) The latest survey from cloud provider Databarracks has found that small businesses are lagging behind when it comes to disaster recovery planning and cloud exit strategies
Secure Computing as Threats Evolve (Infographic) (ZDNet) Hackers are moving away from broad-based email attacks and favoring campaigns that target individual workers. A smart security solution stays ahead of the bad guys by blocking attacks as soon as they're discovered
Executive Cyber Intelligence Report: September 15, 2014 (Tripwire: the State of Security) This report was prepared by The Institute for National Security Studies (INSS) and The Cyber Security Forum Initiative (CSFI) to create better cyber situational awareness (Cyber SA) of the nature and scope of threats and hazards to national security worldwide in the domains of cyberspace and open source intelligence. It is provided to Federal, State, Local, Tribal, Territorial and private sector officials to aid in the identification and development of appropriate actions, priorities, and follow-up measures
Increase in Insider Threat Cases Highlight Significant Risks to Business Networks and Proprietary Information (IC3) There has been an increase in computer network exploitation and disruption by disgruntled and/or former employees. The FBI and DHS assess that disgruntled and former employees pose a significant cyber threat to US businesses due to their authorized access to sensitive information and the networks businesses rely on
What Business Can Learn From Intelligence (Wall Street Journal) I just read the interesting story about Edward Snowden in Wired, and I can't quite figure out what I think of the man. He seems neither the patriot that James Bamford (not surprising, given his background) portrays him to be, nor the traitor that some argue
Edward Snowden Emerges as a Cult Hero in Germany (Wall Street Journal) In Germany, the new Che Guevara wears glasses instead of a beret, wields a computer rather than a shotgun, and is popping up on the streets of the German capital in graffiti, posters, and T-shirts
GRID: Danger of a cyber-caused power blackout prompts new insurance strategies (E&E News) Seeing opportunity in an evolving cyberwar battleground, the insurance industry is rolling out new, big-ticket polices to protect grid utilities against damage claims by their customers from catastrophic cyber-caused blackouts
Why Startups Are The New Super Heroes Of Cyber Security (Forbes) It's hard to imagine a time when cyber security wasn't an almost daily fixture in headlines
The story of Bugcrowd, from Startmate to San Francisco (StartupSmart) There are many more bad people hacking computer systems than good ones helping them not get hacked. Each week it seems that some huge institution reveals that their customer's financial information has been breached or passwords compromised. There was Target earlier this year and Home Depot in the US more recently and hundreds more that never see the light of media attention
CyberArk Announces Pricing of Initial Public Offering (MarketWatch) CyberArk Software Ltd., a global leader and pioneer of a new layer of IT security solutions that protects organizations from cyber attacks that have made their way inside the network perimeter, announced the pricing of its initial public offering of 5,360,000 million ordinary shares at a price to the public of $16.00 per share
More Alarming Data on the Cybersecurity Skills Shortage (Networkworld) Network security skills and staffing continues to lag at enterprise organizations. Time to sound the alarm?
Kevin Mitnick, Once the World's Most Wanted Hacker, Is Now Selling Zero-Day Exploits (Wired) As a young man, Kevin Mitnick became the world's most notorious black hat hacker, breaking into the networks of companies like IBM, Nokia, Motorola, and other targets. After a stint in prison, he reinvented himself as a white hat hacker, selling his skills as a penetration tester and security consultant
MITRE Gets $29m For First Cybersecurity Center of Excellence (Invincea Security Ledger) MITRE Corporation has been awarded $29 million from the U.S. Commerce Department for the nation's first federally funded National Cybersecurity Center of Excellence (NCCoE), according to a statement by the Commerce Department's National Institute of Standards and Technology (or NIST)
Viscount Systems to Secure U.S. Citizenship and Immigration Services Facilities in Florida and New Jersey (Sys-Con Media) Viscount Systems (OTCQB:VSYS), a leading provider of IT-based security access control software and services, today announced that it has been awarded additional contracts to secure U.S. Federal Government facilities in Florida and New Jersey for the Department of Homeland Security United States Citizenship and Immigration Services (USCIS)
CACI Wins Department of Homeland Security's $212M Contract (Zacks) CACI International Inc. (CACI — Analyst Report) recently procured a $212 million Blanket Purchase Agreement from the U.S. Department of Homeland Security (DHS) to provide Desktop Support Services to its Headquarters, the National Protection and Programs Directorate and the Science and Technology Directorate
AVG Technologies Announces Its Commitment to Digital Citizenship in Partnership with Clinton Global Initiative (The Wall Street Transcript) AVG Technologies N.V. (NYSE: AVG), the online security company for 182 million active users, today announced its Digital Citizenship Program as its Clinton Global Initiative Commitment to Action. AVG's "Smart User" mission is to increase the ratio of smart users to smart phones by teaching the next two billion digital citizens skills how to engage in the digital world safely and securely in a way that protects them and others
EdgeWave Adds Former Navy Intelligence Officer to Lead Cyber Operations (MarketWired) Tom Chapman brings over 20 years of cyber warfare experience to EdgeWave Military-Grade Cyber Security™
Akamai Appoints Doug Tilford as Senior Vice President and General Manager, EMEA (MarketWatch) Veteran and transformative sales leader at Akamai, Tilford to focus on Company's next wave of growth across Europe, the Middle East, and Africa
Products, Services, and Solutions
iboss Network Security to Deliver Unified Location-Based Security Using Ruckus Smart Wi-Fi (MarketWatch) iboss Network Security today announced a unified location-based security solution, iboss Web and Mobile Device Security, featuring expanded technology integration with Smart Wi-Fi from Ruckus Wireless
Hillstone Networks and AlgoSec Deliver Integrated Solution to Drive Security and Agility in Complex Enterprise Networks (Sys-Con Media) Hillstone Networks, a leading provider of enterprise network firewall solutions today announced a strategic alliance with AlgoSec, the market leader for Security Policy Management
Voltage Security Introduces Data-centric Protection for Sensitive Data in Hadoop (bobsguide) Industry standards-based, format-preserving encryption and tokenization ensures maximum data protection, enables regulatory compliance and successful Hadoop adoption
ThreatTrack Security Enables EnCase Users to Easily Analyze Sophisticated Malware Used in Cybercrimes (Providence Journal) ThreatTrack Security — a leader in cyber threat prevention solutions that substantially change how organizations respond to cyberattacks — today announced the availability of the ThreatAnalyzer Automation Toolkit on Guidance Software, Inc.'s EnCase® App Central
Technologies, Techniques, and Standards
Incident Response Fail (Dark Reading) Fortune 500 companies with incident response teams and plans in place are pessimistic about their effectiveness amid a climate of data breach domination
Cyber attack testing material made available to banks to use in their own simulations (Out-Law) UK financial institutions have been given access to cyber security test exercise materials by Bank of England (the Bank) to help them practice how they would respond to a major cyber attack on the banking system
A Police Dog for the Digital Age: She Can Smell the USB Drive You're Hiding (Bloomberg) Even in the digital age, you can teach old dogs new tricks
China Hacks Expose Communications Flaw (GovInfoSecurity) Military, contractors construe breach reporting rules differently
We just might put a dent in data breaches (Computerworld) New developments in payment technology could show the way to keep credit card data away from the prying eyes of cyberthieves
10 mistakes companies make handling outages (and how to avoid them) (VentureBeat) No one likes to talk about outages. They're horrible to experience as an employee and they take a heavy toll in customer confidence and future revenue. But they do happen
7 safety tips from hackers (CNN Money) It's easy to get hacked. And yes, it can happen to you. Follow this advice from actual hackers, and you'll be a lot safer online
York County becomes member of cyber security readiness effort (York Daily Record) York County joined the Multi-State Information Sharing and Analysis Center, which is described in an information sheet as "a voluntary and collaborative effort" with a focus on increasing Internet security readiness for private and public entities
We can fix security, but it's not going to be easy (Help Net Security) When I think about computer security, I like to go back to its early days and compare the situation then with the situation now. Taking a step back is very useful because, even though we work very hard, we need to ask ourselves if we're making things fundamentally better. In other words, are we focusing our efforts on the right problems?
Design and Innovation
Why the Heyday of Credit Card Fraud Is Almost Over (Wired) In 1960, an IBM engineer named Forrest Parry was developing a new type of ID card for the CIA when he had an epiphany
Beyond the internet: moves to set up a 'third network' (Sydney Morning Herald) The public internet is ubiquitous, you can connect from anywhere to anywhere but it's a decentralised, best-effort service, with poor security
Escape From the Data Center: The Promise of Peer-to-Peer Cloud Computing (IEEE Spectrum) Today, cloud computing takes place in giant server farms owned by the likes of Amazon, Google, or Microsoft — but it doesn't have to
Why Are Private Clouds Failing? (Gartner Blogs: Thomas Bittman) I recently wrote a research note to explain what we've been seeing from our client base. In thousands of interactions, there are very specific patterns for private cloud successes and failures. The top ten reasons (in no particular order) that private clouds are failing are
Small Signs of Progress on DNSSEC (Threatpost) DNS doesn't have a lot of friends. It's old, it's kind of creaky and it has some insecurity issues
Rithmio Nabs The Cash Needed To Build A Gesture Recognition Platform (TechCrunch) Rithmio hopes to build and release the first gesture recognition platform that other companies can build into their products. Co-founded by Adam Tilton and Prashant Mehta PhD at the University of Illinois at Urbana Champaign, the company just announced that it secured $650k in seed funding to make it happen
Research and Development
Researchers Work to Predict Malicious Domains (Threatpost) A typical phishing or Web-based malware attack usually isn't terribly complex. But they need a few things in order to work, and one of the key components often is a malicious domain. Researchers spend a lot of time identifying and taking these domains down, but some researchers now are trying to stay a step ahead of the game by predicting which domains will be used for malicious purposes
To Bridge the Skills Gap, Focus On Improving Computer Science's Image (TechCrunch) It's becoming increasingly clear that computer science education grapples with a stubborn image problem. And it's one that we simply cannot afford to ignore any longer
Raytheon recognizes 27 'Math Heroes' (Providence Journal) Twenty-seven middle and high-school math professionals are being recognized by Raytheon as "Math Heroes" for their creative and interactive techniques to make math real and relatable for their students. The Raytheon Company program provides winners with a $2,500 award and a matching grant for his or her school
How Pace University is Building the Next Generation of Cyber Security Analysts (Recorded Future) Cyber threat intelligence is a young area of security. Relatively few universities offer formalized instruction to prepare analysts for this specific problem set, and these curriculums are rapidly evolving. Yet, the demand for analysts with these skills is growing and organizations are facing serious hiring and retention challenges
Huntsville City Schools monitoring students' online activity since January (WHNT) They say it started with a call from the NSA. In May 2013 Al Lankford, a schools security official, took a call from someone he said identified themselves as with the National Security Agency. They warned of a student who had posted tweets threatening violence against an assistant principal as well as two teachers
Legislation, Policy, and Regulation
Russian lawmakers just can't decide whether — or why — they should ban Skype (Quartz) The State Duma, Russia's lower legislative house, was today supposed to discuss a bill that would impose restrictions on the way Skype and other online telephony services operate. Instead, they postponed it to October, following reports in the Russian press that the government wanted to ban Skype and the like altogether, reports ITAR-TASS, the state news agency
How the U.S. military's idiotic tribal mentality leaves us vulnerable to cyber catastrophe (The Week) Our leaders could solve this problem. But they won't
Disarray or Dream Team? DHS Cyber Efforts Under Scrutiny (Nextgov) The Department of Homeland Security's cybersecurity efforts have been hamstrung by high-level turnover at the agency, fueled in part by the "lure of private security companies" willing to pay big bucks, according to a report this week in The Washington Post
Regulatory agencies doing less regulating, more advising for cyber resilience and response (FierceGovernmentIT) Federal regulatory agencies are taking on a greater advisory role in helping critical infrastructure and financial services companies apply the National Institute of Standards and Technology's cybersecurity framework and reduce their cyber risks, several experts recently said
From Securities To Security: Why The SEC Is Bringing Cyber To The Boardroom (Dark Reading) The SEC is emerging as a key proponent of corporate cyber security responsibility and diligence. What does that mean for the CISO?
The FDA wants to talk about medical device cybersecurity (Washington Post) The Food and Drug Administration is asking the public to weigh in on the cybersecurity of medical devices and holding a conference on the subject, organized in collaboration with the Department of Homeland Security
Paper highlights legal, ethical issues with open health data, makes policy recommendations (FierceGovernmentIT) Government open data initiatives have made patient health information more readily available online through healthdata.gov and third-party sites that pull from public sources. But coherent legal and ethics policies are lagging data innovation, says a paper recently published in the Berkeley Technology Law Journal
Citizen Science: The Law and Ethics of Public Access to Medical Big Data (Berkeley Technology Law Journal) Patient-related medical information is becoming increasingly available on the Internet, spurred by government open data policies and private sector data sharing initiatives. Websites such as HealthData.gov, GenBank, and PatientsLikeMe allow members of the public to access a wealth of health information. As the medical information terrain quickly changes, the legal system must not lag behind. This Article provides a base on which to build a coherent data policy. It canvasses emergent data troves and wrestles with their legal and ethical ramifications
Litigation, Investigation, and Law Enforcement
Which countries ask Google for users' data most often, and which countries are most successful in getting it (Quartz) Last week, Google released its latest transparency report showing the number of user data requests the company received in the first six months of 2014. Google says it fielded roughly 32,000 requests for information and complied (in whole or in part) 65% of the time
B.C. class action lawsuit filed against Home Depot over credit-card cyber attack (The Province) A class action lawsuit has been filed in B.C. against Home Depot arising from a cyber-attack on the company's computer network that compromised the credit and debit cards of millions of customers
Netflix deadlocked with broadcast regulator over "confidential" subscriber data (Naked Security) Things are getting testy between Netflix and Canada's broadcast regulator, which is mulling taxing Netflix for having the cheek to serve a whole lot of non-Canadian content that Canadian viewers really want to see
$1.66M in Limbo After FBI Seizes Funds from Cyberheist (Krebs on Security) A Texas bank that's suing a customer to recover $1.66 million spirited out of the country in a 2012 cyberheist says it now believes the missing funds are still here in the United States — in a bank account that's been frozen by the federal government as part of an FBI cybercrime investigation
For a complete running list of events, please visit the Event Tracker.
Workshop on Cryptographic Hardware and Embedded Systems 2014 (CHES 2014) (Busan, Korea, Sep 23 - 26, 2014) The annual CHES workshop highlights new results in the design and analysis of cryptographic hardware and software implementations. CHES provides a valuable connection between the research and cryptographic engineering communities and attracts participants from industry, academia, and government organizations
VB2014 Over its 24-year history, the VB conference has become a major highlight of the IT security calendar, with many of its regular attendees citing it as the security event of the year. The conference provides a focus for the industry, representing an opportunity for experts in the field to share their research interests, discuss methods and technologies and set new standards, as well as meet with - and learn from - those who put their technologies into practice in the real world.
DerbyCon 4.0 (Louisville, Kentucky, USA, Sep 24 - 28, 2014) Welcome to DerbyCon 4.0 — "Family Rootz". This is the place where security professionals from all over the world come to hang out. DerbyCon 4.0 will be held September 24-28th, 2014. DerbyCon 2013 pulled in over 2,000 people with an amazing speaker lineup and a family-like feel. We've listened to your feedback and plan on making this conference even better this year
BruCON 2014 (Ghent, Belgium, Sep 25 - 26, 2014) BruCON is an annual security and hacker conference providing two days of an interesting atmosphere for open discussions of critical infosec issues, privacy, information technology and its cultural/technical implications on society. Organized in Belgium, BruCON offers a high quality line up of speakers, security challenges and interesting workshops. BruCON is a conference by and for the security and hacker community.
ROOTCON 8 ROOTCON is the first hacking convention in the Philippines. A hacker conference and not a seminar, training or a workshop. It will feature the following tracks: advanced HTTP header security analysis, browser extension malware extend cybercrime capabilities, new techniques: email-based threat and attacks, shellcode exploit analysis: tips and tricks, the Necurs rootkit, social engineering: hacking the mind, and hacking your way to ROOTCON.
INTEROP (New York, New York, USA, Sep 29 - Oct 3, 2014) Interop returns to New York with practical and visionary conference sessions designed to help you accelerate your career. This year's conference tracks include: Applications, Business of IT, Cloud Connect Summit, Collaboration, Infrastructure, Mobility, Risk Management & Security, and Software-Defined Networking (SDN)
Indianapolis SecureWorld (Indianapolis, Indiana, USA, Oct 1, 2014) A day of cyber security education. Earn 6-8 CPE credits, network with industry peers, and take advantage of more than thirty educational events. Larry Ponemon, Chairman and Founder of the Ponemon Institute, will deliver the opening keynote. Over the past decade SecureWorld has emerged as one of North America's most vital cyber-security conferences, providing globally relevant education, training and networking for cyber-security professionals on a regional level. SecureWorld provides more content and facilitates more professional connections than any other event in the cyber-security industry. Established in 2002, SecureWorld offers many different continuing professional education sessions over two days in 14 cities throughout the United States.
Suits and Spooks New York Not another hacker conference. Suits and Spooks is a unique gathering of experts, executives, operators, and policymakers who discuss hard challenges in a private setting over two days. Suits and Spooks New York will return to Soho House on October 2-3, 2014. Stay tuned for our speaker list and agenda coming this summer.
Open Analytics Summit (Dulles, Virginia, USA, Oct 7, 2014) Open Analytics Summits are for Developers, Engineers, Data Scientists, CMOs, Data Analysts, CTOs, Architects, Brand Managers, and anyone passionate about open source technologies, big data, or data analytics
MIRcon 2014 (Washington, DC, USA, Oct 7 - 8, 2014) MIRcon 2014 is the premier information security industry event of the year. The conference is designed to educate innovators and executives battling cyber attackers daily
Cyber Security, Meet Workforce Development (Silver Spring, Maryland, USA, Oct 8, 2014) Per Scholas convenes leaders in the Nation's Capital to develop a blueprint for building today's entry-level cyber security workforce
Technology & Cyber Security Day (Hill Air Force Base, Utah, Oct 8, 2014) The Armed Forces Communications & Electronics Association (AFCEA) Wasatch Chapter will once again host the 5th Annual Information Technology & Cyber Security Day at Hill AFB. This annual event is an excellent way to network with key personnel including IT, Communications, Cyber, Engineers and Contracting Officers at Hill AFB
Cyber Security EXPO Securing information, mobility, cloud, and social interaction for the modern enterprise. Disruptive technologies such as cloud computing, mobile, bring your own device (BYOD) and social media are pushing sensitive data and function closer to the user and away from traditional controls. Cyber crime is at an all-time high; attackers are using highly sophisticated methods and taking advantage of a hyper-connected world. The challenge of securing corporate data and networks to mitigate risk is greater than ever. CISOs need new tools, new thinking and policies to meet these challenges. Cyber Security Expo 2014 has been designed to do just that. Cyber Security Expo will have a dedicated conference as well as five highly focused theatres and a significant exhibition. Major themes examined include: Internet & Network Security, Social and Consumer Trends, Cyber Crime, Log Data & Advanced Analytics, Identity & Access Management, Privacy & Data Protection, Cloud Security & Governance and Mobile Device Management.
InfoSec 2014 (Kuala Terengganu, Malaysia, Oct 8 - 10, 2014) You are invited to participate in The International Conference on Information Security and Cyber Forensics (InfoSec 2014) that will be held at Universiti Sultan Zainal Abidin (UniSZA), Kuala Terengganu, Malaysia on October 8-10, 2014. The event will be held over three days, with presentations delivered by researchers from the international community, including presentations from keynote speakers and state-of-the-art lecture
Hacktivity 2014 (Budapest, Hungary, Oct 10 - 11, 2014) Official and alternative representatives of the information security profession meet with all those interested in this field in a framework that is at once informal and informative, and sometimes deeply technical.
Ruxcon (Melbourne, Australia, Oct 26 - 27, 2013) Ruxcon is a computer security conference that aims to bring together the best and the brightest security talent within the Aus-Pacific region. The conference is a mixture of live presentations, activities and demonstrations presented by security experts from the Aus-Pacific region and invited guests from around the world. Ruxcon is widely regarded as a leading computer security conference within Australia attracting all facets of the security landscape from industry, academics, to enthusiasts.
Critical Infrastructure Cyber Community (C3) Voluntary Program Meeting (San Diego, California, USA, Oct 13, 2014) Join stakeholders from across the cyber community to discuss building a cyber risk management program, using DHS resources, and to learn how organizations of all sizes are using the Cybersecurity Framework
Hack-in-the-Box Malaysia (Kuala Lumpur, Malaysia, Oct 13 - 16, 2014) HITBSecConf or the Hack In The Box Security Conference is an annual must attend event in the calendars of security researchers and professionals around the world. Held annually in Kuala Lumpur, Malaysia and Amsterdam in The Netherlands, HITBSecConf is a platform for the discussion and dissemination of next generation computer security issues. Our events routinely feature two days of trainings and a two-day multi-track conference featuring cutting-edge hardcore technical talks delivered by some of the most respected names in the computer security industry. HITBSecConf is a place where ideas are exchanged, talent discovered and genius celebrated
FS-ISAC Fall Summit 2014 (Washington, DC, USA, Oct 13 - 16, 2014) The Financial Services Information Sharing and Analysis Center (FS-ISAC) is a non-profit association of financial institution members dedicated to protecting the global financial services sector from physical and cyber threats that impact the resilience, integrity and stability of member institutions through dissemination of trusted and timely information. Its Fall Summit will feature sessions of interest to both security professionals and the financial sector
CYBERSEC 2014 CYBERSEC is a 4-day event geared toward helping you achieve your cybersecurity goals. Whether your focus is on cybersecurity management, investigation, defense, or offense, we are offering specialty cybersecurity information tracks just for you.
Black Hat Europe 2014 (Amsterdam, Netherlands, Oct 2014) The premier conference on information security returns to the beautiful city of Amsterdam, Netherlands in October, 2014. Professionals from all over the world gather for two days of intense Trainings and two thought-provoking days of Briefings brought to you by some of the brightest minds in the industry.
Denver SecureWorld (Denver, Colorado, USA, Oct 16, 2014) A day of cyber security education. Earn 6-8 CPE credits, network with industry peers, and take advantage of more than thirty educational events. Over the past decade SecureWorld has emerged as one of North America's most vital cyber-security conferences, providing globally relevant education, training and networking for cyber-security professionals on a regional level. SecureWorld provides more content and facilitates more professional connections than any other event in the cyber-security industry. Established in 2002, SecureWorld offers many different continuing professional education sessions over two days in 14 cities throughout the United States.
TechCrunch Disrupt Europe Hackathon (London, England, UK, Oct 18 - 19, 2014) For the second year in a row, TechCrunch is jumping across the pond and bringing the iconic Disrupt and our Hackathon to Europe. We're heading your way, London
CSEC 2014 Cyber Security Summit (Kingdom of Bahrain, Oct 20 - 22, 2014) At the Inaugural Cyber Security Summit 2014, you will have the opportunity to seek ways to reset your IT security and risk strategy for success; stay relevant as IT security and risk are redefined; implement BCM best practices for threat resilience; mitigate the risks of new social collaboration tools; craft strategy for emerging BYOD and mobile threats; learn new regulatory compliance requirements; and more. This year's CSEC Summit attendees will: hear the latest presentations from the Information Security community on today's most pressing topics, attend workshops run by expert analysts and industry leaders, hear real-life experiences during peer case studies, engage in analyst-user roundtables and one-on-one meetings with industry experts, and check out the latest solutions in our Solution Showcase
2014 ICS Cyber Security Conference (Atlanta, Georgia, USA, Oct 20 - 23, 2014) The 14th ICS Cyber Security Conference (sometimes known as "Weisscon") will be held October 20-23, 2014 at Georgia Tech in Atlanta, GA. Cyber Security is becoming a critical infrastructure issue with implications that go far beyond the plant fence. Plant engineers, corporate officers, insurance company executives and more will be handling cyber security issues in the coming years. This conference is essential attendance for people in the manufacturing or utility environment.
Cyber Security Summit 2014 Cyber security breaches have a profound impact on all areas of society. Join the discussion at Cyber Security Summit 2014. For two days, leaders from the public and private sectors meet to identify cyber threat issues and their countermeasures.
Collaborative Approaches for Medical Device and Healthcare Cybersecurity; Public Workshop (Arlington, Virginia, USA, Oct 21 - 22, 2014) The Food and Drug Administration (FDA) is announcing the following public workshop entitled "Collaborative Approaches for Medical Device and Healthcare Cybersecurity." FDA, in collaboration with other stakeholders within the Department of Health and Human Services (HHS) and the Department of Homeland Security (DHS), seeks broad input from the Healthcare and Public Health (HPH) Sector on medical device and healthcare cybersecurity
ISSA International Conference (Orlando, Florida, USA, Oct 22 - 23, 2014) Join us for solution oriented, proactive and innovative sessions focused on security as a vital part of the business.
Hack.lu 2014 (Dommeldange, Luxembourg, Oct 21 - 24, 2014) Hack.lu is an open convention/conference where people can discuss computer security, privacy, information technology and its cultural/technical implications for society
ToorCon San Diego (San Diego, California, USA, Oct 22 - 26, 2014) For hackers like you, because what could possibly go wrong?
FOCUS 14: Empowering the Connected World (Las Vegas, Nevada, USA, Oct 26 - 27, 2014) FOCUS will offer you a unique opportunity to learn directly from other McAfee users. Hear real-world scenarios from McAfee customers and learn how they maintain the highest standards of security while reducing costs, streamlining processes, and driving efficiencies in the daily administration of their networks and systems. Network with security peers who share your challenges, concerns and issues, and learn more about their own success strategies
Dallas SecureWorld (Dallas, Texas, USA, Oct 29 - 30, 2014) Offering two days of cyber security education. Earn 12-16 CPE credits, network with industry peers, and take advantage of more than sixty educational events. Over the past decade SecureWorld has emerged as one of North America's most vital cyber-security conferences, providing globally relevant education, training and networking for cyber-security professionals on a regional level. SecureWorld provides more content and facilitates more professional connections than any other event in the cyber-security industry. Established in 2002, SecureWorld offers many different continuing professional education sessions over two days in 14 cities throughout the United States.
CyberMaryland 2014 (Baltimore, Maryland, USA, Oct 29 - 30, 2014) Entrepreneurs, investors, academia and government will convene in Maryland, the nation's epicenter for cybersecurity, for the fourth annual CyberMaryland Conference.
Cyber Job Fair (Baltimore, Maryland, USA, Oct 29, 2014) ClearedJobs.Net is partnering with CyberMaryland to present the Cyber Job Fair at the CyberMaryland 2014 conference. The Cyber Job Fair is a hiring event for cleared and non-cleared cybersecurity professionals held the first day of the conference
ekoparty Security Conference 10th edition (Buenos Aires, Argentina, Oct 29 - 31, 2014) ekoparty — Electronic Knock Out Party — Security Conference, is a one of a kind event in South America; an annual security conference held in Buenos Aires, where security specialists from all over Latin America (and beyond) have the chance to get involved with state-of-art techniques, vulnerabilities, and tools in a relaxed environment never seen before.
Cyber Risk Summit (Washington, DC, USA, May 22, 2014) This one-day leadership conference will provide a discussion forum for business executives, insurance companies and policymakers on more effective private and public responses to cyber risk management. Topics to be discussed by expert speakers will include state and federal regulatory and legislative initiatives, efforts to develop a common cyber security framework, the threats from cyber espionage and terrorism, and the development of public and private mechanisms to finance and transfer losses from cyber events.
Senior Executive Cyber Security Conference (Baltimore, Maryland, USA, Oct 30 - Nov 1, 2014) North Star Group, LLC and the Johns Hopkins University's Whiting School of Engineering and Information Security Institute sponsor this senior executive focused cyber security conference. This event is designed for non-technical and technical executives who seek to gain a deeper understanding of not just the technical aspects of data breach prevention, but also the important role that insurance, crisis management, legal and human resources play. Speakers include Dr. Ed Schlesinger, Dean of Johns Hopkins University's Whiting School of Engineering, Dr. Andy Ozment, Assistant Secretary of the Office of Cybersecurity and Communications, Department of Homeland Security, and Mr. Eric Joost, Chief Operating Officer, Willis North America