The CyberWire Daily Briefing 09.26.14
The cyber world continues to react to Shellshock. Various patches and preventive measures have been released, all of them so far incomplete, but better than nothing. Apple promises a patch to address the Bash bug even as it seeks to reassure OS X users that most of them remain safe. Various web-application firewall and intrusion detection system vendors have updated their products with rules designed to ward off exploitation. Analysts advise taking prompt, prudent action to protect your systems, but recognize that closing this vulnerability will be a labor-intensive process requiring long-term attention to fixes under development.
Shellshock is already being exploited in the wild, with the first reports of malicious activity surfacing within a few hours of the bug's disclosure (AusCERT was among the first to sound warnings). Kaspersky detected reverse-shell exploits, and AlienVault's honeypot picked up two attempts to use the vulnerability to assemble botnets.
BlackEnergy malware, found in attacks against Ukrainian government systems, shows a striking convergence of the political and criminal in its employment. Some observers are calling it "privateering" with Russian attack tools. The Russian government continues to spook its neighbors with a warning to Latvia that it would do well to treat its ethnic Russian minority well. (The Netherlands, at least, draws a public lesson from Russian policy, avowing a Dutch offensive cyber capability as a common-sense military measure.)
Middle Eastern cyber combatants maintain their focus on information operations.
Malvertising rises in the ranks of cyber threats, with some seeing it eclipsing exploit kits.
A note to our readers: We began publishing the CyberWire in September 2012, and today marks our second anniversary. Thanks to all of you for following and subscribing to the CyberWire. Thanks especially for your many supportive emails, tweets, and face-to-face talks. We hope to continue delivering what we promised two years ago: a relevant and intelligently organized daily digest of the critical news happening across the global cyber security domain.
Notes.
Today's issue includes events affecting Australia, Bulgaria, Czech Republic, European Union, Hungary, Iran, Latvia, NATO/OTAN, Netherlands, Romania, Russia, Singapore, Ukraine, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Alert (TA14-268A) GNU Bourne Again Shell (Bash) 'Shellshock' Vulnerability (CVE-2014-6271, CVE-2014-7169) (US-CERT) A critical vulnerability has been reported in the GNU Bourne Again Shell (Bash), the common command-line shell used in most Linux/UNIX operating systems and Apple's Mac OS X. The flaw could allow an attacker to remotely execute shell commands by attaching malicious code in environment variables used by the operating system. The United States Department of Homeland Security (DHS) is releasing this Technical Alert to provide further information about the GNU Bash vulnerability
ESB-2014.1657 — ALERT [UNIX/Linux][Debian] bash: Execute arbitrary code/commands — Remote/unauthenticated (AUSCERT External Security Bulletin Redistribution) AusCERT has received reports that this vulnerability is currently being exploited in the wild. Administrators should patch vulnerable systems as soon as possible
Shellshock and its early adopters (Securelist) Shortly after disclosure of the Bash bug called "Shellshock" we saw the first attempts by criminals to take advantage of this widespread vulnerability also known as CVE-2014-6271
Honeypot Snares Two Bots Exploiting Bash Vulnerability (Threatpost) A honeypot run by researchers at AlienVault Labs has snared two separate pieces of malware attempting to exploit the Bash vulnerability
Hackers Are Already Using the Shellshock Bug to Launch Botnet Attacks (Wired) With a bug as dangerous as the "shellshock" security vulnerability discovered yesterday, it takes less than 24 hours to go from proof-of-concept to pandemic
Bashed and Shellshocked: Early Reports of Exploitation in the Wild (Recorded Future) Lots of IT security teams are at work right now to patch the Shellshock vulnerability (CVE-2014-6271) ASAP — while keeping an eye on their threat intelligence sources for exploitation in the wild. And the reports are coming in
Bash Exploit Reported, First Round of Patches Incomplete (Threatpost) The urgency to patch systems against the Bash zero-day vulnerability has been cranked to 10 after reports of an exploit in the wild have been made public by AusCERT, the Computer Emergency Response Team of Australia. This seems to reflect a similar finding posted by a researcher who goes by the handle Yinette who found a malware sample that points to a bot being distributed by the exploit
What is a specific example of how the shellshock bash bug could be exploited? (Information Security) I read some articles about the shellshock bash bug (CVE-2014-6271 reported Sep 24, 2014) and have a general idea of what the vulnerability is and how it could be exploited. To better understand the implications of the bug, what would be a simple and specific example of an attack scenario that could exploit the bug?
Shellshock — How Bad Can It Get? (TrendLabs Security Intelligence Blog) In the immediate aftermath of the Bash vulnerability known as Shellshock, we have already seen some attacks using it to deliver DDoS malware onto Linux systems. However, given the severity of this vulnerability, it is almost certain that we will see bigger, more severe attacks. What are some of the scenarios we could potentially see?
Update on CVE-2014-6271: Vulnerability in bash (shellshock) (Internet Storm Center) Yesterday, a vulnerability in bash was announced that was originally found by Stephane Chazelas. The vulnerability allows for arbitrary code execution in bash by setting specific environment variables. Later Tavis Ormandy released a second exploit that will work on patched systems. Demonstration that the patch released yesterday is incomplete
Bash Vulnerability Leads to Shellshock: What it is, How it Affects You (TrendLabs Security Intelligence Blog) A serious vulnerability has been found in the Bash command shell, which is commonly used by most Linux distributions. This vulnerability — designated as CVE-2014-7169 — allows an attacker to run commands on an affected system. In short, this allows for remote code execution on servers that run these Linux distributions
GNU Bash Shell Function Definitions OS Commands Injection Vulnerability (Secunia) A vulnerability has been reported in GNU Bash, which can be exploited by malicious people to compromise a vulnerable system
Bash 'shellshock' flaw is serious because fixing it will depend on manual intervention (TechWorld) Comparisons with Heartbleed miss the point. Expecting admins to retrofix security is a recipe for perpetual weakness
In Heartbleed's wake, Bash shell flaw puts Linux, Mac OS users at risk (TechTarget) Experts say a 20-year-old vulnerability uncovered in the Bash shell, found in Unix-based operating systems including Linux and Mac OS, could lead to a dangerous worm outbreak unlike anything seen in more than a decade
What is the Shellshock bug? Is it worse than Heartbleed? (Guardian) Security experts have warned that a serious flaw could be about to affect many of the world's web users. Here's what you should do
'Shellshock' Bug Spells Trouble for Web Security (Krebs On Security) As if consumers weren't already suffering from breach fatigue: Experts warn that attackers are exploiting a critical, newly-disclosed security vulnerability present in countless networks and Web sites that rely on Unix and Linux operating systems. Experts say the flaw, dubbed "Shellshock," is so intertwined with the modern Internet that it could prove challenging to fix, and in the short run is likely to put millions of networks and countless consumer records at risk of compromise
This is how the "Shell Shock" bug imperils the whole Internet (Quartz) It's a hacker's wet dream: a software bug discovered in the practically ubiquitous computer program known as "Bash" makes hundreds of millions of computers susceptible to hijacking. The impact of this bug is likely to be higher than that of the Heartbleed bug, which was exposed in April. The National Vulnerability Database, a US government system which tracks information security flaws, gave the bug the maximum score for "Impact" and "Exploitability," and rated it as simple to exploit
Bash Bug is a critical risk to entire Internet infrastructure (Security Affairs) Bash Bug is a critical, remotely exploitable flaw which affects Linux, Unix and Apple Mac OS X and is threatening the global Internet infrastructure
Apple knew of iCloud API weakness months before celeb photo leak broke (Ars Technica) Security researcher reported brute force attacks were possible in March
BlackEnergy Malware Linked to Targeted Attacks (Security Week) New research is shining a light on the ongoing evolution of the BlackEnergy malware, which has been spotted recently targeting government institutions in the Ukraine
Russian malware used by 'privateer' hackers against Ukrainian government (Guardian) Attackers were carrying out hits to make money, but were 'co-opted' into carrying out state espionage, say security researchers
Kremlin warns about Russian minorities (Washington Post) As top Kremlin officials have sounded ominous new warnings that they will defend ethnic Russians wherever they live, Latvia, the NATO nation with the highest proportion of Russians, is feeling in the crosshairs
A Deep Dive Into the Ayatollah's Twitter Hate for America (Slate) Iranian President Hassan Rouhani spoke at the U.N. General Assembly today as his country negotiates with the United States over their nuclear program and works to normalize relations with the international community. At a press conference during last year's Assembly, Rouhani attempted to offer the Iranian regime a softer image, hailing the United States as a "great nation" and asking that the two countries "stop the escalation of tensions." The country's actual decision maker, though, is Supreme Leader Ayatollah Ali Khamenei and he has continued to take a hardline
ISIS Videos Employ 'Good Cop, Bad Cop' Approach (NPR) While we are just learning about the Khorasan group, ISIS has been actively spreading its message through propaganda videos. This week it released a second video featuring the British hostage John Cantlie
Anonymous Lashes Out at ISIS, calls them Gangsters and Killers (HackRead) Anonymous, a loose collective of hacktivists, has called Islamic State militants (ISIS) gangsters who have hijacked Islam and has launched a social media campaign against them, according to reports
Malvertising Could Rival Exploit Kits (Dark Reading) Spate of malvertising campaigns gain steam in recent months, including the Kyle and Stan network, which researchers now believe is nine times bigger than initially estimated
Optimized Mal-Ops: Hack the ads network like a boss (Bromium Labs) In this research we perform an in-depth analysis of malicious web ads with the focus on Flash banners. We investigate various possibilities for an attacker to leverage ad networks to spread malware. Then we showcase that from the attacker's perspective ad networks are no different and may be even better than exploit kits and thus it's a viable candidate for the next primary attack vector. And finally we explore how current security technologies are ineffective against attacks propagated through ad networks
Cyber Criminals Using Fake Government E-Mail to Perpetrate Scam (IC3) Cyber criminals posing as Internet Crime Complaint Center (IC3) employees are defrauding the public. The IC3 has received complaints from victims who were receiving e-mails purported to be from the IC3. This advisory informs readers how the scheme works, offers measures to help mitigate the threat, and advises how to report incidents to law enforcement
SMB Employees Targeted With Fake Termination Emails: Bitdefender (SecurityWeek) Bitdefender is warning the employees and IT administrators of small and medium-sized businesses (SMBs) to be on the lookout for fake emails designed to distribute information-stealing malware
Arris Cable Modem Backdoor — I'm a technician, trust me. (Console Cowboys) Vendor backdoors are the worst. Sloppy coding leading to unintentional "bugdoors" is somewhat defendable, but flat out backdoors are always unacceptable
Cyber Thieves Targeting Flower Shops Across Southern California (ABC 7 Los Angeles) Angel Flowers and Gifts in Riverside fell victim to cyber thieves. The business' identity was hijacked, and a website that dupes customers into believing they're ordering from the real flower shop is in fact stealing their business
Breached Retailers Harden PoS, For Now (Dark Reading) Yet another point-of-sale (POS) breach at a major retail chain, and the victim adds encryption
Home Depot: Could The Impact Of The Data Breach Be Significant? (Forbes) Falling unemployment rates, rising builders' confidence and increasing number of housing starts — all bode well for the U.S. housing industry in the near term. In turn, this trend should benefit the largest home improvement retailer, Home Depot, which depends on consumers who look to buy home improvement goods and services to furbish their newly bought/rented homes. However, in light of the recent news of a massive data breach at the retailer, the expected rise in sales for the retailer in the latter half of the year could be drastically hurt
Security Patches, Mitigations, and Software Updates
Apple to release fix for Bash bug (ComputerWeekly) Apple has confirmed that its Mac OS X operating system is vulnerable to the newly reported Bash bug that experts estimate puts up to 500 million Unix-based computers at risk
'Vast majority' of Mac users safe from Shellshock bash bug, Apple says (C/NET) Apple says users of its OS X operating system are "safe by default" from the new security vulnerability, which has been described as bigger than Heartbleed
iOS 8.0.2 released to fix TouchID, cell network woes on newest iPhones (Ars Technica) Patch notes otherwise resemble those from yesterday's yanked 8.0.1 update
Cyber Trends
The Rise of the Hacker Bounty Hunter (New York Magazine) One night earlier this year, while playing around with a new anonymous-sharing app called Secret, Benjamin Caudill was gripped by a familiar sensation: This thing is not secure
'Bitcoin Jesus' Offers Bounties to Hunt Down Hackers and Thieves (Wired) Roger Ver is so well known for his role in the rise of the world's most popular digital currency that some people call him "The Bitcoin Jesus." That makes him a prime target for hackers. They've stolen his money, and they've broken into his email account. But the Bitcoin Jesus is becoming the Bitcoin Vigilante
Consumers increasingly blame companies for data breaches (Help Net Security) Moving forward, every company involved in a major data breach — those actually attacked, such as retailers Home Depot, Target, Goodwill and Neiman Marcus, as well as banks, healthcare, insurance and Internet Service Providers, etc. — is going to pay an even higher price when customers' information is compromised. In fact, each high-profile hack will take its toll on the executive suite and the bottom line alike, say the results of a poll conducted by HyTrust
Energy IT pros show surprising optimism (Help Net Security) Tripwire announced the results of a survey of 104 attendees at the EnergySec Security Summit in Texas
Malware attack complexity prompts partnerships between enterprises and MSS providers (FierceITSecurity) In response to the growing complexity of malware attacks, managed security service, or MSS, providers are playing a more active role in threat remediation for enterprises in Europe, the Middle East and Africa (EMEA), notes market research firm Frost & Sullivan
Online privacy: It's time for a new security paradigm (FCW) Compounding the challenge is the fact that verifying identity, relationships and authorization typically involves evaluating sensitive and proprietary information about us and our relationships. Often, that information is more sensitive than the content to be accessed
Do we need to 'disrupt' the cybersecurity status quo? (Nextgov) Next Wednesday marks the beginning of the 11th annual Cybersecurity Awareness Month
Businesses, governments value local skills in joint malware fight: BAE SAI (CSO) Establishment and expansion of Australian information-security centres of excellence is becoming increasingly appealing to private and public-sector organisations that are finding them invaluable partners in the race to keep up with malware threats, according to the regional head of cyber security at BAE Systems Applied Intelligence (SAI)
National Security Agency: No risk to Bulgaria's banking system (Standart News) "At the moment no serious risk is facing the banking system," assured National Security Agency director Vladimir Pisanchev after participating in an international conference on information security and data storage in Sofia. "We see no cardinal threat to the banking system in terms of cyber security," he added
Marketplace
Updates and 'bendgates' spell a very bad week for Apple (MicroScope) With Apple being forced to withdraw the iOS 8.0.1 update after widespread reports of it bricking iPhones, it's apparent that 'measure twice, cut once' is not an adage that has ever made it to Cupertino
General Motors appoints its first cybersecurity chief (Reuters) General Motors Co (GM.N) on Tuesday named an engineer to serve as its first cybersecurity chief as the No. 1 U.S. automaker and its rivals come under increasing pressure to better secure their vehicles against hackers
Cyber-Ark Jumps 87% On Nasdaq Debut (Bidness etc.) Cyber-Ark made its public debut on the Nasdaq today, and its shares closed up almost 87% after pricing its IPO at $16 earlier in the day
In-Q-Tel Eyes MemSQL's In-Memory Database for Gov't Agencies (ExecutiveBiz) In-Q-Tel has invested in MemSQL to develop in-memory distributed database for U.S. government applications
Jindal and CSC Officials Break Ground on 800-Job Technology Center in NELA (MyArkLaMiss) Today, Governor Bobby Jindal, CSC executive John DeSimone and local officials broke ground on CSC's 116,000-square-foot, next-generation technology center at the National Cyber Research Park in Bossier City. The project will create 800 new direct jobs over the next four years, as CSC becomes an anchor tenant of the 3,000-acre research park being developed by the Cyber Innovation Center, a not-for-profit research corporation
China Mobile selects Gemalto NFC security tech for Beijing mass transit services (Finextra) Gemalto (Euronext NL0000400653 GTO), the world leader in digital security, has been selected by China Mobile to offer its UpTeq NFC Multi-tenant SIMs to protect consumer credentials used for mobile contactless applications, starting with mass transit services in Beijing
Products, Services, and Solutions
Symantec Unveils Norton Security for Threat Protection (Zacks) IT security provider Symantec Corporation (SYMC) recently rolled out an enhanced personalized security service product named Norton Security, which is expected to protect consumers across multiple devices
Oxygen Forensic Suite 2014 Adds New Mobile Device Acquisition Methods (Forensic Focus) Oxygen Forensics has updated its flagship mobile evidence discovery solution, Oxygen Forensic Suite 2014, with additional extraction options
FireEye and Mandiant unite to deliver industry's first global security as a service solution with FireEye as a Service (ITWeb) Introduces next-generation threat intelligence suite for deeper insights into cyber attacks
FireEye Introduces New FireEye App for Splunk Enterprise (MarketWatch) FireEye, Inc., the leader in stopping today's advanced cyber attacks, today announced the new FireEye App for Splunk® Enterprise
Technologies, Techniques, and Standards
What to do about Shellshock Bash bug on Mac OS X, web servers, routers, and more (We Live Security) A serious software vulnerability called the "Bash Bug" or "Shellshock" has just come to light and it affects a wide range of computers and digital devices, many of which will need to be fixed to prevent them leaking information or being taken over by malicious persons. The systems affected include Mac OS X computers, many web servers, and some home networking devices like routers
The BASH Bug and You — Lessons in Providing Patches (Digital Bond) There is a truism in information security, and it is that everything will eventually be found to be vulnerable
New Forensic Subcommittee on Digital Evidence Added to NIST OSAC (Forensic Focus) Digital evidence, one of the fastest growing areas of forensic science, will now have its own subcommittee in the National Institute of Standards and Technology (NIST)-administered Organization of Scientific Area Committees (OSAC). NIST is establishing the OSAC to identify and develop national standards and guidelines for forensic science practitioners to strengthen forensic science in the United States
The New World of Mobile Investigations: Finding Important Evidence in Third-Party Applications (Magnet Forensics) Over the last few years, we have seen a massive shift in the mobile communications market. Smartphones have taken over the world, and mobile users spend the majority of time on their devices emailing, browsing the web, using social media and/or chatting with others using various applications
The FBI's big, bad identification system (CSO) The FBI's formidable Next Generation Identification is up and running
Design and Innovation
Spotlight: Threat Visualizations (Arbor Insight Blog) Research firm Software Advice has published a review of Threat Visualizations. According to the firm, "When deciding which Threat Maps to feature, we were seeking maps that combined innovative designs with informational clarity, so that the viewer could clearly see what attack information was being presented. Visual elegance, interactivity, user friendly qualities, and organization were all also taken into consideration"
Research and Development
Why you're terrible at calculating risk (Quartz) It's a typical afternoon, which means that you're on Facebook instead of doing whatever it is you're supposed to be doing
Academia
Lockheed Martin CEO Outlines Technology Priorities (Lockheed Martin) Lockheed Martin [NYSE: LMT] Chairman, President and Chief Executive Officer Marillyn Hewson shared her vision for the future in a speech to 500 of the Corporation's top engineering, technical and scientific professionals
Leidos Invests $200K in UMd Innovation (InTheCapital) The University of Maryland received a generous donation from a national security, health and engineering solutions company Wednesday. According to the College Park school, Leidos is investing $200,000 to support research, programs, activities and fellowships that help facilitate high-quality education and innovation on campus
Cyber school: The future of protecting your info online (KING 5 News) Why students at The University of Washington see a future in protecting your information and what you can learn from it
Legislation, Policy, and Regulation
Ukraine Pushes for NATO Membership as Gas Talks Commence (Bloomberg) Ukraine kick-started the process to strengthen its ties with NATO and will strive to join the alliance in the "short term," its government said, a day after its president declared the worst of its separatist war was over
Hungary 'indefinitely' turns off gas supplies to Ukraine (Russia Today) Natural gas deliveries to neighboring Ukraine have been halted "indefinitely", said Hungary's prime minister, Viktor Orban, a day after securing a new deal with Russian gas giant Gazprom
Defense Dept. Expands Digital Warfare (Netherlands Times) A special Cyber Command has been established so that the Dutch army may now shut down opponents' computer networks using viruses
Terror laws clear Senate, enabling entire Australian web to be monitored and whistleblowers to be jailed (Sydney Morning Herald) Australian spies will soon have the power to monitor the entire Australian internet with just one warrant, and journalists and whistleblowers will face up to 10 years' jail for disclosing classified information
National Crime Agency to feed UK banks real-time cyber-alerts (TechWorld) Financial Crime Alerts Service to launch in 2015
Business and academia urged to help safeguard Singapore's 'cyber ecosystem' (Out-Law) Singapore's government has called on businesses, public sector bodies and academia to work together to boost cyber security, as "key stakeholders" in strengthening the country's "cyber ecosystem"
Ramping Up Medical Device Cybersecurity (HealthcareInfoSecurity) FDA initiates risk assessment effort
Terror warning: FBI director sweating over Google and Apple privacy (IT Pro Portal) FBI Director James Comey is concerned about the new privacy features on Apple and Google devices, although tech companies are still able to hand over cloud storage data to the police
HRC may shut some personnel systems down, command says (Army Times) The Human Resources Command is working with Army Cyber Command, the Army Network Enterprise Technology Command and the Army G6 (chief information officer) to resolve a "significant and complex" information technology challenge that may result in several key personnel services systems being pulled off line, HRC officials said Thursday morning
Governors Cuomo and Christie Sign Bi-State Memorandum of Understanding to Increase Security for New York and New Jersey (LongIsland[.]com) Shared infrastructure of both states requires coordinated security, communications and intelligence-gathering to protect public safety, assets and commerce
Litigation, Investigation, and Law Enforcement
Yahoo reports a drop in government data requests (IDG via CSO) The amount of personal information held by firms like Google and Facebook has made them ripe targets for data-hungry governments and intelligence agencies. But the bull's-eye on Yahoo's back may be losing its appeal
Health Insurance Marketplaces Generally Protected Personally Identifiable Information but Could Improve Certain Information Security Controls (Office of the Inspector General, US Department of Health and Human Services) This summary report provides an overview of the results of three reviews of the security of certain information technology at the Federal, Kentucky, and New Mexico Health Insurance Marketplaces
Home Depot breach leads to fraudulent transactions, class-action lawsuits (SC Magazine) The retailer's massive breach has spawned multiple lawsuits and reports of fraudulent transactions. In the wake of Home Depot's breach, reports of fraudulent transactions have surfaced on the heels of two class-action lawsuits, one filed in Canada by a consumer and the other filed in Florida on behalf of financial institutions
Law Professor Claims Any Internet Company 'Research' On Users Without Review Board Approval Is Illegal (TechDirt) For many years I've been a huge fan of law professor James Grimmelmann. His legal analysis on various issues is often quite valuable, and I've quoted him more than a few times. However, he's now arguing that the now infamous Facebook happiness experiment and the similarly discussed OkCupid "hook you up with someone you should hate" experiments weren't just unethical, but illegal
And there he stood, with a smoking datum in his hand (Fortune) In the growing field of digital forensics, any device you use can and will be held against you in a court of law
United Kingdom: Four Men Jailed For Carbon Credit Cyber-Heist (hetq) Four British men have been sentenced to jail for aiding the sophisticated theft of US$ 9.4 million worth of EU carbon credits in an international cyber-attack
For a complete running list of events, please visit the Event Tracker.
Newly Noted Events
U.S. Army ITA Security Forum (Fort Belvoir, Virginia, USA, Oct 20, 2014) The U.S. Army Information Technology Agency Security Forum is taking place at the Ft. Belvoir site and will be a one day event focusing on cyber security education and training for the workforce. The exhibits will take place in the Warrior Conference Room and the training sessions will take place in the Heroes Auditorium
Upcoming Events
Workshop on Cryptographic Hardware and Embedded Systems 2014 (CHES 2014) (Busan, Korea, Sep 23 - 26, 2014) The annual CHES workshop highlights new results in the design and analysis of cryptographic hardware and software implementations. CHES provides a valuable connection between the research and cryptographic engineering communities and attracts participants from industry, academia, and government organizations
VB2014 Over its 24-year history, the VB conference has become a major highlight of the IT security calendar, with many of its regular attendees citing it as the security event of the year. The conference provides a focus for the industry, representing an opportunity for experts in the field to share their research interests, discuss methods and technologies and set new standards, as well as meet with - and learn from - those who put their technologies into practice in the real world.
DerbyCon 4.0 (Louisville, Kentucky, USA, Sep 24 - 28, 2014) Welcome to DerbyCon 4.0 — "Family Rootz". This is the place where security professionals from all over the world come to hang out. DerbyCon 4.0 will be held September 24-28th, 2014. DerbyCon 2013 pulled in over 2,000 people with an amazing speaker lineup and a family-like feel. We've listened to your feedback and plan on making this conference even better this year
BruCON 2014 (Ghent, Belgium, Sep 25 - 26, 2014) BruCON is an annual security and hacker conference providing two days of an interesting atmosphere for open discussions of critical infosec issues, privacy, information technology and its cultural/technical implications on society. Organized in Belgium, BruCON offers a high quality line up of speakers, security challenges and interesting workshops. BruCON is a conference by and for the security and hacker community.
ROOTCON 8 ROOTCON is the first hacking convention in the Philippines. A hacker conference and not a seminar, training or a workshop. It will feature the following tracks: advanced HTTP header security analysis, browser extension malware extend cybercrime capabilities, new techniques: email-based threat and attacks, shellcode exploit analysis: tips and tricks, the Necurs rootkit, social engineering: hacking the mind, and hacking your way to ROOTCON.
INTEROP (New York, New York, USA, Sep 29 - Oct 3, 2014) Interop returns to New York with practical and visionary conference sessions designed to help you accelerate your career. This year's conference tracks include: Applications, Business of IT, Cloud Connect Summit, Collaboration, Infrastructure, Mobility, Risk Management & Security, and Software-Defined Networking (SDN)
Indianapolis SecureWorld (Indianapolis, Indiana, USA, Oct 1, 2014) A day of cyber security education. Earn 6-8 CPE credits, network with industry peers, and take advantage of more than thirty educational events. Larry Ponemon, Chairman and Founder of the Ponemon Institute, will deliver the opening keynote. Over the past decade SecureWorld has emerged as one of North America's most vital cyber-security conferences, providing globally relevant education, training and networking for cyber-security professionals on a regional level. SecureWorld provides more content and facilitates more professional connections than any other event in the cyber-security industry. Established in 2002, SecureWorld offers many different continuing professional education sessions over two days in 14 cities throughout the United States.
Suits and Spooks New York Not another hacker conference. Suits and Spooks is a unique gathering of experts, executives, operators, and policymakers who discuss hard challenges in a private setting over two days. Suits and Spooks New York will return to Soho House on October 2-3, 2014. Stay tuned for our speaker list and agenda coming this summer.
Open Analytics Summit (Dulles, Virginia, USA, Oct 7, 2014) Open Analytics Summits are for Developers, Engineers, Data Scientists, CMOs, Data Analysts, CTOs, Architects, Brand Managers, and anyone passionate about open source technologies, big data, or data analytics
MIRcon 2014 (Washington, DC, USA, Oct 7 - 8, 2014) MIRcon 2014 is the premier information security industry event of the year. The conference is designed to educate innovators and executives battling cyber attackers daily
Cyber Security, Meet Workforce Development (Silver Spring, Maryland, USA, Oct 8, 2014) Per Scholas convenes leaders in the Nation's Capital to develop a blueprint for building today's entry-level cyber security workforce
Technology & Cyber Security Day (Hill Air Force Base, Utah, Oct 8, 2014) The Armed Forces Communications & Electronics Association (AFCEA) Wasatch Chapter will once again host the 5th Annual Information Technology & Cyber Security Day at Hill AFB. This annual event is an excellent way to network with key personnel including IT, Communications, Cyber, Engineers and Contracting Officers at Hill AFB
Cyber Security EXPO: Securing information, mobility, cloud, and social interaction for the modern enterprise. Disruptive technologies such as cloud computing, mobile, bring your own device (BYOD) and social media are pushing sensitive data and function closer to the user and away from traditional controls. Cyber crime is at an all-time high, attackers are using highly sophisticated methods taking advantage of a hyper-connected world. The challenge of securing corporate data and networks to mitigate risk is greater than ever. CISOs need new tools, new thinking and policies to meet these challenges. Cyber Security Expo 2014 has been designed to do just that. Cyber Security Expo will have a dedicated conference as well as five highly focused theatres and a significant exhibition. Major themes examined include: Internet & Network Security, Social and Consumer Trends, Cyber Crime, Log Data & Advanced Analytics, Identity & Access Management, Privacy & Data Protection, Cloud Security & Governance and Mobile Device Management.
InfoSec 2014 (Kuala Terengganu, Malaysia, Oct 8 - 10, 2014) You are invited to participate in The International Conference on Information Security and Cyber Forensics (InfoSec 2014) that will be held at Universiti Sultan Zainal Abidin (UniSZA), Kuala Terengganu, Malaysia on October 8-10, 2014. The event will be held over three days, with presentations delivered by researchers from the international community, including presentations from keynote speakers and state-of-the-art lecture
Hacktivity 2014 (Budapest, Hungary, Oct 10 - 11, 2014) Official and alternative representatives of the information security profession meet with all those interested in this field in a framework that is at the same time informal and informative, and sometimes technologically very in-depth.
Ruxcon (Melbourne, Australia, Oct 26 - 27, 2013) Ruxcon is a computer security conference that aims to bring together the best and the brightest security talent within the Aus-Pacific region. The conference is a mixture of live presentations, activities and demonstrations presented by security experts from the Aus-Pacific region and invited guests from around the world. Ruxcon is widely regarded as a leading computer security conference within Australia attracting all facets of the security landscape from industry, academics, to enthusiasts.
Critical Infrastructure Cyber Community (C3) Voluntary Program Meeting (San Diego, California, USA, Oct 13, 2014) Join stakeholders from across the cyber community to discuss building a cyber risk management program, using DHS resources, and to learn how organizations of all sizes are using the Cybersecurity Framework
Hack-in-the-Box Malaysia (Kuala Lumpur, Malaysia, Oct 13 - 16, 2014) HITBSecConf or the Hack In The Box Security Conference is an annual must attend event in the calendars of security researchers and professionals around the world. Held annually in Kuala Lumpur, Malaysia and Amsterdam in The Netherlands, HITBSecConf is a platform for the discussion and dissemination of next generation computer security issues. Our events routinely feature two days of trainings and a two-day multi-track conference featuring cutting-edge hardcore technical talks delivered by some of the most respected names in the computer security industry. HITBSecConf is a place where ideas are exchanged, talent discovered and genius celebrated
FS-ISAC Fall Summit 2014 (Washington, DC, USA, Oct 13 - 16, 2014) The Financial Services Information Sharing and Analysis Center (FS-ISAC), is a non-profit association comprised of financial institution members, that is dedicated to protecting the global financial services sector from physical and cyber threats that impact the resilience, integrity and stability of member institutions through dissemination of trusted and timely information. Its Fall Summit will feature sessions of interest to both security professionals and the financial sector
CYBERSEC 2014: CYBERSEC is a 4-day event geared toward helping you achieve your cybersecurity goals. Whether your focus is on cybersecurity management, investigation, defense, or offense we are offering specialty cybersecurity information tracks just for you.
Black Hat Europe 2014: The premier conference on information security returns to the beautiful city of Amsterdam, Netherlands in October, 2014. Professionals from all over the world gather for two days of intense Trainings and two thought-provoking days of Briefings brought to you by some of the brightest minds in the industry.
Denver SecureWorld (Denver, Colorado, USA, Oct 16, 2014) A day of cyber security education. Earn 6-8 CPE credits, network with industry peers, and take advantage of more than thirty educational events. Over the past decade SecureWorld has emerged as one of North America's most vital cyber-security conferences, providing globally relevant education, training and networking for cyber-security professionals on a regional level. SecureWorld provides more content and facilitates more professional connections than any other event in the cyber-security industry. Established in 2002, SecureWorld offers many different continuing professional education sessions over two days in 14 cities throughout the United States.
TechCrunch Disrupt Europe Hackathon (London, England, UK, Oct 18 - 19, 2014) For the second year in a row, TechCrunch is jumping across the pond and bringing the iconic Disrupt and our Hackathon to Europe. We're heading your way, London
CSEC 2014 Cyber Security Summit (Kingdom of Bahrain, Oct 20 - 22, 2014) At the Inaugural Cyber Security Summit 2014, you will have the opportunity to seek ways to reset your IT security and risk strategy for success; stay relevant as IT security and risk are redefined; implement BCM best practices for threat resilience; mitigate the risks of new social collaboration tools; craft strategy for emerging BYOD and mobile threats; learn new regulatory compliance requirements; and more. This year's CSEC Summit attendees will: hear the latest presentations from the Information Security community on today's most pressing topics, attend workshops run by expert analysts and industry leaders, hear real-life experiences during peer case studies, engage in analyst-user roundtables and one-on-one meetings with industry experts, and check out the latest solutions in our Solution Showcase
2014 ICS Cyber Security Conference: The 14th ICS Cyber Security Conference (sometimes known as "Weisscon") will be held October 20-23, 2014 at Georgia Tech in Atlanta, GA. Cyber Security is becoming a critical infrastructure issue with implications that go far beyond the plant fence. Plant engineers, corporate officers, insurance company executives and more will be handling cyber security issues in the coming years. This conference is essential attendance for people in the manufacturing or utility environment.
Cyber Security Summit 2014: Cyber security breaches have a profound impact on all areas of society. Join the discussion at Cyber Security Summit 2014. For two days, leaders from the public and private sectors meet to identify cyber threat issues and their countermeasures.
Collaborative Approaches for Medical Device and Healthcare Cybersecurity; Public Workshop (Arlington, Virginia, USA, Oct 21 - 22, 2014) The Food and Drug Administration (FDA) is announcing the following public workshop entitled "Collaborative Approaches for Medical Device and Healthcare Cybersecurity." FDA, in collaboration with other stakeholders within the Department of Health and Human Services (HHS) and the Department of Homeland Security (DHS), seeks broad input from the Healthcare and Public Health (HPH) Sector on medical device and healthcare cybersecurity
ISSA International Conference (Orlando, Florida, USA, Oct 22 - 23, 2014) Join us for solution oriented, proactive and innovative sessions focused on security as a vital part of the business.
Hack.lu 2014 (Dommeldange, Luxembourg, Oct 21 - 24, 2014) Hack.lu is an open convention/conference where people can discuss computer security, privacy, information technology and its cultural/technical implications for society
ToorCon San Diego (San Diego, California, USA, Oct 22 - 26, 2014) For hackers like you, because what could possibly go wrong?
FOCUS 14: Empowering the Connected World (Las Vegas, Nevada, USA, Oct 26 - 27, 2014) FOCUS will offer you a unique opportunity to learn directly from other McAfee users. Hear real-world scenarios from McAfee customers and learn how they maintain the highest standards of security while reducing costs, streamlining processes, and driving efficiencies in the daily administration of their networks and systems. Network with security peers who share your challenges, concerns and issues, and learn more about their own success strategies
Dallas SecureWorld (Dallas, Texas, USA, Oct 29 - 30, 2014) Offering two days of cyber security education. Earn 12-16 CPE credits, network with industry peers, and take advantage of more than sixty educational events. Over the past decade SecureWorld has emerged as one of North America's most vital cyber-security conferences, providing globally relevant education, training and networking for cyber-security professionals on a regional level. SecureWorld provides more content and facilitates more professional connections than any other event in the cyber-security industry. Established in 2002, SecureWorld offers many different continuing professional education sessions over two days in 14 cities throughout the United States.
CyberMaryland 2014 (Baltimore, Maryland, USA, Oct 29 - 30, 2014) Entrepreneurs, investors, academia and government will convene in Maryland, the nation's epicenter for cybersecurity, for the fourth annual CyberMaryland Conference.
Cyber Job Fair (Baltimore, Maryland, USA, Oct 29, 2014) ClearedJobs.Net is partnering with CyberMaryland to present the Cyber Job Fair at the CyberMaryland 2014 conference. The Cyber Job Fair is a hiring event for cleared and non-cleared cybersecurity professionals held the first day of the conference
ekoparty Security Conference 10th edition (Buenos Aires, Argentina, Oct 29 - 31, 2014) ekoparty — Electronic Knock Out Party — Security Conference, is a one-of-a-kind event in South America; an annual security conference held in Buenos Aires, where security specialists from all over Latin America (and beyond) have the chance to get involved with state-of-the-art techniques, vulnerabilities, and tools in a relaxed environment never seen before.
Cyber Risk Summit (Washington, DC, USA, May 22, 2014) This one-day leadership conference will provide a discussion forum for business executives, insurance companies and policymakers on more effective private and public responses to cyber risk management. Topics to be discussed by expert speakers will include state and federal regulatory and legislative initiatives, efforts to develop a common cyber security framework, the threats from cyber espionage and terrorism, and the development of public and private mechanisms to finance and transfer losses from cyber events.
Senior Executive Cyber Security Conference (Baltimore, Maryland, USA, Oct 30 - Nov 1, 2014) North Star Group, LLC and the Johns Hopkins University's Whiting School of Engineering and Information Security Institute sponsor this senior executive focused cyber security conference. This event is designed for non-technical and technical executives who seek to gain a deeper understanding of not just the technical aspects of data breach prevention, but also the important role that insurance, crisis management, legal and human resources play. Speakers include Dr. Ed Schlesinger, Dean of Johns Hopkins University's Whiting School of Engineering, Dr. Andy Ozment, Assistant Secretary of the Office of Cybersecurity and Communications, Department of Homeland Security, and Mr. Eric Joost, Chief Operating Officer, Willis North America