The CyberWire Daily Briefing 09.29.14
Privateers, useful idiots, or intelligence services — take your pick, but F-Secure and others are attributing the BlackEnergy attacks on Ukraine to a Russian operation.
Chinese security services, facing widespread discontent and civil disobedience (particularly in Hong Kong), are using iFrame-based redirection attacks to install remote-access Trojans into the networks of not-for-profits and NGOs active in or around China. (FireEye devotes its customary attention to Chinese cyber ops.) The government is also cracking down on social media in Hong Kong; activists there work to evade censorship and monitoring.
Over the weekend the SANS Internet Storm Center raised its "InfoCon" to "Yellow" in response to the proliferation of Shellshock-exploiting worms and botnets across the Internet. Vendors and hackers are currently engaged in a race to control the holes Shellshock opened, and observers expect this to continue for the foreseeable future. Much advice on mitigating Shellshock risk is on offer, starting with ways of determining how vulnerable your systems may be.
Apple security receives scrutiny, some but not all of it Shellshock-related. The brand is heavily phished, and its latest iOS anti-phone-tracking feature may not work quite as expected.
Trendy social medium Ello sustains a successful denial-of-service attack.
A third-party point-of-sale vendor may be implicated in the recent Jimmy John's breach. Observers advise the vendor's other customers to look to their security.
The US financial sector announces a new collaborative approach to developing threat intelligence product.
Law firms in the UK consider their cyber vulnerability, and also their more general "duty to inform."
Notes.
Today's issue includes events affecting Australia, Canada, China, France, Germany, Laos, Oman, Russia, Turkey, Ukraine, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
BlackEnergy Cyber Attacks Against Ukrainian Government Linked to Russia (International Business Times) A Russian cybercrime gang called Quedagh is behind a persistent cyber-attack against the Ukrainian government that harvested sensitive information
Ruskies use commercial crimeware to mask 'patriotic' Ukraine hacks (Register) Political hack-attacks are being made to look like bread-and-butter financial fleecing scams, according to researcher F-Secure, after watching Russian hacker collective Quedagh's use of the popular BlackEnergy exploit kit
iFrame-based redirection attacks used to monitor Chinese organizations (Security Affairs) Security Experts at FireEye discovered a new malicious campaign which is targeting Chinese organizations with iFrame traffic redirection to serve RAT
Aided Frame, Aided Direction (Because it's a redirect) (FireEye) On September 24 2014, FireEye observed a new strategic web compromise (SWC) campaign that we believe is targeting non-profit organizations and non-governmental organizations (NGO) by hosting iframes on legitimate websites
Amid Crackdowns, Protestors In Hong Kong Take To Tech To Publicize #OccupyCentral and #OccupyHK (TechCrunch) Amid reports of a crackdown by the Chinese Government on social media outlets like Instagram in mainland China to suppress distribution of images of student protests in Hong Kong, the hashtag #OccupyCentral has become one of the top trends on Twitter
Hong Kong has entered a state of mass civil disobedience (Quartz) Tens of thousands of pro-democracy demonstrators are surging through the streets of Hong Kong to protest against Beijing's influence over how the semi-autonomous territory elects its top officials
Arab Twitter users dislike Iran even more than they dislike the US (Quartz) After decades of bombings, invasions, and other military interventions, it's no surprise that attitudes toward the United States are overwhelmingly negative in the Arab world. But according to a recent study, there's at least one country that's less popular than the US in the region — that would be Iran, at least on Twitter
Why We Have Moved to InfoCon:Yellow (Internet Storm Center) At the Storm Center, we are strict and judicious on moving the InfoCon status. We felt, after dialog, that Yellow is warranted in this case as we are seeing signs of worm/botnet activity. This combined with so many systems are impacted [worm], with no signs of letting up [met]
Malicious Shellshock Traffic Invades the Web (Infosecurity Magazine) Security experts are urging firms to patch the Shellshock bug as soon as possible, after spotting a "significant amount" of malicious traffic exploiting the Bash vulnerability made public last week
Bash Bots Waste No Time (AppRiver Blog) It took less than one day after the news was publicly released about a major flaw in the bash command line interpreter before a botnet leveraging this flaw, referred to as ShellShock, was spotted in the wild
Shellshock Exploit Attempts Continue in China (TrendLabs Security Intelligence Blog) It seems like the floodgates have truly opened for Shellshock-related attacks. We have reported on different attacks leveraging the Bash bug vulnerability, ranging from botnet attacks to IRC bots
First Shellshock botnet attacks Akamai, US DoD networks (SC Magazine via IT News) Wopbot on the rampage
Attackers quick to exploit Bash bug, security industry responds quicker (SC Magazine) Attackers moved quickly to exploit the 'Bash Bug,' or Shellshock, security researchers said, but the industry moved quicker, issuing patches after the vulnerability was revealed this week
Attacks against Shellshock continue as updated patches hit the Web (CSO) From Thursday on, several security firms reported a drastic uptick in the number of attacks that leverage the recently disclosed vulnerability in GNU Bash (CVE-2014-6271), widely known as Shellshock
VoIP phone systems at risk of Shellshock Bash attacks (CSO) Companies should check whether their VoIP system's SIP server has the widespread vulnerability
Shellshock: A Technical Report (Trend Micro) On September 24, 2014, Stephane Chazelas discovered that Bash incorrectly handled trailing code in function definitions, as described in CVE-2014-6271
Still more vulnerabilities in bash? Shellshock becomes whack-a-mole (Ars Technica) Latest patch fixed one test case, but more vulnerabilities remain, say experts
Shellshock Vulnerability: What Mac OS X Users Need to Know (Intego) The vulnerability is called Shellshock, and it has rocked the security industry to its core. A flaw in the "Bash" shell — the command line interpreter for Unix-based systems including Linux and Mac OS X — has sent server administrators scrambling to patch their systems
Bash "Shellshock" bug: Who needs to worry? (Help Net Security) As expected, attackers have begun exploiting the GNU Bash "Shellshock" remote code execution bug (CVE-2014-6271) to compromise systems and infect them with malware
Shellshocked: A Future Of 'Hair On Fire' Bugs (Dark Reading) Most computers affected by Bash will be updated within 10 years. The rest will be vulnerable for the lifespans of all humans now living. This should concern us. But then, global warming should also concern us
Why Shellshock Bug Is Way Nastier Than Heartbleed (eWeek) Expert says that if your operating system is not patched automatically, install an update as soon as possible
The Internet Is Broken, and Shellshock Is Just the Start of Our Woes (Wired) Brian Fox drove from Boston to Santa Barbara, with two tapes stashed in his trunk
5 More Mac Malware Myths and Misconceptions (Intego) There are plenty of myths about malware in general, but Macs especially seem to attract an extra dose of mythos due to a smug sense of invulnerability among the Mac community
Apple suffers more phishing attacks than any other internet company, says new report (Independent) Apple's susceptibility to attacks has come under increased scrutiny after high profile attacks
Ello Users Experience Further Downtime After DDoS Attack (TechCrunch) The suddenly hip social networking site Ello experienced its first major outage today, suffering a Distributed Denial of Service attack that brought it down for approximately 45 minutes. The company says that it was able to fix the issue by blocking the IP addresses responsible for the attack
Nisa is rocked by password thefts (Sunday Times) Preparations for Nisa Retail's annual meeting tomorrow have been disrupted by a damaging leak of members' data
Signature Systems Breach Expands (Krebs On Security) Signature Systems Inc., the point-of-sale vendor blamed for a credit and debit card breach involving some 216 Jimmy John's sandwich shop locations, now says the breach also may have jeopardized customer card numbers at nearly 100 other independent restaurants across the country that use its products
Viator breach highlights susceptibility of online payments: CipherCloud (Reseller) Cloud information protection company points to weak encryption as the reason for the intrusion
Beyond Home Depot: Cyberthieves target smaller companies (CNBC) Data breaches at big retailers including Home Depot and Target may be grabbing attention, but mom-and-pop businesses shouldn't feel like they're in the clear. Hackers also have their eye on smaller businesses, according to experts
The Fappening 3: More Nude Photos of Jennifer Lawrence Leaked Online (Hack Read) It seems as if hackers are not happy with the Hollywood celebrities
Bulletin (SB14-272) Vulnerability Summary for the Week of September 22, 2014 (US-CERT) The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information
Security Patches, Mitigations, and Software Updates
Check Point Protects Customers Against Shellshock (Sys-Con Media) Check Point® Software Technologies Ltd. (NASDAQ: CHKP), the worldwide leader in securing the internet, today announced that it has issued an IPS protection against the GNU Bourne Again Shell (Bash) 'Shellshock' Vulnerability, securing the integrity of its customers' network data
Microsoft exec: 'Windows 9' to be announced next week (PCWorld) Although Microsoft is widely expected to reveal Windows 9 next week, the company is staying tight-lipped on its exact plans for the September 30 press event
Apple's new feature to curb phone tracking won't work if you're actually using your phone (Washington Post) A highly praised privacy function in Apple's latest operating system that is designed to thwart tracking may not be as effective as originally thought, according to a new post from Bhupinder Misra, a principal systems engineer of the WiFi analytics firm AirTight Networks
National Security Agency Locked Out of Apple iPhone (International Business Times) After the release of the iPhone 6 models, the internet is abuzz trying to bring down the product. If it is not the iOS flaws, it is the bendgate or the problems faced with the Touch ID. There is some negative concern or the other regarding these smartphone models
Cyber Trends
US Banks Get Serious on Security Information Sharing (Infosecurity Magazine) The US financial services industry is finally getting tough on cybercrime, with the announcement of a new body to be tasked with developing threat intelligence products
Insurers look to secure digital borders without inhibiting growth (PropertyCasualty360°) Insurers trying to contain cyber risks face a tricky balancing act between the desire to build an impenetrable digital fortress and demands from staff, intermediaries, and consumers for faster and easier data access
Cyber security peer panel: A duty to inform (The Lawyer) The Information Commissioner's Office has intensified its focus on lawyers with respect to data breaches, and mandatory breach notification is on the way
Microsoft's security chief in Nashville: Data security responsibility has moved 'up the chain' (Nashville Business Journal) Bret Arsenault, chief information security officer for Microsoft, has a pretty clear idea of his job's culpability
Q&A: Southeast Asian governments face advanced persistent threats online, says FireEye (Techgoondu) Hardly a week passes these days without news of yet another high-profile cyber attack or a potential loophole being exploited by increasingly sophisticated online criminals
Call for awareness to prevent cyber security frauds (Times of Oman) The Muscat Chapter of the Institute of Chartered Accountants of India (ICAI) organised an information technology seminar at the College of Banking and Financial studies
Marketplace
State IT suppliers face cyber security requirement (Contractor UK) All businesses must from next month meet a cyber security standard if they want to bid for government contracts involving handling information and providing IT services
Maritime Security Market to Grow 8.4% Through 2019 (ExecutiveBiz) A new MarketsandMarkets report forecasts the maritime security market to reach $20.87 billion in value in 2019 at a compound annual growth rate of 8.4 percent over the next five years
Stephane Chazelas: the man who found the web's 'most dangerous' internet security bug (The Age) It was a bug that lurked in software found on hundreds of millions of devices for 21 years, leaving them vulnerable to hackers, who may have known of its existence
Wave Of Selling Hits Stocks; IPO CyberArk Extends Gains (Investor's Business Daily) Buyers were in short supply in early-afternoon trading Thursday as another wave of institutional selling hit the Nasdaq
CyberArk Software: Growth, Growth Prospects And Profits, But Appeal? (Seeking Alpha) CyberArk Software witnessed a very successful public offering this week
Proofpoint Receives Average Recommendation of "Buy" from Brokerages (WKRB) Proofpoint (NASDAQ:PFPT) has been given an average recommendation of "Buy" by the fourteen analysts that are covering the stock, StockRatingsNetwork reports
Duo Security VC round caps season (Crain's Detroit Business) It was a good summer for Dug Song, CEO and co-founder of Duo Security Inc., an Ann Arbor-based, fast-growing provider of highly secure, cloud-based authentication services for companies
Spy Agencies Urge Caution on Phone Deal (New York Times) An obscure federal contract for a company charged with routing millions of phone calls and text messages in the United States has prompted an unusual lobbying battle in which intelligence officials are arguing that the nation's surveillance secrets could be at risk
Cisco tops in security, but McAfee, Fortinet, Check Point make strides (Channel Partners) Cisco once again topped Infonetics Research's "Network and Content Security Vendor Scorecard," which profiles, analyzes and ranks the eight leading global vendors of network and content security solutions. But the Silicon Valley giant better watch its back
We're arriving at the endgame for BlackBerry (Quartz) The BlackBerry was the first truly modern smartphone, the king of Personal Information Management On The Go. But under its modern presentation lurked its most fatal flaw, a software engine that couldn't be adapted to the Smartphone 2.0 era
Symantec Appoint Michael Brown As CEO (ValueWalk) The Mountain View, California-based company have given the interim CEO the job on a permanent basis, marking the end of a six month search
Products, Services, and Solutions
Lookingglass Cyber Solutions Now Available on NETCENTS-2 Contract Vehicle (BusinessWire) Lookingglass expands ability to support U.S. Government through threat intelligence
Symantec gives IT pros a simulated strategy for preventing cyber crimes (Financial Post) When a company is under cyber attack, it may be the first time its security personnel have a chance to do anything that even resembles real-world investigation, or to see what the bad guys are actually up to. That may handicap them in their investigations
Prelert's Machine Learning Analytics to be Included in Alert Logic's Security-as-a-Service (Inside Big Data) Prelert, the anomaly detection company and Alert Logic, a leading provider of Security-as-a-Service solutions for the cloud, has announced an OEM partnership
ESET Announces Remote Administrator Plug-in for Kaseya (Channelnomics) Anti-virus firm ESET has announced the general availability of its Remote Administrator plug-in for Kaseya's Virtual System Administrator (VSA)
Apps to easily encrypt your text messaging and mobile calls (Gizmag) Mobile phone users are becoming more savvy to the potential security risks of standard, unencrypted text messaging and wary of government intrusion into everyday communications
ScoutBot (LANSec) ScoutBot is a must have application for penetration testers who are looking for an easy and inconspicuous way of gathering info on a target's network
Drozer — Security Testing Framework for Android (Ethical Hacking) Unquestionably we can say that Android is one of the leading mobile operating systems, but nobody is secure; so Android also has vulnerabilities and there are methods to exploit them. Since there are vulnerabilities, we have a reason to study and fix them. Drozer can make your life easy because it is a framework to test the security of Android OS
MITMF — Framework for Man-in-the-Middle Attacks (SecTechno Blog) MITMF is another framework that can be used for man-in-the-middle attacks. The tool is Python-based and has several plugins that add more functionality during a penetration test
One way to tell whether incredible news you read online is really true (Quartz) Did you hear the thing about the Florida woman who implanted a third breast in order to be "unattractive to men"? The one who is filming "her daily life in Tampa to show the struggles she faces because of her surgery"?
Technologies, Techniques, and Standards
Shellshock: Vulnerable Systems you may have missed and how to move forward (Internet Storm Center) By now, I hope you are well on your way to patch your Linux systems for the bash code injection vulnerabilities. At this point, you should probably dig a bit deeper and try to find more "hidden" places that may be vulnerable. First of all, a quick list of things that are not vulnerable
How to Mitigate Shellshock Risks (BankInfoSecurity) Security leaders outline response strategies
Shellshock: How to protect your Unix, Linux and Mac servers (ZDNet) The Unix/Linux Bash security hole can be deadly to your servers. Here's what you need to worry about, how to see if you can be attacked, and what to do if your shields are down
Safe from Shellshock: How to protect your home computer from the Bash shell bug (PCWorld) On the surface, the critical "Shellshock" bug revealed this week sounds devastating. By exploiting a bug in the Bash shell command line tool found in Unix-based systems, attackers can run code on your system
Deep Discovery — Alerting you to Shellshock exploits (Trend Micro: Simply Security) Today we are releasing new Deep Discovery rules to detect attacks attempting to exploit the recently exposed Shellshock (CVE-2014-6271 and CVE-2014-7169) vulnerability
What have Bash and Heartbleed Taught Us? (Internet Storm Center) Two significant vulnerabilities affecting a wide range of systems that couldn't be patched fast enough were released in the past few months
When Layers On Layers Of Security Equals LOL Security (Dark Reading) Defense-in-depth is often poorly executed when architecture is not carefully considered
Breach Awareness Made Easy (Dark Reading) What if companies had to disclose breach history in the same way food companies display nutritional information?
My iOS 8 Update-Gate Survival Story (InformationWeek) Like many others, I fell victim to Apple's botched update to iOS 8. Here's how I brought my iPhone back to life
Make your cloud safer: How to enable two-factor authentication for the most popular cloud services (ZDNet) Step-by-step instructions to help you tighten security and dramatically reduce the risk that crucial cloud services will be compromised. If you use a Microsoft or Google account, Office 365, Dropbox, Facebook, or Twitter, keep reading
What Can Open Source Intelligence Tell You about a Threat Actor in 30 Minutes or Less? (Cyveillance) All of us who work in the risk, security, or compliance space would love a crystal ball to predict threats — to know who's trying to attack us, what their motivations are, and what tactics they'll use. In the absence of that, one of your best options to stay proactive and respond to threats quickly is by studying groups or individuals that pose a risk to your organization or industry using Open Source Intelligence (OSINT)
Beyond NERC: best practices for worst-case scenarios (IntelligentUtility) Is your utility compliant with NERC's latest bulk security requirements? Congratulations! Are you fully prepared for all potential risks to your electric grid? If complying with NERC's physical security standards is all you've done, the answer is no
Security of Third-Party Keyboard Apps on Mobile Devices (Lenny Zeltser on Information Security) Major mobile device platforms allow users to replace built-in keyboard apps with third-party alternatives, which have the potential to capture, leak and misuse the keystroke data they process. Before enabling the apps, their users should understand the security repercussions of third-party keyboards, along with the safeguards implemented by their developers
Research and Development
Harvard researchers take aim at Shellshock-like woes with new scripting language (IT World) The Shill scripting language limits the rights of shell programs to what is necessary to get the job done
Life after server-side flash: What comes next? (Register) Flash suffers from a steadily shorter working life, slower access speed and shorter working life the smaller the actual cells the NAND become
Academia
Are we producing too few or too many science and technology grads? (Ars Technica) According to a new report, the answer is "both"
How do you stop a cyber-criminal? Think like one (CBS) In his lab at the University of Southern Maine, Charles Largay asks his classroom to identify the biggest difference between the Home Depot and Target breaches
Legislation, Policy, and Regulation
U.S., China talk cybersecurity despite military hack attack (Washington Free Beacon via the Washington Times) Chinese officials held closed-door talks in Washington last week with U.S. cybersecurity counterparts despite Beijing's formal cutoff of talks on the subject after the federal indictments of Chinese military hackers
Laos Joins Southeast Asian Neighbors in Imposing Stricter Internet Controls (Global Voices) Laos Prime Minister Thongsing Thammavong has signed a new decree imposing stricter Internet control in the country. Signed last September 16, 2014, the new regulation promotes responsible and "constructive" use of the Internet among Lao netizens
Changes to Australia's security legislation to impact privacy: CipherCloud (ARN) Cloud security company suggests local and international businesses re-evaluate their approach to data
Director of National Intelligence Unveils 2014 National Intelligence Strategy (Small Wars Journal) Director of National Intelligence James R. Clapper unveiled last week the 2014 National Intelligence Strategy — the blueprint that will drive the priorities for the nation's 17 intelligence community (IC) components over the next four years
Litigation, Investigation, and Law Enforcement
Conflict of Interest Argued in Russia Hacking Case (AP via ABC News) A federal judge is set to hear arguments on whether lawyers for the son of a Russian lawmaker charged with hacking into U.S. businesses will be allowed to stay on the case
Crimtrac Acorn system could enable cybercrime reporting by mouse click (Guardian) Police agency will launch website to enable reporting of cybercrime such as cyberbullying and illegal online material
Microsoft Reveals New Information on Government Requests for User Data (China Topix) Computer giant Microsoft on Friday disclosed substantial data about how governments around the world have requested for users' account information in the first half of the year
Using new Corvette's valet-recording tech could be a felony in some states (Ars Technica) GM is sending updated software to make Valet Mode less legally questionable
Child abuser sues Facebook and page admin over allegedly posting his address (Naked Security) A convicted child rapist in Northern Ireland is suing both Facebook and a Facebook page administrator, claiming that the admin posted his exact address to a paedophile-monitoring page
For a complete running list of events, please visit the Event Tracker.
Newly Noted Events
Secure 2014 (Warsaw, Poland, Oct 21 - 23, 2014) NASK and CERT-Polska offer this conference on telecommunications and IT security. Speakers from government, industry, and universities around the world will offer insights into research, policy, and security trends
Upcoming Events
INTEROP (New York, New York, USA, Sep 29 - Oct 3, 2014) Interop returns to New York with practical and visionary conference sessions designed to help you accelerate your career. This year's conference tracks include: Applications, Business of IT, Cloud Connect Summit, Collaboration, Infrastructure, Mobility, Risk Management & Security, and Software-Defined Networking (SDN)
Indianapolis SecureWorld (Indianapolis, Indiana, USA, Oct 1, 2014) A day of cyber security education. Earn 6-8 CPE credits, network with industry peers, and take advantage of more than thirty educational events. Larry Ponemon, Chairman and Founder of the Ponemon Institute, will deliver the opening keynote. Over the past decade SecureWorld has emerged as one of North America's most vital cyber-security conferences, providing globally relevant education, training and networking for cyber-security professionals on a regional level. SecureWorld provides more content and facilitates more professional connections than any other event in the cyber-security industry. Established in 2002, SecureWorld offers many different continuing professional education sessions over two days in 14 cities throughout the United States.
Suits and Spooks New York Not another hacker conference. Suits and Spooks is a unique gathering of experts, executives, operators, and policymakers who discuss hard challenges in a private setting over two days. Suits and Spooks New York will return to Soho House on October 2-3, 2014. Stay tuned for our speaker list and agenda coming this summer.
Open Analytics Summit (Dulles, Virginia, USA, Oct 7, 2014) Open Analytics Summits are for Developers, Engineers, Data Scientists, CMOs, Data Analysts, CTOs, Architects, Brand Managers, and anyone passionate about open source technologies, big data, or data analytics
MIRcon 2014 (Washington, DC, USA, Oct 7 - 8, 2014) MIRcon 2014 is the premier information security industry event of the year. The conference is designed to educate innovators and executives battling cyber attackers daily
Cyber Security, Meet Workforce Development (Silver Spring, Maryland, USA, Oct 8, 2014) Per Scholas convenes leaders in the Nation's Capital to develop a blueprint for building today's entry-level cyber security workforce
Technology & Cyber Security Day (Hill Air Force Base, Utah, Oct 8, 2014) The Armed Forces Communications & Electronics Association (AFCEA) Wasatch Chapter will once again host the 5th Annual Information Technology & Cyber Security Day at Hill AFB. This annual event is an excellent way to network with key personnel including IT, Communications, Cyber, Engineers and Contracting Officers at Hill AFB
Cyber Security EXPO Securing information, mobility, cloud, and social interaction for the modern enterprise. Disruptive technologies such as cloud computing, mobile, bring your own device (BYOD) and social media are pushing sensitive data and function closer to the user and away from traditional controls. Cyber crime is at an all-time high, attackers are using highly sophisticated methods taking advantage of a hyper-connected world. The challenge of securing corporate data and networks to mitigate risk is greater than ever. CISOs need new tools, new thinking and policies to meet these challenges. Cyber Security Expo 2014 has been designed to do just that. Cyber Security Expo will have a dedicated conference as well as five highly focused theatres and a significant exhibition. Major themes examined include: Internet & Network Security, Social and Consumer Trends, Cyber Crime, Log Data & Advanced Analytics, Identity & Access Management, Privacy & Data Protection, Cloud Security & Governance and Mobile Device Management.
InfoSec 2014 (Kuala Terengganu, Malaysia, Oct 8 - 10, 2014) You are invited to participate in The International Conference on Information Security and Cyber Forensics (InfoSec 2014) that will be held at Universiti Sultan Zainal Abidin (UniSZA), Kuala Terengganu, Malaysia on October 8-10, 2014. The event will be held over three days, with presentations delivered by researchers from the international community, including presentations from keynote speakers and state-of-the-art lecture
Hacktivity 2014 (Budapest, Hungary, Oct 10 - 11, 2014) Official and alternative representatives of the information security profession meet with all those interested in this field in a framework which is at the same time informal and informative, and sometimes very in-depth technological.
Ruxcon (Melbourne, Australia, Oct 26 - 27, 2013) Ruxcon is a computer security conference that aims to bring together the best and the brightest security talent within the Aus-Pacific region. The conference is a mixture of live presentations, activities and demonstrations presented by security experts from the Aus-Pacific region and invited guests from around the world. Ruxcon is widely regarded as a leading computer security conference within Australia attracting all facets of the security landscape from industry, academics, to enthusiasts.
Critical Infrastructure Cyber Community (C3) Voluntary Program Meeting (San Diego, California, USA, Oct 13, 2014) Join stakeholders from across the cyber community to discuss building a cyber risk management program, using DHS resources, and to learn how organizations of all sizes are using the Cybersecurity Framework
Hack-in-the-Box Malaysia (Kuala Lumpur, Malaysia, Oct 13 - 16, 2014) HITBSecConf or the Hack In The Box Security Conference is an annual must attend event in the calendars of security researchers and professionals around the world. Held annually in Kuala Lumpur, Malaysia and Amsterdam in The Netherlands, HITBSecConf is a platform for the discussion and dissemination of next generation computer security issues. Our events routinely feature two days of trainings and a two-day multi-track conference featuring cutting-edge hardcore technical talks delivered by some of the most respected names in the computer security industry. HITBSecConf is a place where ideas are exchanged, talent discovered and genius celebrated
FS-ISAC Fall Summit 2014 (Washington, DC, USA, Oct 13 - 16, 2014) The Financial Services Information Sharing and Analysis Center (FS-ISAC), is a non-profit association comprised of financial institution members, that is dedicated to protecting the global financial services sector from physical and cyber threats that impact the resilience, integrity and stability of member institutions through dissemination of trusted and timely information. Its Fall Summit will feature sessions of interest to both security professionals and the financial sector
CYBERSEC 2014 (, Jan 1, 1970) CYBERSEC is a 4-day event geared toward helping you achieve your cybersecurity goals. Whether your focus is on cybersecurity management, investigation, defense, or offense we are offering specialty cybersecurity information tracks just for you.
Black Hat Europe 2014 (Amsterdam, Netherlands, Oct 2014) The premier conference on information security returns to the beautiful city of Amsterdam, Netherlands in October, 2014. Professionals from all over the world gather for two days of intense Trainings and two thought-provoking days of Briefings brought to you by some of the brightest minds in the industry.
Denver SecureWorld (Denver, Colorado, USA, Oct 16, 2014) A day of cyber security education. Earn 6-8 CPE credits, network with industry peers, and take advantage of more than thirty educational events. Over the past decade SecureWorld has emerged as one of North America's most vital cyber-security conferences, providing globally relevant education, training and networking for cyber-security professionals on a regional level. SecureWorld provides more content and facilitates more professional connections than any other event in the cyber-security industry. Established in 2002, SecureWorld offers many different continuing professional education sessions over two days in 14 cities throughout the United States.
TechCrunch Disrupt Europe Hackathon (London, England, UK, Oct 18 - 19, 2014) For the second year in a row, TechCrunch is jumping across the pond and bringing the iconic Disrupt and our Hackathon to Europe. We're heading your way, London
U.S. Army ITA Security Forum (Fort Belvoir, Virginia, USA, Oct 20, 2014) The U.S. Army Information Technology Agency Security Forum is taking place at the Ft. Belvoir site and will be a one day event focusing on cyber security education and training for the workforce. The exhibits will take place in the Warrior Conference Room and the training sessions will take place in the Heroes Auditorium
CSEC 2014 Cyber Security Summit (Kingdom of Bahrain, Oct 20 - 22, 2014) At the Inaugural Cyber Security Summit 2014, you will have the opportunity to seek ways to reset your IT security and risk strategy for success; stay relevant as IT security and risk are redefined; implement BCM best practices for threat resilience; mitigate the risks of new social collaboration tools; craft strategy for emerging BYOD and mobile threats; learn new regulatory compliance requirements; and more. This year's CSEC Summit attendees will: hear the latest presentations from the Information Security community on today's most pressing topics, attend workshops run by expert analysts and industry leaders, hear real-life experiences during peer case studies, engage in analyst-user roundtables and one-on-one meetings with industry experts, and check out the latest solutions in our Solution Showcase
2014 ICS Cyber Security Conference (Atlanta, Georgia, USA, Oct 20 - 23, 2014) The 14th ICS Cyber Security Conference (sometimes known as "Weisscon") will be held October 20-23, 2014 at Georgia Tech in Atlanta, GA. Cyber Security is becoming a critical infrastructure issue with implications that go far beyond the plant fence. Plant engineers, corporate officers, insurance company executives and more will be handling cyber security issues in the coming years. This conference is essential attendance for people in the manufacturing or utility environment.
Cyber Security Summit 2014 Cyber security breaches have a profound impact on all areas of society. Join the discussion at Cyber Security Summit 2014. For two days, leaders from the public and private sectors meet to identify cyber threat issues and their countermeasures.
Collaborative Approaches for Medical Device and Healthcare Cybersecurity; Public Workshop (Arlington, Virginia, USA, Oct 21 - 22, 2014) The Food and Drug Administration (FDA) is announcing the following public workshop entitled "Collaborative Approaches for Medical Device and Healthcare Cybersecurity." FDA, in collaboration with other stakeholders within the Department of Health and Human Services (HHS) and the Department of Homeland Security (DHS), seeks broad input from the Healthcare and Public Health (HPH) Sector on medical device and healthcare cybersecurity
ISSA International Conference (Orlando, Florida, USA, Oct 22 - 23, 2014) Join us for solution oriented, proactive and innovative sessions focused on security as a vital part of the business.
Hack.lu 2014 (Dommeldange, Luxembourg, Oct 21 - 24, 2014) Hack.lu is an open convention/conference where people can discuss computer security, privacy, information technology and its cultural/technical implications for society
ToorCon San Diego (San Diego, California, USA, Oct 22 - 26, 2014) For hackers like you, because what could possibly go wrong?
FOCUS 14: Empowering the Connected World (Las Vegas, Nevada, USA, Oct 26 - 27, 2014) FOCUS will offer you a unique opportunity to learn directly from other McAfee users. Hear real-world scenarios from McAfee customers and learn how they maintain the highest standards of security while reducing costs, streamlining processes, and driving efficiencies in the daily administration of their networks and systems. Network with security peers who share your challenges, concerns and issues, and learn more about their own success strategies
Dallas SecureWorld (Dallas, Texas, USA, Oct 29 - 30, 2014) Offering two days of cyber security education. Earn 12-16 CPE credits, network with industry peers, and take advantage of more than sixty educational events. Over the past decade SecureWorld has emerged as one of North America's most vital cyber-security conferences, providing globally relevant education, training and networking for cyber-security professionals on a regional level. SecureWorld provides more content and facilitates more professional connections than any other event in the cyber-security industry. Established in 2002, SecureWorld offers many different continuing professional education sessions over two days in 14 cities throughout the United States.
CyberMaryland 2014 (Baltimore, Maryland, USA, Oct 29 - 30, 2014) Entrepreneurs, investors, academia and government will convene in Maryland — the nation's epicenter for cybersecurity for the fourth annual CyberMaryland Conference.
Cyber Job Fair (Baltimore, Maryland, USA, Oct 29, 2014) ClearedJobs.Net is partnering with CyberMaryland to present the Cyber Job Fair at the CyberMaryland 2014 conference. The Cyber Job Fair is a hiring event for cleared and non-cleared cybersecurity professionals held the first day of the conference
ekoparty Security Conference 10th edition (Buenos Aires, Argentina, Oct 29 - 31, 2014) ekoparty — Electronic Knock Out Party — Security Conference, is a one-of-a-kind event in South America; an annual security conference held in Buenos Aires, where security specialists from all over Latin America (and beyond) have the chance to get involved with state-of-the-art techniques, vulnerabilities, and tools in a relaxed environment never seen before.
Cyber Risk Summit (Washington, DC, USA, May 22, 2014) This one-day leadership conference will provide a discussion forum for business executives, insurance companies and policymakers on more effective private and public responses to cyber risk management. Topics to be discussed by expert speakers will include state and federal regulatory and legislative initiatives, efforts to develop a common cyber security framework, the threats from cyber espionage and terrorism, and the development of public and private mechanisms to finance and transfer losses from cyber events.
Senior Executive Cyber Security Conference (Baltimore, Maryland, USA, Oct 30 - Nov 1, 2014) North Star Group, LLC and the Johns Hopkins University's Whiting School of Engineering and Information Security Institute sponsor this senior executive focused cyber security conference. This event is designed for non-technical and technical executives who seek to gain a deeper understanding of not just the technical aspects of data breach prevention, but also the important role that insurance, crisis management, legal and human resources play. Speakers include Dr. Ed Schlesinger, Dean of Johns Hopkins University's Whiting School of Engineering, Dr. Andy Ozment, Assistant Secretary of the Office of Cybersecurity and Communications, Department of Homeland Security, and Mr. Eric Joost, Chief Operating Officer, Willis North America