The CyberWire Daily Briefing 09.30.14
The ISIS cyber threat to infrastructure may be low, but the Islamic State continues to show considerable aptitude for information operations more broadly considered. (The Washington Post, for one, boggles at barbarism's appeal in the marketplace of ideas.) US Central Command, responsible for the US air campaign against ISIS and other elements in the Levant, reports a great deal of social media interaction over targeting, most of it from Kurds urgently nominating jihadist targets for prompt servicing.
Chinese authorities block Instagram as Hong Kong's "umbrella protests" continue. The government also appears to have increased its use of mobile spyware against dissidents.
Peace talks between Colombia's government and FARC rebels undergo another eavesdropping hack; the government promises to upgrade security.
Shellshock exploits proliferate; fresh Bash bugs surface. Proof-of-concept exploits are now widely available, and security analysts forecast a wave of large-scale attacks. Apple issues a patch to close the vulnerability in OS X. The Harvard Business Review calls Shellshock a "wake-up call" that should summon enterprises to collaborative security.
Malware Must Die reports another Linux vulnerability unrelated to (but obscured by) Shellshock. Investigation is in its early stages, but researchers claim to have found Chinese criminals exploiting an ELF weakness for denial-of-service.
A malvertising campaign spreads CryptoWall ransomware.
The US Department of Health and Human Services warns of coming attacks against healthcare IT networks. FDA works more closely with DHS on device security.
Europol warns of a burgeoning criminal service industry. InvoCode's CEO is arrested for allegedly enabling stalkers with StealthGenie.
Notes.
Today's issue includes events affecting Australia, Brazil, China, Colombia, Cuba, European Union, Iraq, Iran, Russia, Syria, Turkey, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
What Cyberthreat Does ISIS Pose? (GovInfoSecurity) Deborah Kobza voices a concern about the potential cyberthreat posed by the terrorist group Islamic State
Post-modern warfare: Tweets attempt to influence Centcom airstrikes (Tampa Tribune) As a fierce battle rages between Kurds and the Islamic State in the Syrian town of Kobane, the fight has another front, aimed at U.S. Central Command headquarters at MacDill Air Force Base
Islamic State's bloody message machine (Washington Post) The Islamic State may practice medieval barbarism in Syria and Iraq, but its worldwide media operations are 21st century
Al Nusrah Front leader says Americans and Europeans will pay the 'tax' of war (Long War Journal) Abu Muhammad al Julani, the emir of the Al Nusrah Front, has released an audio message discussing the US-led airstrikes in Syria. Julani threatens civilians in the US and Europe, saying they should not be tricked into believing they are "safe from the strikes of the mujahideen" simply because Western leaders say that their "soldiers will not be on the ground, and that they will strike from afar"
China blocks Instagram as Hong Kong protesters take over the streets (Naked Security) China has blocked Facebook's photo-sharing site Instagram, as pro-democracy protesters flooded the Central financial district in Hong Kong on Monday and chronicled it all by flooding social media sites with #OccupyCentral hashtagged images
A mobile spyware used to track activists in Hong Kong (Security Affairs) A fake Occupy Central app containing spyware is being used by unknown actors to track activists in Hong Kong. Evidence suggests the involvement of Chinese entities
Colombia to increase peace talks cyber security after new attack (Colombia Reports) The Colombian government has promised to increase internet security measures after it was discovered on Saturday that hackers infiltrated the email accounts of a key negotiator in the Havana peace talks
New Bash Bugs Surface (Dark Reading) Time to patch again: Newly discovered flaws in Bash put Linux-based systems at risk
Businesses left Shellshocked as hackers Bash systems after faulty fix (V3) Hackers are exploiting the Bash vulnerability, codenamed Shellshock, to mount a variety of attacks across the world, according to researchers at FireEye and Trend Micro. To make matters worse, the initial patch fix has proved ineffective
Shellshock DDoS Attacks Spike (GovInfoSecurity) Four bugs now found in 'shockingly obsolete' code
Bash Shellshock bug: More attacks, more patches (Help Net Security) As vendors scramble to issue patches for the GNU Bash Shellshock bug and companies rush to implement them, attackers around the world are probing systems for the hole it opens
Shellshock: 'LARGER SCALE ATTACK' on its way, warn securo-bods (Register) Not just web servers under threat — though TENS of THOUSANDS have been hit
Shellshock in the Wild (FireEye) The exploitation of the BASH bug, now widely referred to as "Shellshock", is in full swing. Attackers have mobilized — multiple proof-of-concept scripts are available, including a Metasploit module, making this vulnerability very accessible. The ease of exploitation, the simplicity of the vulnerability, and the extremely widespread install base of BASH, make this bug so deadly — and shows why enterprises need to apply patches as soon as possible. We have observed a significant amount of overtly malicious traffic leveraging BASH
'Bash' Shellshocks the Internet — Here's What You Should Know (Webroot Threat Blog) As of last week, there's a new security bug in the news, and it's wreaking havoc on the Internet
The Bash Bug Is a Wake-Up Call (Harvard Business Review) By now we've all heard about the immediate threat posed by the Bash bug, which a security researcher discovered last week. Also known as the Shellshock bug, the software flaw exploits a vulnerability in a standard piece of software code called the Bash Shell, whose functions give users command over computer systems that are based on Linux and Unix. That means attackers can take control of your systems and run any command they wish
Fuzzy reversing a new China ELF "Linux/XOR.DDoS" (Malware Must Die) During the rush of #shellshock we saw another new threat emerged. We saw an attack log of one-liner shell script being injected via ssh connection. By the attack source+CNC IP and the payload, this looks like a China crook's new hack scheme to spread new ELF DDoS'er threat. This is spotted silently spread during the #shellshock waves, noted: it was NOT using #shellshock exploit itself
Malvertising campaign delivers digitally signed CryptoWall ransomware (IDG via CSO) The cybercriminals behind the CryptoWall ransomware threat have stepped up their game and are digitally signing new samples before using them in attacks in an attempt to bypass antivirus detection
Same Origin Policy Bypass Vulnerability Has Wider Reach Than Thought (TrendLabs Security Intelligence Blog) Independent security researcher Rafay Baloch recently disclosed a serious vulnerability in Android's built-in browser. The vulnerability allows the same origin policy of the browser to be violated. This could allow a dangerous universal cross-site scripting (UXSS) attack to take place
Radeditor Web Editor Vulnerable to XSS Attacks (Threatpost) All versions of an HTML editor used in several Microsoft technologies, including ASP.NET, suffer from a high-risk cross-site scripting (XSS) vulnerability that could allow an attacker to inject malicious script and glean private information
Hacker Group Lizard Squad Takes Down Destiny, Call of Duty, FIFA And More (Forbes) It's been over a full month since hacker collective 'Lizard Squad' rose to notoriety for taking down Sony's PlayStation Network, Xbox Live and other gaming servers, but above all else attracting the FBI's attention for tweeting out a bomb threat to a Sony executive's American Airlines flight, which grounded the plane and launched a nationwide hunt for the group
Second cyberattack hits SuperValu grocery stores' payment systems (IDG via CSO) SuperValu, the grocery store operator hit by a cyberattack in June and July, has suffered a second attack on its payment processing system, it said Monday
PoS vendor confirms Jimmy John's breach was their fault (Help Net Security) Signature Systems, the PoS system vendor that has been named as the likely point of origin of the Jimmy John's payment data breach, has confirmed that the attacker(s) gained access to a user name and password the company used to remotely access POS systems
We Take Your Privacy and Security. Seriously. (Krebs On Security) "Please note that [COMPANY NAME] takes the security of your personal data very seriously." If you've been on the Internet for any length of time, chances are very good that you've received at least one breach notification email or letter that includes some version of this obligatory line. But as far as lines go, this one is about as convincing as the classic break-up line, "It's not you, it's me"
StealthGenie — the app that helps jealous partners and stalkers spy on you and your online conversations (Hot for Security) There's a shady industry out there of businesses that sell spyware apps that market themselves to jealous partners, domestic abusers and stalkers, keen to spy upon others
Security Patches, Mitigations, and Software Updates
Apple releases Mac OS X patches for Shellshock Bash bug (ComputerWeekly) Apple has released security updates for its Mac OS X operating system to protect users from the newly reported Shellshock Bash bug affecting all Unix-based computers
Amazon readies major cloud server reboot (NetworkWorld) Customers should check to see if their AWS cloud instances are affected; Xen hypervisor security bug could be to blame
Cyber Trends
Eugene Kaspersky: traditional crime 'is coming to cyberspace' (Telegraph) Cybercrime has historically focused on causing disruption in cyberspace, but Eugene Kaspersky, founder of Kaspersky Lab, tells Sophie Curtis that traditional 'real world' criminals are also moving online
Washington Debrief: More Cyber Attacks Forthcoming, Warns OCR (Healthcare Informatics) Federal officials in the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) last week expressed their expectations that the healthcare sector will endure increased cyber attacks in the coming year. Meanwhile, officials at the FDA announced a new partnership with a Department of Homeland Security-supported organization and separately announced plans to hold a summit on device cybersecurity in October
Data breaches popping up all over (FierceCFO) Forty-three percent of companies say they experienced a data breach, up from 33 percent last year
An Experiment In Common Courtesy In The Age Of Google Glass Everywhere (Fast Company) It's not a far-fetched idea that we could all be wearing cameras one day. How will we handle privacy then? A new study gives hope: Even your average college kid doesn't want to be a glasshole
Marketplace
Fewer Cyber Pros, More Cyber Problems (Nextgov) Technology decision-makers within the U.S. government are at a critical juncture
Investors Drive $4Mn into Car Cybersecurity (Infosecurity Magazine) Days after GM announced the appointment of a chief security officer, automotive cybersecurity has gotten another boost with a $4 million Series A funding shot for car-focused Argus Cyber Security
One year later: The tale of SAIC and Leidos (Washington Post) Two summers ago, Science Applications International Corp., one of the Washington region's biggest companies, made a surprising announcement
Hush-Hush Data Firm Palantir Snags ICE Case-Tracking Deal (Nextgov) Immigration and Customs Enforcement has awarded secretive data-mining firm Palantir a $42 million contract to redo the investigation agency's failed case filing system
Lenovo: IBM x86 acquisition 'tough' (CRN) Revealing comment made by executives at Ingram Micro ONE shindig
Wes Brown Joins Lookingglass Cyber Solutions as Distinguished Engineer (Broadway World) Lookingglass Cyber Solutions, an innovator in global network situational awareness and threat intelligence management, announced today the appointment of Wes Brown as Distinguished Engineer
Former Cisco Security Exec Christopher Young to Head Intel Security; Renee James Comments (GovConWire) Christopher Young, former senior vice president of Cisco's (Nasdaq: CSCO) global security and government group, has joined Intel (Nasdaq: INTC) as SVP and general manager of Intel Security and member of the management committee
James Bahel named Leidos Vice President of Business Development (MarketWatch) Leidos (LDOS), a national security, health and engineering solutions company, announced that James Bahel has been appointed Vice President of Business Development for the Integrated Systems Group (ISG)
CipherCloud Expands Management Team with Key Executives to Lead Products and Human Resources (PRNewswire) CipherCloud, the leader in cloud information protection, today announced two executive appointments to propel the company to its next phase of growth
Products, Services, and Solutions
Palo Alto Networks Leverages Cyvera Acquisition in New Endpoint Protection Solution (SecurityWeek) Enterprise network security firm Palo Alto Networks today announced the availability of a new security solution designed to prevent sophisticated cyber attacks targeting endpoints
Sysinternals and Microsoft Windows: An Overview (eSecurity Planet) Sysinternals' new Sysmon tool adds logging functionality to Microsoft's security toolbox. Other tools give IT administrators deep insight into the inner workings of Windows
CloudFlare offers free SSL encryption (Help Net Security) Web performance and security company CloudFlare today launched Universal SSL, making Secure Socket Layer (SSL) encryption available to anyone at no cost
Seagate Surveillance HDD features recovery services (Help Desk Security) Seagate released a dedicated surveillance HDD featuring Seagate Rescue services. Engineered specifically for surveillance and video analytics applications, the Surveillance HDD is a drive that employs data recovery services designed to restore data from malice or accidental failure, keeping systems in the field longer and reducing post deployment expenses
Hakabana v0.2.1 — Visualization Tool Released (ToolsWatch) Visualize Haka traffic in real-time using Kibana and Elasticsearch. Haka is an open source security oriented language that lets users describe protocols and apply security policies on (live) captured traffic
Apache Storm is ready for prime time (ZDNet) Storm, a real-time framework for dealing with Big Data, has become an Apache top level project
Beijing says yes to iPhone 6, despite NSA backdoor fears (Register) But are Chinese consumers BUYING it?
Technologies, Techniques, and Standards
Six key defenses against Shellshock attacks (CSO) Experts from the SANS Institute offer advice of defending against Shellshock attacks
Whack-A-Bash: New Vulnerabilities add to Patch Confusion (Invincea Security Ledger) The good news about the rapid, industry response to the revelations about exploitable security holes in GNU Bash (Bourne Again Shell) (aka "Shellshock") is that Linux users had a fix in hand almost as soon as they became aware of the problem those patches addressed
Can an SSH Honeypot Be Used to Attract Attackers and Improve Security? (Security Intelligence) Sometimes, there is a valid business reason to directly expose an SSH server on the Internet and make it a target for an attack. We would like to know how these attacks are being performed. Are they scripted or performed by hand? How often is a server attacked? From which IP address do the attacks originate?
WPSCAN Vulnerability Database a New Wordpress Security Resource (Threatpost) WordPress' popularity as a content management system (44 percent of CMS market share) is matched in parallel by the number of security vulnerabilities afflicting the open source platform, as well as its versatile plug-ins and themes
Key Web Application Security Metrics (Acunetix) How's your web application security program measuring up today? If you're like many people, you're simply going through the motions of periodic vulnerability scans and problem resolution. It's a vicious cycle that may or may not be delivering the results you're looking for
Education is the key to increasing mobile security (Help Net Security) The swathes of high-profile security breaches in recent months have only served to highlight the need to educate the public on the inadequacies of the security systems currently in general use. For too long people have relied on simple to remember PINs and passwords and used lax security practices on their connected devices
FBI opens Malware Investigator portal to industry (Register) Agency trades malware samples for intel reports
Coordinated Attacks Call For More Sophisticated Cyber Defense (InformationWeek) Agencies and industry are rethinking how they defend against coordinated attacks by teams of specialized hackers
3 essential security tasks — have you done them yet? (Naked Security) As part of National Cyber Security Awareness Month last October, we suggested three essential tasks you could do for your family to improve their cyber security
Attention All Shipping (Analogies Project) I think everybody in the world probably knows the name Charles Darwin and most would be aware of The Beagle; the ship that carried him to Tierra del Fuego and the Galapagos Island where he studied finches in his work towards the now famous tome On the origin of species. What you may not be aware of are the two other gentlemen on the ship who went on to greatness, namely Francis Beaufort (of the famous wind scale) and one Robert Fitzroy, the captain of the ship. On his return to the UK, the Admiralty asked Fitzroy to deal with the loss of shipping in the inshore waters of the UK
Academia
Chunk of $450 million aimed at job training goes to cyber (FCW) A significant portion of the $450 million in federal job training grants announced Sept. 29 for community colleges and other educational institutions around the country will be spent on IT and cybersecurity career fields
Legislation, Policy, and Regulation
UK government demands suppliers meet cyber security standards (Supply Management) Suppliers bidding for government contracts that require handling sensitive and personal information will need to comply with cyber security controls from 1 October
New documents show legal basis for NSA surveillance programs (Reuters via the Bangor Daily News) Documents released by the U.S. government show it views an executive order issued in 1981 as the basis of most of the National Security Agency's surveillance activities, the American Civil Liberties Union said on Monday
The toughest case: What if Osama bin Laden had an iPhone? (Washington Post) In rebuking Apple and Google for their new smartphone encryption polices on Thursday, FBI Director James B. Comey became the latest law enforcement official to evoke worst-case scenario arguments: What of the child predator, the murderer, the terrorist? Wouldn't you want police to be able to get into their phones?
Tim Berners-Lee calls for internet bill of rights to ensure greater privacy (Guardian) Web inventor says world needs an online 'Magna Carta' to combat growing government and corporate control
Crowding under one security umbrella is unsafe (The Australian) At times of heightened national security concern, governments become receptive to a seductive whisper: that by merging all of their security agencies they can increase the country's security preparedness. That's what happened after September 11 in the US: the creation of the Department of Homeland Security, a whopping $38 billion bureaucratic monster, the third largest agency in the US government
The Many, Many Ideas to Fix the Broken Security Clearance Process (Government Executive) In just a few months beginning mid-2013, the American people's confidence in the federal government's ability to administer security clearances was upended
Pentagon quietly works to bolster cybersecurity accountability (Inside Cybersecurity) A White House official's call for the U.S. military, agencies and industry to boost accountability for cybersecurity has after a month elicited only a terse comment from the Defense Department, but the Pentagon is taking initial steps to address the thorny problem, according to documents and a former DOD policy chief
Moving from signal to cyber (C4ISR & Networks) The Army Signal Center of Excellence at Fort Gordon, Georgia, is being augmented by the Army Cyber Center of Excellence and designation as the center for all Army cyber activities
Every Army Soldier, civilian, contractor critical part of cyber defense (US Army) During cybersecurity awareness month in October, the Army will be focusing on cybersecurity policies, practices and training to improve overall readiness. As part of this effort, commanders at all levels will lead cybersecurity awareness activities
Litigation, Investigation, and Law Enforcement
Europol warns about organised crime service providers (Inquirer) Have a go scammers hire black hats by the blag
Organised crime groups exploiting hidden internet in online criminal service industry (Europol Media Corner) The 2014 iOCTA (Internet Organised Crime Threat Assessment), published today by Europol's European Cybercrime Centre (EC3), describes an increased commercialisation of cybercrime
EPIC seeks enforcement action over Arizona data breaches (IDG via CSO) A privacy watchdog filed a complaint with the Federal Trade Commission against a community college district in Arizona that lost the personal data of 2.5 million students and employees in two data breaches
Spyware executive arrested, allegedly marketed mobile app for "stalkers" (Ars Technica) StealthGenie was "expressly designed for use by stalkers and domestic abusers"
Yet More IRS Employees Busted for Stealing Taxpayers' Identities (Reason) It's hard to keep up with the privacy-threatening shenanigans at the Internal Revenue Service, but let's give it a try
For a complete running list of events, please visit the Event Tracker.
Newly Noted Events
NGA Cyber Security Day (Springfield, Virginia, USA, Oct 6, 2014) The National Geospatial-Intelligence Agency will be hosting the 2014 Cyber Security Day at the NGA Headquarters in Springfield, VA. Featuring government and industry speakers, the focus will include such topics as continuous monitoring, cloud migration, software assurance, insider threat, wireless and mobility security, and emerging threats. Exhibitors will be given exposure to the in agency Intelligence Community as a whole in this full day exposition. Exhibitors will also have the opportunity to present an abstract for approval for the day's agenda; contact your FBC representative for further details. Tech topics that are applicable include big data, network security, cyber security and training, securing mobile devices, and cloud computing security
Cybergamut Tech Tuesday: Software-Defined Networking Security (Columbia, Maryland, USA, Oct 28, 2014) Security-Defined Routing combines cyber analytics and SDN to protect the network: SDR technology assists organizations in scaling the delivery of network traffic to analytic security applications. When incidents are detected, changing the network forwarding tables through SDR techniques can provide an immediate remediation to network attacks, while automating the delivery of suspect traffic for transaction monitoring and archiving data for regulatory compliance and advance troubleshooting
Upcoming Events
INTEROP (New York, New York, USA, Sep 29 - Oct 3, 2014) Interop returns to New York with practical and visionary conference sessions designed to help you accelerate your career. This year's conference tracks include: Applications, Business of IT, Cloud Connect Summit, Collaboration, Infrastructure, Mobility, Risk Management & Security, and Software-Defined Networking (SDN)
Indianapolis SecureWorld (Indianapolis, Indiana, USA, Oct 1, 2014) A day of cyber security education. Earn 6-8 CPE credits, network with industry peers, and take advantage of more than thirty educational events. Larry Ponemon, Chairman and Founder of the Ponemon Institute, will deliver the opening keynote. Over the past decade SecureWorld has emerged as one of North America's most vital cyber-security conferences, providing globally relevant education, training and networking for cyber-security professionals on a regional level. SecureWorld provides more content and facilitates more professional connections than any other event in the cyber-security industry. Established in 2002, SecureWorld offers many different continuing professional education sessions over two days in 14 cities throughout the United States.
Suits and Spooks New York Not another hacker conference. Suits and Spooks is a unique gathering of experts, executives, operators, and policymakers who discuss hard challenges in a private setting over two days. Suits and Spooks New York will return to Soho House on October 2-3, 2014. Stay tuned for our speaker list and agenda coming this summer.
Open Analytics Summit (Dulles, Virginia, USA, Oct 7, 2014) Open Analytics Summits are for Developers, Engineers, Data Scientists, CMOs, Data Analysts, CTOs, Architects, Brand Managers, and anyone passionate about open source technologies, big data, or data analytics
MIRcon 2014 (Washington, DC, USA, Oct 7 - 8, 2014) MIRcon 2014 is the premier information security industry event of the year. The conference is designed to educate innovators and executives battling cyber attackers daily
Cyber Security, Meet Workforce Development (Silver Spring, Maryland, USA, Oct 8, 2014) Per Scholas convenes leaders in the Nation's Capital to develop a blueprint for building today's entry-level cyber security workforce
Technology & Cyber Security Day (Hill Air Force Base, Utah, Oct 8, 2014) The Armed Forces Communications & Electronics Association (AFCEA) Wasatch Chapter will once again host the 5th Annual Information Technology & Cyber Security Day at Hill AFB. This annual event is an excellent way to network with key personnel including IT, Communications, Cyber, Engineers and Contracting Officers at Hill AFB
Cyber Security EXPO Securing information, mobility, cloud, and social interaction for the modern enterprise. Disruptive technologies such as cloud computing, mobile, bring your own device (BYOD) and social media are pushing sensitive data and function closer to the user and away from traditional controls. Cyber crime is at an all-time high, attackers are using highly sophisticated methods taking advantage of a hyper-connected world. The challenge of securing corporate data and networks to mitigate risk is greater than ever. CISOs need new tools, new thinking and policies to meet these challenges. Cyber Security Expo 2014 has been designed to do just that. Cyber Security Expo will have a dedicated conference as well as five highly focused theatres and a significant exhibition. Major themes examined include: Internet & Network Security, Social and Consumer Trends, Cyber Crime, Log Data & Advanced Analytics, Identity & Access Management, Privacy & Data Protection, Cloud Security & Governance and Mobile Device Management.
InfoSec 2014 (Kuala Terengganu, Malaysia, Oct 8 - 10, 2014) You are invited to participate in The International Conference on Information Security and Cyber Forensics (InfoSec 2014) that will be held at Universiti Sultan Zainal Abidin (UniSZA), Kuala Terengganu, Malaysia on October 8-10, 2014. The event will be held over three days, with presentations delivered by researchers from the international community, including presentations from keynote speakers and state-of-the-art lecture
Hacktivity 2014 (Budapest, Hungary, Oct 10 - 11, 2014) Official and alternative representatives of the information security profession meet with all those interested in this field in a framework which is at the same time informal and informative, and sometimes very in-depth technological.
Ruxcon (Melbourne, Australia, Oct 26 - 27, 2013) Ruxcon is a computer security conference that aims to bring together the best and the brightest security talent within the Aus-Pacific region. The conference is a mixture of live presentations, activities and demonstrations presented by security experts from the Aus-Pacific region and invited guests from around the world. Ruxcon is widely regarded as a leading computer security conference within Australia attracting all facets of the security landscape from industry, academics, to enthusiasts.
Critical Infrastructure Cyber Community (C3) Voluntary Program Meeting (San Diego, California, USA, Oct 13, 2014) Join stakeholders from across the cyber community to discuss building a cyber risk management program, using DHS resources, and to learn how organizations of all sizes are using the Cybersecurity Framework
Hack-in-the-Box Malaysia (Kuala Lumpur, Malaysia, Oct 13 - 16, 2014) HITBSecConf or the Hack In The Box Security Conference is an annual must attend event in the calendars of security researchers and professionals around the world. Held annually in Kuala Lumpur, Malaysia and Amsterdam in The Netherlands, HITBSecConf is a platform for the discussion and dissemination of next generation computer security issues. Our events routinely feature two days of trainings and a two-day multi-track conference featuring cutting-edge hardcore technical talks delivered by some of the most respected names in the computer security industry. HITBSecConf is a place where ideas are exchanged, talent discovered and genius celebrated
FS-ISAC Fall Summit 2014 (Washington, DC, USA, Oct 13 - 16, 2014) The Financial Services Information Sharing and Analysis Center (FS-ISAC), is a non-profit association comprised of financial institution members, that is dedicated to protecting the global financial services sector from physical and cyber threats that impact the resilience, integrity and stability of member institutions through dissemination of trusted and timely information. Its Fall Summit will feature sessions of interest to both security professionals and the financial sector
CYBERSEC 2014 CYBERSEC is a 4-day event geared toward helping you achieve your cybersecurity goals. Whether your focus is on cybersecurity management, investigation, defense, or offense we are offering specialty cybersecurity information tracks just for you.
Black Hat Europe 2014 The premier conference on information security returns to the beautiful city of Amsterdam, Netherlands in October, 2014. Professionals from all over the world gather for two days of intense Trainings and two thought-provoking days of Briefings brought to you by some of the brightest minds in the industry.
Denver SecureWorld (Denver, Colorado, USA, Oct 16, 2014) A day of cyber security education. Earn 6-8 CPE credits, network with industry peers, and take advantage of more than thirty educational events. Over the past decade SecureWorld has emerged as one of North America's most vital cyber-security conferences, providing globally relevant education, training and networking for cyber-security professionals on a regional level. SecureWorld provides more content and facilitates more professional connections than any other event in the cyber-security industry. Established in 2002, SecureWorld offers many different continuing professional education sessions over two days in 14 cities throughout the United States.
TechCrunch Disrupt Europe Hackathon (London, England, UK, Oct 18 - 19, 2014) For the second year in a row, TechCrunch is jumping across the pond and bringing the iconic Disrupt and our Hackathon to Europe. We're heading your way, London
U.S. Army ITA Security Forum (Fort Belvoir, Virginia, USA, Oct 20, 2014) The U.S. Army Information Technology Agency Security Forum is taking place at the Ft. Belvoir site and will be a one day event focusing on cyber security education and training for the workforce. The exhibits will take place in the Warrior Conference Room and the training sessions will take place in the Heroes Auditorium
CSEC 2014 Cyber Security Summit (Kingdom of Bahrain, Oct 20 - 22, 2014) At the Inaugural Cyber Security Summit 2014, you will have the opportunity to seek ways to reset your IT security and risk strategy for success; stay relevant as IT security and risk are redefined; implement BCM best practices for threat resilience; mitigate the risks of new social collaboration tools; craft strategy for emerging BYOD and mobile threats; learn new regulatory compliance requirements; and more. This year's CSEC Summit attendees will: hear the latest presentations from the Information Security community on today's most pressing topics, attend workshops run by expert analysts and industry leaders, hear real-life experiences during peer case studies, engage in analyst-user roundtables and one-on-one meetings with industry experts, and check out the latest solutions in our Solution Showcase.
2014 ICS Cyber Security Conference (Atlanta, Georgia, USA, Oct 20 - 23, 2014) The 14th ICS Cyber Security Conference (sometimes known as "Weisscon") will be held October 20-23, 2014 at Georgia Tech in Atlanta, GA. Cyber Security is becoming a critical infrastructure issue with implications that go far beyond the plant fence. Plant engineers, corporate officers, insurance company executives and more will be handling cyber security issues in the coming years. This conference is essential attendance for people in the manufacturing or utility environment.
Cyber Security Summit 2014 Cyber security breaches have a profound impact on all areas of society. Join the discussion at Cyber Security Summit 2014. For two days, leaders from the public and private sectors meet to identify cyber threat issues and their countermeasures.
Collaborative Approaches for Medical Device and Healthcare Cybersecurity; Public Workshop (Arlington, Virginia, USA, Oct 21 - 22, 2014) The Food and Drug Administration (FDA) is announcing the following public workshop entitled "Collaborative Approaches for Medical Device and Healthcare Cybersecurity." FDA, in collaboration with other stakeholders within the Department of Health and Human Services (HHS) and the Department of Homeland Security (DHS), seeks broad input from the Healthcare and Public Health (HPH) Sector on medical device and healthcare cybersecurity.
Secure 2014 (Warsaw, Poland, Oct 21 - 23, 2014) NASK and CERT-Polska offer this conference on telecommunications and IT security. Speakers from government, industry, and universities around the world will offer insights into research, policy, and security trends.
Hack.lu 2014 (Dommeldange, Luxembourg, Oct 21 - 24, 2014) Hack.lu is an open convention/conference where people can discuss computer security, privacy, information technology and its cultural/technical implications for society.
ISSA International Conference (Orlando, Florida, USA, Oct 22 - 23, 2014) Join us for solution-oriented, proactive and innovative sessions focused on security as a vital part of the business.
ToorCon San Diego (San Diego, California, USA, Oct 22 - 26, 2014) For hackers like you, because what could possibly go wrong?
FOCUS 14: Empowering the Connected World (Las Vegas, Nevada, USA, Oct 26 - 27, 2014) FOCUS will offer you a unique opportunity to learn directly from other McAfee users. Hear real-world scenarios from McAfee customers and learn how they maintain the highest standards of security while reducing costs, streamlining processes, and driving efficiencies in the daily administration of their networks and systems. Network with security peers who share your challenges, concerns and issues, and learn more about their own success strategies.
Dallas SecureWorld (Dallas, Texas, USA, Oct 29 - 30, 2014) Offering two days of cyber security education. Earn 12-16 CPE credits, network with industry peers, and take advantage of more than sixty educational events. Over the past decade SecureWorld has emerged as one of North America's most vital cyber-security conferences, providing globally relevant education, training and networking for cyber-security professionals on a regional level. SecureWorld provides more content and facilitates more professional connections than any other event in the cyber-security industry. Established in 2002, SecureWorld offers many different continuing professional education sessions over two days in 14 cities throughout the United States.
Cyber Job Fair (Baltimore, Maryland, USA, Oct 29, 2014) ClearedJobs.Net is partnering with CyberMaryland to present the Cyber Job Fair at the CyberMaryland 2014 conference. The Cyber Job Fair is a hiring event for cleared and non-cleared cybersecurity professionals held the first day of the conference.
CyberMaryland 2014 (Baltimore, Maryland, USA, Oct 29 - 30, 2014) Entrepreneurs, investors, academia and government will convene in Maryland, the nation's epicenter for cybersecurity, for the fourth annual CyberMaryland Conference.
ekoparty Security Conference 10th edition (Buenos Aires, Argentina, Oct 29 - 31, 2014) ekoparty — Electronic Knock Out Party — Security Conference is a one-of-a-kind event in South America: an annual security conference held in Buenos Aires, where security specialists from all over Latin America (and beyond) have the chance to get involved with state-of-the-art techniques, vulnerabilities, and tools in a relaxed environment never seen before.
Cyber Risk Summit (Washington, DC, USA, May 22, 2014) This one-day leadership conference will provide a discussion forum for business executives, insurance companies and policymakers on more effective private and public responses to cyber risk management. Topics to be discussed by expert speakers will include state and federal regulatory and legislative initiatives, efforts to develop a common cyber security framework, the threats from cyber espionage and terrorism, and the development of public and private mechanisms to finance and transfer losses from cyber events.
Senior Executive Cyber Security Conference (Baltimore, Maryland, USA, Oct 30 - Nov 1, 2014) North Star Group, LLC and the Johns Hopkins University's Whiting School of Engineering and Information Security Institute sponsor this senior executive focused cyber security conference. This event is designed for non-technical and technical executives who seek to gain a deeper understanding of not just the technical aspects of data breach prevention, but also the important role that insurance, crisis management, legal and human resources play. Speakers include Dr. Ed Schlesinger, Dean of Johns Hopkins University's Whiting School of Engineering, Dr. Andy Ozment, Assistant Secretary of the Office of Cybersecurity and Communications, Department of Homeland Security, and Mr. Eric Joost, Chief Operating Officer, Willis North America.