The CyberWire Daily Briefing 10.15.14
Anonymous claims successful hacks of Chinese government Websites (defacements and data leaks) in solidarity with Hong Kong pro-democracy activists. Reports that Hong Kong authorities have arrested suspected members of Anonymous suggest the claims may be more than the collective's usual gasconade.
Sandworm, the Russian group that long exploited now-patched Windows vulnerability CVE-2014-4114, will continue to prey upon unpatched systems, then turn to fresh exploits. Attribution remains provisional, but few doubt that Sandworm's working for Russian security services.
A team of cyber security companies takes action against exploit kits used by the Hidden Lynx group (run by Chinese security organs). Symantec, one of the teammates, calls the action "creation of comprehensive, multi-vendor protection." See also Cisco's profile of "Group 72" for more insights into Chinese threat actors. CrowdStrike notes that another group, Hurricane Panda, has just had its favorite vulnerability (Windows CVE-2014-4113) patched.
The SSLv3 bug, long rumored and much tweeted over, is finally disclosed. The Google researchers who discovered it have given it the tortured acronym "POODLE" (Padding Oracle on Downgraded Legacy Encryption). Opinions about POODLE's severity differ sharply, but the SANS Internet Storm Center's advice is direct: "Disable SSLv3."
Dropbox continues to reassure users that it wasn't hacked, that the reported breach isn't real, and owes its appearance to third-party problems and poor password hygiene (basically, password reuse).
JPMorgan tells investors it sees no elevated fraud levels post hacking incident, which leaves the continuing puzzle: what were the attackers after?
Much industry talk of threat intelligence and its uses.
Notes.
Today's issue includes events affecting China, Israel, NATO, Republic of Korea, Poland, Russia, Taiwan, Ukraine, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
#OpHK: Anonymous Takes Down Chinese Government Websites, Leaks Data (Hack Read) In support of pro-democracy protests in Hong Kong, the online hacktivist Anonymous previously announced 'Operation Hong Kong' against the government and its supporters
The "Sandworm" malware — what you need to know (Naked Security) You may have heard or seen mention of the latest catchily-named malware attack: "Sandworm"
Russian hackers suspected of Kremlin ties used Windows bug 'to spy on west' (Guardian) Cyber-threat intelligence firm iSight says 'Sandworm Team' used unknown bugs from 2009 to steal EU and Nato documents
Security vendors take action against Hidden Lynx malware (Symantec Security Response) A coordinated operation involving Symantec and a number of other security companies has delivered a blow against Backdoor.Hikit and a number of other malware tools used by the Chinese-based cyberespionage group Hidden Lynx. Dubbed Operation SMN, this cross-industry collaboration has seen major security vendors share intelligence and resources, resulting in the creation of comprehensive, multi-vendor protection which may significantly blunt the effectiveness of this malware. The organizations involved in this operation include Cisco, FireEye, F-Secure, iSIGHT Partners, Microsoft, Symantec, ThreatConnect, Tenable, ThreatTrack Security, and Volexity
Security vendors claim progress against Chinese group that hacked Google (PCWorld) A group of security companies say a collaborative effort has helped counter several hacking tools used by a China-based group most known for provoking strong condemnation from Google four years ago
Threat Spotlight: Group 72 (Cisco Blogs) Everyone has certain characteristics that can be recognised. This may be a way of walking, an accent, a turn of phrase or a style of dressing. If you know what to look for you can easily spot a friend or acquaintance in a crowd by knowing what characteristics to look for. Exactly the same is true for threat actors
'Hurricane Panda' hackers used Microsoft zero-day, CrowdStrike says (PCWorld) One of the zero-day flaws patched by Microsoft on Tuesday had been used for some time by a group with suspected Chinese government ties that targets technology companies, CrowdStrike's chief executive said Tuesday
New POODLE SSL 3.0 Attack Exploits Protocol Fallback Issue (Threatpost) A new attack on the SSLv3 protocol, disclosed Tuesday, takes advantage of an issue with the protocol that enables a network attacker to recover the plaintext communications of a victim. The attack is considered easier to exploit than similar previous attacks against SSL/TLS, such as BEAST and CRIME, and can enable an attacker to retrieve a supposedly secure cookie
SSL broken, again, in POODLE attack (Ars Technica) Yet another flaw could prove to be the final nail in SSLv3's coffin
Dreaded SSLv3 bug no monster, only a POODLE (CSO) Hype for the vulnerability in SSLv3 was all bark and little bite
There Is a New Security Vulnerability Named POODLE, and It Is Not Cute (Wired) On a day when system administrators were already taxed addressing several security updates released by Microsoft, Oracle, and Adobe, there is now word of a new security hole discovered in a basic protocol used for encrypting web traffic. Its name is POODLE, which stands for Padding Oracle on Downgraded Legacy Encryption, and it was discovered by three Google security researchers — Bodo Moller, Thai Duong, and Krzysztof Kotowicz
Don't believe the Dropbox breach hype (CSO) A thread posted on Reddit today claims a massive hack of 7 million Dropbox accounts. The post contained hundreds of usernames and passwords as a tease to "prove" the veracity of the claim. Dropbox, however, says the claims are false
Dropbox Blames Security Breach on Password Reuse (Wall Street Journal Digits) Dropbox urged users to enable a security measure called two-step authentication amid reports that the login credentials for millions of its users had been compromised
Hacked Snapchat Website Demands Bitcoin to Talk About Getting Hacked (Motherboard) If you run a third-party site that was just accused of allowing thousands of private videos — some of them likely to be child porn — to be hacked from your server, do you A) fess up and apologize, B) go into hiding and let the thing blow over, or C) demand Bitcoin in exchange for interviews about how you f[**]ked up?
BRIEF-JPMorgan CFO: no elevated fraud seen due to cyber attack (Reuters) JPMorgan Chase & Co Chief Financial Officer Marianne Lake and Chief Executive Jamie Dimon held a call with journalists to discuss third-quarter earnings. These are some highlights
Fallout coming from JPMorgan hack attack (Washington Examiner) The large-scale hacking attack against Wall Street this summer was more significant than the public realizes, analysts say
Cybersecurity mystery at JPMorgan Chase: What were hackers after? (Yahoo! News) The massive online security breach at JPMorgan Chase has confounded investigators because only customers' contact information appears to have been taken. And there is no evidence that funds were stolen
FDIC to Banks: Prep for "Urgent" Threat of Cyberattacks (JD Supra) Financial institutions are facing an "urgent" threat of hacks and cyberattacks causing regulators to take a closer look at banks' efforts to combat such concerns, the Federal Deposit Insurance Corporation (FDIC) Chairman recently cautioned
FinFisher Shell Extension and Drivers Analysis (Coding and Security) As requested on reddit and twitter, this time I'm going to analyze final pieces of FinFisher malware: shell extension, driverw.sys and mssounddx.sys. No time to waste, so let's begin
CMS Plug-Ins Put Sites At Risk (Dark Reading) Content management systems are increasingly in attackers' crosshairs, with plug-ins, extensions, and themes broadening the attack surfaces for these platforms
The Evolution Store suffers data breach (CSO) When I first read about this breach I could not help but to think of various Darwin related jokes. I opted not to run with them in the end. A data breach is no laughing matter
Spammers spreading new Wolf of Wall Street scam (Help Net Security) Millions of penny stock spam emails have been flooding inboxes, spreading a new 'Wolf of Wall Street' scam and inflating the stock values of a mineral deposit company, according to Bitdefender's Antispam Lab
Personal info of 850k Oregon jobseekers potentially compromised (Help Net Security) 85, 322 individuals who used Oregon Employment Department's WorkSource Oregon Management Information System (WOMIS) will soon be receiving notices that their information might have been compromised due to a recently discovered vulnerability
Attacker takes over Facebook page set up for 'Bucket List Baby' Shane, posts porn (Naked Security) A Facebook page set up to chronicle the extremely short life of a baby with the rare, terminal condition of anencephaly was hijacked within days of the infant's death and set to display lewd images
Security Patches, Mitigations, and Software Updates
OpenSSL Releases OpenSSL 1.0.1j, 1.0.0o and 0.9.8zc (Internet Storm Center) This update to the OpenSSL Library addresses 3 vulnerabilities. One of these is the "POODLE" vulnerability announced yesterday
SSLv3 POODLE Vulnerability Official Release (Internet Storm Center) Finally we got an official announcement. For all the details, jump straight to the original announcement
Mozilla Releases Security Updates for Firefox and Thunderbird (US-CERT) The Mozilla Foundation has released security updates to address multiple vulnerabilities in Firefox and Thunderbird. Exploitation of these vulnerabilities may allow an attacker to obtain sensitive information, bypass same-origin policy and key pinning, cause an exploitable crash, conduct a man-in-the-middle attack, or execute arbitrary code
Microsoft Releases October 2014 Security Bulletin (US-CERT) Microsoft has released updates to address vulnerabilities in Windows, Office, Office Services and Web Apps, Developer Tools, .NET Framework, and Internet Explorer as part of the Microsoft Security Bulletin Summary for October 2014. These vulnerabilities could allow remote code execution, elevation of privilege, or security feature bypass
Oracle Releases October 2014 Security Advisory (US-CERT) Oracle has released its Critical Patch Update for October 2014 to address 154 vulnerabilities across multiple products
Adobe Releases Security Updates for ColdFusion and Flash Player (US-CERT) Adobe has released security updates to address multiple vulnerabilities in ColdFusion and Flash Player. Exploitation could allow attackers to take control of a vulnerable system
Cyber Trends
Cost Of A Data Breach Jumps By 23% (Dark Reading) Cleanup and resolution after a breach take an average of one month to complete, a new Ponemon Institute report finds
The threat intelligence problem (FierceITSecurity) Dave Aitel argues that 'threat intelligence' recycles a dead security product model
From scaremongering to business enablement: reframing the cyber security debate (Information Age) Security must move from 'cleaning up after the breach' to 'empowering digital businesses'
Marketplace
Startup Risk I/O secures $4M for data-driven security intelligence, names new CEO (Silicon Angle) Risk I/O today announced that it has raised an additional $4 million as part of its Series A financing round, bringing the company's total capital raised to date to $10.5 million. The startup also today announced that it has named Silicon Valley security veteran Karim Toubba as its new CEO
ZeroFOX Joins Black Hat as a Sustaining Partner (ZeroFOX) ZeroFOX is thrilled to support the global cyber security community as a Black Hat sustaining partner. Black Hat is an innovative hub of industry experts and thought leaders, and ZeroFOX is excited to facilitate the conversation around social media and its associated risks
Officials: Cooperation needed to meet cyber jobs' demands (Gazette.Net) Education, government and business leaders must collaborate to take advantage of the region's standing as a national leader in cyber security job openings, officials said during a meeting in Silver Spring last week
RiskIQ Appoints Arian Evans Vice President of Product Strategy (Herald Online) Leading provider of customer facing threat detection technology taps former WhiteHat Security executive to head up innovation development
Products, Services, and Solutions
How one company is getting smartphones to rat out their criminal owners (ZDNet) Digital forensics firm Cellebrite has moved from copying contacts on mobile phones to digital forensics, helping police collar the bad guys along the way
Demand for Cyber Security Qualifications Dictates Course Offering in IT Governance's Autumn-Winter Catalogue (EIN) IT Governance has reported that the selection of courses in its autumn-winter catalogue has been informed by the growing demand for cyber security qualification
HP, Webroot Partner for Predictive Threat Intelligence (MSPMentor) The Webroot BrightCloud IP Reputation Service will now be offered as part of the HP Enterprise Security Products portfolio
Cyber Squared Inc. Partners with Centripetal Networks to Deliver Superior Threat Intelligence Solution (Sys-Con Media) Cyber Squared Inc., provider of security services and the leading Threat Intelligence Platform, ThreatConnect®, announced a partnership with Centripetal Networks to integrate ThreatConnect's customizable threat intelligence into Centripetal's RuleGate® appliance
Vorstack Accelerates Adoption of Threat Intelligence Strategies (Virtual-Strategy Magazine) Vorstack, a provider of a new breed of enterprise security products, announced today during the FS-ISAC Fall Summit in Washington D.C., that it is demonstrating Version 5.0 of the Vorstack Automation and Collaboration Platform (ACP)
Drew Morin: TCS-LR Kimball Team to Offer Gov't Agencies Net Security Services (ExecutiveBiz) TeleCommunication Systems has partnered with CDI Engineering Solutions' infrastructure services business unit L.R. Kimball to offer cybersecurity services for government customer networks at the state and local levels
FlowTraq partners with A10 Networks to speed and automate DDoS attack detection and mitigation (CSO) Partnership combines FlowTraq's high volume network traffic analysis capabilities with A10's traffic shaping expertise
Duo Security Introduces API Edition of Its Two-Factor Authentication Service (Dark Reading) Enables developers to quickly add strong authentication to Web and mobile apps
U.S. Army Testing Lockheed Martin Upgrades To Battlefield Intelligence Enterprise (MarketWatch) The U.S. Army's primary intelligence system is testing software developed by Lockheed Martin that will help them sort through terabytes of intelligence gleaned from manned and unmanned sources, improving their ability to efficiently analyze data
The secure smartphone that won't get you beaten with rubber hoses (Ars Technica) A new take on the secure smartphone, with a secure messaging app to go with it
Technologies, Techniques, and Standards
ONC interoperability road map draft outlines governance, certification standards goals (FierceHealthIT) An updated draft version of the Office of the National Coordinator for Health IT's 10-year road map to interoperability, published online late Monday, outlines goals for governance and certification standards and calls for "unprecedented collaboration" in ensuring that technology can seamlessly support the health of patients on a day-to-day basis
HIMSS seeks specific guidance from NIST on cybersecurity framework (FierceHealthIT) The healthcare industry needs the National Institute of Standards and Technology (NIST) to get specific about how to implement its cybersecurity framework, HIMSS writes in a letter to NIST Acting Director Willie E. May
Oil and Gas Industry Unites to Pull Plug on Cyberintruders (TheStreet) Companies in the U.S. oil and gas industry are moving to work together to fight the onslaught of cybersecurity marauders infiltrating their computer network systems
Questioning the chain of trust: investigations into the root certificates on mobile devices (Bluebox) All SSL connections rely on a chain of trust. This chain of trust, a part of PKI, is established by certificate authorities (CAs), which serve as trust anchors to verify the validity of who a device thinks it is talking to
Leveraging network intelligence for cybersecurity (GSN) When it comes to cybersecurity, boldface security organizations can seem just as susceptible to hacks as anyone else
Mastering Security Analytics (Dark Reading) Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
New rules aim to prevent IoT devices from taking down mobile networks (PCWorld) The dream of an Internet of things could turn into a nightmare for mobile operators, if sloppily written apps or chatty smartmeters were to overload their networks with signaling traffic. To avert such a scenario, a number of operators are backing a new set of network usage guidelines for device manufacturers and app developers
Protecting Point-of-Sale Devices in the Face of Attacks (SecurityWeek) In recent years, point-of-sale (PoS) systems have become a point of emphasis for attackers looking to steal credit and debit card information
5 steps to lock down your webmail account (Naked Security) For most people, webmail is their main personal account — used for everything from keeping in touch with friends and relatives to dealing with banks, government, shopping sites and other online services
Research and Development
New tech transforms transparency into privacy (CSO) Preserving privacy by keeping information secret isn't working. Consumers give away precious data for online baubles. Data breaches, large and small, spill data all over the Web. Marketers indiscriminately gather details about the online lives of people in their target markets
Academia
Grooming Students for A Lifetime of Surveillance (Model View Culture) The same technologists who protest against the NSA's metadata collection programs are the ones profiting the most from the widespread surveillance of students
Schoolgirl aged 15 left humiliated when teachers showed her bikini photo in assembly (Hot for Security) Remember when you were a teenager? And you had thousands of friends on Facebook?
Legislation, Policy, and Regulation
EU-Funded Study: Electronic Mass Surveillance Fails — Drastically (Just Security) Electronic mass surveillance — including the mass trawling of both metadata and content by the US National Security Agency — fails drastically in striking the correct balance between security and privacy that American officials and other proponents of surveillance insist they are maintaining
New Russian Cyber Spying Campaign Bolsters Need for Continued NSA Use of Software Holes (Washington Free Beacon) Former NSA official says Windows vulnerability shows Russian cyber attack capabilities
Air Force to step up recruiting, shorten training for cyber airmen (Air Force Times) The Air Force may shorten the training time for cyber airmen to move them into their jobs faster — and airmen with existing cyber certifications would get a head start
Litigation, Investigation, and Law Enforcement
Cybercrime is a 'freebie' for thieves in other countries attacking Americans: FBI (New York Daily News) FBI Director James Comey warned that most cyberthieves are operating in countries where they're immune from U.S. prosecution. In an interview Sunday on CBS' '60 Minutes,' he said the FBI is working with other countries to tackle the problem
Debate: Does Mass Phone Data Collection Violate The 4th Amendment? (NPR) The Fourth Amendment to the U.S. Constitution guarantees that "the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated"
For a complete running list of events, please visit the Event Tracker.
Newly Noted Events
2014 Omaha Cyber Security Event (Omaha, Nebraska, USA, Oct 23, 2014) Better Business Bureau and its partners present a panel discussion on how to stay safe online — it's our shared responsibility! Learn the risks, how to spot potential problems and how our online actions impact our safety. Panelists include professionals from the: US Secret Service, FBI, National Cyber Security Alliance and Nebraska State Information Office
NICE 2014 Conference and Expo (Columbia, Maryland, USA, Nov 5 - 6, 2014) Cybersecurity has emerged as one of the leading creators of jobs and opportunity for all economic sectors. An ecosystem of technology providers, policy makers, legal expertise, banking, insurance, devices, educational programs and devices have emerged to deal with the cyber security issues that have become commonplace. In turn, the marketplace has responded by demanding a new workforce capable of taking on this challenge
INFILTRATE Security Conference (Miami Beach, Florida, USA, Apr 16 - 17, 2015) INFILTRATE is a deep technical conference that focuses entirely on offensive security issues. Groundbreaking researchers focused on the latest technical issues will demonstrate techniques that you cannot find elsewhere. INFILTRATE is the single-most important event for those who are focused on the technical aspects of offensive security issues, for example, computer and network exploitation, vulnerability discovery, and rootkit and trojan covert protocols. INFILTRATE eschews policy and high-level presentations in favor of just hard-core thought-provoking technical meat
Upcoming Events
Hack-in-the-Box Malaysia (Kuala Lumpur, Malaysia, Oct 13 - 16, 2014) HITBSecConf or the Hack In The Box Security Conference is an annual must attend event in the calendars of security researchers and professionals around the world. Held annually in Kuala Lumpur, Malaysia and Amsterdam in The Netherlands, HITBSecConf is a platform for the discussion and dissemination of next generation computer security issues. Our events routinely feature two days of trainings and a two-day multi-track conference featuring cutting-edge hardcore technical talks delivered by some of the most respected names in the computer security industry. HITBSecConf is a place where ideas are exchanged, talent discovered and genius celebrated
FS-ISAC Fall Summit 2014 (Washington, DC, USA, Oct 13 - 16, 2014) The Financial Services Information Sharing and Analysis Center (FS-ISAC), is a non-profit association comprised of financial institution members, that is dedicated to protecting the global financial services sector from physical and cyber threats that impact the resilience, integrity and stability of member institutions through dissemination of trusted and timely information. Its Fall Summit will feature sessions of interest to both security professionals and the financial sector
CYBERSEC 2014 CYBERSEC is a 4-day event geared toward helping you achieve your cybersecurity goals. Whether your focus is on cybersecurity management, investigation, defense, or offense we are offering specialty cybersecurity information tracks just for you.
Black Hat Europe 2014 The premier conference on information security returns to the beautiful city of Amsterdam, Netherlands in October, 2014. Professionals from all over the world gather for two days of intense Trainings and two thought-provoking days of Briefings brought to you by some of the brightest minds in the industry.
Social Security Administration Security Awareness Day (Baltimore, Maryland, USA, Oct 15, 2014) This event, hosted by the Office of Information Security is intended to raise general computer security awareness for the end-users at SSA
Denver SecureWorld (Denver, Colorado, USA, Oct 16, 2014) A day of cyber security education. Earn 6-8 CPE credits, network with industry peers, and take advantage of more than thirty educational events. Over the past decade SecureWorld has emerged as one of North America's most vital cyber-security conferences, providing globally relevant education, training and networking for cyber-security professionals on a regional level. SecureWorld provides more content and facilitates more professional connections than any other event in the cyber-security industry. Established in 2002, SecureWorld offers many different continuing professional education sessions over two days in 14 cities throughout the United States.
TechCrunch Disrupt Europe Hackathon (London, England, UK, Oct 18 - 19, 2014) For the second year in a row, TechCrunch is jumping across the pond and bringing the iconic Disrupt and our Hackathon to Europe. We're heading your way, London
U.S. Army ITA Security Forum (Fort Belvoir, Virginia, USA, Oct 20, 2014) The U.S. Army Information Technology Agency Security Forum is taking place at the Ft. Belvoir site and will be a one day event focusing on cyber security education and training for the workforce. The exhibits will take place in the Warrior Conference Room and the training sessions will take place in the Heroes Auditorium
CSEC 2014 Cyber Security Summit (Kingdom of Bahrain, Oct 20 - 22, 2014) At the Inaugural Cyber Security Summit 2014, you will have the opportunity to seek ways to reset your IT security and risk strategy for success; stay relevant as IT security and risk are redefined; implement BCM best practices for threat resilience; mitigate the risks of new social collaboration tools; craft strategy for emerging BYOD and mobile threats; learn new regulatory compliance requirements; and more. This year's CSEC Summit attendees will: hear the latest presentations from the Information Security community on today's most pressing topics, attend workshops run by expert analysts and industry leaders, hear real-life experiences during peer case studies, engage in analyst-user roundtables and one-on-one meetings with industry experts, and check out the latest solutions in our Solution Showcase
2014 ICS Cyber Security Conference The 14th ICS Cyber Security Conference (sometimes known as "Weisscon") will be held October 20-23, 2014 at Georgia Tech in Atlanta, GA. Cyber Security is becoming a critical infrastructure issue with implications that go far beyond the plant fence. Plant engineers, corporate officers, insurance company executives and more will be handling cyber security issues in the coming years. This conference is essential attendance for people in the manufacturing or utility environment.
National Archives and Records Administration (NARA) IT Security Day (College Park, Maryland, USA, Oct 21, 2014) FBC and NARA are working together to coordinate the 6th Annual National Archives and Records Administration (NARA) Information Technology Day. Exhibitors will be on-site to share information and demonstrate their latest security products
Cyber Security Summit 2014 Cyber security breaches have a profound impact on all areas of society. Join the discussion at Cyber Security Summit 2014. For two days, leaders from the public and private sectors meet to identify cyber threat issues and their countermeasures.
Collaborative Approaches for Medical Device and Healthcare Cybersecurity; Public Workshop (Arlington, Virginia, USA, Oct 21 - 22, 2014) The Food and Drug Administration (FDA) is announcing the following public workshop entitled "Collaborative Approaches for Medical Device and Healthcare Cybersecurity." FDA, in collaboration with other stakeholders within the Department of Health and Human Services (HHS) and the Department of Homeland Security (DHS), seeks broad input from the Healthcare and Public Health (HPH) Sector on medical device and healthcare cybersecurity
Secure 2014 (Warsaw, Poland, Oct 21 - 23, 2014) NASK and CERT-Polska offer this conference on telecommunications and IT security. Speakers from government, industry, and universities around the world will offer insights into research, policy, and security trends
Hack.lu 2014 (Dommeldange, Luxembourg, Oct 21 - 24, 2014) Hack.lu is an open convention/conference where people can discuss computer security, privacy, information technology and its cultural/technical implication on society
ISSA International Conference (Orlando, Florida, USA, Oct 22 - 23, 2014) Join us for solution oriented, proactive and innovative sessions focused on security as a vital part of the business.
ToorCon San Diego (San Diego, California, USA, Oct 22 - 26, 2014) For hackers like you, because what could possibly go wrong?
DOE Germantown Cybersecurity Awareness Day (Germantown, Maryland, USA, Oct 23, 2014) The Department of Energy Germantown Building will be hosting a Cyber Security Awareness Day featuring a technology expo. DoE will be looking for a wide range of cyber security industry experts to showcase their latest technologies. Reaching the professional community within this location can be extremely challenging and this event will provide a great opportunity to provide product demonstrations to this hard-to-reach group, as well as position your company's information to the Department of Energy
Library of Congress Cybersecurity Awareness Expo (Washington, DC, USA, Oct 23, 2014) The Library of Congress (LOC) is hosting its annual cyber security awareness days during October and the exposition is an important part of their education and outreach effort to industry
NASA Glenn Research Center Cyber Security Expo (Cleveland, Ohio, USA, Oct 23, 2014) In recognition of National Cyber Security Awareness Month, an Awareness Day event will be held at Glenn Research Center in Cleveland, Ohio. This event will provide participants with information and resources on today's vulnerabilities, incidents, and security threats, as well as how to protect against them. Live demos and informational booths by top vendors will give participants a look at current trends in cyber security. Exhibitors will have the opportunity to network with government personnel and industry partners to discuss critical issues
FOCUS 14: Empowering the Connected World (Las Vegas, Nevada, USA, Oct 26 - 27, 2014) FOCUS will offer you a unique opportunity to learn directly from other McAfee users. Hear real-world scenarios from McAfee customers and learn how they maintain the highest standards of security while reducing costs, streamlining processes, and driving efficiencies in the daily administration of their networks and systems. Network with security peers who share your challenges, concerns and issues, and learn more about their own success strategies
Cybergamut Tech Tuesday: Software-Defined Networking Security (Columbia, Maryland, USA, Oct 28, 2014) Security-Defined Routing combines cyber analytics and SDN to protect the network: SDR technology assists organizations in scaling the delivery of network traffic to analytic security applications. When incidents are detected, changing the network forwarding tables through SDR techniques can provide an immediate remediation to network attacks, while automating the delivery of suspect traffic for transaction monitoring and archiving data for regulatory compliance and advance troubleshooting
USDA Cyber Security Symposium and Expo 2014 (Washington, DC, USA, Oct 28 - 29, 2014) The Summit will provide participants with information and resources on today's vulnerabilities, incidents, security lifecycle, risks and mitigations; it will also identify ways to work together and build a solid security foundation program to meet future challenges and trends in cyber security. The Cybersecurity Expo, running in conjunction to the Summit, will provide live demos and informational booths focused around the summit topics
Cyber Security and IT Day at Fort Carson (Colorado Springs, Colorado, USA, Oct 28, 2014) The Information Systems Security Association (ISSA) Colorado Springs Chapter will once again host the 5th Annual Cyber Security & Information Technology Days set to take place at Fort Carson on Tuesday, October 28, 2014 and at Peterson AFB on Wednesday, October 29, 2014. Both events are being conducted in October to coincide with National Cyber Security Awareness Month as a way to encourage collaboration between local military personnel and industry partners. Government and Industry experts will be on hand to brief attendees on the latest trends, best practices and remediation strategies, in the cyber security field. These one day forums will offer Cyber Security & Information Technology personnel a unique, local opportunity to get up-to-date information on rapidly evolving security challenges
Cyber Security and IT Days at Peterson AFB (Colorado Springs, Colorado, USA, Oct 29, 2014) The Information Systems Security Association (ISSA) Colorado Springs Chapter will once again host the 5th Annual Cyber Security & Information Technology Days. Government and Industry experts will be on hand to brief attendees on the latest trends, best practices and remediation strategies, in the cyber security field. These one day forums will offer Cyber Security and Information Technology personnel a unique, local opportunity to get up-to-date information on rapidly evolving security challenges
Dallas SecureWorld (Dallas, Texas, USA, Oct 29 - 30, 2014) Offering two days of cyber security education. Earn 12-16 CPE credits, network with industry peers, and take advantage of more than sixty educational events. Over the past decade SecureWorld has emerged as one of North America's most vital cyber-security conference, providing globally relevant education, training and networking for cyber-security professionals on a regional level. SecureWorld provides more content and facilitates more professional connections than any other event in the cyber-security industry. Established in 2002, SecureWorld offers many different continuing professional education sessions over two days in 14 cities throughout the United States.
Cyber Job Fair (Baltimore, Maryland, USA, Oct 29, 2014) ClearedJobs.Net is partnering with CyberMaryland to present the Cyber Job Fair at the CyberMaryland 2014 conference. The Cyber Job Fair is a hiring event for cleared and non-cleared cybersecurity professionals held the first day of the conference
CyberMaryland 2014 (Baltimore, Maryland, USA, Oct 29 - 30, 2014) Entrepreneurs, investors, academia and government will convene in Maryland, the nation's epicenter for cybersecurity, for the fourth annual CyberMaryland Conference.
ekoparty Security Conference 10th edition (Buenos Aires, Argentina, Oct 29 - 31, 2014) ekoparty — Electronic Knock Out Party — Security Conference, is a one of a kind event in South America; an annual security conference held in Buenos Aires, where security specialists from all over Latin America (and beyond) have the chance to get involved with state-of-the-art techniques, vulnerabilities, and tools in a relaxed environment never seen before.
Cyber Risk Summit (Washington, DC, USA, May 22, 2014) This one-day leadership conference will provide a discussion forum for business executives, insurance companies and policymakers on more effective private and public responses to cyber risk management. Topics to be discussed by expert speakers will include state and federal regulatory and legislative initiatives, efforts to develop a common cyber security framework, the threats from cyber espionage and terrorism, and the development of public and private mechanisms to finance and transfer losses from cyber events.
Senior Executive Cyber Security Conference (Baltimore, Maryland, USA, Oct 30 - Nov 1, 2014) North Star Group, LLC and the Johns Hopkins University's Whiting School of Engineering and Information Security Institute sponsor this senior executive focused cyber security conference. This event is designed for non-technical and technical executives who seek to gain a deeper understanding of not just the technical aspects of data breach prevention, but also the important role that insurance, crisis management, legal and human resources play. Speakers include Dr. Ed Schlesinger, Dean of Johns Hopkins University's Whiting School of Engineering, Dr. Andy Ozment, Assistant Secretary of the Office of Cybersecurity and Communications, Department of Homeland Security, and Mr. Eric Joost, Chief Operating Officer, Willis North America
FS-ISAC EU Summit 2014 (London, England, UK, Nov 3 - 5, 2014) The Financial Services Information Sharing and Analysis Center (FS-ISAC), is a non-profit association comprised of financial institution members, that is dedicated to protecting the global financial services sector from physical and cyber threats that impact the resilience, integrity and stability of member institutions through dissemination of trusted and timely information. Its EU Summit will feature sessions of interest to both security professionals and the financial sector
POC2014 (Seoul, Republic of Korea, Nov 4 - 7, 2014) POC (Power of Community) started in 2006 and has been organized by Korean hackers & security experts. It is an international security & hacking conference in Korea. POC doesn't pursue money. POC concentrates on technical and creative discussion and shows real hacking and security. POC wears both black hat and white hat. POC will share knowledge for the sake of the power of community. POC believes that the power of community will make the world safer.
Open Source Digital Forensics Conference 2014 (Herndon, Virginia, USA, Nov 5, 2014) This conference focuses on tools and techniques that are open source and (typically) free to use. It is a one day event with short talks packed with information. There are both tool developers and users in attendance, and this is a unique opportunity to learn about new tools and provide feedback
Bay Area SecureWorld (Santa Clara, California, Nov 5, 2014) A day of cyber security education. Earn 6-8 CPE credits, network with industry peers, and take advantage of more than thirty educational events. Over the past decade SecureWorld has emerged as one of North America's most vital cyber-security conferences, providing globally relevant education, training and networking for cyber-security professionals on a regional level. SecureWorld provides more content and facilitates more professional connections than any other event in the cyber-security industry. Established in 2002, SecureWorld offers many different continuing professional education sessions over two days in 14 cities throughout the United States.
Managing BYOD & Enterprise Mobility USA 2014 (San Francisco, California, USA, Nov 5 - 6, 2014) The Managing BYOD & Mobility USA 2014 conference will provide a unique networking platform, bringing together top executives from USA and beyond. They come together not only to address mobility challenges and set the precautions framework, but most importantly to provide the necessary tools, insights and methodological steps for constructing a successful mobility policy. These policies will fulfill the BYOD prophecy of increased productivity, employee satisfaction, cost savings and corporate competitive advantage
Journal of Law and Cyber Warfare First Annual Cyber Warfare One Day Symposium (New York, New York, USA, Nov 6, 2014) The Journal of Law and Cyber Warfare is proud to present the First Annual Cyber Warfare One Day Symposium. Join us as senior lawyers, technology chiefs, government officials, and academics discuss the current threat of cyber security and how it is affecting US corporations. CLE credit is available on certain panels
RiseCON 2014 (Rosario, Santa Fe, Argentina, Nov 6 - 7, 2014) Rosario Information Security Conference is the first and largest information security and hacking event held in the city of Rosario, with international standing and reach
Israel HLS 2014 (Tel Aviv, Israel, Nov 9 - 12, 2014) The third International Conference on Homeland Security will bring together government officials, public authorities, and HLS industry leaders from around the world to share their knowledge and experience. They will participate in high-level discussions on securing the safety of citizens and protecting critical infrastructure and property, and explore Israel's advanced HLS technologies and systems.
Critical Infrastructure Cyber Community (C3) Voluntary Program Meeting (San Diego, California, USA, Oct 13, 2014) Join stakeholders from across the cyber community to discuss building a cyber risk management program, using DHS resources, and to learn how organizations of all sizes are using the Cybersecurity Framework
i-Society 2014 (London, England, UK, Nov 10 - 12, 2014) i-Society 2014 is a global knowledge-enriched collaborative effort that has its roots from both academia and industry. The conference covers a wide spectrum of topics that relate to information society, which includes technical and non-technical research areas.
Seattle SecureWorld (Seattle, Washington, USA, Nov 12 - 13, 2014) Offering two days of cyber security education. Earn 12-16 CPE credits, network with industry peers, and take advantage of more than sixty educational events. Over the past decade SecureWorld has emerged as one of North America's most vital cyber-security conferences, providing globally relevant education, training and networking for cyber-security professionals on a regional level. SecureWorld provides more content and facilitates more professional connections than any other event in the cyber-security industry. Established in 2002, SecureWorld offers many different continuing professional education sessions over two days in 14 cities throughout the United States.
AVAR 2014 The 17th Association of anti-Virus Asia Researchers International Conference: Security Down Under. Topics will include case studies of targeted attacks, real-life attack demonstrations, web-inject attacks/code insertion attacks, man-in-the-browser attacks, targeted advanced persistent threats, dedicated advanced evasion techniques, and mitigations to all of these. The conference will also take up identification and investigation of targeted threats, how to spot targeted attacks in collections, COINTEL (counter intelligence) on determined adversaries (e.g., detecting the attacker, running honeypots, etc.), mobile malware, and security policies.
ZeroNights 2014 (Moscow, Russia, Nov 13 - 14, 2014) ZeroNights is an international conference dedicated to the practical side of information security. It will show new attack methods and threats, showcase new possibilities of attack and defense, and suggest out-of-the-box security solutions. ZeroNights gathers experts, infosecurity practitioners, analysts, and hackers from all over the world
Cyber Security Awareness Week Conference (New York, New York, USA, Nov 13 - 15, 2014) Get ready for CSAW: the largest student-run cyber security event in the nation, with a research conference that attracts some of the biggest names in the industry, and a career fair with an impressive list of corporate partners. It's a weekend of competitions, keynote talks and cyber security events, designed to prepare best-performing students with the skills and knowledge to shape the future of the industry
Ground Zero Summit, India (New Delhi, India, Nov 13 - 16, 2014) Ground Zero Summit (GOS) 2014 in its second year promises to be Asia's largest Information Security gathering and proposes to be the ultimate platform for showcasing research and sharing knowledge in the field of cyber security. GOS rationale: The increasing volume and complexity of cyber threats, including phishing scams, data theft, and online vulnerabilities, demand that we remain vigilant about securing our systems and information. Enterprises and governments worldwide are grappling with the grim reality of data and critical systems being exploited. This summit aims to address these new forms of cyber attack and formulate solutions
Deepsec 2014 (Vienna, Austria, Nov 18 - 21, 2014) DeepSec is an annual European two-day in-depth conference on computer, network, and application security. This is a non-product, non-vendor-biased conference event. Our aim is to present the best research and experience from the fields' leading experts.
BugCON (Mexico City, Mexico, Nov 19, 2014) BugCON Security Conference is a hardcore technical conference focused on the technical side of security. Running since 2008, BugCON is the oldest forum where researchers, students and professionals show their latest research and projects
International Cyber Warfare and Security Conference (Ankara, Turkey, Nov 19 - 20, 2014) In-depth discussions will cover: new emerging threats and challenges on cyber warfare, the policy of leading cyber nations in cyber warfare and security, legal aspects of cyber warfare, industrial perspective in cyber warfare and security, new trends, new developments, technologies and solutions, and the next generation of cyber attacks—mapping the future threat environment.
EDSC 2014 (Seattle, Washington, USA, Nov 20 - 21, 2014) EDSC is a security conference focusing on embedded systems, hardware, and anything behind the silicon curtain. Embedded testing is a rapidly expanding area of the security industry, and staying current is important for engineers, researchers, and testers alike. EDSC will bring the top thought leaders in the embedded security field together for two days to share knowledge, techniques, and research.
Ethiopia Banking and ICT Summit (Addis Ababa, Ethiopia, Nov 21, 2014) The one day summit is designed to highlight the key Investment opportunities especially in the Banking & ICT Sectors. As an emerging economic capital for the region, Ethiopia is leading the way in industrial growth, international trade and global integration for sub-Saharan Africa as a whole.
BSidesVienna (Vienna, Austria, Nov 22, 2014) BSidesVienna will open its doors again in 2014. Be part of it and stay tuned