The CyberWire Daily Briefing 11.06.14
news from the National Initiative for Cybersecurity Education conference
Several of yesterday's afternoon sessions took up issues of certification, and, more generally, the challenge of determining that cyber workers actually have the skills necessary for their jobs.
Organizers of cyber competitions described how competitions support and inspire STEM education. Such competitions are vehicles to support the larger STEM workforce's growth over time, but they also seek to redress immediate labor shortfalls. If competitions help schools teach essential skills, students will find that careers follow. In any case, precise career planning is difficult: stories, panelists agreed, were much more useful.
A panel on certification took pains to distinguish certificates from certifications. Certificates confirm learning. They're not tested, validated, or aligned with needs, as certifications are.
Certification is inevitably bound up with professionalization. Resolving current confusion over which certifications are valuable depends upon, first, recognizing that one can't professionalize an entire field as disparate as cybersecurity. There are too many kinds of jobs. We professionalize occupations to remediate deficiencies, and so we should begin in cyber by identifying occupational deficiencies, and only then evolving standards and practices to remediate them.
The medical profession offers a good analogy for cyber: there are many disparate occupations (consider nurses, surgeons, etc., and the various specialties within those careers).
All professions place entry level practitioners in a safe environment under senior supervision. So should cyber. And all cyber specialties aren't equally mature, or equally crucial. Recognizing this should shape professionalization. Certifications, to be adequate, must capture craft elements of occupations, and verify that cyber practitioners have them.
A session on Centers of Academic Excellence continued this line of thought. Such centers are attractive sources of cyber labor because their graduates are known commodities.
The conference's second and final day was opened by LifeJourney CEO Rick Geritz, who reported on yesterday's meeting of the NICE 365 Board (a corporate advisory group). There was considerable interest in and commitment to STEM education; the challenge now is coordinating corporate support. Geritz introduced one coordination aid: the online NICE Cyber Education Map, an interactive tool showing cyber education programs.
Howard Community College President Hetherington spoke next, describing a cyber education role for community colleges (her own college, of course, furnishing examples thereof). She emphasized the importance of "soft skills" education to cyber, and the importance of integrating it into STEM programs. (She noted that ethics and communication were particularly important.)
USA Today's Vinnie Polito delivered the morning keynote, "Why Cyber Security is STEM." He noted that unemployment is in many ways a supply-side problem: many remain unemployed because they lack skills, and that lack of skills creates the cyber labor shortage. Skill training, including key craft skill training, should begin in middle school and high school.
There's no lack of expressed commitment to STEM education. "USA TODAY's been covering the education market for decades," Polito said. "There's a STEM program for every conceivable interest group." But too many of these are one-offs, and haven't shown an ability to scale. We're in a post-Sputnik moment with respect to national concerns about STEM education. But worry won't serve as an effective spur to action unless we develop the ability to develop and scale educational best practices.
We'll report on this afternoon's sessions in tomorrow's issue of the CyberWire.
Other jihadist groups are reported to be taking a page from ISIS's social media playbook, conducting "money jihad" fundraisers over Twitter (so far without ISIS's growing OPSEC wariness).
Researchers are looking into a bug in VMWare's ESXi hypervisor that could corrupt virtual machines. VMWare knows about the problem and addressed it with an advisory early last month; Veeam and other firms are evaluating the adequacy of the fix.
CSO reports that Apple's XProtect fix for the iWorm may be incomplete. The Rootpipe OS X vulnerability continues to induce security headaches. (Rootpipe could be exploited to give attackers control of Macs without the need to enter a password.) These issues, as well as the WireLurker malware Palo Alto finds infecting Apple devices in China, move many observers to predict a coming era of insecurity for Apple users.
A version of the Dridex banking malware revives an old-school attack technique: infected MS Word macros.
eSecurity Planet draws a lesson from Shellshock and extends it to other software with deep pre-Internet roots. What were features in the old days are dangerously buggy in today's connected world.
Samsung answers NIST's warning about the alleged vulnerability in the manufacturer's Find My Mobile service.
Vectra Networks wonders what attackers do after they're inside a network's perimeter, and looks at five months' worth of incident data to see what's trending. Command and control is the most common activity, exfiltration the least.
Raytheon buys Blackbird Technologies.
The Chinese ambassador to the US accuses the Americans of cyber bad faith.
Notes.
Today's issue includes events affecting Brazil, China, Colombia, India, Israel, Japan, Netherlands, Palestinian Territories, Russia, South Africa, Spain, United Kingdom, United States, and Vietnam.
Columbia, Maryland: the latest from the National Initiative for Cybersecurity Education conference
NICE Conference and Expo (Federal Business Council) Cybersecurity has emerged as one of the leading creators of jobs and opportunity for all economic sectors. An ecosystem of technology providers, policy makers, legal expertise, banking, insurance, devices, educational programs and devices has emerged to deal with the cyber security issues that have become commonplace. In turn, the marketplace has responded by demanding a new workforce capable of taking on this challenge
NICE Cyber Education Map (National Initiative for Cybersecurity Education) The NICE Cyber Education Map is an interactive map that highlights schools, teachers, companies and agencies supporting Cyber Education in America
Live Threat Map (Norse) Norse delivers continuously-updated, unique Internet and darknet attack intelligence that helps organizations block attacks that other systems miss. The Norse live attack map is a visualization of a tiny portion (<1%) of the data processed by the Norse DarkMatter™ platform every day
Are STEM mentors really helping students? (eCampusNews) New study highlights institutional problems preventing STEM mentors from being effective
FMA Survey: Cyber Training Top Priority Among Federal Civilian, Defense Agencies (Executive Gov) A new survey from the Fort Meade Alliance indicates that cybersecurity personnel training is a top investment priority for more than 60 percent of federal civilian and defense agencies
Professionalizing Cybersecurity: A path to universal standards and status (Pell Center for International Relations and Public Policy) The Internet, together with the information communications technology (ICT) that underpins it, has revolutionized our world and opened new opportunities for the global economy and civilization at large. Our reliance on this complex infrastructure, however, has also exposed new vulnerabilities and opened the door to a wide range of nefarious cyber activities by a spectrum of hackers, criminals, terrorists, state and non-state actors
Tech's new blue collar: Good-paying jobs that don't require a 4-year degree (IT World) Traditional manufacturing work may be mostly offshored, but there are plenty of tech-industry jobs that don't require a bachelor's degree and can provide a middle-class life
AirPatrol CEO, Cleve Adams Joins Advisory Board of NICE Cyber Education Map (Benzinga) Cleve Adams, CEO of AirPatrol Corporation, a Sysorex (NASDAQ: SYRX) subsidiary, and a developer of mobile device detection and locationing systems, has joined the National Initiative for Cybersecurity Education (NICE) Cybersecurity Map's advisory board
Cyber Attacks, Threats, and Vulnerabilities
Gaza Jihadis Launch Twitter Fundraising Drives To Arm And Supply Their Men (MEMRI) Salafi-jihadi groups in the Gaza Strip have recently launched Twitter fundraising campaigns to finance their activities, with the stated goal of purchasing weapons and ammunition, paying jihad fighters' salaries, financing military activity, and otherwise aiding in waging the war against Israel. The campaigns remind supporters that the "money jihad" is religiously important and propagate the idea that while it is not equal to active participation in jihad, assisting the jihad via financial contributions is still a religious obligation
VMware's ESXi Has Backup Bug (InformationWeek) The version of VMware's hypervisor that's embedded in shipping servers has a bug that under certain circumstances corrupts backup virtual machines
Apple's iWorm fix still leaves major hole (CSO) XProtect isn't protecting against everything
Unpatched bug in Mac OS X gives root access to untrusted people (Ars Technica) Rootpipe allows attackers to take control of Macs without entering a password
Apple customers face 'new era' of cyber attacks (Telegraph) Cyber security company Palo Alto Networks discovers new malware that targets Apple devices and acts like a traditional virus
Malware Discovered In China Could Herald 'New Era' Of iOS And Mac Threats (TechCrunch) Conventional wisdom suggests that the vast majority of mobile malware cases impact Android devices. Or at least that those who do not jailbreak their iPhones are safe from most threats — even Apple CEO Tim Cook has bashed Android for "dominating" the mobile malware market. Yet a new virus found in China by US-based researchers could herald the first serious security threat to Apple devices
Experts: Don't use Apple Pay, CurrentC until crooks get a shot at them (Network World via CSO) Despite designers' diligence, these payment systems haven't been tested by real-world criminals
Nov 5 Root Cause Analysis of CVE-2014-1772 — An Internet Explorer Use After Free Vulnerability (TrendLabs Security Intelligence Blog) We see many kinds of vulnerabilities on a regular basis. These range from use-after-free (UAF) vulnerabilities, to type confusion, to buffer overflows, to cross-site scripting (XSS) attacks. It's rather interesting to understand the root cause of each of these vulnerability types, so we looked at the root cause of an Internet Explorer vulnerability — CVE-2014-1772
'Dridex' malware revives Microsoft Word macro attacks (IDG via CSO) A recent piece of malware that aims to steal your online banking credentials revives a decade-old technique to install itself on your PC
Is Shellshock a Feature, not a Bug? (eSecurity Planet) The Shellshock flaw highlights a major security issue. Software created before mass adoption of the Internet is highly susceptible to today's security risks
Experts troubled by Drupal's latest security snafu (FierceContentManagement) Drupal's latest cyberattack may have affected as many as 12 million websites, leaving security experts concerned that similar future exploits could create a ripple effect compromising thousands more sites
Still Spamming After All These Years (KrebsOnSecurity) A long trail of spam, dodgy domains and hijacked Internet addresses leads back to a 37-year-old junk email purveyor in San Diego who was the first alleged spammer to have been criminally prosecuted 13 years ago for blasting unsolicited commercial email
Samsung Fires Back at NIST, Says Find my Mobile Service Safe (Threatpost) Samsung this week tried to quell recent reports that its Find My Mobile service is vulnerable to hacking, firing back at NIST (National Institute of Standards and Technology) who warned last month that the feature could be exploited
What attackers do after bypassing perimeter defenses (Help Net Security) Vectra Networks collected data over five months from more than 100,000 hosts within sample organizations to gain a deeper understanding of breaches that inevitably bypass perimeter defenses, and what attackers do once inside networks
Reflected File Download a New Web Attack Vector (Trustwave's SpiderLabs) Attackers would LOVE having the ability to upload executable files to domains like Google.com and Bing.com. How cool would it be for them if their files are downloaded without ever being uploaded! Yes, download without upload! RFD is a new web based attack that extends reflected attacks beyond the context of the web browser. Attackers can build malicious URLs which once accessed, download files, and store them with any desired extension, giving a new malicious meaning to reflected input, even if it is properly escaped. Moreover, this attack allows running shell commands on the victim's computer
Tearing down CryptoWall (Cylance) There are not many things that can ruin a day as much as an attacker holding your files for ransom. There are feelings of violation, as they have clearly tampered with your private data, a pit in your stomach when you see how much it will cost to get your files back, and overwhelming guilt as you weigh the pros and cons of actually paying these low life criminals. Many have been feeling these emotions lately as CryptoWall has been on the rise, most recently with the campaign infecting users via malvertising on sites such as Yahoo and AOL
Which Government Websites Host the Most Phishing Attacks? (Cyveillance Blog) Last month we shared some data from a year's worth of collected phishing URLs. In that post, we described the relationship between Alexa rankings and the likelihood that a URL leads to a phishing attack. In this post we'll examine another insight gained from examining that data
Guy Fawkes Night special: The ultimate 2014 guide to hacking and cyber terrorism (IT Pro Portal) It's now over 409 years since Guy Fawkes and his band of conspirators plotted to blow up the Houses of Parliament with King James I inside. Since then, the world of crime and terrorism has come a long way, and perhaps a modern day Guy Fawkes would be more interested in hacking the parliamentary computer system rather than blowing it to pieces
Cyber Espionage — China in the Crosshairs (Check and Secure) The business world is getting bigger and it is long since known that in this globalised world, the markets in the far east are of vital importance to any company wanting to expand internationally
Alaska's Online Voting Leaves Cybersecurity Experts Worried (IEEE Spectrum) Some Americans who lined up at the ballot boxes on Tuesday may have wished for the convenience of online voting. But cybersecurity experts continue to argue that such systems would be vulnerable to vote tampering — warnings that did not stop Alaska from allowing voters to cast electronic ballots in a major election that had both a Senate seat and the governorship up for grabs
Is Easy WiFi Access Putting You at Risk? (Tripwire: The State of Security) Throughout National Cyber Security Awareness Month (NCSAM), I must admit I realized I was reading the same advice we have always pushed out — the same obvious methodologies and procedures to help keep us all nice and secure
LUS says Internet service outage result of cyber attack (KATC) The loss of services many users of Lafayette Utility Systems' fiber Internet experienced since Tuesday was the result of a cyber attack, LUS said in a news release Wednesday
Canadian church website hacked with hate messages by pro-ISIS hackers (HackRead) A group of pro-ISIS hackers hacked and defaced the website of Inniswood Baptist Church in the city of Barrie, Canada, Monday afternoon
Capital One Acknowledges Insider Breach (eSecurity Planet) An employee improperly accessed an undisclosed number of customers' names, account numbers and Social Security numbers
Security Patches, Mitigations, and Software Updates
Cisco patches serious vulnerabilities in small business RV Series routers (IDG via CSO) Cisco Systems released patches for its small business RV Series routers and firewalls to address vulnerabilities that could allow attackers to execute arbitrary commands and overwrite files on the vulnerable devices
Cyber Trends
Cybersecurity 2014: Breaches and costs rise, confidence and budgets are low (CSO) Following a year of high confidence in their enterprise security programs, CSOs were met with a tough year of stagnant budgets, an increasingly vulnerable Internet, and more successful attacks
Cybersecurity's All-Seeing Eye (Bloomberg BusinessWeek) One sobering reality of cybersecurity is that defense is far more difficult than offense
Chertoff: Cybersecurity takes teamwork (CSO) Former Homeland Security secretary tells Advanced Cyber Security Center audience in Boston that relying on prevention only spells 'doom'
Are today's leaders prepared for cyberwarfare? (Australian Broadcasting Corporation) One reason the First World War got so bogged down over four years was that generals used to 19th century warfare took so long to understand the new technologies of air and tank warfare
Mobile security breaches impacted 68% of organizations (Help Net Security) Mobile security breaches have affected 68 percent of organizations in the last 12 months, according to a new global study from BT. Despite this, organizations are still not taking sufficient security measures to protect themselves against mobile threats, such as lost or stolen devices and malware infections
Security issues in collaboration platforms (Help Net Security) CipherPoint revealed the results of its second annual survey on security issues in collaboration platforms such as Microsoft SharePoint, Office 365, and Google Apps
More than one third of Americans don’t use basic malware protection, Bitdefender study shows (Hot for Security) Advanced security technologies such as VPN and two-factor authentication are used by less than one in 10 Americans
Marketplace
Anthony Hilton: Are cyber-attacks the real threat to banks? (London Evening Standard) A banker told me the other day of a stress test his organisation had to perform at the request of the Prudential Regulation Authority as part of its efforts to develop a regime where no one is too big to fail
Former NSA lawyer: the cyberwar is between tech firms and the US government (Guardian) Stewart Baker said that Apple and Google could be restricting their business in markets like China and Russia by encrypting user data
Security Buyer Beware: Breach Detection Market Contains Unproven Tech (CRN) The market for breach-detection technologies is growing rapidly, but an NSS Labs market study warns organizations that fledgling security startups bearing unproven platforms are flooding it
Cyber security is essential in today’s marketplace (National Journal) On 5 November, Francis Maude, Minister for the Cabinet Office with responsibility for the UK Cyber Security Strategy, co-hosted a summit of CEOs from the UK's insurance sector in conjunction with Marsh, the insurance broker and risk adviser, to discuss how the sector can help ensure that the UK is one of the safest places to do business in cyberspace
As company plans to split, Symantec posts mixed Q2 earnings (ZDNet) Symantec's revenue and earnings were both down from the same quarter last year, and the outlook for the next three months looks a bit soft
FireEye's (FEYE) Disappointing Third Quarter Hits Cyber Security Stock Hard (Equities) Cyber security has been a particularly hot topic over the last year. When Target (TGT) had to admit that millions of credit card numbers had been compromised, it seemed like the retailer was in hot water — and It was. Yet, at this point, enough major box stores have admitted to similar security breaches that not having one could just as easily be a sign a store has failed to expose their leak rather than it not existing
Debunking the BlackBerry Security Myth (Seeking Alpha) Let me start by saying BlackBerry's (NASDAQ:BBRY) security for mobile devices and MDM is top-notch. No one is debating that, and in fact, BlackBerry has had likely the best mobile security for quite some time
Dell Makes Security a Business Enabler with Innovation and Integration Across Solution Portfolios (BusinessWire) With an approach based on simplicity, efficiency and connectivity, Dell is rapidly unifying the fragmented security market, making security a true business enabler
Raytheon acquires special operations and cybersecurity firm Blackbird Technologies (Raytheon Media Room) Enhances offerings in persistent surveillance, secure tactical communications and cybersecurity solutions in intelligence and special operations markets
Palerra Emerges From Stealth, Changes Its Names And Jumps On The Security Bandwagon (Forbes) I'm always a little dubious about companies that change their names even before they launch. It seems a little presumptuous to me and, in my view, plays to the Silicon Valley bubble where a good name and sufficient use of buzzwords gives a company a better chance of success. Despite my skepticism, it's worth having a look at newly emerged Palerra, which is also newly renamed from its previous incarnation as Apprity
Spanish cybersecurity firm S2 Grupo to begin operating in Colombia in 2015 (Fox News Latino) Spanish cybersecurity firm S2 Grupo will begin operating in Colombia in the first quarter of 2015 as part of an expansion effort that also includes plans to set up shop elsewhere in Latin America and other parts of Europe later this decade
Global Rise in Privileged Account Abuse Drives Record Growth for Thycotic (Virtual Strategy) Thycotic, a provider of smart and effective privileged account management solutions for global organizations, today announced that more than 180,000 IT professionals worldwide are now using the company's Secret Server solution
Symantec and Deloitte establish Cyber Security Alliance to include Middle East (Albawaba) Symantec Corp. in alliance with Deloitte announced today an innovative cyber threat vulnerability management service. The integrated offering will pair Symantec's cyber intelligence and information protection technologies with Deloitte's consulting services to help businesses address concerns around cyber security and information protection. The alliance will focus on growth markets across EMEA, including Middle East as a priority region given it is a hub of targeted cyber crime activity
IBM looks beyond its uneasy IoT pact with GE (Rethink Wireless) While the IT giant is a founder of GE's Industrial Internet Consortium, it also needs IoT groups it can control itself
Microsoft and VNISA cooperate on information security and privacy in Vietnam (VietNamNet Bridge) Microsoft Vietnam and the Vietnam Information Security Association (VNISA) today signed a Memorandum of Understanding (MoU), aimed at strengthening information security and privacy in Vietnam while addressing increasing security risks in the country
Safe-T Appoints Derek Schwartz as CEO (PRNewswire) Safe-T Data, the provider of Unified Secure Data Exchange Solutions designed to securely bridge the gap between the Enterprise and The Cloud, announced today the appointment of Derek Schwartz as CEO. In his role, Mr. Schwartz will lead Safe-T and be responsible for growing Safe-T's business around the world with a strong focus on the Americas, while continuing to deliver innovative products to market
CrowdStrike™ Appoints Johanna Flower as Chief Marketing Officer (PRNewswire) CrowdStrike Inc., a leading provider of next-generation endpoint threat protection, intelligence, and services announced today that Johanna Flower has joined the leadership team as Chief Marketing Officer
Products, Services, and Solutions
Watchful Software Releases TypeWATCH for Individuals Delivering e-Biometrics to the Mass Market (Realwire) e-Biometric application is now available to protect against fraudulent systems from compromised credentials
WatchGuard Technologies Partners with Fujitsu Fsas to Deliver Managed Network Security Solutions in Japan (Virtual Strategy) WatchGuard Next Generation Firewalls and Unified Threat Management appliances selected for breadth of security services, system management and real-time visibility tools
Microsoft releases free Antimalware for Azure (ZDNet) The service, using the same engine and signatures as Microsoft's other offerings, is now available to most Azure virtual machines. The software is free, but use of it may cost money
Alert Logic Announces Security Solutions for IBM SoftLayer (MarketWatch) Alert Logic first to deliver fully managed IDS and log management capabilities to SoftLayer customers
Halcyon Tackles IBM i Security with New Products (IT Jungle) Halcyon Software moved further into the IBM i security business last month with the release of two new products, including Exit Point Manager and Password Reset Manager. The new software will help organizations secure their IBM i environments, while giving Halcyon additional products to sell to its customer base
South River Technologies Releases New Version of DMZedge Server (Marketwired) South River Technologies, Inc. (SRT), an innovator in secure file transfer, today announced v6.0 of its DMZedge Server product
Boeing tests new cyber warfare anti-jamming technology (Examiner) A Boeing release this morning out of El Segundo, California, indicates the 98-year-old multi-faceted aerospace company has just completed a successful test of new anti-jamming technology. The unnamed piece of equipment will enable the military to send and receive secure communications using either ground-based or satellite-based networking hubs
ZMap 1.2.1 — The Internet Scanner (Kitploit) ZMap is an open-source network scanner that enables researchers to easily perform Internet-wide network studies. With a single machine and a well provisioned network uplink, ZMap is capable of performing a complete scan of the IPv4 address space in under 45 minutes, approaching the theoretical limit of gigabit Ethernet
Technologies, Techniques, and Standards
U.S. Mulls New Tactics to Stem Wave of Cyberattacks (SecurityWeek) As hacking attacks reach epidemic proportions, the US cybersecurity community is looking at new ways to step up defense, including counterattacking the hackers themselves
Stem the Onslaught of System Wide Attacks (Sarbanes-Oxley Compliance Journal) "By introducing this service, American Express confirms that contemporary data-centric security approaches are necessary to stem the onslaught of system-wide attacks that traditional payment card data defenses cannot sustain on their own," said Mark Bower, Vice President of Product Management, Voltage Security
How to clear out cookies, Flash cookies and local storage (Naked Security) This quick fix will show you how to clear out cookies and the cookie-like things that can be used to track you online
Research and Development
The Next Big Thing To Fight Hackers? Self-Healing Computers (Defense One) Now that the Department of Homeland Security has ponied up $6 billion for governmentwide, automated computer safeguards, a top National Security Agency cybersecurity official says the approach has its shortcomings
Getting Inside the Adversary's OODA Loop: Automation and Information Sharing for Cyber Defense (The CyberWire) The CyberWire interviewed Mr. Philip Quade, Chief Operating Officer of NSA's Information Assurance Directorate, who participated in SINET ITSEF 2014. The NSA's Information Assurance Directorate is responsible for the security of US national security systems. He shared his views on Active Cyber Defense, and how it depends upon automation and information sharing for a risk-based approach to Sensing, Sense-making, Decision-making, and Acting in cyberspace
Legislation, Policy, and Regulation
This Country Is Sending the U.S. a Strong Message About NSA Surveillance (Blaze) Brazilian President Dilma Rousseff doesn't approve of the U.S. National Security Agency's surveillance techniques. She's making that much clear by overseeing the construction of a $185 million overseas fiber-optic cable which will stretch across the Atlantic Ocean from Fortaleza, Brazil to Lisbon, Portugal
Chinese ambassador: US has broken cyber faith (The Hill) It's the U.S., not China, that needs to repair tense relations over cybersecurity between the two countries, according to the Chinese ambassador
Spy Chiefs Launch Operation Social Media (Bloomberg View) There is no doubt that Robert Hannigan, the newly appointed chief of the U.K.'s electronic intelligence agency, GCHQ, wants social networks such as Facebook and Twitter to cooperate more closely with his agency. The big question is why he wants to tell them that in public
NSA Director Says Agency Shares Vast Majority of Bugs it Finds (Threatpost) When the National Security Agency discovers a new vulnerability that looks like it might be of use in penetrating target networks, the agency considers a number of factors, including how popular the affected software is and where it's typically deployed, before deciding whether to share the new bug. The agency shares most of the bugs it finds, NSA Director Mike Rogers said, but not all of them
Impact of GOP Win on Cyber Lawmaking (GovInfoSecurity) A look at Sen. Ron Johnson's cybersecurity credentials
Why Mark Udall's Senate Defeat In Colorado Could Slow NSA Reforms (International Business Times) Senator Mark Udall, D-Colo., has been one of the most vocal critics of U.S. intelligence agencies since before anyone ever heard of Edward Snowden. The senator has blasted the National Security Agency, CIA and FBI all while trying to walk the tightrope between transparency and security. Now that he's been voted out of office, critics of America's national security policy are wondering what happens next
Medical Device Security: More Scrutiny (GovInfoSecurity) Watchdog agency outlines 2015 audit plans
Litigation, Investigation, and Law Enforcement
Government demands for Facebook user data soar by 24% (Naked Security) Government requests for Facebook's user data rose by almost a quarter in the first half of 2014 compared with the second half of the previous year, according to the social network
Alleged Russian hacker one step closer to facing justice in U.S. (CBS News) The Dutch government has approved the extradition to the United States of a Russian citizen accused of participating in a hacking ring that penetrated computer networks of more than a dozen corporations and stole at least 160 million credit and debit card numbers
STD dating site PositiveSingles.com faces $16.5 million fine for sharing user profiles (Naked Security) The claimant signed up with a dating site for people with sexually transmitted diseases (STDs) that promised "100% anonymity"
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
POC2014 (Seoul, Republic of Korea, Nov 4 - 7, 2014) POC (Power of Community) started in 2006 and has been organized by Korean hackers & security experts. It is an international security & hacking conference in Korea. POC doesn't pursue money. POC concentrates on technical and creative discussion and shows real hacking and security. POC wears both black hat and white hat. POC will share knowledge for the sake of the power of community. POC believes that the power of community will make the world safer.
National Initiative for Cybersecurity Education Conference and Expo (Columbia, Maryland, USA, Nov 5 - 6, 2014) The NICE 2014 Conference and Expo features thought leaders from education, government, industry and non-profits to address the future cybersecurity education needs of the nation
Managing BYOD & Enterprise Mobility USA 2014 (San Francisco, California, USA, Nov 5 - 6, 2014) The Managing BYOD & Mobility USA 2014 conference will provide a unique networking platform, bringing together top executives from USA and beyond. They come together not only to address mobility challenges and set the precautions framework, but most importantly to provide the necessary tools, insights and methodological steps for constructing a successful mobility policy. These policies will fulfill the BYOD prophecy of increased productivity, employee satisfaction, cost savings and corporate competitive advantage
Journal of Law and Cyber Warfare First Annual Cyber Warfare One Day Symposium (New York, New York, USA, Nov 6, 2014) The Journal of Law and Cyber Warfare is proud to present the First Annual Cyber Warfare One Day Symposium. Join us as senior lawyers, technology chiefs, government officials, and academics discuss the current threat of cyber security and how it is affecting US corporations. CLE credit is available on certain panels
RiseCON 2014 (Rosario, Santa Fe, Argentina, Nov 6 - 7, 2014) Rosario Information Security Conference: the first and largest information security and hacking event held in the city of Rosario, of international caliber and significance
Israel HLS 2014 (Tel Aviv, Israel, Nov 9 - 12, 2014) The third International Conference on Homeland Security will bring together government officials, public authorities, and HLS industry leaders from around the world to share their knowledge and experience. They will participate in high-level discussions on securing the safety of citizens and protecting critical infrastructure and property, and explore Israel's advanced HLS technologies and systems.
Critical Infrastructure Cyber Community (C3) Voluntary Program Meeting (San Diego, California, USA, Oct 13, 2014) Join stakeholders from across the cyber community to discuss building a cyber risk management program, using DHS resources, and to learn how organizations of all sizes are using the Cybersecurity Framework
i-Society 2014 (London, England, UK, Nov 10 - 12, 2014) i-Society 2014 is a global knowledge-enriched collaborative effort that has its roots from both academia and industry. The conference covers a wide spectrum of topics that relate to information society, which includes technical and non-technical research areas.
Seattle SecureWorld (Seattle, Washington, USA, Nov 12 - 13, 2014) Offering two days of cyber security education. Earn 12-16 CPE credits, network with industry peers, and take advantage of more than sixty educational events. Over the past decade SecureWorld has emerged as one of North America's most vital cyber-security conferences, providing globally relevant education, training and networking for cyber-security professionals on a regional level. SecureWorld provides more content and facilitates more professional connections than any other event in the cyber-security industry. Established in 2002, SecureWorld offers many different continuing professional education sessions over two days in 14 cities throughout the United States.
AVAR 2014 (location and date not listed) The 17th Association of anti-Virus Asia Researchers International Conference: Security Down Under. Topics will include case studies of targeted attacks, real-life attack demonstrations, web-inject attacks/code insertion attacks, man-in-the-browser attacks, targeted advanced persistent threats, dedicated advanced evasion techniques, and mitigations to all of these. The conference will also take up identification and investigation of targeted threats, how to spot targeted attacks in collections, COINTEL (counter intelligence) on determined adversaries (e.g., detecting the attacker, running honeypots, etc.), mobile malware, and security policies.
ZeroNights 2014 (Moscow, Russia, Nov 13 - 14, 2014) ZeroNights is an international conference dedicated to the practical side of information security. It will show new attack methods and threats, showcase new possibilities of attack and defense, and suggest out-of-the-box security solutions. ZeroNights gathers experts, infosecurity practitioners, analysts, and hackers from all over the world
Cyber Security Awareness Week Conference (New York, New York, USA, Nov 13 - 15, 2014) Get ready for CSAW: the largest student-run cyber security event in the nation, with a research conference that attracts some of the biggest names in the industry, and a career fair with an impressive list of corporate partners. It's a weekend of competitions, keynote talks and cyber security events, designed to prepare best-performing students with the skills and knowledge to shape the future of the industry
Ground Zero Summit, India (New Delhi, India, Nov 13 - 16, 2014) Ground Zero Summit (GOS) 2014, in its second year, promises to be Asia's largest Information Security gathering and proposes to be the ultimate platform for showcasing research and sharing knowledge in the field of cyber security. GOS rationale: The increasing volume and complexity of cyber threats, including phishing scams, data theft, and online vulnerabilities, demand that we remain vigilant about securing our systems and information. Enterprises and governments worldwide are grappling with the grim reality of data and critical systems being exploited. This summit aims to address these new forms of cyber attack and formulate solutions
Cyber Threats to Critical Infrastructure: A Discussion of Challenges, Responses and Next Steps (Herndon, Virginia, USA, Nov 18, 2014) The vulnerability of the nation's critical infrastructure to cyber attack or disruption, whether from nation-states, non-state actors, hackers or disgruntled insiders, is of increasing concern to both the government and the private sector. INSA's Homeland Security Intelligence Council and Cyber Council are bringing together a panel of nationally-recognized experts to respond to a fictional scenario involving a cyber attack on critical infrastructure in the energy sector
Deepsec 2014 (Vienna, Austria, Nov 18 - 21, 2014) DeepSec is an annual European two-day in-depth conference on computer, network, and application security. This is a non-product, non-vendor-biased conference event. Our aim is to present the best research and experience from the field's leading experts.
BugCON (Mexico City, Mexico, Nov 19, 2014) BugCON Security Conference is a hardcore technical conference focused on the technical side of security. Running since 2008, BugCON is the oldest forum where researchers, students and professionals show their latest research and projects
Navy Now Forum: Admiral Rogers (Washington, DC, USA, Nov 19, 2014) Leaders from the Navy will present new initiatives in-depth, providing the audience with a thorough knowledge of the Navy's future plans. During the luncheon, military personnel and industry leadership will provide feedback on these initiatives to help chart the Navy's direction. This luncheon will feature NSA Director Admiral Michael Rogers
International Cyber Warfare and Security Conference (Ankara, Turkey, Nov 19 - 20, 2014) In-depth discussions will cover: new emerging threats and challenges on cyber warfare, the policy of leading cyber nations in cyber warfare and security, legal aspects of cyber warfare, industrial perspective in cyber warfare and security, new trends, new developments, technologies and solutions, and the next generation of cyber attacks—mapping the future threat environment.
EDSC 2014 (Seattle, Washington, USA, Nov 20 - 21, 2014) EDSC is a security conference focusing on embedded systems, hardware, and anything behind the silicon curtain. Embedded testing is a rapidly expanding area of the security industry, and staying current is important for engineers, researchers, and testers alike. EDSC will bring the top thought leaders in the embedded security field together for two days to share knowledge, techniques, and research.
Cyber Security World Conference 2014 (New York, New York, USA, Nov 21, 2014) Welcome to Cyber Security World Conference 2014 where renowned information security authorities and innovative service providers will bring their latest thinking to hundreds of senior executives focused on protecting today's enterprises. Cyber security experts will discuss topics such as protecting individuals and companies against cyber-attacks, biometrics as the future of security, risks brought by mobile computing, and protecting corporate and national infrastructure against foreign attacks
Ethiopia Banking and ICT Summit (Addis Ababa, Ethiopia, Nov 21, 2014) The one-day summit is designed to highlight the key investment opportunities, especially in the Banking & ICT sectors. As an emerging economic capital for the region, Ethiopia is leading the way in industrial growth, international trade and global integration for sub-Saharan Africa as a whole.
BSidesVienna (Vienna, Austria, Nov 22, 2014) BSidesVienna will open its doors again in 2014. Be part of it and stay tuned
BSidesToronto (Toronto, Ontario, Canada, Nov 22, 2014) This year the conference is bigger, better, faster and…well, still one day in length, but we have an awesome line-up. And no, I'm not just paying "lip service"
DefCamp5 (Bucharest, Romania, Nov 25 - 29, 2014) DefCamp is the most important conference on Hacking & Information Security in Central Eastern Europe. The goal is to bring hands-on talks about the latest research and practices from the INFOSEC field, gathering under the same roof security specialists, entrepreneurs, academia, and the private and public sectors