The CyberWire Daily Briefing for 4.16.2014
As Ukraine mobilizes and Russian provocation intensifies, Mashable speculates about a role for cyber operations in battlespace preparation (and in marshaling irregular forces).
Stanching Heartbleed continues to preoccupy enterprises. Government Security News sees a long road of discovery and recovery ahead. (One minor exploit is worth mentioning as an example of inviting Nemesis into one's life: a commenter on a newspaper site pooh-poohed Heartbleed and put his security where his mouth was by posting his passwords. He was, of course, promptly hacked.) Dell, HP, and IBM have all issued software and firmware patches.
Some analysts wonder whether OpenSSL's Heartbleed problems originate in certain kinds of open source business models (bluntly characterized as "panhandling" by ZDNet's Seltzer) and development styles (which Pro Publica's Angwin likens to a "Wikipedia volunteer project").
Insurers continue to warn the energy sector that it's got a cyber security problem. Responsibility and liability for security are being slowly sorted in retail and mobile markets.
JPMorgan announces a major investment in cyber security, committing $250M to upgrades that will include at least three SOCs.
The US Government and the aviation industry announce a major step in cyber information sharing with the formation of the Air Domain Intelligence Integration Center.
BAE will open a cyber software development hub in Malaysia.
Both the UK and Saudi Arabia are getting new intelligence leaders as Prince Bandar Bin Sultan is out at the Saudi Arabian Intelligence Agency, Robert Hannigan in at GCHQ.
Quartz offers good tips on recognizing recruitment for espionage.
Notes.
Today's issue includes events affecting Canada, European Union, Israel, Malaysia, Poland, Russia, Saudi Arabia, Turkey, Ukraine, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Could Russia Use Cyberwarfare to Further Destabilize Ukraine? (Mashable) Eastern Ukraine is full of rioters ready to separate from their nation's government in Kiev — at least, that's the message the Russian government may want to project to the world. And analysts believe the Kremlin could use cyberattacks to create more chaos and support its objectives
Heartbleed prognosis: Long, laborious discovery, recovery (GCN) As the initial shock from the April 7 revelation of the OpenSSL Heartbleed bug receded, it was replaced with a sense of foreboding over what the long-term impact will be. No one, it seemed, was willing to cast this as just another hiccup in the evolution of online security
Heartbleed: routers and phones also at risk, says security expert (The Guardian) Manufacturers must patch routers, video conferencing software and desktop phones, as scale of software vulnerability continues to grow
Ottawa downplays cyber-bug (Winnipeg Free Press) The cyber-bug that facilitated the theft of 900 Canadian social insurance numbers seems also to have disabled the government's tongue
These legal websites had the Heartbleed security flaw (ABA Journal) The Heartbleed security flaw has affected several websites popular with lawyers
Heartbleed undermines Bitcoin client, developers advise update (FierceITSecurity) Fully digital currencies exhibit many strengths by existing solely online: quick transfers, safety from analog danger and transparency across the market, to name a few. But what happens when a digital threat undermines the security users have built their e-stockpiles on?
Think tank challenges Heartbleed handwringing (CSO) Recent opinion piece has researchers debating seriousness of the OpenSSL flaw
Man who made light of 'Heartbleed thingamajig' hacked within minutes (Telegraph) A man who said that he "couldn't give a flying fig about the Heartbleed thingamajig" and openly posted his passwords in a comment under a news story about the vulnerability has, unsurprisingly, had several of his online accounts hacked
LaCie admits hackers have been stealing its customer information… for the last year (Graham Cluley) If you visit the company profile page on the website of hardware manufacturer LaCie, you'll find this message from the company's chairman
Cyber extortionists swipe cosmetic surgery records, try to blackmail Harley Medical Group (Naked Security) Cyber crooks may have broken into Harley Medical Group, a cosmetic surgery firm with 21 clinics in the UK, to filch the intimate details of about 480,000 potential patients and then try to extort money from the company
Announced Cyber Attack On Israel Fizzled (HS Today) The international hacking group "Anonymous" and other groups of hackers declared Monday April 7 would be a day of cyber attacks on Israel in retaliation for Israeli attacks on Gaza. But their much touted cyber assault on the Jewish state didn't succeed in bringing down many Israeli-based websites
Your medical files may be at risk (Military Times) After veteran Aaron Alexis shot and killed a dozen people at the Washington Navy Yard last September, the Air Force noted a spike in the number of personnel dipping into his electronic medical file. The snooping — illegal under the Health Insurance Portability and Accountability Act, or HIPAA — was so pervasive that it prompted Air Force Medical Operations Agency Director Brig. Gen. Sean Murphy to issue an Air Force medical command reminder of policy and law
Clydesdale Bank Still Running Windows XP, Says It's Using a Firewall (Softpedia) Windows XP is an operating system that no longer receives support and security patches, but Microsoft is well aware that many users are still running it, so it continues to issue warnings and recommendations for those who need to upgrade. A number of banks, however, are making serious efforts to move all their PCs from Windows XP to Windows 7 or Windows 8, even though it's a very expensive process that also involves hardware upgrades
Security Patches, Mitigations, and Software Updates
Server makers rushing out Heartbleed patches (CSO) Dell, HP and IBM issue firmware and software updates for servers affected by the Heartbleed bug
Oracle Critical Patch Update Advisory — April 2014 (Oracle) A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes
No Heartbleed holes in Java, but here comes a sea of patches anyway (Naked Security) Oracle's quarterly Patch Tuesday updates for April 2014 are out
Google patches Android icon permissions attack (CSO) FireEye found malware that could change other icons, sending victims to phishing sites
Cyber Trends
Ukraine tensions could hurt international security efforts, Kaspersky says (PCWorld) International conflicts such as the current tensions over Ukraine could stand in the way of global cooperation on cybersecurity, according to the founder of Kaspersky Lab
Energy Firms Unprotected for Major Cyber Events: Willis (Insurance Journal) Energy companies have no insurance against major cyber attacks, reinsurance broker Willis said, likening the threat to a "time bomb" that could cost the industry billions of dollars
Financial Services Companies Facing Varied Threat Landscape (Threatpost) Many of the stories about attacks on banks, payment processors and other portions of the financial services system around the world depict these intrusions as highly sophisticated operations conducted by top-level crews. However, the majority of the attacks these companies see aren't much more advanced than a typical malware attack, experts say
Target and the Security Liability Blame Game (Tripwire: The State of Security) They say the reality is based on everyone's unique perspective. This belief is certainly solidified with a major retailer who sustained a breach in 2013. As the majority of our industry closely scrutinizes this event and subsequent legal actions, we must remember what a game changer is for some may mean absolutely nothing for others
Mobility: Who Bears The Brunt Of Data Security & Privacy (Dark Reading) OS manufacturers, app developers, and consumers all have a role to play in smartphone data security. But not everyone is equally responsible
Mobile Malware: 10 Terrible Years (Trend Micro) We all just want to enjoy using our mobile devices without worries, which would only be possible if we didn't have to think about malware. Despite the hassle they bring though, mobile malware should be appreciated for what they've done. That doesn't mean celebrating the fact that cybercriminals use them to prey on mobile users for profit. Rather, they made us smarter, savvier technology users. Because 2014 marks mobile malware's tenth year anniversary, let's take a trip down memory lane to see just how much they've evolved
Privacy could 'crash' big data if not done right (FierceHealthIT) Privacy has the potential to crash big data before there's a chance to get it right, and finding the right balance is key to future success, experts argued at a Princeton University event earlier this month
Websense 2014 threat report: Emerging trends in cyber-attack methodology (CIOL) Key findings shed light on cybercriminal services, emerging threat ecosystem and key stages for attack interception
Former Homeland Security chief: C-Suite needs to get a grip on cyber risks (ZDNet) The former Homeland Security chief outlined two conditions we're going to be dealing with as companies, countries, and individuals: the global scourge of terrorism and the digital "forevermore"
Human Autonomous Zones — The Real Role of Hackers (Cyberwarzone) How the role of hackers in society has changed. They used to be a necessary counterbalance to corporate and government power. Now, it's more like hackers are the only ones who understand the technology. They have become a balance to the power of technology itself
Who Do You Trust, Now? (BankInfoSecurity) Identifying Who's Left to Trust in Cyberspace
Marketplace
JPMorgan to invest £150 million on boosting cyber security (ComputerWorld) Fighting cyber crime is a 'never-ending battle', says CEO Dimon
Aviation Industry and Government to Share Cyber Threats in New Intelligence Center (Wall Street Journal) The aviation industry and the government announced Tuesday the creation of new platforms to share information about cyber security. The Air Domain Intelligence Integration Center and an accompanying analysis center are the latest examples of how industry and government are starting to ramp up efforts to share information related to cyber threats as the problem continues to grow
Case study: How one broker took on a tough cyber risk and won (Insurance Business America) The cyber insurance market is in a state of flux, with new carriers entering the market and offering products so different, it can make a producer's head spin. To learn more about the process of placing risk in this environment, Insurance Business America asked Christine Marciano of Cyber Data-Risk Managers in New York to tell us about a particularly challenging case and the methods she used to crack it
BAE Shifts Cyber Software Development to Malaysia (Defense News) BAE Systems Applied Intelligence business is moving the center of its cyber software development activities to Malaysia as part of a strategy that will see the Southeast Asian location emerge as a key component of its growing security business, according to Richard Watson, the division's Asia Pacific region managing director
Why Twitter Just Bought Social Data Provider Gnip (Fast Company) It seems Twitter hopes to increase revenue by giving companies access to valuable tweet data about potential customers
Check Point's latest A/NZ strategy targets partners, SMBs (ARN) Security vendor broadens its scope following several local appointments
Raytheon wins $4.7M contract to continue State cyber-protection support (Washington Technology) Raytheon Oakley Systems received a $4.7 million task order from the State Department for continued support of the Raytheon InnerView software. The task order was a sole-source award because of proprietary information needed to continue operation of the InnerView security monitoring infrastructure required to support mission-critical systems
Fortinet Leads Industry in Zero-Day Discoveries (MarketWatch) Since 2006, Company's FortiGuard Labs has uncovered 143 zero-day vulnerabilities, 18 in 2013 alone
KeyW Corp. expands in Hanover and Severn (Capital Gazette) KEYW Corp. has leased 90,000-square-feet of additional office space in Hanover to expand its Advanced Cyber Research and Training Center
Richard Coleman Jr Named to Ciber's Board of Directors; Paul Jacobs Comments (GovConWire) Richard Coleman Jr., a private investor and business adviser, has been appointed to Ciber's (NYSE: CBR) board of directors and succeeds Archibald McGill, who retired Thursday after 16 years in the role
Akamai Appoints Seksom Suriyapa as Head of Corporate and Business Development (MarketWatch) Former COO at SuccessFactors, Suriyapa brings over 20 years of strategic, operational, and financial experience transforming companies into market leaders
Chad Tilbury Joins CrowdStrike as Technical Director (IT Business Net) Brings more than a decade of advanced forensics and incident response experience to CrowdStrike's services team
(ISC)² launches cyber forensics credential in Europe (ComputerWeekly) Information and software security professional body (ISC)² has announced the availability of its Certified Cyber Forensics Professional certification in Europe
Products, Services, and Solutions
VMware Offers Disaster Recovery As A Service (InformationWeek) VMware disaster recovery service lets customers automatically replicate business systems and data in one of VMware's five vCloud Hybrid Service datacenters
Which ZoneAlarm Is Best for You? (PC Magazine) There's a common pattern found in the product line of many security vendors. They'll start with a simple, standalone antivirus product. Next up is a security suite, with additional features that may include a firewall, spam filtering, parental control, and more. At the top of the product line is what I call a mega-suite, which may add encryption, backup, PC tuneup, or just about anything remotely security-related. I typically review all three levels
ESET Continue to support Windows XP Operation System for 32-Bit and 64-Bit Versions till April 2017 (Pardaphash) ESET, global provider of security solutions for businesses and consumers, announced today that ESET commits to support the Microsoft Windows XP operating system for 32-bit and 64-bit versions till April 8, 2017. ESET will also be providing regular virus signature updates, and customer care support to Windows XP users
ESET launches online store for antivirus and IT (CIOL) Global IT security solutions vendor anticipates 10 percent of Middle East sales will be redirected via the newly established online channel
Advanced Endpoint Threat Protection (Dell SecureWorks) The advanced threat actor will evade information security controls and most CISOs acknowledge this reality
SparkCognition: Let machines address security threats (ZDNet) Can machine learning, predictive analytics and big data analysis ferret out security threats before they can harm an organization's IT assets?
Splunk App for VMware® Delivers Insights Beyond Virtualization (MarketWatch) New features bring comprehensive operational visibility across multiple technology tiers
Bradford Networks Integrates With FireEye Threat Prevention Platform to Deliver Customized Solution for Rapid Threat Response (MarketWatch) Network Sentry/RTR for FireEye correlates high fidelity security alerts from the FireEye NX platform to contain advanced cyber threats on compromised endpoints in seconds
Technologies, Techniques, and Standards
Did open source matter for Heartbleed? (ZDNet) Open source does not provide a meaningful inherent security benefit for OpenSSL and it may actually discourage some important testing techniques. Also, panhandling is not a good business model for important software like OpenSSL
The U.S. Government: Paying to Undermine Internet Security, Not to Fix It (Pro Publica) One lesson of the Heartbleed bug is that the U.S. needs to stop running Internet security like a Wikipedia volunteer project
Programming Language Security Examined (Threatpost) When building an enterprise Web application, the most foundational decision your developers make will be the language in which the app is written. But is there a barometer that measures the security of the programming languages developers have at their disposal, or are comfortable with, versus other options?
Don't Blame It On The Web Programming Platform (Dark Reading) New data shows no one Web development platform generates more vulnerabilities than another — and website security is still a problem
HIPAA security risk assessment tool: Small provider needs (HealthITSecurity) Though the Department of Health and Human Services (HHS) released its HIPAA security risk assessment tool a few weeks ago, it's still unclear how healthcare organizations will use the tool as part of their HIPAA Security Rule compliance strategy
Should you be sandboxing cyber threats? (CBR) Gabi Reish, global head of product development at network security specialist Check Point, talks to Duncan MacRae about the IT threat landscape and how 'sandboxing' should be part of everyone's defence
Social Media Monitoring and Compliance: Five Best Ways to Navigate Complexity in the Workplace, Part IV (Cyveillance) In our previous post, we discussed why it's important to be transparent when establishing social media monitoring and why you should have a formal social media policy. In our fourth and final post, we'll take a look at how a third-party monitoring service can be helpful
Looking for malicious traffic in electrical SCADA networks — part 1 (Internet Storm Center) When infosec guys are performing intrusion detection, they usually look for attacks like portscans, buffer overflows and specific exploit signature. For example, remember OpenSSL heartbleed vulnerability? The following is the snort alert for this vulnerability, taken from the snort community rules
Design and Innovation
How the Internet Could Have Predicted the Invasion of Ukraine (DefenseOne) In the buildup to the annexation of Crimea, Russian forces surprised many in Washington by maintaining strict radio silence. The United States was caught off guard in its inability to intercept Russian military communications, suggesting a failure of official intelligence, but also a new opportunity for public intelligence
The plot to kill the password (The Verge) The world's most powerful companies want you to log in with fingerprints and eyescans
Microsoft brings a "data culture" to the Internet of Things (Ars Technica) Azure Intelligent Systems Service designed to manage data from any device
Academia
Big bucks going to universities to solve pressing cybersecurity issues (Network World) During a week in which everyone seemed to be searching for answers amid revelations of the Heartbleed bug, several universities and their partners announced new efforts to explore IT security advances
Maryland colleges aren't making the grade in developing cyber talent (Baltimore Business Journal) There are about 20 colleges in Maryland that offer degrees in computer science and information technology. Yet, those programs are failing to produce a viable workforce, says Homer Minnick, director of the Center for Cybersecurity at UMBC Training Centers
Legislation, Policy, and Regulation
Saudi Intel Chief Relieved of Duties (Defense News) The Saudi Arabian intelligence chief, Prince Bandar Bin Sultan, has been "exempted from his duties" today, according to a Royal decree issued by King Abdullah Bin Abdel Aziz
UK Names New Head of GCHQ After Snowden Leaks (AFP via SecurityWeek) Britain Tuesday named a top foreign ministry official as the new head of GCHQ, the electronic eavesdropping agency that came under scrutiny after leaks by former US analyst Edward Snowden
More heartache from Heartbleed (National Post) But the National Security Agency is doing its level best to convince everyone it knew nothing about the loophole created by the Heartbleed bug
House bill to support Ukraine includes cybersecurity (Inside Cybersecurity) House leaders on defense and intelligence issues are backing legislation intended to boost U.S. support for Ukraine in its struggles with Russia, which includes provisions for hardening cyber networks in the United States
Note to Government: Mandate Cybersecurity, Then Get Out of the Way (Xconomy) The digital economy stands on uncertain ground
Connecticut issues cybersecurity plan, setting stage for regulation (Inside Cybersecurity) Connecticut Gov. Dannel Malloy (D) has released a cybersecurity plan for the state's utilities developed with industry, drawing on the recently released federal framework for protecting critical infrastructure in cyberspace and perhaps paving the way for new standards
Twitter agrees to shutter some accounts, Turkey says (CNET) The company will not, however, open an office in Turkey just yet, despite requests from the Turkish government
Litigation, Investigation, and Law Enforcement
Routine leaks ubiquitous but poorly understood, law professor says (FierceGovernment) Routine leaks to Congress, the press and advocacy groups play a vital and underappreciated role in oversight and presidential power, says an article published in the Georgia Law Review
Four ways to tell if you're being recruited to become a Chinese spy (Quartz) Glenn Duffie Shriver, a US citizen currently serving four years in federal prison for conspiring to commit espionage on behalf of the Chinese government in 2010, has offered some advice for fellow Americans: Don't be fooled by friendly Chinese intelligence agents
Mt.Gox Will Reportedly File For Liquidation Instead Of Bankruptcy (TechCrunch) Mt.Gox has filed for liquidation in a Tokyo court instead of going forward with its plans to rebuild under bankruptcy protection
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
MeriTalk's Cyber Security Brainstorm (Washington, DC, USA, Jun 18, 2014) This second annual event will take place on Wednesday, June 18 2014 at the Newseum in Washington D.C. The event will bring together Federal cyber security experts to share best practices, collaborate on challenges, and discuss what is needed for the future of cyber security. This year's program will begin with a keynote from White House Federal Agency Cybersecurity Director John Banghart, followed by panel sessions on continuous diagnostics & mitigation (CDM), data breach, and identity management.
NSA Procurement in today's business arena (Elkridge, Maryland, USA, Apr 16, 2014) An opportunity to gain inside perspective on market trends in NSA Procurement. The guest speaker will be William Reybold, National Security Agency's Deputy Senior Acquisition Executive (SAE), who manages all Agency procurements, from off-the-shelf supplies to developing and deploying large, highly technical, and complex new system. He is directly accountable for delivery of all major systems acquisitions and includes as part of the organization, the NSA Contacting Group.
Suits and Spooks San Francisco: S3+: Surveillance, Security, Sovereignty and other Critical Issues. Not another hacker conference. Suits and Spooks is a unique gathering of experts, executives, operators, and policymakers who discuss hard challenges in a private setting over two days. CFP is now open. If you're interested in being a speaker at Suits and Spooks San Francisco, please send an email with your topic title, short abstract, and your bio by February 15th.
US News STEM Solutions: National Leadership Conference: The STEM crisis in the United States demands solutions—and nowhere is the search more concentrated than at U.S. News STEM Solutions. Now in its third year, this premier national leadership conference is an outcome-focused forum for the entire network of experts, advocates and change-makers who are proactively working to fill jobs now and advance the future of the STEM workforce. More than a broad-based discussion of the issues, this year's conference will zero in on tangible results, real successes and collaborative strategies that are already moving the needle. If you have a vested interest in the development of the STEM pipeline, make your voice heard where it will have the most impact.
East Africa Banking and ICT Summit (Kampala, Uganda, Apr 25, 2014) The global event series for Banking and ICT Summit enters its third year. The summit will continue to provide delegates with technical & practical sessions, lectures and showcase for banking and ICT innovations, and unique networking opportunities.
National Collegiate Defense Cyber Competition: Registration for the 2014 CCDC season is underway! Visit your region's website or contact your regional for registration and competition information.
InfoSecIndy (Indianapolis, Indiana, USA, Apr 26 - 27, 2014) Join us on April 26-27, 2014 in Indianapolis, Indiana for the premier Midwest Information Security and Digital Forensics Conference.
United States Cyber Crime Conference 2014: This is the only event of its kind that provides both hands-on digital forensics training and an interactive forum for cyber professionals to network. The conference covers the full spectrum of topics facing defenders as well as law enforcement responders. All aspects of computer crime will be covered, including intrusion investigations, cyber crime law, digital forensics, information assurance, along with research and development, and testing of digital forensic tools.
Infosecurity Europe 2014: Infosecurity Europe is Europe's number one Information Security event. Featuring over 350 exhibitors, the most diverse range of new products and services, an unrivalled education programme and over 12,000 visitors from every segment of the industry, it's the most important date in the calendar for Information Security professionals across Europe.
Cyber COMSEC and IT Day at Fort Huachuca: This one-day vendor expo is a unique opportunity to demonstrate your products and services to military and civilian personnel at Fort Huachuca. Exhibitors will have a casual atmosphere to share ideas, concerns and build relationships with the men and women of Fort Huachuca.
Kirtland AFB — Cyber Security Seminar & Information Technology Expo (Albuquerque, New Mexico, USA, May 7, 2014) Join FBC and the Armed Forces Communications & Electronics Association (AFCEA)-Albuquerque Chapter for the Cyber Security Seminar & Information Technology Expo set to take place at Kirtland Air Force Base. This is the only yearly event officially sponsored by AFCEA at Kirtland AFB. The goal of this expo is to stimulate exchanges of information between industry partners and Kirtland AFB Information Management Officers, Information Technology personnel, Contracting Officers, as well as end-users, developers, scientists, researchers and project managers in the areas of cyber security and information technology.
US Secret Service Cybersecurity Awareness Day (Washington, DC, May 8, 2014) This Cybersecurity event will be the first of its kind at the USSS. There will be 2-3 opportunities for participating companies to present a 1/2 hour presentation on a Cybersecurity topic of concern to the agency. In addition, this event will be widely attended by the majority of personnel at the USSS HQ building. Attendance is expected to be over 300 for the event.
SANS Security West: SANS Security West will arm information security professionals with the necessary insight to prepare their organization for today and the future. Attendees will have the opportunity to advance their information security skill set by learning innovative ideas and techniques to fend off today's most challenging cyber threats as well as emerging threats.
Eurocrypt 2014: Eurocrypt 2014 is the 33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques. It is devoted to all aspects of cryptology.
ISPEC 2014 (Fujian, China, May 12 - 14, 2014) The ISPEC conference series is an established forum that brings together researchers and practitioners to provide a confluence of new information security technologies, including their applications and their integration with IT systems in various vertical sectors.
GovSec 2014 (Washington, DC, USA, May 13 - 14, 2014) GovSec is the nation's premier event for Government, Homeland Security, and Law Enforcement professionals looking for proven strategies and cost effective technology so they can achieve their mission of protecting our critical infrastructures, key assets, communities and the nation.
Cyber Security for National Defense Symposium: DSI's Cyber Security for National Defense Symposium is designed as an educational and training "Town Hall" forum, where thought leaders and key policy-makers across military and civilian organizations can come together for actionable discussions and debate. The symposium will focus on increasing the security and resiliency of the Nation's critical networks, operating freely in the Cyber Domain, and the protection of infrastructure in support of national defense and homeland Security.
INFILTRATE: INFILTRATE is a deep technical conference that focuses entirely on offensive security issues. Groundbreaking researchers focused on the latest technical issues will demonstrate techniques that you cannot find elsewhere. INFILTRATE is the single-most important event for those who are focused on the technical aspects of offensive security issues, for example, computer and network exploitation, vulnerability discovery, and rootkit and trojan covert protocols. INFILTRATE eschews policy and high-level presentations in favor of just hard-core thought-provoking technical meat.
Security BSides Denver 2014 (Denver, Colorado, USA, May 16, 2014) Each BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening.
Security Start-up Speed Lunch NYC (New York, New York, USA, May 19, 2014) Our goal for this inaugural event is to connect the most promising security startups in the world with decision-makers at aerospace, asset-management, banking, communications, defense, energy, healthcare, government, technology and transportation sector companies in a novel way: the speed lunch.
CEIC 2014 (Las Vegas, Nevada, USA, May 19 - 22, 2014) It's no exaggeration to say that CEIC is the biggest digital-investigations conference of its kind and the only one to offer hands-on lab sessions and training for practical skills development. From sessions on acquiring evidence from mobile devices to international e-discovery to cyber security intelligence, there's simply no other training or seminar series available that packs so much relevant and practical information from so many expert speakers into a single four-day period.
The Device Developers' Conference: Bristol (Bristol, England, UK, May 20, 2014) The Device Developers' Conference is an annual UK event for the developers of intelligent systems and devices. The objective is to provide an event that provides engineers with an opportunity to learn about the latest tools, technologies and techniques for the successful development of leading edge electronic products and systems.
Positive Hack Days Positive Hack Days is the international venue for the unification of progressive forces of the IT industry. It is about innovators interested in information security problems; it is fresh blood and bright eyes, the atmosphere of a huge research ground, communication between people sharing the same views and their opponents, minimum formalities and maximum practice.
Georgetown Law: Cybersecurity Law Institute A day does not go by where cybersecurity is not in the news. In fact, according to a recent national survey conducted by FTI Consulting, cybersecurity is the number one issue on the minds of general counsels of American companies. Last year's inaugural Cybersecurity Law Institute received positive reviews for its unique simulation approach that prepared attendees on actions to take if their company faced a cyber-attack.
NSA Mobile Technology Forum (MTF) 2014 The Mobile Technologies Forum is an annual event that attracts SIGINT, Information Assurance, HUMINT, Federal Law Enforcement, Counterintelligence and Government personnel from the United States, Australia, Canada, New Zealand, and United Kingdom focused on mobile technologies. Those companies who specialize in both current and future mobile features and equipment or have efforts that benefit NSA's efforts should participate as a commercial vendor; conference attendance is limited to government employees.
CyberMontgomery Forum: Center of Gravity (Rockville, Maryland, USA, May 22, 2014) Cybersecurity will be a major growth engine in the region for many years to come. With solid federal government, industry and academic assets already in place in the region, there is still a need to bring them together so that they can coalesce and elevate the cyber ecosystem to a level of national prominence. CyberMontgomery Forum events will provide clear direction on finding business opportunities, contracting, forecasted demand areas, workforce development, recruiting & staffing, legal responsibilities for businesses, updates on technologies being developed in MoCo and summary updates regarding our NCCoE neighbors, federal civilian agencies and commercial sector leaders.
Cyber Risk Summit (Washington, DC, USA, May 22, 2014) This one-day leadership conference will provide a discussion forum for business executives, insurance companies and policymakers on more effective private and public responses to cyber risk management. Topics to be discussed by expert speakers will include state and federal regulatory and legislative initiatives, efforts to develop a common cyber security framework, the threats from cyber espionage and terrorism, and the development of public and private mechanisms to finance and transfer losses from cyber events.
The Device Developers' Conference: Cambridge (Cambridge, England, UK, May 22, 2014) The Device Developers' Conference is an annual UK event for the developers of intelligent systems and devices. The objective is to provide an event that provides engineers with an opportunity to learn about the latest tools, technologies and techniques for the successful development of leading edge electronic products and systems.
Fort Meade Technology Expo The Ft. Meade Technology Expo is a one-day event held at the Officers' Club (Club Meade) on base. Industry vendors will have the unique opportunity to showcase their products and services to personnel that may otherwise be unattainable.
CANSEC CANSEC is Canada's foremost defence tradeshow. A two-day event, CANSEC will feature 120,000 square feet of indoor exhibits by Canada's leading edge defence companies, as well as an outdoor static display. This tradeshow targets a wide audience of customers that includes Government agencies and departments with an interest in the defence sector.
Hack in The Box Security Conference (HITBSecConf) Amsterdam HITBSecConf Amsterdam is a gathering of network security professionals and enthusiasts who come from all corners of the globe to discuss the next generation of attacks and defense techniques. This is not an event you come to for 'security 101' talks or marketing hype. We cover stuff that hasn't made it into the news — yet. Potential security issues coming our way in the next 12 months.