The CyberWire Daily Briefing for 4.23.2014
Heartbleed patching continues as exploits circulate. The vulnerability raises questions about OpenSSL's long-term viability, even among some of OpenSSL's longtime creators and collaborators.
Users of Microsoft OneDrive for Business (née SkyDrive) may face a data integrity issue: OneDrive for Business appears to alter some files when it syncs.
A bogus Facebook app carries a malware payload that enables Android spying and financial account pilferage.
The Cydia Substrate (née MobileSubstrate) add-on "Unflod" continues to threaten jailbroken iOS devices. (Best defense? Don't jailbreak them in the first place.) Some analysts have tentatively attributed Unflod to Chinese operators, but this remains speculation.
The Snorters at VRT Blog publish an update on the Snake (a.k.a. Turla, a.k.a. Uroburos) rootkit.
More Internet-of-things concerns surface. Ars Technica reports that anesthesia devices can become cyber-virus ridden should smartphones be connected to their USB ports, then wonders, first, why anyone would connect a phone to a medical device (lazy charging?) and second, why anesthesia devices have USB ports in the first place (easier patching?). Bloomberg worries that widespread wireless connectivity has increased the ease with which criminals can extract money from ATM skimmers. And Wired says a couple of guys have built "Conversnitch," a device that impersonates a light bulb, but which actually eavesdrops and livetweets conversations in its vicinity.
In industry news, more talk of cyber insurance. QinetiQ continues to pursue focus through disassembly of North American operations.
Australia, India, and Brazil moot new cyber laws.
An FTC lawsuit is expected to clarify what counts as "reasonable protection."
Notes.
Today's issue includes events affecting Australia, Brazil, China, India, Ireland, Russia, Ukraine, and the United States.
Cyber Attacks, Threats, and Vulnerabilities
Hackers seen exploiting Heartbleed to steal session tokens (Fierce CIO: TechWatch) Barely two weeks after the revelation of a critical vulnerability in the widely-used OpenSSL library, and active exploits by hackers have already been observed being conducted against businesses. In a nutshell, the serious vulnerability can be exploited to leak the memory contents of an affected server—and vice versa. Repeatedly sieving through the memory of the targeted server could hence yield sensitive data such as usernames and passwords, or even result in the recovery of the private keys used by the server
OpenSSL code beyond repair, claims creator of "LibreSSL" fork (Ars Technica) OpenBSD developers "removed half of the OpenSSL source tree in a week"
Microsoft OneDrive for Business can Alter Your Files as It Syncs (CollaboristaBlog) Microsoft OneDrive for Business, which until recently used to go by the name of SkyDrive Pro, is making headlines today for all the wrong reasons
Fake Facebook app attack can lead to your Android being spied upon, and your bank account being hacked (We Live Security) Are you a Facebook user? If so, be on your guard if you see a screen like the following popping up on your screen
Mysterious malware steals Apple credentials from jailbroken iOS devices (CSO) A malware campaign of yet-to-be-determined origin is infecting jailbroken iPhones and iPads to steal Apple account credentials from SSL encrypted traffic
Snake Campaign: A few words about the Uroburos Rootkit (VRT Blog) Over the past few days, analyzing the new Uroburos (aka Turla) rootkit has been exciting. That's because the sample dropper (MD5: a86ac0ad1f8928e8d4e1b728448f54f9) includes a lot of clever features. We don't want to rehash research already publicly available, but we will expand on some features that have not been covered in previous publications (like the driver loading strategy and the main dropper architecture)
Has your AOL account been spewing out diet spam? You're not alone… (Graham Cluley) It seems there is a big spam problem involving AOL accounts right now. You only have to check out the #AOLHacked hashtag on Twitter to see many people complaining
Bug can cause deadly failures when anesthesia device is connected to cell phones (Ars Technica) No, it's not clear why anyone would ever connect a phone to a medical device
What Happens When the 'Internet of Things' Comes to ATM Skimmers (Bloomberg) When Cisco Systems CEO John Chambers extols the virtues of the so-called Internet of Things, this clearly isn't what he has in mind
An Eavesdropping Lamp That Livetweets Private Conversations (Wired) Brian House and Kyle McDonald's creation, the Conversnitch, impersonates a lightbulb or lamp while eavesdropping on and livetweeting nearby conversations. As former NSA director Michael Hayden learned on an Amtrak train last year, anyone with a smartphone instantly can become a livetweeting snoop. Now a whole crowd of amateur eavesdroppers could be as close as the nearest light fixture
Michaels Data Breach Response: 7 Facts (Ars Technica) Could the retailer have done more to spot the eight-month intrusion in the first place?
Fake Reviews Trick Google Play Users (Webroot Threat Blog) Here at Webroot, we are constantly on the lookout for malevolent Android apps. In most cases, you do something malicious with your app and you get marked accordingly, but it's not always that simple. Two weeks ago an app called "Virus Shield" popped up on the Google Play store. Within days, Virus Shield became Google Play's #1 paid app. With thousands of reviews and a 4.7 star rating, who would question it? Well, a few people did, the code was looked at, and Google pulled it from the store. They have even gone as far as to make amends with those
Iowa State discloses data breach — attackers wanted to mine for coin (CSO) The IT staff at Iowa State University have disclosed a data breach involving five departmental servers on campus
NCO Financial Acknowledges Data Breach (eSecurity Planet) Customer names, addresses, Social Security numbers and account numbers were mistakenly exposed
Security Patches, Mitigations, and Software Updates
iPhones and Macs get fix for extremely critical "triple handshake" crypto bug (Ars Technica) Flaw makes it possible for attackers to bypass some HTTPS protections
Apple pushes out critical security fixes for OS X, iOS and Apple TV (Naked Security) Apple has been listening to Sophos Naked Security! Half-listening, anyway
Microsoft dramatically lowers price for Windows XP custom support (FierceCIO:TechWatch) It has emerged that Microsoft has reduced the fees that large enterprises have to pay for custom support, just weeks before the official retirement of the venerable Windows XP operating system. According to a report on Computerworld, Microsoft dramatically reduced top-end price caps from as much as $5 million per organization to just $250,000
Cyber Trends
Homeland Security encourages guarding oilfield against cyber threats (Odessa American) A lot of oilfield work relies on computer systems, whether controlling production at the well head or tracking arrival of crude to wholesale market
"Each One Is a Potential Attack Point": Study Could Assess Cyber Security in Basin Oil and Gas Industry (CBS7KOSA) We often hear about cyber-attacks against banks and credit card companies, but now Homeland Security wants to work on a plan to keep technology in the oilfield in the right hands
IT Security in Utilities (Intelligent Utility) Modern energy and utility companies are becoming vulnerable in ways they are not familiar with: via cyber-attacks. A Symantec report in January said that in the first half of 2013, energy was the fifth most targeted sector worldwide. It experienced 7.6 per cent of all cyber-attacks. During the same period, the Department of Homeland Security's Industrial Control System Cyber Emergency Response Team (ICS-CERT) said that cyber-attacks had doubled and significantly, 53% of those attacks were against the energy sector
Bulletproofing the Grid (IEEE Spectrum) A gun attack on a Silicon Valley substation has utilities looking to boost physical security
Cyber attacks move to cloud with increased adoption, report shows (ComputerWeekly) Cyber attacks on cloud environments have almost reached the same level as attacks on traditional IT, with increased adoption of cloud-based services by the enterprise, a study shows
Traditional brute force attacks, vulnerability scans found targeting cloud environments (Techienews) A research report resulting from a survey of over 2,200 customers of security-as-a-service provider Alert Logic reveals that cyber attacks on cloud environments are increasing at an alarming level as more and more enterprises move their data to the cloud
Bringing the Board Onboard for Cybersecurity (CSG Insights Blog) Who hasn't seen a team with the top players in the sport—a seemingly undefeatable team—lose when it's all on the line? Ultimately, despite their many advantages, the team's strategy unravels
The rate of cybercrime is on the rise, with some firms losing nearly €4 million because of it (Business ETC) The study from PWC found that cybercrime in Ireland has risen from 24 per cent to 45 per cent since 2011
People Matter in Cybersecurity (American News Report) What's the biggest challenge facing cybersecurity for companies and organizations? "Often it's their own people," said Mansur Hasib, author of "Cybersecurity Leadership" which was released this spring
Teachers cyberbullied by students and their parents (Naked Security) One in five UK teachers have been cyberbullied by students and/or their parents, according to a survey published by the teachers' union NASUWT
Bots Attack US Mainly During Dinnertime (Dark Reading) Most bot-infected machines hail from the US and wage attacks there between 6 and 9 p.m. Eastern Time, new report finds
Marketplace
Cyber insurance protects against data breach damage (The Tennessean) Cyber insurance may evoke ideas of science fiction, but for businesses, the risk associated with data breaches is very real
QinetiQ To Sell US Services Division (Defense News) QinetiQ has agreed to sell its US services division to the SI Organisation in a deal that could net the British defense technology company up to US $215 million
China's Huawei says reports of NSA spying won't impact growth (The Independent) The world's No.2 telecoms equipment maker, Huawei, shrugged off analysts' concerns that its growth will suffer from media reports alleging the United States accessed servers at its Shenzhen headquarters
Cyber firm Integrata Security is raising money, planning move to Federal Hill or Baltimore County (Baltimore Business Journal) Integrata Security is in the midst of raising anywhere from $1.1 million to $1.6 million, which will be used for product development
Products, Services, and Solutions
Google refunds Android users who bought fake Virus Shield app (Naked Security) Earlier this month an Android anti-virus app, named Virus Shield, managed to fool thousands of customers into buying it, despite not having any anti-virus capabilities
Google reportedly wants to make email encryption easier, but don't hold your breath (PC World) Still responding to the National Security Agency surveillance revelations, Google is reportedly preparing to help users beef up Gmail security with end-to-end encryption. The search giant is working on a way to make Pretty Good Privacy (PGP) encryption easier to use for Gmail fans, according to a report by Venture Beat
Facebook's Sheryl Sandberg: targeted ads don't trample on privacy (Naked Security) Facebook Bigwig Sheryl Sandberg wants us all to know that, targeted advertising or no, the Zuckerbergians are hovering over our private data like an anxious mother bird protecting her fluffy nestlings from voracious advertising raptors
Update To FORBES' Anonymous Document Drop In Response To Heartbleed (Forbes) The days of meeting reporters in an underground garage to exchange sensitive information are back. Emailing materials without taking proper precautions is now dangerously vulnerable to surveillance. For those who'd rather not troll maps for the perfect meeting place, FORBES has an easy solution. It's called SafeSource
Lunarline Announces New Training Program to Help DoD Adapt to the new RMF for DoD IT (MarketWatch) Lunarline's Rebecca Onuskanich: "We make this easy. Well, almost"
Belden Protects Critical Industrial Infrastructure with Advanced Cyber Security Toolkit (Wall Street Journal) Belden Inc. (NYSE: BDC), a global leader in signal transmission solutions for mission-critical applications, has released the Tofino Enforcer Software Development Kit (SDK), a toolkit that allows third parties to create next generation cyber security solutions using the company's patented Deep Packet Inspection (DPI) technology. Tofino Enforcer modules developed with the SDK protect difficult-to-secure supervisory control and data acquisition (SCADA) and industrial control system (ICS) protocols and improve the overall reliability and safety of industrial systems
Technologies, Techniques, and Standards
Is OpenSSL secure… in its dominance? (ZDNet) All it will take is one major player to endorse LibreSSL as compatible and functional and OpenSSL adoption will crumble
A guide to cloud encryption and tokenization (Help Net Security) Cloud adoption shows every sign of continuing to grow. The sharing of resources helps businesses achieve savings and agility based on economies of scale but there's a problem: cloud computing can also be an attractive target for cyber thieves
Cloud security still the missing link in M2M (ZDNet) With cloud the main enabler of machine-to-machine communications, questions about data security that remain unaddressed will continue to hinder wider deployment of Internet of Things
Hardware-Based Solutions Counter Medical Device Security Concerns (Medical Design Technology) The rapid growth of personal healthcare and medical products has focused renewed attention on the security of underlying device hardware and software. Ensuring authorized use and protecting critical data within these devices depends on deep security features that cannot be bypassed by traditional software methods. With the availability of hardware-based security features in microcontrollers (MCUs) and devices targeted for medical applications, engineers can harden designs for health-critical systems and devices
How can we create a culture of secure behavior? (Help Net Security) It's a busy day in your company and everyone is rushing around trying to respond to requests. Audrey gets an email that looks like it's from a partner asking her to look into a recently placed order. She clicks on the PDF to check it out. But instead of seeing the partner's order, she sees a landing page from the company's security team letting her know she fell prey to a simulated phishing attack. As she looks around the room, she sees that a few co-workers also have stunned looks on their faces
Social Media and Regulatory Compliance: Is Your Company Protected? (Cyveillance) Proofpoint hosted an excellent webinar a few weeks ago on "Tweets, Feeds, & Chatter: Social Media and Regulatory Compliance in 2014", which I've summarized here. Presenter Nick Hayes, an analyst at Forrester Research, discussed a number of regulatory pitfalls companies should be aware of as they navigate this challenging landscape
Bank of England to simulate cyber attacks to test threat response (ITPro) The attacks will test how prepared 20 of the UK's major banking institutions are. The Bank of England will test banking vulnerabilities with a number of high-profile institutions to test how prepared they are should a cyber attack occur
Typed passwords are no defense (Federal Times) With the flick of his wrist and a few keystrokes, Edward Snowden hand-typed other people's passwords and initiated data downloads in what has become the greatest national security information breach in U.S. history
Biometric Authentication: Still Waiting for Identity 2.0 (Recorded Future) It took just four days for German researchers to give the latex finger to the new Samsung Galaxy S5 and crack its fingerprint authentication. We should not be surprised, after recalling the similarly swift exploit of the iPhone by Chaos Computer Club last fall. We learn that phones with higher resolution scanners create demand for higher resolution fake fingers
7 Tips To Improve 'Signal-to-Noise' In The SOC (Dark Reading) When security analysts are desensitized to alerts because of sheer volume, they miss the true positives that can prevent a large-scale data breach. Here's how to up your game
Academia
Northrop Grumman, The University of Sydney Announce Partnership (MarketWatch) Northrop Grumman Corporation and the University of Sydney have signed a Memorandum of Understanding to work together to explore areas of common interest in providing educational, research initiatives and training programs that build local capacity across various sectors in Australia
Legislation, Policy, and Regulation
Should Australians prepare for rubber-hose cryptanalysis? (ComputerWorld) Law enforcement peak body wants to make it easier to decrypt communications
Brazil Passes Trailblazing Internet Privacy Law (SecurityWeek) Brazil's Congress on Tuesday passed comprehensive legislation on Internet privacy in what some have likened to a web-user's bill of rights, after stunning revelations its own president was targeted by US cyber-snooping
India backs 'new cyber law regime' (Indian Express) The note stresses that governments, organisations and individuals must take steps to enhance the security of information technology
US to surrender control of ICANN (Euractiv) A global conference in Brazil on the future of the Internet in the wake of US spying revelations might be much less anti-American than first thought, after Washington said it was willing to loosen its control
NSA Finally Reveals How PRISM Works, But It's Nothing New (Mashable) The NSA has finally decided to tell the world how the Internet surveillance program PRISM works, though it's been almost a year since its existence was revealed by one of the very first Edward Snowden leaks
Poor security policies put national security at risk at defense intelligence agencies, IG says (Washington Examiner) Defense intelligence agencies have allowed contract employees fired for misconduct to regain access to classified information, posing a threat to national security, according to a new report by the Defense Department's inspector general
GAO criticizes SEC over cybersecurity (FierceFinanceIT) The U.S. Government Accountability Office (GAO) has sent a 25-page report to the Securities and Exchange Commission detailing numerous weaknesses in the agency's cybersecurity controls over the nation's Securities markets. The report was the result of a security audit conducted by the GAO during the 2012 and 2013 fiscal years
Increased trust boosts Pentagon-industry info sharing (FCW) The Defense Department hopes an information-sharing program it launched in 2007 has matured into a potent weapon for mitigating cyber threats that are becoming too numerous to count. Speaking before a group of contractors and agency workers April 22, senior DOD officials made the case that the Defense Industrial Base Cybersecurity Information Assurance program has done just that
A Two-Way Flow of Information: Public-Private Partnership for Cyber Defense (The CyberWire) The CyberWire interviewed Mr. Alejandro Mayorkas, Deputy Secretary of Homeland Security, who participated in SINET ITSEF 2014. Deputy Secretary Mayorkas described his Department's role in US cyber security, in particular its responsibility for securing the .gov space, and how the Department has taken point on sharing information with the private sector
Litigation, Investigation, and Law Enforcement
Sensitive Data: What Constitutes 'Reasonable Protection'? (InformationWeek) NIST's Cybersecurity Framework takes on new context for industry execs in light of FTC lawsuit against the Wyndham hotel chain over data security lapses
Cyber War News Shuts Down Following DOJ Request (eSecurity Week) 'Site n email contacts all gone for good,' the publisher tweeted earlier this week
Government Employees Cause Nearly 60% of Public Sector Cyber Incidents (Nextgov) About 58 percent of cyber incidents reported in the public sector were caused by government employees, according to an annual data breach report compiled by Verizon. The findings — stripped of identifying information — do not mention ex-contractor Edward Snowden's mammoth leak of national secrets
Rubio calls Snowden scandal 'most damaging' espionage case in U.S. history. Is it? (Tampa Bay Times) Florida Sen. Marco Rubio makes it clear where he stands on Edward Snowden's exposure of the National Security Agency's spying programs: The situation couldn't be more dire. "The single most damaging revelation of American secrets in our history." Rubio said when asked about the matter after a foreign policy speech at the University of Texas on April 15
In questioning Russia's Putin about surveillance, Snowden misses the point (Washington Post) The question Edward Snowden should have asked Russian President Vladimir Putin on Thursday was: "Would you please describe how the three versions of SORM operate and what is done with the intercepted phone, e-mail and other electronic media those systems collect?"
Edward Snowden is not of the left (Los Angeles Post Examiner) National Security Agency leaker Edward Snowden recently asked Vladimir Putin via teleconference, "Does Russia intercept or store the communications in any way of millions of individuals?" Putin, a former officer in the former Soviet Union's KGB intelligence agency, replied, "You are a former spy so we will talk one professional language. Our intelligence efforts are strictly regulated by our law. We have to get permission to stalk any particular person"
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
US News STEM Solutions: National Leadership Conference The STEM crisis in the United States demands solutions—and nowhere is the search more concentrated than at U.S. News STEM Solutions. Now in its third year, this premier national leadership conference is an outcome-focused forum for the entire network of experts, advocates and change-makers who are proactively working to fill jobs now and advance the future of the STEM workforce. More than a broad-based discussion of the issues, this year's conference will zero in on tangible results, real successes and collaborative strategies that are already moving the needle. If you have a vested interest in the development of the STEM pipeline, make your voice heard where it will have the most impact.
East Africa Banking and ICT Summit (Kampala, Uganda, Apr 25, 2014) The global event series for Banking and ICT Summit enters its third year. The summit will continue to provide delegates with technical & practical sessions, lectures and showcase for banking and ICT innovations, and unique networking opportunities.
National Collegiate Defense Cyber Competition Registration for the 2014 CCDC season is underway! Visit your region's website or contact your regional for registration and competition information.
InfoSecIndy (Indianapolis, Indiana, USA, Apr 26 - 27, 2014) Join us on April 26-27, 2014 in Indianapolis, Indiana for the premier Midwest Information Security and Digital Forensics Conference.
United States Cyber Crime Conference 2014 This is the only event of its kind that provides both hands-on digital forensics training and an interactive forum for cyber professionals to network. The conference covers the full spectrum of topics facing defenders as well as law enforcement responders. All aspects of computer crime will be covered, including intrusion investigations, cyber crime law, digital forensics, information assurance, along with research and development, and testing of digital forensic tools.
Infosecurity Europe 2014 Infosecurity Europe is Europe's number one Information Security event. Featuring over 350 exhibitors, the most diverse range of new products and services, an unrivalled education programme and over 12,000 visitors from every segment of the industry, it's the most important date in the calendar for Information Security professionals across Europe.
Cyber COMSEC and IT Day at Fort Huachuca This one-day vendor expo is a unique opportunity to demonstrate your products and services to military and civilian personnel at Fort Huachuca. Exhibitors will have a casual atmosphere to share ideas, concerns and build relationships with the men and women of Fort Huachuca.
cybergamut Technical Tuesday: Malware Reverse Engineering (Columbia, Maryland, USA, May 6, 2014) An introduction to the tools, workflows, and tricks of the trade to attack sophisticated malware by Dale Robson of CyberPoint. Industry standard cyber security products do a good job in blocking and defending against recognized or suspicious malware. Yet increasingly, advanced malware is customized to evade detection and remediation; and even those that are caught can have deeper and more dangerous capabilities. In order to truly understand the malware's capabilities and to assess its success in gaining access to an enterprise, cyber security professionals should reverse engineer the binary to expose its secrets. But organizations may forgo reverse engineering and rely on industry solutions to characterize and defend against the threat. Reverse engineering is done by exception and within the constraints of budget, time, and available professional talent, if it is done at all. However, reverse engineering malware can be an integral part of every security team's calculus. This session provides a technical review of the tools, workflows, and advanced analytic insight a senior reverse engineer brings to the fight.
Kirtland AFB — Cyber Security Seminar & Information Technology Expo (Albuquerque, New Mexico, USA, May 7, 2014) Join FBC and the Armed Forces Communications & Electronics Association (AFCEA)-Albuquerque Chapter for the Cyber Security Seminar & Information Technology Expo set to take place at Kirtland Air Force Base. This is the only yearly event officially sponsored by AFCEA at Kirtland AFB. The goal of this expo is to stimulate exchanges of information between industry partners and Kirtland AFB Information Management Officers, Information Technology personnel, Contracting Officers as well as end-users, developers, scientists, researchers and project managers in the areas of cyber security and information technology.
US Secret Service Cybersecurity Awareness Day (Washington, DC, May 8, 2014) This Cybersecurity event will be the first of its kind at the USSS. There will be 2-3 opportunities for participating companies to present a 1/2 hour presentation on a Cybersecurity topic of concern to the agency. In addition, this event will be widely attended by the majority of personnel at the USSS HQ building. Attendance is expected to be over 300 for the event.
SANS Security West SANS Security West will arm information security professionals with the necessary insight to prepare their organization for today and the future. Attendees will have the opportunity to advance their information security skill set by learning innovative ideas and techniques to fend off today's most challenging cyber threats as well as emerging threats.
HackMiami 2014 (Miami Beach, Florida, USA, May 9 - 11, 2014) The HackMiami 2014 Hackers Conference seeks to bring together the brightest minds within the information security industry and the digital underground. This conference will showcase cutting edge tools, techniques, and methodologies that are at the forefront of the global threat landscape.
Eurocrypt 2014 Eurocrypt 2014 is the 33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques. It is devoted to all aspects of cryptology.
ISPEC 2014 (Fujian, China, May 12 - 14, 2014) The ISPEC conference series is an established forum that brings together researchers and practitioners to provide a confluence of new information security technologies, including their applications and their integration with IT systems in various vertical sectors.
CyberWest (Phoenix, Arizona, USA, May 13 - 14, 2014) Cyber threats affect all industry sectors and impact individuals, businesses and governments. From hacktivists to advanced persistent threats, conducting business on-line exposes individuals, corporations and Governments to a complex threat environment including hacktivists to trans-national crime organizations and advanced persistent threats. Join experts from government, industry and academia in discussing how we are making our future more secure.
GovSec 2014 (Washington, DC, USA, May 13 - 14, 2014) GovSec is the nation's premier event for Government, Homeland Security, and Law Enforcement professionals looking for proven strategies and cost effective technology so they can achieve their mission of protecting our critical infrastructures, key assets, communities and the nation.
Cyber Security for National Defense Symposium DSI's Cyber Security for National Defense Symposium is designed as an educational and training "Town Hall" forum, where thought leaders and key policy-makers across military and civilian organizations can come together for actionable discussions and debate. The symposium will focus on increasing the security and resiliency of the Nation's critical networks, operating freely in the Cyber Domain, and the protection of infrastructure in support of national defense and homeland Security.
FOSE Conference (Washington, DC, USA, May 13 - 15, 2014) Spend 1 day or 3 days at the FOSE conference and leave with actionable information, covering a broad spectrum of trending topics including: Cybersecurity, Cloud and Virtualization, Mobile Government, Big Data and Business Intelligence, Project Management, Procurement and Acquisition and more. (free-of-charge for government personnel).
INFILTRATE INFILTRATE is a deep technical conference that focuses entirely on offensive security issues. Groundbreaking researchers focused on the latest technical issues will demonstrate techniques that you cannot find elsewhere. INFILTRATE is the single-most important event for those who are focused on the technical aspects of offensive security issues, for example, computer and network exploitation, vulnerability discovery, and rootkit and trojan covert protocols. INFILTRATE eschews policy and high-level presentations in favor of just hard-core thought-provoking technical meat.
Security BSides Denver 2014 (Denver, Colorado, USA, May 16, 2014) Each BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening.
Security Start-up Speed Lunch NYC (New York, New York, USA, May 19, 2014) Our goal for this inaugural event is to connect the most promising security startups in the world with decision-makers at aerospace, asset-management, banking, communications, defense, energy, healthcare, government, technology and transportation sector companies in a novel way: the speed lunch.
CEIC 2014 (Las Vegas, Nevada, USA, May 19 - 22, 2014) It's no exaggeration to say that CEIC is the biggest digital-investigations conference of its kind and the only one to offer hands-on lab sessions and training for practical skills development. From sessions on acquiring evidence from mobile devices to international e-discovery to cyber security intelligence, there's simply no other training or seminar series available that packs so much relevant and practical information from so many expert speakers into a single four-day period.
The Device Developers' Conference: Bristol (Bristol, England, UK, May 20, 2014) The Device Developers' Conference is an annual UK event for the developers of intelligent systems and devices. The objective is to provide an event that provides engineers with an opportunity to learn about the latest tools, technologies and techniques for the successful development of leading edge electronic products and systems.
Positive Hack Days: Positive Hack Days is the international venue for the unification of progressive forces of the IT industry. It is about innovators interested in information security problems; it is fresh blood and bright eyes, the atmosphere of a huge research ground, communication between people sharing the same views and their opponents, minimum formalities and maximum practice.
Georgetown Law: Cybersecurity Law Institute: A day does not go by where cybersecurity is not in the news. In fact, according to a recent national survey conducted by FTI Consulting, cybersecurity is the number one issue on the minds of general counsels of American companies. Last year's inaugural Cybersecurity Law Institute received positive reviews for its unique simulation approach that prepared attendees on actions to take if their company faced a cyber-attack.
NSA Mobile Technology Forum (MTF) 2014: The Mobile Technologies Forum is an annual event that attracts SIGINT, Information Assurance, HUMINT, Federal Law Enforcement, Counterintelligence and Government personnel from the United States, Australia, Canada, New Zealand, and United Kingdom focused on mobile technologies. Those companies who specialize in both current and future mobile features and equipment or have efforts that benefit NSA's efforts should participate as a commercial vendor; conference attendance is limited to government employees.
CyberMontgomery Forum: Center of Gravity (Rockville, Maryland, USA, May 22, 2014) Cybersecurity will be a major growth engine in the region for many years to come. With solid federal government, industry and academic assets already in place in the region, there is still a need to bring them together so that they can coalesce and elevate the cyber ecosystem to a level of national prominence. CyberMontgomery Forum events will provide clear direction on finding business opportunities, contracting, forecasted demand areas, workforce development, recruiting & staffing, legal responsibilities for businesses, updates on technologies being developed in MoCo and summary updates regarding our NCCoE neighbors, federal civilian agencies and commercial sector leaders.
Cyber Risk Summit (Washington, DC, USA, May 22, 2014) This one-day leadership conference will provide a discussion forum for business executives, insurance companies and policymakers on more effective private and public responses to cyber risk management. Topics to be discussed by expert speakers will include state and federal regulatory and legislative initiatives, efforts to develop a common cyber security framework, the threats from cyber espionage and terrorism, and the development of public and private mechanisms to finance and transfer losses from cyber events.
The Device Developers' Conference: Cambridge (Cambridge, England, UK, May 22, 2014) The Device Developers' Conference is an annual UK event for the developers of intelligent systems and devices. The objective is to provide an event that provides engineers with an opportunity to learn about the latest tools, technologies and techniques for the successful development of leading edge electronic products and systems.
Fort Meade Technology Expo: The Ft. Meade Technology Expo is a one-day event held at the Officers' Club (Club Meade) on base. Industry vendors will have the unique opportunity to showcase their products and services to personnel that may otherwise be unattainable.
CANSEC: CANSEC is Canada's foremost defence tradeshow. A two-day event, CANSEC will feature 120,000 square feet of indoor exhibits by Canada's leading edge defence companies, as well as an outdoor static display. This tradeshow targets a wide audience of customers that includes Government agencies and departments with an interest in the defence sector.
Hack in The Box Security Conference (HITBSecConf) Amsterdam: HITBSecConf Amsterdam is a gathering of network security professionals and enthusiasts who come from all corners of the globe to discuss the next generation of attacks and defense techniques. This is not an event you come to for 'security 101' talks or marketing hype. We cover stuff that hasn't made it into the news — yet. Potential security issues coming our way in the next 12 months.