The CyberWire Daily Briefing for 4.24.2014
Cyber criminal informants prove to be as blowback-prone as regular wiseguy snitches. "Sabu" provides exhibit A: the New York Times reports that while he was an FBI informant, Sabu continued to exploit zero-days, some against Brazilian, Syrian, and Iranian government sites.
Enterprises continue to mop up Heartbleed. Many Android apps remain leaky, but some are found protected, ironically, by a common implementation coding error. The number of direct exploits still seems small in comparison with the scope and potential of the vulnerability. Clean-up itself presents at least two problems: some fragile SSL implementations have been disabled when scanned for Heartbleed, and the frenzy to find and close Heartbleed holes has provided hackers with useful misdirection, particularly in attacks on US universities. And, of course, Heartbleed continues to provide useful phishbait to spammers.
The unrelated but very large We_heart_it diet spam campaign has oozed from AOL over to Twitter. Its origins remain obscure, but it's become a significant nuisance.
Many US physicians have suffered identity theft recently, which, Krebs suggests, hints at problems in some commonly used service.
Bkav claims to have found serious vulnerabilities in Amazon's Cloud IaaS Service.
Medical devices and maritime shipping remain, sector analysts say, dangerously open to cyber attack even though the worst bogeymen have yet to materialize. Electrical utilities move toward a consensus that cyber risks are more serious than physical ones.
Insurers find many retailers remain oblivious to cyber risk. Financial analysts warn against cascading effects of widespread failure to insure against cyber losses.
Notes.
Today's issue includes events affecting Brazil, Cambodia, European Union, Iran, Russia, Syria, Tunisia, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
FBI knew of zero-day attack on websites, let hackers use it (Ars Technica) NY Times reports Sabu directed attacks with Plesk exploit after arrest. Hector Xavier Monsegur, the hacker known as "Sabu," became a confidential FBI informant following his 2011 arrest. But he continued to direct other hackers to attack more than 2,000 Internet domains in 2012, including sites operated by the Iranian, Syrian, and Brazilian governments
Heartbleed Security Cyber Attacks Roundup (Gadget Gestures) If you paid attention to the information flooding your news feed that warned you over and over again about the Heartbleed security bug that makes your passwords and personal data vulnerable to theft and all sorts of cyber attacks, then you know the problem is serious and affects more people than one could have imagined in the beginning
While Heartbleed distracts, hackers hit US universities (CSO) The panic over the Heartbleed bug is proving to be a convenient distraction for hackers using standard techniques in a fresh wave of attacks targeting at least 18 U.S. universities, according to a computer security researcher
Be Careful what you Scan for! (Internet Storm Center) After some fun and games at one customer site in particular, I found that the SSL services on the earlier versions of the HP ProLiant Servers' iLO ports (iLO1 and iLO2) are not susceptible to Heartbleed. However, their implementation of SSL is fragile enough that scanning them for the Heartbleed vulnerability will render them inoperable. This affects ProLiants from G1 all the way up to G6, as well as many of the HP BladeSystems
Android Heartbleed Alert: 150 Million Apps Still Vulnerable (Dark Reading) Android developers are starting to patch OpenSSL flaws. Meanwhile, Apple ships an SSL fix for iOS and OS X
Coding error protects some Android apps from Heartbleed (CSO) Some Android apps thought to be vulnerable to the Heartbleed bug were spared because of a common coding error in the way they implemented their own native OpenSSL library
How To Detect Heartbleed Mutations (Dark Reading) The nightmare of Heartbleed is not the chaos of fixing the bug. It's identifying hundreds, possibly thousands, of small mutations still hiding in the network
States: Spike in Tax Fraud Against Doctors (Krebs on Security) An unusual number of physicians in several U.S. states are just finding out that they've been victimized by tax return fraud this year, KrebsOnSecurity has learned. An apparent spike in tax fraud cases against medical professionals is fueling speculation that the crimes may have been prompted by a data breach at some type of national organization that certifies or provides credentials for physicians
Amazon Cloud IaaS Service servers riddled with vulnerabilities (Help Net Security) An investigation spurred by one of the customers of their security product has led researchers of security company Bkav to an unexpected discovery: the servers provided by Amazon's Cloud IaaS Service are riddled with vulnerabilities
Mystery attack drops avalanche of malicious messages on Twitter (Ars Technica) Scammers abuse thousands of compromised accounts linked to third-party services
We Heart It attack spills out into Twitter diet spam tidalwave (Graham Cluley) Diet spammers are not just exploiting AOL accounts to spread their unwanted adverts for miracle weight loss products, they have been flooding Twitter too
Japan airport staff dash to replace passcodes after security cock-up (The Register) Haneda employee drops key codes ahead of Obama visit
Intimidating new Internet fraud reported in AC (Arizona City Independent) New type of malicious computer virus known as 'ransomware'
Six Degrees datacentre suffers outage for more than 12 hours (ComputerWeekly) Customers using Six Degrees Group's datacentre and hosting services faced downtime on Tuesday — a crucial business day after the Easter weekend — as the datacentre, hosting and managed services provider suffered an outage for more than 12 hours
Medical devices at risk from cyber attack (Business Technology) A pacemaker designed to send life-saving electrical pulses to your heart and provide your doctor with vital information about your health can also unfortunately be a target of a sinister cyber attack
Global Shipping Exposed to Cyber Threats (MarineLink) The next hacker playground: the open seas — and the oil tankers and container vessels that ship 90 percent of the goods moved around the planet
Dissecting the unpredictable DDoS landscape (Help Net Security) DDoS attacks are now more unpredictable and damaging than ever, crippling websites, shutting down operations, and costing millions of dollars in downtime, customer support and brand damage, according to Neustar
Banking Trojans, Bitcoins and Espionage Dominate Recent Cyber-threats (InfoSecurity Magazine) Mobile banking trojans! Bitcoin wallet attacks! Cyber-espionage threats! It turns out that these three cyber-baddies are developing their attack trajectories exactly as predicted for 2014
Security Patches, Mitigations, and Software Updates
HP firmware bricks ProLiant server models (ComputerWeekly) HP has released a server patch that it has admitted will kill 100 of its server models and 14 network adapters upon installation
Apple users left exposed to serious threats for weeks, former employee says (Ars Technica) Patch delay comes two months after previous lapse for critical "goto fail" fix
Apple + Patching = You're Doing It Wrong :( (Kristin Paget's Blog) Apple just released iOS 7.1.1, which contains a bunch of security fixes for a wide range of things. Of particular interest is the list of issues they fixed in WebKit, which includes
Cyber Trends
Verizon DBIR 2014: Incident patterns show industry-specific threats (TechTarget) "We may be able to reduce the majority of attacks by focusing on a handful of attack patterns." That's the thought that Verizon used to tantalize readers of the 2013 iteration of its Data Breach Investigations Report, but as it turns out, the 2014 version found that more than nine out of ten data breaches can be described by just one of nine attack patterns, an enticing claim for enterprise information security teams
Cybersecurity quickly trumping physical security (FierceSmartGrid) Security is becoming an important part of the day-to-day operations of every utility across the United States, and a recent ruling by the Department of Justice (DOJ) is meant to make it easier for companies to keep their assets secure while keeping the lights on
Demand for BYOD access control leads to NAC resurgence (TechTarget) Network access control technology has come a long way from its days of being derided as an expensive and difficult tool that only succeeds in locking users out of the network. As the number of devices and the diversity of the users hitting networks across all industries grows, NAC security is becoming a must-have technology for any corporate environment
Ponemon Institute Survey Finds Exchanging Threat Intelligence Could Have Prevented Recent Cyberattacks (Broadway World) IID, securing the Internet with shared cyber intelligence, today announced the immediate availability of a Ponemon Institute survey that the company sponsored entitled, "Exchanging Cyber Threat Intelligence: There Has to Be a Better Way"
Intelligence-Sharing Suffers Growing Pains (Dark Reading) For most organizations, intelligence-sharing remains mainly ad-hoc and informal — and thus fraught with frustration and pitfalls, new report from Ponemon finds
Heartbleed as Metaphor (Lawfare) I begin with a paragraph from Wikipedia: Self-organized criticality is one of a number of important discoveries made in statistical physics and related fields over the latter half of the 20th century, discoveries which relate particularly to the study of complexity in nature… That may or may not leave you cold. I begin with those lines because they say that complexity in the large can arise from locally simple things
UK businesses fail to prepare for upcoming changes to EU data laws (CSO) UK businesses are unprepared for next year's changes to EU data protection laws, a survey has found
Report: Some Retail Firms Still Don't Recognize Cyber Security Risks (Dark Reading) Nearly 10 percent of retail firms have not reported any cyber security exposure to the SEC since 2011, Willis Group says
Lack of cyber risk insurance could lead to "global financial shock" (We Live Security) The financial damage caused by a large data breach or malicious employee activity can be enormous, but while more than three-quarters of organizations say they have become more concerned about information security and privacy in the past three years, the lack of cyber risk insurance could lead to a "global" shock
CyberSlang: The "@ to Zero-Day" Guide to Geek Speak (Raytheon) "Bot herders" have nothing to do with sheep. "Pentesting" is not what you do with a dried-out ballpoint. And "Air Gap" is not a 1980s easy-listening duo from Australia
Marketplace
A strong information security program is a competitive gain, not just a cost (TechTarget) CIOs are often asked to quantify the value of technology investments, but the CIO of an East Coast company was caught off guard by one such recent request and whom it came from. "The marketing chief wanted to know if we should use our security and privacy measures as a competitive differentiator to market our business and services," said the CIO, who is still in the midst of his research and asked not to be named
DHS inquiry into cyber solutions for small businesses stirs ideas, pushback from tech sectors (Inside Cybersecurity) With the Department of Homeland Security conducting a public meeting May 6 on its inquiry into cybersecurity solutions that meet the unique needs of small and mid-sized companies, Inside Cybersecurity is pulling together its exclusive coverage of a process that kicked off with a February request for information
Thomson Reuters Again Wins Operational Risk Software Provider of the Year Award in Operational Risk and Regulation Awards 2014 (MarketWatch) Thomson Reuters, the world's leading source of intelligent information for businesses and professionals, today announced that it has been awarded the Operational Risk Software Provider of the Year Award in the Operational Risk and Regulation Awards, 2014. This is the second consecutive year that Thomson Reuters has been awarded this achievement
Venture Capital: The Lifeblood Behind Security Innovation (Dark Reading) Want to know where the next generation of IT security innovation and technology is coming from? Follow the money
Cybersecurity's new frontier (Daily Record) The exterior walls of Luminal's downtown Frederick headquarters office are made of brick. But the company isn't focused on walls. Its software aims to make a computer system more secure from the inside, instead of relying only on exterior defenses
Raytheon tackles nation's STEM workforce challenge during "STEM Week" in Washington, D.C. (MarketWatch) What can the U.S. do to prepare today's students to take on STEM jobs in the future? To help answer that question, U.S. News and Raytheon Company today launched the STEM Index to measure just that. It's the first comprehensive index measuring the key factors related to STEM jobs and education
Thomson Reuters uncovers internal engineering talent with crowdsourcing (TechTarget) Thomson Reuters Corp. has hit upon an effective way to find engineering talent. The media and information company has figured out a way to crowdsource for problem solvers — from behind the firewall
South-East police forces on the hunt for information assurance services in £20m tender (Computing) The police and crime commissioner for Surrey has issued a tender on behalf of police forces within the South East Regional Information Security Management Group including: British Transport Police, Civil Nuclear Constabulary, Essex Police, Hampshire Police, Hertfordshire Police, Kent Police, Metropolitan Police Service, Surrey Police, Sussex Police and Thames Valley Police
Mark Forman Returns to TASC as IT, Cloud Services VP; Bruce Phillips Comments (GovConWire) Mark Forman, co-founder and former CEO of Government Transaction Services LLC, has joined TASC as vice president for information technology and cloud services
Products, Services, and Solutions
AIG Expands Cyber Coverage to Include Physical Risks Posed by Cyber Attacks, Security Failures (Wall Street Journal) American International Group, Inc. (AIG) insurers today announced an expansion of their cyber insurance offering to include property damage and bodily injury exposures. This is a market-leading cyber offering that provides commercial customers a way to manage physical risks to their operations from cyber attacks and cyber security failures
Google Adding Security Checks to Non-OAuth 2.0 Compliant Apps (Threatpost) Google announced today that in the coming months it will be more stringent in securing users when they log in to their accounts by applying additional authorization checks
Cisco's RTP ops fueling new cybersecurity solution (Triangle Business Journal) Cisco's just-launched Managed Threat Defense service is relying on two operations centers to protect your data — one of which is in Research Triangle Park
Splunk App Promises Data Center Managers Complete Visibility (Datacenter Dynamics) Data center intelligence provider Splunk has launched version 3.1 of its operational information system, Splunk App for VMware
Rapid7 announces security certifications for Metasploit and Nexpose (Help Net Security) Rapid7 is launching certification programs for Nexpose administrators and Metasploit Pro specialists
Forescout launches new PSN compliance package (UK Authority) A programme to help local authorities and government departments to meet the requirements of the Public Service Network (PSN), the secure network enabling local and central government organisations to communicate electronically, has been launched today
CrowdStrike offers new free Heartbleed Scanner tool (CSO) In the wake of the Heartbleed vulnerability revelation, many security vendors raced to provide tools to help businesses and individuals test for the flaw on their own systems. Unfortunately, many of those tools used flawed logic, or delivered inaccurate results—either causing undue alarm, or providing an unwarranted sense of security. CrowdStrike has developed a new free Heartbleed Scanner tool that delivers more comprehensive information to help you understand which systems or applications are at risk
eScan Launches a unique online tool to identify Heartbleed bug affected websites (OpenPR) eScan, one of the leading Anti-Virus and Content Security Solution providers has launched an online tool to identify the latest vulnerability, Heartbleed bug which has been creating chaos in the cyber security landscape. This tool introduced by eScan can be used by IT users to check whether the website they are browsing is affected with the Heartbleed bug or not
New NIST Tool Streamlines Government App Vetting (Threatpost) Developers who produce apps intended for use on internal networks at government agencies are getting a vetting process of their own called AppVet
Technologies, Techniques, and Standards
Tech giants, chastened by Heartbleed, finally agree to fund OpenSSL (Ars Technica) IBM, Intel, Microsoft, Facebook, Google, and others pledge millions to open source
FedRAMP program office releases transition plan to new controls baseline (FierceGovIT) Private sector cloud providers with a FedRAMP provisional authorization making them eligible to sell services to federal agencies will have about a year to implement the new minimum set of security controls
Is CyberSec Framework Doomed to Fail? (infoRisk Today) Researcher Touts Market-Driven Approach as Alternative. A George Mason University research fellow says the cybersecurity framework, issued earlier this year by the National Institute of Standards and Technology, is likely to cause more problems than it solves
Dr. Larry Ponemon on How Security Survey Research Is Done (eSecurity Planet) Head of the Ponemon Institute details the process and the challenges of conducting modern security surveys
Verizon breach report makes case for behavioral analytics (CSO) Behavioral analytics technology defends against Web application attacks by flagging and stopping unusual user activity
PCI DSS — Why it fails (Naked Security) The Payment Card Industry Data Security Standard (PCI DSS) is a globally agreed standard of compliance for any company that accesses, stores or transmits cardholder data (CHD) and personally identifiable information (PII). I've written a contrasting article about the successes of the PCI DSS, but in this article I want to highlight five reasons I think it fails in its goal
PCI DSS - Why it works (Naked Security) The Payment Card Industry Data Security Standard (PCI DSS) is a document that sets the de facto standard of compliance for any company that accesses, stores or transmits cardholder data (CHD) and personally identifiable information (PII). The PCI DSS's founding members — American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. — sought to replace their individual data security compliance programs in favour of a globally agreed standard
Workplace Data Privacy Vs. Security: The New Balance (Dark Reading) Is it time to rethink the traditional lock-down approach to employee use of corporate networks at work?
Learning from others (Help Net Security) The old saying "one man's misfortune is another man's gain" is eminently applicable in the information security industry. When an organization becomes the victim of a security breach, its misfortune should be viewed as an opportunity for the rest of us to learn how to improve the security of our own systems
How to prevent RATs from taking over your Mac (ITProPortal) My partner and I have seven pet rats at home and I love every single one of them. But there is one kind of rat I am keen on keeping out of my home — and my computer — and that's a Remote Access Trojan. These nasty, malicious applications let attackers use your computer as if they were sitting right in front of it, giving them complete access to your files, your network, and your personal information
Fun with Passphrases! (Internet Storm Center) As systems administrators and security folks, we've all had our fill of our users and customers using simple passwords. Most operating systems these days now enforce some level of password complexity by default, with options to "beef up" the password requirements for passwords
Design and Innovation
Ultraprivate Smartphones (MIT Technology Review) New models built with security and privacy in mind reflect the Zeitgeist of the Snowden era
Researcher proposes alert tool for managing online privacy risks (Help Net Security) As more and more of our daily life happens online, the issue of online privacy should be of prime importance to each of us. Unfortunately, it's not
Designing a Prize for Usable Cryptography (Electronic Frontier Foundation) In an era when email and messaging services are being regularly subject to attacks, surveillance, and compelled disclosure of user data, we know that many people around the world need secure end-to-end encrypted communications tools so that service providers and governments cannot read their messages. Unfortunately, the software that has traditionally been used for these purposes, such as PGP and OTR, suffers from numerous usability problems that make it impractical for many of the journalists, activists and others around the world whose lives and liberty depend on their ability to communicate confidentially
Inside the 'DarkMarket' Prototype, a Silk Road the FBI Can Never Seize (Wired) The Silk Road, for all its clever uses of security protections like Tor and Bitcoin to protect the site's lucrative drug trade, still offered its enemies a single point of failure. When the FBI seized the server that hosted the market in October and arrested its alleged owner Ross Ulbricht, the billion-dollar drug bazaar came crashing down
Research and Development
Error-Free Quantum Computing Made Possible in New Experiment (IEEE Spectrum) For quantum computing to ever fulfill its promise, it will have to deal with errors. That's been a real problem until now, because although scientists have come up with error correction codes, the quantum machines available couldn't make use of them. But researchers report today that they've created a small quantum computing array that for the first time performs with enough accuracy to allow for error correction—paving the way toward practical machines that could outperform ordinary computers
Academia
Guidance Software to Sponsor the National Collegiate Cyber Defense Competition (Wall Street Journal) Guidance Software, Inc. (NASDAQ:GUID) announced today that it is sponsoring and participating in the National Collegiate Cyber Defense Competition (NCCDC). The three day-event, which is being held April 25-27 in San Antonio, Texas, provides a real-time educational venue where students can apply theoretical and practical skills that they've learned in the classroom to real-world cybersecurity scenarios. Students from 180 colleges and universities in ten regions competed at the qualifying and regional levels. The top team from each region will compete at this national competition
Legislation, Policy, and Regulation
Vision is needed at NETmundial (Center for Democracy and Technology) The Global Multistakeholder Meeting on the Future of Internet Governance, a.k.a. the NETmundial meeting, starts today in Sao Paulo, Brazil. The NETmundial meeting has two goals: 1) articulate a set of Internet governance principles, and 2) propose a roadmap for the future development of the Internet governance ecosystem. The meeting comes a short 7 months after Brazilian President Dilma Rousseff gave a scathing speech at the UN General Assembly on NSA surveillance in which she called for mechanisms that would reinforce key principles related to Internet governance and use
Net neutrality dead for good? FCC may endorse pay-for-play deals (Ars Technica) ISPs could charge for improved access as long as they don't block Web services
Litigation, Investigation, and Law Enforcement
Lloyds TSB bank clerks accused of installing hardware device to help them steal £2 million (Graham Cluley) Three Lloyds TSB employees have been accused of conspiring to steal over £2 million from bank accounts, after allegedly installing a hardware device to steal passwords from the banking group
Snowden 'plays' at being watchdog (The Tennessean) Edward Snowden missed a chance to earn redemption when he played into Vladimir Putin's press conference
Obama's NSA: Edward Snowden Is Not A Hero (Fits News) Let's get one thing straight. Edward Snowden is a hero
Saravá Collective protests against data surveillance (Saravá: por uma internet livre) We from Saravá Group are worried about the arbitrary and reckless action of the Public Prosecutor's Office. The Office is requesting access to content we host
Aereo argues that ruling against it could hurt cloud storage business (IT World) The streaming video service argues it does not violate US copyright law by giving subscribers access to over-the-air TV
DOJ immigration office unable to access case databases (FierceGovIT) The Justice Department can't currently handle some of its immigration cases because of a hardware failure that's left the agency unable to access databases
Two Alleged Members of Anonymous Cambodia Arrested (Softpedia) A couple of 21-year-old students believed to be members of Anonymous Cambodia have been arrested. Local authorities collaborated with the FBI on the investigation
Maricopa Community Colleges Sued Over Data Breach (eSecurity Planet) The lawsuit claims that MCCCD 'failed to notify victims of the data breach in a reasonable or timely manner'
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
US News STEM Solutions: National Leadership Conference (location and date not listed) The STEM crisis in the United States demands solutions—and nowhere is the search more concentrated than at U.S. News STEM Solutions. Now in its third year, this premier national leadership conference is an outcome-focused forum for the entire network of experts, advocates and change-makers who are proactively working to fill jobs now and advance the future of the STEM workforce. More than a broad-based discussion of the issues, this year's conference will zero in on tangible results, real successes and collaborative strategies that are already moving the needle. If you have a vested interest in the development of the STEM pipeline, make your voice heard where it will have the most impact.
East Africa Banking and ICT Summit (Kampala, Uganda, Apr 25, 2014) The global event series for Banking and ICT Summit enters its third year. The summit will continue to provide delegates with technical & practical sessions, lectures and showcase for banking and ICT innovations, and unique networking opportunities.
National Collegiate Defense Cyber Competition (location and date not listed) Registration for the 2014 CCDC season is underway! Visit your region's website or contact your regional for registration and competition information.
InfoSecIndy (Indianapolis, Indiana, USA, Apr 26 - 27, 2014) Join us on April 26-27, 2014 in Indianapolis, Indiana for the premier Midwest Information Security and Digital Forensics Conference.
United States Cyber Crime Conference 2014 (location and date not listed) This is the only event of its kind that provides both hands-on digital forensics training and an interactive forum for cyber professionals to network. The conference covers the full spectrum of topics facing defenders as well as law enforcement responders. All aspects of computer crime will be covered, including intrusion investigations, cyber crime law, digital forensics, information assurance, along with research and development, and testing of digital forensic tools.
Infosecurity Europe 2014 (location and date not listed) Infosecurity Europe is Europe's number one Information Security event. Featuring over 350 exhibitors, the most diverse range of new products and services, an unrivalled education programme and over 12,000 visitors from every segment of the industry, it's the most important date in the calendar for Information Security professionals across Europe.
Cyber COMSEC and IT Day at Fort Huachuca (location and date not listed) This one-day vendor expo is a unique opportunity to demonstrate your products and services to military and civilian personnel at Fort Huachuca. Exhibitors will have a casual atmosphere to share ideas, concerns and build relationships with the men and women of Fort Huachuca.
cybergamut Technical Tuesday: Malware Reverse Engineering (Columbia, Maryland, USA, May 6, 2014) An introduction to the tools, workflows, and tricks of the trade to attack sophisticated malware by Dale Robson of CyberPoint. Industry standard cyber security products do a good job in blocking and defending against recognized or suspicious malware. Yet increasingly, advanced malware is customized to evade detection and remediation; and even those that are caught can have deeper and more dangerous capabilities. In order to truly understand the malware's capabilities and to assess its success in gaining access to an enterprise, cyber security professionals should reverse engineer the binary to expose its secrets. But organizations may forgo reverse engineering and rely on industry solutions to characterize and defend against the threat. Reverse engineering is done by exception and within the constraints of budget, time, and available professional talent, if it is done at all. However, reverse engineering malware can be an integral part of every security team's calculus. This session provides a technical review of the tools, workflows, and advanced analytic insight a senior reverse engineer brings to the fight.
Kirtland AFB — Cyber Security Seminar & Information Technology Expo (Albuquerque, New Mexico, USA, May 7, 2014) Join FBC and the Armed Forces Communications & Electronics Association (AFCEA)-Albuquerque Chapter for the Cyber Security Seminar & Information Technology Expo set to take place at Kirtland Air Force Base. This is the only yearly event officially sponsored by AFCEA at Kirtland AFB. The goal of this expo is to stimulate exchanges of information between industry partners and Kirtland AFB Information Management Officers, Information Technology personnel, Contracting Officers, as well as end-users, developers, scientists, researchers and project managers in the areas of cyber security and information technology.
US Secret Service Cybersecurity Awareness Day (Washington, DC, May 8, 2014) This Cybersecurity event will be the first of its kind at the USSS. There will be 2-3 opportunities for participating companies to present a 1/2 hour presentation on a Cybersecurity topic of concern to the agency. In addition, this event will be widely attended by the majority of personnel at the USSS HQ building. Attendance is expected to be over 300 for the event.
SANS Security West (location and date not listed) SANS Security West will arm information security professionals with the necessary insight to prepare their organization for today and the future. Attendees will have the opportunity to advance their information security skill set by learning innovative ideas and techniques to fend off today's most challenging cyber threats as well as emerging threats.
HackMiami 2014 (Miami Beach, Florida, USA, May 9 - 11, 2014) The HackMiami 2014 Hackers Conference seeks to bring together the brightest minds within the information security industry and the digital underground. This conference will showcase cutting edge tools, techniques, and methodologies that are at the forefront of the global threat landscape.
Eurocrypt 2014 (location and date not listed) Eurocrypt 2014 is the 33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques. It is devoted to all aspects of cryptology.
ISPEC 2014 (Fujian, China, May 12 - 14, 2014) The ISPEC conference series is an established forum that brings together researchers and practitioners to provide a confluence of new information security technologies, including their applications and their integration with IT systems in various vertical sectors.
CyberWest (Phoenix, Arizona, USA, May 13 - 14, 2014) Cyber threats affect all industry sectors and impact individuals, businesses and governments. Conducting business on-line exposes individuals, corporations and governments to a complex threat environment ranging from hacktivists to trans-national crime organizations and advanced persistent threats. Join experts from government, industry and academia in discussing how we are making our future more secure.
GovSec 2014 (Washington, DC, USA, May 13 - 14, 2014) GovSec is the nation's premier event for Government, Homeland Security, and Law Enforcement professionals looking for proven strategies and cost effective technology so they can achieve their mission of protecting our critical infrastructures, key assets, communities and the nation.
Cyber Security for National Defense Symposium (venue and date not listed) DSI's Cyber Security for National Defense Symposium is designed as an educational and training "Town Hall" forum, where thought leaders and key policy-makers across military and civilian organizations can come together for actionable discussions and debate. The symposium will focus on increasing the security and resiliency of the Nation's critical networks, operating freely in the Cyber Domain, and the protection of infrastructure in support of national defense and homeland security.
FOSE Conference (Washington, DC, USA, May 13 - 15, 2014) Spend 1 day or 3 days at the FOSE conference and leave with actionable information, covering a broad spectrum of trending topics including: Cybersecurity, Cloud and Virtualization, Mobile Government, Big Data and Business Intelligence, Project Management, Procurement and Acquisition and more. (free-of-charge for government personnel).
INFILTRATE (venue and date not listed) INFILTRATE is a deep technical conference that focuses entirely on offensive security issues. Groundbreaking researchers focused on the latest technical issues will demonstrate techniques that you cannot find elsewhere. INFILTRATE is the single most important event for those who are focused on the technical aspects of offensive security, for example computer and network exploitation, vulnerability discovery, and rootkit and trojan covert protocols. INFILTRATE eschews policy and high-level presentations in favor of hard-core, thought-provoking technical meat.
Security BSides Denver 2014 (Denver, Colorado, USA, May 16, 2014) Each BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening.
Security Start-up Speed Lunch NYC (New York, New York, USA, May 19, 2014) Our goal for this inaugural event is to connect the most promising security startups in the world with decision-makers at aerospace, asset-management, banking, communications, defense, energy, healthcare, government, technology and transportation sector companies in a novel way: the speed lunch.
CEIC 2014 (Las Vegas, Nevada, USA, May 19 - 22, 2014) It's no exaggeration to say that CEIC is the biggest digital-investigations conference of its kind and the only one to offer hands-on lab sessions and training for practical skills development. From sessions on acquiring evidence from mobile devices to international e-discovery to cyber security intelligence, there's simply no other training or seminar series available that packs so much relevant and practical information from so many expert speakers into a single four-day period.
The Device Developers' Conference: Bristol (Bristol, England, UK, May 20, 2014) The Device Developers' Conference is an annual UK event for the developers of intelligent systems and devices. The objective is to provide an event that provides engineers with an opportunity to learn about the latest tools, technologies and techniques for the successful development of leading edge electronic products and systems.
Positive Hack Days (venue and date not listed) Positive Hack Days is the international venue for the unification of progressive forces of the IT industry. It is about innovators interested in information security problems; it is fresh blood and bright eyes, the atmosphere of a huge research ground, communication between people sharing the same views and their opponents, minimum formalities and maximum practice.
Georgetown Law: Cybersecurity Law Institute (venue and date not listed) A day does not go by without cybersecurity in the news. In fact, according to a recent national survey conducted by FTI Consulting, cybersecurity is the number one issue on the minds of general counsels of American companies. Last year's inaugural Cybersecurity Law Institute received positive reviews for its unique simulation approach, which prepared attendees on actions to take if their company faced a cyber-attack.
NSA Mobile Technology Forum (MTF) 2014 (venue and date not listed) The Mobile Technologies Forum is an annual event that attracts SIGINT, Information Assurance, HUMINT, Federal Law Enforcement, Counterintelligence and Government personnel from the United States, Australia, Canada, New Zealand, and the United Kingdom who focus on mobile technologies. Companies that specialize in current and future mobile features and equipment, or whose work benefits NSA's efforts, should participate as commercial vendors; conference attendance is limited to government employees.
CyberMontgomery Forum: Center of Gravity (Rockville, Maryland, USA, May 22, 2014) Cybersecurity will be a major growth engine in the region for many years to come. With solid federal government, industry and academic assets already in place in the region, there is still a need to bring them together so that they can coalesce and elevate the cyber ecosystem to a level of national prominence. CyberMontgomery Forum events will provide clear direction on finding business opportunities, contracting, forecasted demand areas, workforce development, recruiting & staffing, legal responsibilities for businesses, updates on technologies being developed in MoCo and summary updates regarding our NCCoE neighbors, federal civilian agencies and commercial sector leaders.
Cyber Risk Summit (Washington, DC, USA, May 22, 2014) This one-day leadership conference will provide a discussion forum for business executives, insurance companies and policymakers on more effective private and public responses to cyber risk management. Topics to be discussed by expert speakers will include state and federal regulatory and legislative initiatives, efforts to develop a common cyber security framework, the threats from cyber espionage and terrorism, and the development of public and private mechanisms to finance and transfer losses from cyber events.
The Device Developers' Conference: Cambridge (Cambridge, England, UK, May 22, 2014) The Device Developers' Conference is an annual UK event for the developers of intelligent systems and devices. The objective is to provide an event that provides engineers with an opportunity to learn about the latest tools, technologies and techniques for the successful development of leading edge electronic products and systems.
Fort Meade Technology Expo (venue and date not listed) The Ft. Meade Technology Expo is a one-day event held at the Officers' Club (Club Meade) on base. Industry vendors will have the unique opportunity to showcase their products and services to personnel who may otherwise be unreachable.
CANSEC (venue and date not listed) CANSEC is Canada's foremost defence tradeshow. A two-day event, CANSEC will feature 120,000 square feet of indoor exhibits by Canada's leading-edge defence companies, as well as an outdoor static display. This tradeshow targets a wide audience of customers that includes Government agencies and departments with an interest in the defence sector.
Hack in The Box Security Conference (HITBSecConf) Amsterdam (venue and date not listed) HITBSecConf Amsterdam is a gathering of network security professionals and enthusiasts who come from all corners of the globe to discuss the next generation of attacks and defense techniques. This is not an event you come to for 'security 101' talks or marketing hype. We cover stuff that hasn't made it into the news yet: potential security issues coming our way in the next 12 months.