The CyberWire Daily Briefing for 5.6.2014
The next step in ransomware's evolution seems to be a jump over to Android: the criminal Reveton team is preparing a suitable variant of "Police Locker." It's a low-grade evolution, detectable by most standard AV tools and requiring user intervention to install, but Police Locker's creep into Android is a healthy reminder that malware and its masters don't stand still.
The last word on Covert Redirect is out: it won't be patched because it's not a bug. The last advice? Exercise care in granting applications access to your systems.
Now that the CVE-2014-0515 zero day is patched, TrendLabs offers its analysis of how the recently disclosed Adobe Flash vulnerability was exploited in the wild.
Threatpost reports a new iPhone passcode bypass.
Dog-bites-man, but cave cyber-canem: Sophos's itinerant war-biker visits Las Vegas and finds—surprise—that unsecured public Wi-Fi is risky. (And who would have thought Las Vegas risky?)
ComputerWorld runs a warning against "offensive forensics," a kind of cyber reconnaissance-in-force attackers use to prepare subsequent assaults on networks and systems.
The Target CEO's resignation, seen as a move to restore customer (and partner, and investor) trust in the wake of last year's data breach, is also seen as a warning to other CEOs: cyber security problems can be expected to exact a high toll. Some large companies (like IBM) frame security offerings with this in mind.
Remember ham radio? Someone claiming to speak for Anonymous thinks it's a potential source of secure bandwidth.
Interesting reports on Friday's Dershowitz-Hayden-Greenwald-Ohanian surveillance debate.
Notes.
Today's issue includes events affecting Canada, European Union, Iran, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Android "Police Locker" ransomware set to attack (Help Net Security) Android users might soon become victims of "Police Locker" ransomware, if they haven't already, warns the researcher behind the Malware don't need Coffee blog
Evolution of Encrypting Ransomware (Webroot Threat Blog) Recently we've seen a big change in the encrypting ransomware family and we're going to shed light on some of the newest variants and the stages of evolution that have led the high profile malware to where it is today. For those that aren't aware of what encrypting ransomware is, it's a cryptovirus that encrypts all your data from local hard drives, network shared drives, removable hard drives and USB. The encryption is done using an RSA-2048 asymmetric public key which makes decryption without the key impossible. Paying the ransom will net you the key which in turn leads to getting your data back
Researchers debunk severity of OAuth "Covert Redirect" bug (Help Net Security) Late last week, a Ph.D. student at the Nanyang Technological University in Singapore made the information security world pause for a moment by claiming that he had found a "serious" OAuth 2.0 and OpenID security flaw that could be used by attackers to obtain sensitive information from both providers and clients
'Covert Redirect' OAuth flaw more chest-beat than Heartbleed (The Register) Giving a bug a logo doesn't make it more important
Analyzing CVE-2014-0515 — The Recent Flash Zero-Day (TrendLabs Security Intelligence Blog) Last week, Adobe released an advisory disclosing a new zero-day vulnerability in Flash Player. Looking into the exploit code used in attacks targeting this vulnerability, we found several interesting ties to other vulnerabilities — not all of them for Flash Player, either. To explain this, we will discuss the highlights of how this exploit was performed
Passcode Bypass Bug and Email Attachment Encryption Plague iOS 7.1.1 (Threatpost) Another iPhone passcode bypass is making the rounds this week that reportedly allows users to trick Siri into skirting around the device's usual lockscreen to view, edit and call any of the phone's contacts
Dropbox users leak tax returns, mortgage applications and more (Graham Cluley) If you are using file-sharing systems like Dropbox and Box without proper care and attention, there is a risk that you could be unwittingly leaking your most private, personal information to others
Cyber-security expert's experiment shows Wi-Fi users in Las Vegas vulnerable to hacking (Las Vegas Sun) James Lyne calls his road bike "The Beast," and he's brought it to Las Vegas to find out just how vulnerable wireless networks in the city and their users are to hackers
Researchers Reveal Windows Flaw Allowing Employees to Access Corporate Data After Accounts Are Supposedly Revoked (Digital Journal) Logs and Security Incident and Event Management (SIEM) products do not have the proper visibility to contain this type of threat
Hackers capture dynamic data to prepare for effective, stealthy attacks (ComputerWorld) "Offensive forensics is an attack technique hackers use to capture non-static data that can be useful in performing further attacks," says Joe Sremack, Principal, Berkeley Research Group, LLC, a computer forensics and e-discovery firm
Defending Against Identity Theft In The Military (Dark Reading) Our military troops are twice as likely to be victims of identity theft as the general population. The reason is in the structure of military culture
Affinity Gaming reports payment system was hacked (AP via the Washington Post) A Las Vegas company that owns casinos in four states says its system for processing credit and debit card information has been hacked
University of North Carolina Hacked (eSecurity Planet) An undisclosed number of names, addresses and Social Security numbers may have been accessed
Portland Homeless Charity Acknowledges Insider Breach (eSecurity Planet) A former employee copied clients' information in order to use the data to file fraudulent tax returns
Security Patches, Mitigations, and Software Updates
Google experimenting with hiding URLs in Chrome (ZDNet) In an effort to make phishing attacks more evident to the user, Chrome Canary is taking a tip from iOS Safari, emphasizing the domain and hiding the rest of the URL
And the Web it keeps Changing: Recent security relevant changes to Browsers and HTML/HTTP Standards (Internet Storm Center) As we all know, web standards are only leaving "draft" status once they start becoming irrelevant. It is a constant challenge to keep up with how web browsers interpret standards and how the standards themselves keep changing. We are just going through one of the perpetual updates for our "Defending Web Applications" class, and I got reminded again about some of the changes we had to make over the last year or so
Cyber Trends
White House Big Data Report: 5 Privacy Takeaways (InformationWeek) Big data raises serious privacy concerns that need to be addressed, sooner rather than later, report says
The ABCs of the Internet of Things (ComputerWorld) What it is, how it works and why it may not succeed
Internet Of Things: What's Holding Us Back (InformationWeek) The likes of Union Pacific, GE Power & Water, and ConocoPhillips are turning IoT hype into reality, but they want to do more. Here's what's still getting in the way
3 Key Risk Areas in the Internet of Things (RSA: Speaking of Security) Your office knows to turn on the lights when you arrive and turn them off when you leave. Your copier knows when to order more toner. Your car knows the best path to your next client meeting. Your building management system detects who is where and the optimal environmental controls. These Internet of Things (IoT) devices are all great, until someone hacks them and turns them against you. From cars to buildings to medical devices to the infrastructure that supports all of it—as we become more dependent on technology, we become more exposed to those technologies being turned against us
Cyber Cavalry Rides to the Rescue of Internet of Things (Wall Street Journal) As the "Internet of things" puts more and more products and devices online, cybersecurity risks threaten more than data. But in their eagerness to get technology-enabled devices to market, companies often neglect security, as demonstrated by hackers who have exposed vulnerabilities in cars, medical devices, and other products
Interconnected cars add unique privacy concerns (CSO) Imagine you're driving down a street in your town, and as you pass through an intersection you see a flash out of the corner of your eye just before a car running the red light broadsides you. Now, imagine that your vehicle was in communication with the other vehicle, and your car automatically stopped or took evasive action to avoid the accident. That would be pretty amazing—and that is just the sort of car-to-car communication technology the Department of Transportation wants to make mandatory for all passenger vehicles. However, the technology may also invade your privacy and put you at risk
Convergence of physical and cyber security (Help Net Security) The concept of security convergence, where physical and cyber security issues overlap, has been around for more than a decade. But it has only been in the last few years that the IP-enablement of everyday business functions has forced companies to come to terms with the fact that physical and cyber security must be treated in a unified manner
Enterprises are not monitoring access to sensitive data (ComputerWorld) If you want to make a cybersecurity professional uncomfortable, simply utter these two words: 'Data exfiltration.' Why will this term garner an emotional response? Because data exfiltration is a worst-case outcome of a cyber-attack — think Target, the NY Times, Google Aurora, Titan Rain, etc. Simply stated, 'data exfiltration' is a quasi-military term used to describe the theft of sensitive data like credit card numbers, health care records, manufacturing processes, or classified military plans
RedSocks, An interesting vision on Malware trend in Q1 (Security Affairs) Dutch malware detection company RedSocks has issued its first Malware Trend Report related to the malicious code trends observed in the first quarter of 2014
Marketplace
Venture capitalists hearing the cybersecurity gospel from NPPD (FierceHomelandSecurity) Venture capitalists and merger and acquisition lawyers have been the object lately of cybersecurity outreach from the National Protection and Programs Directorate
FireEye Earnings Surprise in T-Minus 35 Hours (Wall Street Daily) With the recent pullback in the tech sector, this is your opportunity to scoop up strong industry leaders at insane bargains
Target CEO resigns, latest executive fallout from card breach (Naked Security) Target CEO Gregg Steinhafel managed to hold onto his job for nearly six months after the disclosure that more than 110 million records had been stolen by hackers in December 2013
Did Target's CEO Need to Go? (BankInfoSecurity) Resignation a sign of change in cybersecurity perspectives
Target CEO resignation highlights cost of security blunders (CSO) Chief Executive Gregg Steinhafel's fall will heighten the attention CEOs in retail give to C-level security pros
Do you really think the CEOs resignation from Target was due to security? (CSO) Celebrating the resignation of Target's CEO as a win for security is wrong and harmful for our industry. Instead, consider the entire situation and take these actions to start the right conversations in your company
The NSA sent a mysterious coded tweet. Here's the decrypted message. (Washington Post) The Internet was abuzz this morning over a cryptic tweet sent by the National Security Agency's careers account, which looked like (1) a particularly bad pocket tweet, (2) the latest from Rakesh Agrawal, or (3) a coded message containing national secrets/spy instructions/something else out of the FX drama "The Americans"
Dress Like A Gnome: 6 Security Training Essentials (Dark Reading) Offer home security clinics, make security messages fit for Twitter, and don't be afraid to dress up, say Infosecurity Europe presenters
SE Solutions Hires Leading Expert to serve as Technical Director for Data Analytics (Broadway World) Strategic Enterprise Solutions, Inc. (SE Solutions) announced today its expansion in homeland security strategic and mission-specific services with the addition of Mr. Eric Hagopian as Technical Director for Data Analytics
Products, Services, and Solutions
IBM launches new cybersecurity services (Daily Journal) IBM on Monday announced comprehensive new security software products and services for large enterprises
CEOs May Look Twice At IBM's New Security Suite, Services As Target's Head Rolls (CIO) New security products and services from Big Blue are aimed at preventing nightmare data theft scenarios
Symantec Unveils New Advanced Threat Protection (Dark Reading) Integrated approach and roadmap of organic innovation produce unparalleled defenses and more value
iSIGHT Partners Automates Integration With HP ArcSight Platform (MarketWatch) ThreatScape® API enables interoperability between leading cyber threat intelligence solution and HP ArcSight, the premiere security information and event management solution
EFF invites users to test online tracking blocker (Help Net Security) The Electronic Frontier Foundation is on a mission: give users a tool that will help them disallow/block trackers contained within the Web pages they visit
How Should Enterprises Score Security? (eSecurity Planet) Qualys CTO Wolfgang Kandek discusses his firm's Web application firewall and security scoring efforts and hints at future security technologies to come
Mobile phone security transformed with 4 new encryption apps (Help Net Security) Following the high profile breaches of mobile phone security that have hit the headlines in recent years, a British company has launched a new range of mobile phone apps that provide the last word in encryption security for incoming and outgoing voice and data calls
Technologies, Techniques, and Standards
Anonymous develops secure data over ham radio scheme (The Register) Trading bandwidth for freedom on a pirate channel. Anonymous — or, at least, entities claiming Anonymous affiliation — has put together a secure communications project using the open source ham-radio Fldigi modem controller
NIST updates Transport Layer Security (TLS) guidelines (Help Net Security) The National Institute of Standards and Technology (NIST) has released an update to a document that helps computer administrators maintain the security of information traveling across their networks
How a security expert handles identity-theft protection (Reuters) You won't find security expert Michael Chertoff doing silly everyday things like using public WiFi, logging in with the same password on every site he uses, clicking on dubious links or falling for a phishing scam
Privacy groups look to 'reset Net' to blunt NSA spying (ComputerWorld) Privacy groups call on Web users to deploy security and encryption tools
Booz Allen Helps Utilities Update Cybersecurity Standards and Strengthen Performance (Wall Street Journal) When the North American Electric Reliability Corporation (NERC) signed Order 791 in January 2014, more than 400 utilities suddenly faced a tight timetable to plan for and comply with version 5 of the Critical Infrastructure Protection (CIP) cybersecurity standards
Research and Development
US Navy Sees Bitcoin As An 'Evolving Threat' (ValueWalk) A general solicitation is looking for better ways to monitor the flow of digital currencies
MC2 Researchers Awarded MURI for Work on Hardware Security (Maryland Cybersecurity Center) Researchers at the University of Connecticut, the University of Maryland, and Rice University have been awarded a five-year, $7.5 million grant via an Air Force Office of Scientific Research (AFOSR) MURI to address the topic of "Security Theory for Nano-Scale Devices." Ten researchers in multiple disciplines across the three institutions will collaborate to analyze and develop new security protections for nano-scale computer hardware
Academia
Local students learning cyber security (KSDK) Malicious hackers can wreak havoc, making security breaches extremely costly to companies and government agencies, so people who know how to protect computer systems against hackers and viruses are in high demand
Legislation, Policy, and Regulation
A reporter, a reddit founder, a lawyer, and an ex-NSA chief walk into a debate (Ars Technica) Four major surveillance thinkers argue the merits of our post-Snowden world in Toronto
Is state surveillance a legitimate defense of our freedoms? (Nextgov) Is state surveillance a legitimate defense of our freedoms? The question was put to Michael Hayden, former director of the NSA and the CIA, during a debate Friday evening in Toronto. Alan Dershowitz joined him to argue the affirmative. Glenn Greenwald and Reddit co-founder Alexis Ohanian argued against the resolution
No One Opposes All Surveillance: False Equivalence on the NSA (The Atlantic) But contra Alan Dershowitz, history shows how dangerous uncritical support for surveillance can be
House Judiciary to move on NSA reform bill (The Hill) The House Judiciary Committee this week will mark up a stalled bill to rein in the National Security Agency (NSA) and other intelligence operations. The move announced on Monday amounts to a major step forward for reform at the embattled spy agency, after months of scrutiny from Capitol Hill and international outrage over its surveillance programs
Will new amendment to USA Freedom Act bar bulk data seizures? (Volokh Conspiracy in the Washington Post) The National Journal reports: "House to Advance Bill to End Mass NSA Surveillance"
How federal bill C-13 could give CSIS agents — or even Rob Ford — access to your personal online data (National Post) A wide-ranging new federal bill that will allow Internet and cellphone providers to hand over your personal data without a warrant has privacy advocates concerned about just how many officials will have access to that information, a list that could range from CSIS agents to Toronto Mayor Rob Ford
Policies should focus on 'managing,' not 'solving' cybersecurity problems, says NRC (FierceGovernmentIT) Public policy can help address U.S. cybersecurity, but it should not be viewed as an issue that can be solved through legislation or regulation. Rather, public policy can help improve cybersecurity management, says a new report from the National Research Council
Policy debate looms on U.S. role in market for 'zero-day' cyber threats (Inside Cybersecurity) In a bid to address questions about the federal government's willingness to conceal and exploit cybersecurity vulnerabilities for intelligence purposes, the White House last week issued a statement on how it decides whether to reveal such a flaw, noting a key factor is protecting critical infrastructure. But there remains a looming policy debate about how to control the proliferation of zero-day exploits and whether the United States is in some ways contributing to the problem
Heartbleed: What it told us about US stockpiling of potential cyber-weapons (Christian Science Monitor via the Alaska Dispatch) Heartbleed, the recently divulged cyber-vulnerability that exposed websites to a gaping hole in computer security across half the Internet, exposed something else: a shift in US policy over when to keep such vulnerabilities secret — to be exploited by government spies only — and when to disclose and fix them
Litigation, Investigation, and Law Enforcement
Can we trust anyone with our personal info? (Naked Security) In the last few weeks, two very different criminal cases have concluded on opposite sides of the Atlantic, each of them showing how vulnerable our personal information is to those eager to exploit it
Cuffing darknet-dwelling cyberscum is tricky. We'll 'disrupt' crims instead, warns top cop (The Register) Hackers. If you can't beat 'em, join 'em? Europe's top cyber-cop has called for a shift in focus from the prosecution of online crims to the disruption of their activities
Cops get serious about cybercrime, and not before time (Naked Security) The world's police forces are, it seems, starting to appreciate the scale and significance of the cybercrime problem. The director of the FBI, James Comey, told journalists last week that cyber threats were a major priority for his agency
Iran's Tech Bloggers Caught In the Political Crossfire (Aljazeera America) Five bloggers who activists say were 'apolitical' have been imprisoned for 150 days
Ridenhour Prize for Truth-Telling awarded to pair who detail their fears and concerns (ValueWalk) NSA whistleblower Edward Snowden and journalist Laura Poitras were awarded The Ridenhour Prize for Truth-Telling at a ceremony in Washington, DC
Cartels, Terrorists, and Prisoners: Why Do Criminals "Like" Social Media? (Cyveillance) Funny cat videos. Beautiful vacation scenes. Food photos. High school buddies. Your niece just scored 1,000 points on Candy Crush. When you think of social media, those are just some of the things that may spring to mind. Cartels, prisoners, and gangs probably aren't the first thought, at least for most people. However, just as social media is being used by millions of companies around the world to engage with and better serve customers, organized criminal groups are using it to recruit members and to plan attacks. The following examples demonstrate just a few reasons why criminals like social media, too
Shareholder ends lawsuit against IBM over China risks, NSA scandal (Reuters via the Chicago Tribune) An IBM Corp shareholder has voluntarily ended a lawsuit accusing the company of concealing how its cooperation with a National Security Agency spying program cost it business in China and led to a nearly $13 billion plunge in the company's market value
2 men charged in Tulsa with hacking Navy, other government, education and business sites (AP via the Pendleton Times-Post) Federal prosecutors in Tulsa say two men are charged with conspiring to hack into computer systems of the Navy and more than 30 other government, business and university sites
Upcoming Events
Fraud Summit (Chicago, Illinois, USA, May 14, 2014) From account takeover to payment card fraud and the emerging mobile threatscape, the ISMG Fraud Summit series is where thought-leaders meet to exchange insights on today's top schemes and the technology solutions designed to stop them.
3 Day Startup (San Antonio, Texas, USA, May 23 - 25, 2014) The nation faces tremendous challenges to our online security. Turn innovative ideas into startups that protect our information and our livelihood. 3 Day Startup is an entrepreneurship program designed with an emphasis on learning by doing. The idea is simple: start tech companies over the course of three days.
NRC Cyber Security Seminar/ISSO Security Workshop (Bethesda, Maryland, USA, Jun 16, 2014) NRC will be hosting its second NRC Semi-Annual All-Hands ISSO Workshop. This workshop will consist of computer security policy, standards, cybersecurity, guidance, FISMA compliance, and training updates. The event will be promoted agency-wide. Exhibit tables will be set-up just outside the Auditorium and companies will have the opportunity to demo their latest technologies to NRC's IT personnel. A complete agenda will be posted once all speakers are confirmed.
Resilience Week (Denver, Colorado, USA, Aug 19 - 21, 2014) Symposia dedicated to promising research in resilient systems that will protect critical cyber-physical infrastructures from unexpected and malicious threats—securing our way of life.
Defense Intelligence Agency (DIA)/National Intelligence University (NIU) Open House (Washington, DC, USA, Sep 17, 2014) On September 17, 2014, the National Intelligence University (NIU) will hold a Tech Expo as part of its annual "NIU OUTREACH DAY" in the Tighe Lobby of DIA Headquarters on Joint Base Bolling-Anacostia. This Tech Expo will be open to all personnel within the DIA Headquarters as well as the 600+ students and faculty of NIU. Several of the 'schools' within DIA are expected to participate with their own exhibitions, including: School of Intelligence Studies, School of Science and Technology Intelligence, Center for Strategic Intelligence Research and Center for International Engagement and the John T. Hughes Library.
Ft. Meade Technology Expo (Fort Meade, Maryland, USA, Sep 18, 2014) The Ft. Meade Technology Expo is a one-day event held at the Officers' Club (Club Meade) on base. Industry vendors will have the unique opportunity to showcase their products and services to personnel that may otherwise be unattainable. The target audience will be comprised of personnel from the ARMY, the newly headquartered DISA (Defense Information Systems Agency), DMA (Defense Media Activity), DINFOS (Defense Information School), and Ft. Meade's various military personnel. All of the above groups and military units around the base will receive promotions for this event.
STEM Café (Geneva, Illinois, USA, May 6, 2014) At the next STEM Café, Raimund Ege, associate professor in NIU's Department of Computer Science, will lead a lively discussion on how computer crime affects our everyday lives and what we can do to protect ourselves and our data. The event will take place from 6:30 to 8:30 p.m. Tuesday, May 6, at Claddagh Irish Pub, 1702 Commons Drive in Geneva.
cybergamut Technical Tuesday: Malware Reverse Engineering (Columbia, Maryland, USA, May 6, 2014) An introduction to the tools, workflows, and tricks of the trade to attack sophisticated malware by Dale Robson of CyberPoint. Industry standard cyber security products do a good job in blocking and defending against recognized or suspicious malware. Yet increasingly, advanced malware is customized to evade detection and remediation; and even those that are caught can have deeper and more dangerous capabilities. In order to truly understand the malware's capabilities and to assess its success in gaining access to an enterprise, cyber security professionals should reverse engineer the binary to expose its secrets. But organizations may forgo reverse engineering and rely on industry solutions to characterize and defend against the threat. Reverse engineering is done by exception and within the constraints of budget, time, and available professional talent, if it is done at all. However, reverse engineering malware can be an integral part of every security team's calculus. This session provides a technical review of the tools, workflows, and advanced analytic insight a senior reverse engineer brings to the fight.
Kirtland AFB — Cyber Security Seminar & Information Technology Expo (Albuquerque, New Mexico, USA, May 7, 2014) Join FBC and the Armed Forces Communications & Electronics Association (AFCEA)-Albuquerque Chapter for the Cyber Security Seminar & Information Technology Expo set to take place at Kirtland Air Force Base. This is the only yearly event officially sponsored by AFCEA at Kirtland AFB. The goal of this expo is to stimulate exchanges of information between industry partners and Kirtland AFB Information Management Officers, Information Technology personnel, and Contracting Officers, as well as end-users, developers, scientists, researchers and project managers in the areas of cyber security and information technology.
US Secret Service Cybersecurity Awareness Day (Washington, DC, May 8, 2014) This Cybersecurity event will be the first of its kind at the USSS. There will be 2-3 opportunities for participating companies to present a 1/2 hour presentation on a Cybersecurity topic of concern to the agency. In addition, this event will be widely attended by the majority of personnel at the USSS HQ building. Attendance is expected to be over 300 for the event.
SANS Security West: SANS Security West will arm information security professionals with the necessary insight to prepare their organization for today and the future. Attendees will have the opportunity to advance their information security skill set by learning innovative ideas and techniques to fend off today's most challenging cyber threats as well as emerging threats.
HackMiami 2014 (Miami Beach, Florida, USA, May 9 - 11, 2014) The HackMiami 2014 Hackers Conference seeks to bring together the brightest minds within the information security industry and the digital underground. This conference will showcase cutting edge tools, techniques, and methodologies that are at the forefront of the global threat landscape.
Eurocrypt 2014: Eurocrypt 2014 is the 33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques. It is devoted to all aspects of cryptology.
ISPEC 2014 (Fujian, China, May 12 - 14, 2014) The ISPEC conference series is an established forum that brings together researchers and practitioners to provide a confluence of new information security technologies, including their applications and their integration with IT systems in various vertical sectors.
CyberWest (Phoenix, Arizona, USA, May 13 - 14, 2014) Cyber threats affect all industry sectors and impact individuals, businesses and governments. From hacktivists to advanced persistent threats, conducting business on-line exposes individuals, corporations and Governments to a complex threat environment including hacktivists to trans-national crime organizations and advanced persistent threats. Join experts from government, industry and academia in discussing how we are making our future more secure.
GovSec 2014 (Washington, DC, USA, May 13 - 14, 2014) GovSec is the nation's premier event for Government, Homeland Security, and Law Enforcement professionals looking for proven strategies and cost effective technology so they can achieve their mission of protecting our critical infrastructures, key assets, communities and the nation.
Cyber Security for National Defense Symposium: DSI's Cyber Security for National Defense Symposium is designed as an educational and training "Town Hall" forum, where thought leaders and key policy-makers across military and civilian organizations can come together for actionable discussions and debate. The symposium will focus on increasing the security and resiliency of the Nation's critical networks, operating freely in the Cyber Domain, and the protection of infrastructure in support of national defense and homeland Security.
FOSE Conference (Washington, DC, USA, May 13 - 15, 2014) Spend 1 day or 3 days at the FOSE conference and leave with actionable information, covering a broad spectrum of trending topics including: Cybersecurity, Cloud and Virtualization, Mobile Government, Big Data and Business Intelligence, Project Management, Procurement and Acquisition and more. (free-of-charge for government personnel).
INFILTRATE: INFILTRATE is a deep technical conference that focuses entirely on offensive security issues. Groundbreaking researchers focused on the latest technical issues will demonstrate techniques that you cannot find elsewhere. INFILTRATE is the single-most important event for those who are focused on the technical aspects of offensive security issues, for example, computer and network exploitation, vulnerability discovery, and rootkit and trojan covert protocols. INFILTRATE eschews policy and high-level presentations in favor of just hard-core thought-provoking technical meat.
Security BSides Denver 2014 (Denver, Colorado, USA, May 16, 2014) Each BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening.
Security Start-up Speed Lunch NYC (New York, New York, USA, May 19, 2014) Our goal for this inaugural event is to connect the most promising security startups in the world with decision-makers at aerospace, asset-management, banking, communications, defense, energy, healthcare, government, technology and transportation sector companies in a novel way: the speed lunch.
CEIC 2014 (Las Vegas, Nevada, USA, May 19 - 22, 2014) It's no exaggeration to say that CEIC is the biggest digital-investigations conference of its kind and the only one to offer hands-on lab sessions and training for practical skills development. From sessions on acquiring evidence from mobile devices to international e-discovery to cyber security intelligence, there's simply no other training or seminar series available that packs so much relevant and practical information from so many expert speakers into a single four-day period.
The Device Developers' Conference: Bristol (Bristol, England, UK, May 20, 2014) The Device Developers' Conference is an annual UK event for the developers of intelligent systems and devices. The objective is to provide an event that provides engineers with an opportunity to learn about the latest tools, technologies and techniques for the successful development of leading edge electronic products and systems.
Mobile Network Security in Europe (London, England, UK, May 21, 2014) Following on from two successful events in the United States, this first Light Reading conference on Mobile Network Security in Europe will again focus on the key role of the network in safeguarding the mobile carrier's network assets while protecting its customers from security attacks. The conference will also consider the case for distributing and coordinating security strategies across the end-user device, the mobile network, and the cloud as carriers look to prevent attackers from triggering outages and degradations or from stealing sensitive customer information.
Positive Hack Days Positive Hack Days is the international venue for the unification of progressive forces of the IT industry. It is about innovators interested in information security problems; it is fresh blood and bright eyes, the atmosphere of a huge research ground, communication between people sharing the same views and their opponents, minimum formalities and maximum practice.
Georgetown Law: Cybersecurity Law Institute A day does not go by where cybersecurity is not in the news. In fact, according to a recent national survey conducted by FTI Consulting, cybersecurity is the number one issue on the minds of general counsels of American companies. Last year's inaugural Cybersecurity Law Institute received positive reviews for its unique simulation approach that prepared attendees on actions to take if their company faced a cyber-attack.
NSA Mobile Technology Forum (MTF) 2014 The Mobile Technologies Forum is an annual event that attracts SIGINT, Information Assurance, HUMINT, Federal Law Enforcement, Counterintelligence and Government personnel from the United States, Australia, Canada, New Zealand, and United Kingdom focused on mobile technologies. Those companies who specialize in both current and future mobile features and equipment or have efforts that benefit NSA's efforts should participate as a commercial vendor; conference attendance is limited to government employees.
CyberMontgomery Forum: Center of Gravity (Rockville, Maryland, USA, May 22, 2014) Cybersecurity will be a major growth engine in the region for many years to come. With solid federal government, industry and academic assets already in place in the region, there is still a need to bring them together so that they can coalesce and elevate the cyber ecosystem to a level of national prominence. CyberMontgomery Forum events will provide clear direction on finding business opportunities, contracting, forecasted demand areas, workforce development, recruiting & staffing, legal responsibilities for businesses, updates on technologies being developed in MoCo and summary updates regarding our NCCoE neighbors, federal civilian agencies and commercial sector leaders.
Cyber Risk Summit (Washington, DC, USA, May 22, 2014) This one-day leadership conference will provide a discussion forum for business executives, insurance companies and policymakers on more effective private and public responses to cyber risk management. Topics to be discussed by expert speakers will include state and federal regulatory and legislative initiatives, efforts to develop a common cyber security framework, the threats from cyber espionage and terrorism, and the development of public and private mechanisms to finance and transfer losses from cyber events.
The Device Developers' Conference: Cambridge (Cambridge, England, UK, May 22, 2014) The Device Developers' Conference is an annual UK event for the developers of intelligent systems and devices. The objective is to provide an event that provides engineers with an opportunity to learn about the latest tools, technologies and techniques for the successful development of leading edge electronic products and systems.
Fort Meade Technology Expo The Ft. Meade Technology Expo is a one-day event held at the Officers' Club (Club Meade) on base. Industry vendors will have the unique opportunity to showcase their products and services to personnel that may otherwise be unattainable.
CANSEC CANSEC is Canada's foremost defence tradeshow. A two-day event, CANSEC will feature 120,000 square feet of indoor exhibits by Canada's leading edge defence companies, as well as an outdoor static display. This tradeshow targets a wide audience of customers that includes Government agencies and departments with an interest in the defence sector.
Hack in The Box Security Conference (HITBSecConf) Amsterdam HITBSecConf Amsterdam is a gathering of network security professionals and enthusiasts who come from all corners of the globe to discuss the next generation of attacks and defense techniques. This is not an event you come to for 'security 101' talks or marketing hype. We cover stuff that hasn't made it into the news — yet. Potential security issues coming our way in the next 12 months.