
The CyberWire Daily Briefing for 5.9.2014
Cyber-snooping on FARC talks will be resolved in Colombia's courts even as it roils the presidential election.
Chinese security organs accuse an "unnamed foreign country" (but they're looking at you, America) of actively recruiting students as agents. Quartz describes how Millennials in both countries are peculiarly vulnerable to this old-yet-new form of social engineering.
Recorded Future begins a series on how al Qaeda is muffling its digital exhaust post-Snowden. (Compare British MP Rifkind's assessment: Snowden's leaks were tantamount to an attack on the US.)
Sysadmins were warned this week against compromise by sparrows and ravens, but some of them need no such inducement. A former US Navy sailor—sysadmin on USS Harry S Truman—is charged with having led the anti-military hacktivist crew "Team Digi7al" from his spaces aboard the warship. Apparently he did it for the lulz.
The upcoming FIFA World Cup opens vast opportunities for phishing and waterholing.
Analysts point to the rapid evolution of malware, the large tribe of cyber attackers, and potential targets' burgeoning attack surface as more evidence that greater automation is required for effective defense. They also note the simultaneous difficulty and indispensability of threat intelligence: if it's not timely and well-structured, it's just so much glare.
A great deal of industry news focuses on investors' views of companies in the sector. Those views aren't uninformed, but they represent an unfamiliar perspective. Entrepreneurs might consider investors (stock buyers, not VCs) a low-information audience.
Welcome to the industry, Keith Alexander, now a cyber security consultant.
Notes.
Today's issue includes events affecting Australia, Brazil, China, Colombia, Iran, Saudi Arabia, Switzerland, Thailand, Turkey, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Dirty tricks take over Colombian campaign (Buenos Aires Herald) Discovery of intel centre linked to Santos' rival comes just one day after aide's resignation. With presidential elections in Colombia just around the corner and the outcome still unclear, the main candidates' campaign teams have started resorting to dirty tricks
Man Accused of Cyber Spying on Colombian Government to Remain in Custody (Latino Daily News) A man arrested for conducting a clandestine cyber-espionage operation targeting the Colombian government's negotiations with leftist guerrillas will remain in custody pending trial, a judge ordered Wednesday
Foreign spies lure Chinese students (China.org.cn) China's security department has discovered overseas intelligence agencies are using the Internet and money to lure Chinese students to steal state secrets
China and the US are racing to turn poor, naive Millennials into spies (Quartz) Chinese state media are accusing an "unnamed foreign country" of recruiting spies at Chinese universities and through popular blogs and social media. This week, a series of news reports claim that unsuspecting Chinese, some of them as young as 16 years old, are being lured into working for foreign intelligence agents
How Al-Qaeda Uses Crypto Post-Snowden (Part 1) (Recorded Future) Since 2007, Al-Qaeda's use of encryption technology has been based on the Mujahideen Secrets platform which has developed to include support for mobile, instant messaging, and Macs. Following the June 2013 Edward Snowden leaks we observe an increased pace of innovation, specifically new competing jihadist platforms and three (3) major new encryption tools from three (3) different organizations — GIMF, Al-Fajr Technical Committee, and ISIS — within a three to five-month time frame of the leaks
Threats Get a Kick Out of 2014 FIFA World Cup Brazil Buzz (TrendLabs Security Intelligence Blog) Cybercriminals are well-versed in preying upon anyone curious about world events. Case in point: the upcoming 2014 FIFA World Cup in Brazil. While the world is waiting for this, cybercriminals are not wasting time and are now launching new threats that turn global followers into victims
Sefnit Accomplices Account For Spike In Malware Infections (Threatpost) Plenty has been written about the Sefnit malware family and its favor with using Tor to mask communication, as well as the money it's made for criminals via click-fraud schemes. Sefnit, however, has had a pair of accomplices that until recently were regarded as harmless programs by most security companies. The trio, which now includes two malware families Rotbrow and Brantall, are responsible for a startling jump in malware infections detected in the fourth quarter of last year, according to Microsoft
SNMP: The next big thing in DDoS Attacks? (Internet Storm Center) It started with DNS: Simple short DNS queries are easily spoofed and the replies can be much larger than the request, leading to an amplification of the attack by orders of magnitude. Next came NTP. Same game, different actors: NTP's "monlist" feature allows for small requests (again: UDP, so trivially spoofed) and large responses
Address bar tweak in early Chrome beta puts even savvy users at risk (Ars Technica) Bug allows attackers to hide addresses used to phish passwords or push malware
The prime target for malicious emails (Help Net Security) In the first quarter of 2014 spammers started imitating messages from mobile applications. They especially like the popular mobile messengers — WhatsApp, Viber and Google Hangouts. Notifications supposedly sent from these applications were used to spread both malware and harmless adverts
New iPhone lock screen flaw gives hackers full access to contact list data (ZDNet) iPhone users are vulnerable to a lock-screen flaw that allows a hands-on hacker to gain full access to a user's contacts list
Four weeks on, huge swaths of the Internet remain vulnerable to Heartbleed (Ars Technica) Some 300,000 systems remain susceptible to catastrophic exploits, one scan shows
OAuth, OpenID Flaw: 7 Facts (Dark Reading) Authentication-protocol implementation security flaws are not as serious as Heartbleed, but Facebook and other sites must be fixed, say security experts
Orange bitten by data breach, leaks personal data from promotional messaging server (Naked Security) Back in November 2013, telecomms company Orange signed a data protection charter
Bitly breached, gives (shortened) details to customers on blog (Naked Security) Popular URL shortener Bitly is the latest cloud service to say, "Er, looks like crooks have been wandering around in our network"
Mystery surrounds Bitly's urgent security warning following security breach (We Live Security) If you have an account with the URL-shortening service Bitly you should read the "urgent security update" they have just published
WooThemes hacked. Premium WordPress theme manufacturer warns of credit card leak (Hot for Security) There's potentially some rather bad news today if you are a customer of WooThemes, the popular WordPress theme manufacturer
Ground(ctrl) Hacked (eSecurityPlanet) Users' e-mail addresses, passwords, and the last four digits and expiration dates of their credit cards may have been accessed
Data Breach at Vendor Exposes DeKalb Health Patient Information (eSecurityPlanet) More than 1,300 people's information may have been accessed
UMass Memorial Medical Center Admits Insider Breach (eSecurityPlanet) 2,400 patients' names, birthdates, addresses and Social Security numbers may have been accessed
Check Point: 'Unknown malware' hits enterprise nets 53 times a day (NetworkWorld) Check Point's annual security report says attackers are automating 'unknown malware' generation
1 In 10 US Smartphone Users Victims of Theft (Dark Reading) And 10 percent of smartphone loss and theft victims lose confidential business information with their stolen devices
Security Patches, Mitigations, and Software Updates
Cisco Releases Security Advisory for WebEx Players (US-CERT) Cisco has released a security advisory to address multiple buffer overflow vulnerabilities in Cisco WebEx Recording Format and Advanced Recording Format Players. Successful exploitation of the vulnerabilities could cause an affected player to crash or allow a remote attacker to execute arbitrary code
No Windows XP, Office 2003 patches in May Patch Tuesday (ZDNet) The company will release eight bulletins, two of them critical, and five for Microsoft Windows. Windows XP is not scheduled to receive an update, nor is Office 2003 scheduled to receive either of the two Office updates
Adobe to release Acrobat/Reader update Tuesday (ZDNet) At least one critical vulnerability affecting supported versions of both Adobe Reader and Acrobat on both Mac and Windows will be patched next week
Anti-phishing in Google Chrome a shaky work in progress (CSO) Google's experimenting with anti-phishing in Chrome shows little progress in closing the gap with Microsoft's Internet Explorer
Cyber Trends
In the digital ocean, predators outnumber protectors (CSO) The Internet of Things offers almost magical convenience. But without better 'digital literacy,' it will be like swimming with sharks, says Josh Corman
Why Threat Intelligence Is Like Teenage Sex (Dark Reading) Everyone thinks everyone else is doing it, and most of the few people who are actually doing it aren't doing it all that well
Saudi Aramco Cyber Attacks a 'wake-up call', Says Former NSA Boss (Infosecurity Magazine) Gen. Keith Alexander warns of threat to CNI systems, but experts question whether 2012 incident was a game changer
CIOs fear compliance and regulation over IT failure to tackle big data (ComputerWeekly) Almost half (46%) of UK organisations are struggling to extract value from information due to current approaches to IT. As many as 87% of CIOs fear that failing to address their untapped intelligence will lead to issues with compliance and regulation, according to a research
Security Think Tank: KuppingerCole's security predictions for 2014 (ComputerWeekly) After the proliferation of Stuxnet, Duqu in 2012 and other Scada-focused attacks in 2013, industrial control system security will become an important topic in 2014, writes Robert Newby. Large-scale processes involving multiple sites over long distances will be increasingly subject to advanced persistent attack
Security Think Tank: ISF's top security threats for 2014 (ComputerWeekly) The top security threats global businesses will face in 2014 include bring your own device (BYOD) trends in the workplace, data privacy in the cloud, brand reputational damage, privacy and regulation, cyber crime and the continued expansion of ever-present technology
Network perimeter security still key despite virtualization shift: Watchguard (CSO) Increased use of virtualization may be driving many businesses to investigate internally focused data protection solutions, but customer appetite for hardware-based perimeter controls shows no sign of slowing, according to one solutions provider
Cloud app security exceptions have become the rule, says report (FierceITSecurity) Cloud app security exceptions have become the rule, putting organizations' security at risk, warns the most recent Netskope Cloud Report. A disturbing 90 percent of cloud app usage is in apps that were blocked at the network perimeter but were granted exceptions, according to the report, which compiles data from Netskope Active Platform users
Microsoft: Deception Dominates Windows Attacks (Dark Reading) Deceptive downloads and ransomware tripled worldwide in Q4 2013, according to the new Microsoft Security Intelligence Report
Small businesses targeted with email-borne exploits (Help Net Security) Even though the data gathered by Microsoft points to the fact that cybercriminals now prefer deceptive tactics to exploits, it does not mean that the latter approach has been wholly abandoned
Growing dynamic in politically-motivated hacktivism (Help Net Security) While financial cybercrime becomes ever more entrenched through a consolidating demand and supply chain, the hacktivist landscape is more turbulent, vacillating constantly in tandem with geo-political turmoil
Chronic Disease Patients' Top Online Privacy Worries (InformationWeek) Medical data privacy isn't as much of a worry as online banking data privacy for these patients, Accenture study finds
200 mn data records stolen in Jan-Mar 2014 globally: SafeNet (ZeeNews) Data breaches have witnessed a major surge this year with cyber criminals stealing around 200 million data in the first quarter, a whopping 233 per cent rise over the year-ago period, a report by SafeNet said on Wednesday
Marketplace
The Cyber Security Market Is Hot! Here's Why (Dark Reading) A dozen years ago the $3.5 billion security market was dominated by five vendors. Last year, VCs bankrolled 230 startups. My, how things have changed!
Startup Spotlight: Cloud Security Specialist Armor5 (eSecurity Planet) Most mobile security solutions utilize a traditional endpoint management approach, but not the cloud security service provided by startup Armor5
Want to be the next Mandiant and sell your company for $1 billion? Here's how not to do it. (Washington Business Journal) Things ended well for Alexandria-based Mandiant Corp., with a $1 billion acquisition by cybersecurity giant FireEye. But trying to follow too closely in the cyber company's footsteps will probably result in failure
Majority of data breach respondents did not have cyber insurance: Ponemon Institute (Canadian Underwriter) Only one in three companies surveyed by Ponemon Institute LLC have a cyber insurance policy to manage the risk of data breaches, but the average cost per compromised record was US$145, with some respondents reporting more than 100,000 compromised records
Data Breaches: a new source of worry and concern for company heads (AP via Detroit Legal News) Add hackers to the long list of things that give CEOs insomnia
Will Investors Regret Target's CEO Ouster? Compare to Sears, JCP (Forbes) There was much press this week about Target's CEO and Chairman, Gregg Steinhafel, being forced out. Blame reached the top job after the successful cyber attack on Target last year. But investors, and customers, may regret this somewhat Board level over-reaction to a mounting global problem
Open Source's Deep-Seated Conflict (InformationWeek) Heartbleed showed that it doesn't matter whether open source projects can patch bugs faster. The real issue is whether they can generate enough revenue to stay alive
Small firms invest big in content security to protect data (FierceITSecurity) Faced with increasing threats to their data, small businesses are investing heavily in content security products
Firms have wasted millions on faulty IT security awareness programs, says ISF (FierceITSecurity) New training programs should focus on reducing risk rather than checking boxes
The Intelligence Community Needs a New Workforce Model (Nextgov) "Recognizing employees today and meeting unknown requirements for the future, strategic workforce planning is more important now than ever," said Deborah Kircher, Chief Human Capital Officer for the Office of the National Director of Intelligence
Symantec Sales Forecast Shows Improving Security Demand (Bloomberg) Symantec Corp. (SYMC) is benefiting as hacking attacks fuel higher demand for cyber-security software, while cost cuts are bolstering profits
Symantec's 'Death of Antivirus' Is a Dangerous Marketing Ploy (Tom's Guide via Yahoo! News) Earlier this week, an executive of the antivirus software giant Symantec told a reporter from the Wall Street Journal that his company's core business model "is dead"
Why "AV is dead" is a dead end topic (Trend Micro Simply Security) It seems like not a day goes by without you hearing someone declare that "AV is dead." Most recently we've even seen people in our industry in the news making this claim
New buys for EMC may come in security, big data (PCWorld) EMC may be in the market for security and data analytics acquisitions as it builds out what it calls a federation of businesses among VMware, RSA Security, Pivotal and the company's traditional storage operations
Finjan Holdings To Begin Trading On The NASDAQ Capital Market (MarketWatch) Finjan Holdings, Inc. (otc mkt:FNJN) today announced it has received confirmation that its application to list the Company's common stock on The NASDAQ Capital Market has been approved by The NASDAQ Stock Market, a unit of the NASDAQ OMX Group
Procera Networks Inc Stock Downgraded (PKT) (The Street) Procera Networks (Nasdaq:PKT) has been downgraded by TheStreet Ratings from hold to sell. The company's weaknesses can be seen in multiple areas, such as its disappointing return on equity and generally disappointing historical performance in the stock itself
A**hat of the Year Award: Dave Dewalt, CEO of $FEYE (iBankCoin) I know it's early in the year and there will be plenty of gents worthy of this distinguished award. However, it would be impossible for anyone to steal this guy's thunder inside of the next 7 months of 2014
Ex-NSA chief Keith Alexander seeks post-Snowden second act (Politico) 'This effort is in its exploratory stages, and I look forward to the work ahead.' Former National Security Agency chief Gen. Keith Alexander is launching a consulting firm for financial institutions looking to address cybersecurity threats
Why Splunk Inc. Shares Went Splat Today (Motley Fool) What: Shares of intelligence software specialist Splunk Inc. (NASDAQ: SPLK) dropped nearly 13% early this morning, and then settled to close down around 6% as the broader tech sector pulled back
Doug Merritt Joins Splunk as Senior Vice President, Field Operations (MarketWatch) Tom Schodorf to retire at the end of FY15; Splunk delivers strong Q1 results
FTI Consulting Appoints Thomas Brown and Christopher Tarbell to Bolster its Cyber Security Solutions Offering (Broadway World) FTI Consulting, Inc. (NYSE: FCN), the global business advisory firm dedicated to helping organizations protect and enhance their enterprise value, today announced the appointment of Thomas Brown and Christopher Tarbell in the Company's Global Risk and Investigations Practice
Products, Services, and Solutions
Lockheed Martin Integrates Cyber Security Standards Into Open Source Platform for Automated Sharing (MarketWatch) Lockheed Martin announced its successful integration of the latest cyber security standards into an open source software platform
CipherCloud Announces Cloud Discovery Solution Latest Edition to Its Growing Portfolio (Bobsguide) New solution delivers visibility and risk scoring into Enterprise Cloud Application Usage
Technologies, Techniques, and Standards
Automated Traffic Log Analysis: A Must Have for Advanced Threat Protection (SecurityWeek) If there is a silver lining to the series of high-profile targeted attacks that have made headlines over the past several months, it is that more enterprises are losing faith in the "magic bullet" invulnerability of their prevention-based network security defense systems
Net tech bods at IETF mull anti-NSA crypto-key swaps in future SSL (The Register) 'Perfect example of how Snowden has improved our privacy' says professor
Heartbleed, IE Zero Days, Firefox vulnerabilities — What's a System Administrator to do? (Internet Storm Center) With the recent headlines, we've seen heartbleed (which was not exclusive to Linux, but was predominately there), an IE zero day that had folks over-reacting with headlines of "stop using IE", but Firefox and Safari vulnerabilities were not that far back in the news either
Using reputation-based security to mitigate IPv6 security risks (TechTarget) With the gradual switch to IPv6, I've read that attackers will have a basically infinite amount of unique IP addresses from which they will be able to send malicious traffic. Right now, my organization utilizes a reputation-based security system to filter out such traffic from known, malicious IPv4 addresses, but will that be possible once IPv6 uptake is in full swing? How should we change our network security posture to account for this new risk?
Cisco TelePresence vulnerability: Mitigate default credentials issues (TechTarget) A serious vulnerability was recently found in Cisco Systems Inc.'s TelePresence systems that could be triggered due to default credentials being left in place after system setup. Could you provide some security best practices that enterprises could implement for such systems, particularly in regard to the use of unique credentials?
Audit concerns when migrating from traditional firewall to NGFW (TechTarget) My organization is looking to transition from a traditional firewall to a next-generation firewall (NGFW), but I'm concerned about the overlap when both will be in use. Are there any inherent dangers involved with running them side-by-side during the transition? Or could there even be advantages depending on how we write our firewall policies?
Inside United Airlines' nerve center (IT World) From a desk in downtown Chicago, United dispatchers can talk to pilots anywhere in the world
The State of Cryptography in 2014, Part 2: Hardware, Black Swans, and What To Do Now (TrendLabs Security Intelligence Blog) Is hardware security any better? We closed the first post by asking: is hardware any more trustworthy? One would think that it is… but it's not. Recently, chip vendors have been incorporating cryptography into their CPUs or chipsets. Usually, this is an implementation of a "standard" cipher (like AES) or a pseudorandom number generator (PRNG)
Design and Innovation
2014 NBIA Incubation Award Finalists (NBIA) …Cyber Incubator at bwtech@UMBC, Baltimore, Md., Alexandra Gold, incubator manager…Achievements: bwtech's Cyber Incubator has been financially stable due to diligent oversight by its staff and Board of Directors, by its ability to negotiate a below market rent for the incubator with the building owner and due to support from the State of Maryland for leasehold improvements, says Alexandra Gold, incubator manager
Research and Development
World's First Covert Communications System with Camouflage Guaranteed (MIT Technology Review) Sometimes encrypting messages isn't enough, and the very act of sending them must be hidden as well. Now physicists have discovered how to camouflage messages and guarantee that they remain hidden
No God In The Machine (InformationWeek) Artificial intelligence cannot replicate human consciousness, say Irish researchers in new study
Scientific computing's future: Can any coding language top a 1950s behemoth? (Ars Technica) Cutting-edge research still universally involves Fortran; a trio of challengers wants in
RAND: Navy should adopt a cloud-based system to help it better collect, analyze and distribute sensor data (FierceGovernmentIT) The Navy should adopt a cloud-based system to keep pace with the growing demand for intelligence, surveillance and reconnaissance data that are needed for situational awareness and other mission-critical tasks, said researchers in a new RAND report
Legislation, Policy, and Regulation
MPs call for spy agency oversight reforms (ComputerWeekly) Parliament's cross-party home affairs select committee is calling for wide and radical reforms of intelligence agency oversight mechanisms to improve accountability
The life of National Councillor Balthasar Glättli under surveillance (Digitale Gesellschaft) Interactive visualisation of data retention in Switzerland
Turkey has censored more than 100 tweets in the past week (The Verge) More than a month after Turkey lifted its Twitter block, the country's government is still keeping a close eye on any potentially embarrassing tweets. This week alone, Turkish courts have filed five separate takedown motions to Twitter HQ, requesting the removal of over a hundred tweets
ADF to embrace cyber warfare in future military operations (Sydney Morning Herald) The Australian Defence Force has embraced cyber warfare, deception and disinformation through the internet as key elements of future military operations. However, newly declassified ADF papers provide no guidance on how efforts to influence and deceive adversaries will not also mislead the Australian public and media
Google, Amazon and other online giants warn FCC on net neutrality (IT World) Weaker net neutrality rules will pose a 'grave threat' to the Internet, they say
Regulating User-Generated Health Information, Privacy an Uphill Battle (Threatpost) The proliferation of wearable devices coupled with smartphone apps that monitor heart rates and other health metrics raises an important question: How exactly should the information generated by these devices be regulated? If there's a fist fight in a bar can a person's Fitbit accelerator be subpoenaed? How much user-manufactured data can companies share or integrate into advertising?
State CIOs call for federal collaboration on cyber security (Business Insurance) Members of the National Association of State Chief Information Officers urged more federal collaboration on cyber security issues during the Kentucky-based organization's midyear conference
NASA Reports Most Cyber Incidents But Gets an 'A' for Compliance (Wall Street Journal) The National Aeronautics Space Administration reported the highest number of cybersecurity incidents in 2013. Paradoxically, it also has one of the best track records among federal agencies of complying with security regulations, according to a May 1 report to Congress by the Office of Management and Budget. Analysts say NASA's cybersecurity situation is a sign the government is measuring the wrong things
Litigation, Investigation, and Law Enforcement
US Navy sysadmin charged with 'Team Digi7al' hacktivist attacks on military (CSO) A sysadmin who worked in the nuclear reactor department of a US warship used his privileged access to hack Navy databases before boasting of the exploits on Twitter, US Government prosecutors have alleged
U.K. Intelligence Watchdog Says Snowden Leak Was Attack on U.S. (Bloomberg BusinessWeek) Malcolm Rifkind, the lawmaker running the parliamentary committee that oversees British spies, said Edward Snowden's leaks about the extent of surveillance by British and American agencies was an "attack on the U.S."
FTC Must Disclose Consumer Data Security Standards (InformationWeek) A company accused by the FTC of failing to provide adequate data security has the right to know the required security standards, administrative judge rules
Apple will notify customers when the law demands their personal data (Naked Security) Earlier this month, Apple joined other, growingly defiant tech companies with the decision to stop quietly going along with investigators' demands for its users' email and other electronic data
Legal Guidelines Say Apple Can Extract Data From Locked iOS Devices (Threatpost) If law enforcement gets hold of your locked iPhone and has some interest in its contents, Apple can pull all kinds of content from the device, including texts, contacts, photos and videos, call history and audio recordings
A county's only unsolved murder has a victim without a digital footprint (Ars Technica) It's now notable when a case has no digital evidence to speak of
Senator: S.C. hacker received $25,000 ransom (The State) A state senator said Thursday that he believes federal authorities paid a $25,000 ransom to the computer hacker who stole the personal data of 6.4 million residents from the South Carolina Department of Revenue
Server mishap results in largest HIPAA fine to date (FierceHealthIT) A breach of electronic protected health information impacting 6,800 individuals at two New York-area hospitals discovered in the summer of 2010 has resulted in the largest HIPAA settlement to date—$3.3 million
Snapchat agrees to settlement with FTC over privacy complaints (Naked Security) Snapchat and the US Federal Trade Commission (FTC) agreed to terms in a settlement over privacy complaints, including that the fast-growing mobile messaging service had "deceived users"
Saudi blogger sentenced to ten years in jail, $266K fine and 1,000 lashes for insulting Islam (HackRead) Raif Badawi, a Saudi blogger has been sentenced to prison for ten years plus 1,000 lashes as a punishment for allegedly insulting the religion of Islam on an online liberal forum he created. The criminal court in Jeddah also ordered Badawi to pay one million Saudi riyals (about $266,000) as a fine. Badawi's liberal forum was closed after his arrest in 2012
Swiss Bank Hacker Arrested in Thailand (eSecurity Planet) Mohamed Yassine Gharib is accused of involvement in the theft of more than $18 million from Swiss banks
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
How the SBIR/STTR Program Can Help Grow Your Business (Halethorpe, Maryland, USA, May 27, 2014) The SBIR/STTR programs promote small business innovation and profitability while simultaneously meeting the government's research and development needs. Every year, small businesses receive millions of dollars in SBIR/STTR funds for research, development and commercialization purposes. This course will provide attendees with an overview of the SBIR/STTR programs; funding sources and eligibility requirements; best practices in SBIR/STTR proposals writing, involvement, and commercialization; and a discussion of how to protect your company's legal interests in either program.
SANS Security West SANS Security West will arm information security professionals with the necessary insight to prepare their organization for today and the future. Attendees will have the opportunity to advance their information security skill set by learning innovative ideas and techniques to fend off today's most challenging cyber threats as well as emerging threats.
Eurocrypt 2014 Eurocrypt 2014 is the 33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques. It is devoted to all aspects of cryptology.
ISPEC 2014 (Fujian, China, May 12 - 14, 2014) The ISPEC conference series is an established forum that brings together researchers and practitioners to provide a confluence of new information security technologies, including their applications and their integration with IT systems in various vertical sectors.
GovSec 2014 (Washington, DC, USA, May 13 - 14, 2014) GovSec is the nation's premier event for Government, Homeland Security, and Law Enforcement professionals looking for proven strategies and cost effective technology so they can achieve their mission of protecting our critical infrastructures, key assets, communities and the nation.
Cyber Security for National Defense Symposium DSI's Cyber Security for National Defense Symposium is designed as an educational and training "Town Hall" forum, where thought leaders and key policy-makers across military and civilian organizations can come together for actionable discussions and debate. The symposium will focus on increasing the security and resiliency of the Nation's critical networks, operating freely in the Cyber Domain, and the protection of infrastructure in support of national defense and homeland Security.
CyberWest (Phoenix, Arizona, USA, May 13 - 14, 2014) Cyber threats affect all industry sectors and impact individuals, businesses and governments. From hacktivists to advanced persistent threats, conducting business on-line exposes individuals, corporations and Governments to a complex threat environment including hacktivists to trans-national crime organizations and advanced persistent threats. Join experts from government, industry and academia in discussing how we are making our future more secure.
Fraud Summit (Chicago, Illinois, USA, May 14, 2014) From account takeover to payment card fraud and the emerging mobile threatscape, the ISMG Fraud Summit series is where thought-leaders meet to exchange insights on today's top schemes and the technology solutions designed to stop them.
INFILTRATE: INFILTRATE is a deep technical conference that focuses entirely on offensive security issues. Groundbreaking researchers focused on the latest technical issues will demonstrate techniques that you cannot find elsewhere. INFILTRATE is the single-most important event for those who are focused on the technical aspects of offensive security issues, for example, computer and network exploitation, vulnerability discovery, and rootkit and trojan covert protocols. INFILTRATE eschews policy and high-level presentations in favor of just hard-core thought-provoking technical meat.
Security BSides Denver 2014 (Denver, Colorado, USA, May 16, 2014) Each BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening.
Security Start-up Speed Lunch NYC (New York, New York, USA, May 19, 2014) Our goal for this inaugural event is to connect the most promising security startups in the world with decision-makers at aerospace, asset-management, banking, communications, defense, energy, healthcare, government, technology and transportation sector companies in a novel way: the speed lunch.
CEIC 2014 (Las Vegas, Nevada, USA, May 19 - 22, 2014) It's no exaggeration to say that CEIC is the biggest digital-investigations conference of its kind and the only one to offer hands-on lab sessions and training for practical skills development. From sessions on acquiring evidence from mobile devices to international e-discovery to cyber security intelligence, there's simply no other training or seminar series available that packs so much relevant and practical information from so many expert speakers into a single four-day period.
The Device Developers' Conference: Bristol (Bristol, England, UK, May 20, 2014) The Device Developers' Conference is an annual UK event for the developers of intelligent systems and devices. The objective is to provide an event that provides engineers with an opportunity to learn about the latest tools, technologies and techniques for the successful development of leading edge electronic products and systems.
Mobile Network Security in Europe (London, England, UK, May 21, 2014) Following on from two successful events in the United States, this first Light Reading conference on Mobile Network Security in Europe will again focus on the key role of the network in safeguarding the mobile carrier's network assets while protecting its customers from security attacks. The conference will also consider the case for distributing and coordinating security strategies across the end-user device, the mobile network, and the cloud as carriers look to prevent attackers from triggering outages and degradations or from stealing sensitive customer information.
Positive Hack Days: Positive Hack Days is the international venue for the unification of progressive forces of the IT industry. It is about innovators interested in information security problems; it is fresh blood and bright eyes, the atmosphere of a huge research ground, communication between people sharing the same views and their opponents, minimum formalities and maximum practice.
Georgetown Law: Cybersecurity Law Institute: A day does not go by where cybersecurity is not in the news. In fact, according to a recent national survey conducted by FTI Consulting, cybersecurity is the number one issue on the minds of general counsels of American companies. Last year's inaugural Cybersecurity Law Institute received positive reviews for its unique simulation approach that prepared attendees on actions to take if their company faced a cyber-attack.
NSA Mobile Technology Forum (MTF) 2014: The Mobile Technologies Forum is an annual event that attracts SIGINT, Information Assurance, HUMINT, Federal Law Enforcement, Counterintelligence and Government personnel from the United States, Australia, Canada, New Zealand, and United Kingdom focused in mobile technologies. Those companies who specialize in both current and future mobile features and equipment or have efforts that benefit NSA's efforts should participate as a commercial vendor; conference attendance is limited to government employees.
CyberMontgomery Forum: Center of Gravity (Rockville, Maryland, USA, May 22, 2014) Cybersecurity will be a major growth engine in the region for many years to come. With solid federal government, industry and academic assets already in place in the region, there is still a need to bring them together so that they can coalesce and elevate the cyber ecosystem to a level of national prominence. CyberMontgomery Forum events will provide clear direction on finding business opportunities, contracting, forecasted demand areas, workforce development, recruiting & staffing, legal responsibilities for businesses, updates on technologies being developed in MoCo and summary updates regarding our NCCoE neighbors, federal civilian agencies and commercial sector leaders.
Cyber Risk Summit (Washington, DC, USA, May 22, 2014) This one-day leadership conference will provide a discussion forum for business executives, insurance companies and policymakers on more effective private and public responses to cyber risk management. Topics to be discussed by expert speakers will include state and federal regulatory and legislative initiatives, efforts to develop a common cyber security framework, the threats from cyber espionage and terrorism, and the development of public and private mechanisms to finance and transfer losses from cyber events.
The Device Developers' Conference: Cambridge (Cambridge, England, UK, May 22, 2014) The Device Developers' Conference is an annual UK event for the developers of intelligent systems and devices. The objective is to provide an event that provides engineers with an opportunity to learn about the latest tools, technologies and techniques for the successful development of leading edge electronic products and systems.
Fort Meade Technology Expo: The Ft. Meade Technology Expo is a one-day event held at the Officers' Club (Club Meade) on base. Industry vendors will have the unique opportunity to showcase their products and services to personnel that may otherwise be unattainable.
3 Day Startup (San Antonio, Texas, USA, May 23 - 25, 2014) The nation faces tremendous challenges to our online security. Turn innovative ideas into startups that protect our information and our livelihood. 3 Day Startup is an entrepreneurship program designed with an emphasis on learning by doing. The idea is simple: start tech companies over the course of three days.
CANSEC: CANSEC is Canada's foremost defence tradeshow. A two-day event, CANSEC will feature 120,000 square feet of indoor exhibits by Canada's leading edge defence companies, as well as an outdoor static display. This tradeshow targets a wide audience of customers that includes Government agencies and departments with an interest in the defence sector.
Hack in The Box Security Conference (HITBSecConf) Amsterdam: HITBSecConf Amsterdam is a gathering of network security professionals and enthusiasts who come from all corners of the globe to discuss the next generation of attacks and defense techniques. This is not an event you come to for 'security 101' talks or marketing hype. We cover stuff that hasn't made it into the news — yet. Potential security issues coming our way in the next 12 months.