The CyberWire Daily Briefing 01.21.15
Reports assert that Sony's hackers exploited a zero-day vulnerability in their assault on the film company. (What that zero-day may have been is left unspecified due to its "sensitivity.")
CyberBerkut is tied more closely to recent attacks on German government sites. One of their operatives, "Mink," is said to be Australian, which indicates how geographically broad a net governments cast when they trawl for useful idiots ("полезные дураки," as Lenin might or might not have called them) in cyberspace.
Recorded Future continues its look at Lizard Squad, and finds its members are about what one would expect.
ComRAT and CryptoWall 3.0 continue to operate against their targets, respectively military and civilian. Analysts describe the workings of Vawtrak and Tyupkin malware families.
New vulnerabilities and proof-of-concept attacks are described.
Oracle and Ubuntu issue patches.
Corporate boards take cyber risk management to heart.
The US President's State of the Union address, much anticipated by the cyber sector, appears to have driven a rise in security industry story stocks. Last night's speech prominently featured President Obama's proposed cyber legislation, which he pointedly dropped in Congressional laps. Observers like information sharing, are dubious about disclosure rules, and don't at all care for what many see as entrusting civil liberties in cyberspace to prosecutorial discretion. Defense Department cyber roles and missions will probably serve as a bellwether for legislative direction.
The US and UK make their already close cyber cooperation closer still. (The lads from Malvern really want a share of the US cyber market.)
Notes.
Today's issue includes events affecting Australia, China, France, Germany, Democratic People's Republic of Korea, Russia, Saudi Arabia, Ukraine, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Here's What Helped Sony's Hackers Break In: Zero-Day Vulnerability (Re/code) The hackers behind the devastating attack against Sony Pictures Entertainment late last year exploited a previously undisclosed vulnerability in its computer systems that gave them unfettered access and enabled them to reach and attack other parts of the studio's network
Hacktivist Group CyberBerkut Behind Attacks on German Official Websites (TrendLabs Security Intelligence Blog) A pro-Russian group called CyberBerkut claimed responsibility for a recent hack on certain German government websites in early January. We were able to gather some information on some of its members based on Pastebin data that had been leaked by the Ukrainian nationalist political party (Pravy Sektor)
Australian "Mink" link to pro-Russian attacks on Merkel's website (CSO)
Report: NSA not only creates, but also hijacks, malware (IDG via CSO) In addition to having its own arsenal of digital weapons, the U.S. National Security Agency reportedly hijacks and repurposes third-party malware
Lizard Squad: Two Bot Thugs (Recorded Future) Web intelligence has led to an analysis of Lizard Squad's Linux botnet, LizardStresser or lizardstresser.su. Further link analysis of an email address associated with LizardStresser led to the discovery of a Windows botnet on ernsthaft.su. Analysis of key cyber personas in Lizard Squad via their Twitter accounts through Recorded Future illuminated their interest in illegal drugs, thugs, guns, and Nazis
Mystery ComRAT cyber-surveillance tool still going strong, researchers confirm (TechWorld) Son of Agent.btz that stalked US military in 2008
Traffic Patterns For CryptoWall 3.0 (Internet Storm Center) Various sources have reported version 3 of CryptoWall has appeared. This malware is currently seen from exploit kits and phishing emails. CryptoWall is one of many ransomware trojans that encrypt the personal files on your computer and demand a bitcoin payment before you can unlock them
Navy: China has not attacked U.S. aircraft carrier (Military Times) The aircraft carrier George Washington has not been attacked, and World War III has not begun, despite what tweets from United Press International say, the Navy has confirmed
Tyupkin ATM Malware Analysis (Infosec Institute) Some time ago, Kaspersky discovered and reported a new type of malicious program called Tyupkin, which targets ATM machines by moving beyond targeting consumers with card skimmers that steal debit card numbers to directly getting cash from an ATM without the need for a counterfeit or stolen card
GoDaddy CSRF Vulnerability Allows Domain Takeover (Breaking Bits) An attacker can leverage a CSRF vulnerability to take over domains registered with GoDaddy. The vulnerability has been patched
Like a Nesting Doll, Vawtrak Malware Has Many Layers (Threatpost) Researchers have peeled back more layers on Vawtrak, a relatively new banking Trojan so complex that those who have taken it apart have likened it to a Matryoshka, or Russian nesting doll
Potential Code Execution Flaw Haunts PolarSSL Library (Threatpost) There is a vulnerability in PolarSSL, an open-source SSL library used in a variety of products, that could enable an attacker to execute arbitrary code under some circumstances
Memory Corruption Bugs Found in VLC Media Player (Threatpost) There are two memory corruption vulnerabilities in some versions of the VLC open-source media player that can allow an attacker to run arbitrary code on vulnerable machines
Academics Use Siri to Move Secrets Off Jailbroken iOS Devices (Threatpost) Attackers living on any network are all about one thing: persistence. They want to get on quietly and stay on quietly. But what about moving stolen data off a network? How quiet can that be?
Backdoor in a Public RSA Key (Kukuruku) Hello, %username%! When I saw how it works, to say that I was shocked is to say nothing
Gamers hit with trojanized versions of official League of Legends releases (Help Net Security) Computer security experts often advise users to download games, apps, documents, software and software updates directly from the original source (the manufacturer) or from reputable online stores
Hacker hits Australian travel insurer, leaks records of 800,000 customers (Help Net Security) Personal and limited financial information of over 800,000 customers of Australian travel insurance company Aussie Travel Cover have been stolen by a hacker that goes by the online handle "Abdilo" and is believed to be a member of the infamous Lizard Squad
Vivino wine-lovers' app leaked personal information (Hot for Security) Vivino, a popular smartphone app, that allows wine-lovers to scan their favourite bottles of plonk and share recommendations with their friends, has left a sour taste in the mouth — after a security researcher found a privacy vulnerability
"Cheaper car insurance" dongle could lead to a privacy wreck (Naked Security) US researcher Corey Thuen decided to take a closer look at an add-on ICS device plugged into his car
11% of Android banking and finance apps are dangerous (Help Net Security) RiskIQ found that more than 40,000 of the 350,000 apps which reference banking in the world's top 90 app stores contain malware or suspicious binaries. Another 40,000 contained dangerous permissions
Dark Technology: Are You (Unknowingly) Putting Your Organization At Risk? (Tripwire: the State of Security)
Looking Back (and Forward) at PoS Malware (TrendLabs Security Intelligence Blog) 2014 became the year that placed PoS (point-of-sale) threats in the spotlight. Make no mistake — PoS threats have existed for years. However, the Target data breach last January was the first incident that made the general public notice this threat
'123456' & 'Password' Are The 2 Most Common Passwords, Again (Dark Reading) New entrants to the top 25 show that bad password creators are fans of sports, superheroes, dragons, and NSFW numeral combos
Security Patches, Mitigations, and Software Updates
Big bag of fixes: Oracle's Critical Patches for Jan 2015 close 160 holes, 93 remotely exploitable (Naked Security) Unlike Microsoft, which wants to wean us all off the word "Patch" and onto the word "Update," Oracle has always embraced both those terms
Ubuntu Patches Several Security Flaws (Threatpost) Ubuntu has released a number of patches for security vulnerabilities in several versions of the OS, including some remote code execution flaws in Thunderbird, which is included with Ubuntu
Cyber Trends
Security priorities shifting to preventing breaches, improving internal controls (CSO) For the first time, companies are worried more about preventing a breach than about passing a compliance audit
Is social media the weak link in the fight against cyber attacks? (Conversation) Improved cybersecurity for governments and the private sector is expected to feature in US President Barack Obama's annual State of the Union Address delivered on Tuesday night (US time) to Congress
Gap between perception and reality of cyberthreats widened in 2015 (CSO) There is a widening gap between what security executives believe to be true and the reality of cyberthreats
People are increasingly worried about privacy, say legal protections fall short (IDG via CSO) Internet users in countries such as France, Germany and the U.S. are increasingly worried about the impact technology has on privacy, and feel legal protections are insufficient
Paper, Plastic or Compromised Security? The Point-of-Sale Risk in the Internet of Things (CIO) As technology becomes smarter and more intuitive, conveniences like tableside payment kiosks in busy restaurants have become more commonplace, leading to highly personalized (and time-saving) experiences for consumers. This is just one example of how the Internet of Things creates a unique opportunity to improve people's daily lives
Oh, the places IoT will go… or will it? (FierceCIO) Google's announcement about pulling Glass from the shelves is a reminder about how early we are in the process of IoT adoption
The next frontier of hacking: your car (Vox) Hacking is about to get more dangerous
World Economic Forum Warns About "Global Threat" of IoT Hacking (Gizmodo) You know that character in some horror films who warns unsuspecting (usually) teenage victims of their impending death? The World Economic Forum's Global Risks report is kind of like that guy, filled with doom but offering damn good advice on how to stay alive. This year, the report focused on the internet of things
New Year, New Threats: Electronic Health Record Cyberattacks (Government Technology) The recent flood of cyberattacks means that hackers are relentless and more sophisticated than ever before
Organizations in KSA exposed to cybercrime risks as threats become sophisticated in 2015 (Saudi Gazette) While organizations in Saudi have existing security strategies in place that provide defense against a range of cyber attacks, today's sophisticated threat landscape exposes organizations to a number of risks for which they are not prepared
Obama talks cybersecurity, but Federal IT system breaches increasing [Updated] (Ars Technica) Security incidents on federal IT systems have increased more than 1,000 percent
Marketplace
Cybersecurity stocks gain on pending Obama proposals (Seeking Alpha) The White House has disclosed Pres. Obama will outline this week "a series of legislative proposals and executive actions that will be in his [Jan. 20] State of the Union that will tackle identity theft and privacy issues, cybersecurity, and access to the Internet." Several security tech plays, some of whom received a lift last month from the Sony hack and its fallout, are higher in spite of a 0.9% Nasdaq drop. FEYE +4.5%. CUDA +6.9%. PANW +1.2%. CYBR +1.7%. PFPT +1.3%
Cyber resilience core to safeguarding investment value (COOConnect) The warning by the Bank of England's Financial Policy Committee last month that financial firms in the UK are underestimating the threat of cybercrime, coupled with recent high-profile blow-by-blow media accounts of companies under attack, are set to keep cyber resilience firmly on corporate governance agendas. For private equity firms, such risks pose fundamental challenges. Cyber attacks have a significant impact on victims, with some 60% of small firms forced to close within six months of an attack, according to the US National Cyber Security Alliance
Cyber security finally has the attention of the boardroom (ITProPortal) The majority of companies feel that their board is fully on cyber issues, but a third deem it a "top risk"
IT security in 2015: Is this the year the boardroom actually cares? (ITProPortal) Following our look at the common prediction trends for 2015, and identifying both major flaws and expanding ransomware as trends worth looking at, the next timely trend looks at the boardroom
Don't delegate cyber risk management responsibility (Information Age) The responsibility of managing and overseeing the cyber risk in an organisation must sit at the executive level
Lack of communication biggest hurdle to cyber risk awareness (Actuarial Post) Board communication within FTSE 350 remains biggest hurdle to cyber risk awareness
Failure by firms to understand security adds pressure to channel (MicroScope) Most of the research that came out of the research community last year seemed to be encouraging when it came to charting the progress of security onto the boardroom agenda
Microsoft Is Teaching Cybersecurity to Cities Around the World — For Free (Wired) Cybersecurity isn't just an issue for the feds and big companies like Google and Facebook. Cities of all sizes around the world are increasingly reliant on information systems that could be vulnerable to attack
Commando theft of Nazi radar turned English town into cyber valley (Stars and Stripes) On a winter's evening in 1942, a daring raid by British commandos to steal a German radar on the French coast set in motion a series of events that would see a small town, nestled in middle England, become a leading cyber-defense hub
UK goes to Hollywood: Cyber security firms brief Cameron and Obama in US (ITProPortal) The visit by the Prime Minister to Washington to discuss global security issues with President Obama saw a number of UK security firms attend and brief David Cameron
Amendment to Combined Synopsis/Solicitation — for Information Assurance, Operations and Compliance, Systems and Technology Support Services (Insurance News Net) This announcement is prepared and posted in accordance with Federal Acquisition Regulation (FAR) Subpart 5.2 to notify potential Offerors of a solicitation for services for the Defense Microelectronics Activity (DMEA). Solicitation number HQ0727-15-R-0003 requests proposals for Information Assurance, Operations and Compliance, Systems and Technology Support Services for all Defense Microelectronics Activity (DMEA). The objective of this contract is to acquire services for Information Assurance, Operations and Compliance, Systems and Technology Support Services for all Defense Microelectronics Activity (DMEA) information technology, networking, communications, safety, surveillance, and critical infrastructure software, systems, and applications
Cybersecurity contractor opens center in Augusta (Augusta Chronicle) Chiron Technology Services, a Maryland-based cybersecurity company, opened a Regional Cybersecurity Development Center Jan. 1 on Interstate Parkway, according to local real estate company Sherman & Hemstreet
Cloud Security Startup Elastica Takes Channel Approach For Growth (CRN) Cloud security startup Elastica came out of stealth mode last year and new channel chief Jarrett Miller, who is building out the company's fledgling channel program, said this week that it inked a reseller deal with Accuvant
LockPath Prepares for 2015 by Doubling Executive Team (Marketwired) LockPath Inc. has added four members to its executive team in the past month to enhance the company's ability to serve its growing client base, lead its expanding workforce and execute its growth strategy in 2015
CyberSecurity.com Acquired by Adam Strong (Domain Investing) 2014 was a big year for Adam Strong. His company sold the high profile domain names Racing.com and BTC.com, and he also privately acquired quite a few keyword domain names, such as Strong.com
Recruit, Reward & Retain Cybersecurity Experts (Dark Reading) How to create a better working environment for security professionals
Products, Services, and Solutions
Startup Spotlight: ThreatStream's Threat Intelligence Platform (eSecurity Planet) Getting customers to share information with each other is a key part of ThreatStream's new spin on threat intelligence, a platform called Optics
Technologies, Techniques, and Standards
World Economic Forum Proposes New Cyber Risk Framework (SecurityWeek) With the annual World Economic Forum meeting in Switzerland just days away, the organization and its partners have released a new framework designed to help businesses calculate the impact of cyber-threats
Partnering for Cyber Resilience Towards the Quantification of Cyber Threats (World Economic Forum) Threats grow with the rapid expansion of data-driven technologies. The convergence of web, cloud, social, mobile and Internet of Things platforms is inherently oriented to sharing data, not security. As these technologies expand in use, so do the risks, making cyber risk management imperative to organizations today
Heightened cyber threat demands risk focus (Actuarial Post) Cyber and terrorism have been rated the most significant emerging risks facing the insurance and reinsurance sector in 2015, according to a survey of US industry executives. It is a sentiment reflected by the UK government, which last month convened a group of CEOs from the country's largest insurers, to encourage collaboration and "to make the UK one of the safest places to do business in cyberspace". While the insurance sector is set to play a key role in minimising the long-term financial fallout from an attack, cyber risks cannot be tackled with insurance alone
Network Segmentation: A Best Practice We Should All be Using (Infosec Island) It would be nice to be able to say that we are winning the war; that network security efforts are slowly getting the better of the bad guys. But I can't do that. Despite all the money being thrown at security tools and hosted services, the cyber-thugs are improving their game at a faster rate than we are. The ten worst known cyber security breaches of this century have all taken place since 2008, and 2013 and 2014 are notorious for their information security incidents
Bash data exfiltration through DNS (using bash builtin functions) (forsec) After gaining 'blind' command execution access to a compromised Linux host, data exfiltration can be difficult when the system is protected by a firewall. Sometimes these firewalls prevent the compromised host from establishing connections to the internet. In these cases, data exfiltration through the DNS-protocol can be useful. In a lot of cases DNS-queries are not blocked by a firewall. I've had a real life situation like this, which I will describe later on
Exploit Pack — Open Source Security Project for Penetration Testing and Exploit Development (Kitploit) Exploit Pack is an open source GPLv3 security tool; this means it is fully free and you can use it without any kind of restriction. Other security tools like Metasploit, Immunity Canvas, or Core Impact are ready to use as well but you will require an expensive license to get access to all the features, for example: automatic exploit launching, full report capabilities, reverse shell agent customization, etc. Exploit Pack is fully free, open source and GPLv3. Because this is an open source project you can always modify it, add or replace features and get involved in the next project decisions; everyone is more than welcome to participate. We developed this tool thinking for and as pentesters. As security professionals we use Exploit Pack on a daily basis to deploy real environment attacks into real corporate clients
Discovering and remediating an active but disused botnet (Colin Keigher) On a network I help manage, we kept getting malicious DNS alerts for "luna1.pw" on an appliance we had installed. Due to the way the network was configured, we were able to see the name request coming in but no traffic activity. This was unusual because the appliance was configured to monitor all traffic but why was it not picking up anything further than what it was reporting? Why didn't the supposed malware connect? Resolving the domain led to an answer
Finding Privilege Escalation Flaws in Linux (Internet Storm Center) We often tend to ignore privilege escalation flaws. In order to take advantage of these vulnerabilities, an attacker first needs to have access to the system itself. But in particular for systems that many users have access to, it can be difficult to monitor them all for compromised credentials. Systems with web servers often suffer from web application flaws that can be used to execute code as the web server, which then can be used to gain root access via a privilege escalation flaw
Why Effective Computer Security Means Covering All Your Bases (eWeek) LinkedIn's head security honcho shares his proactive security strategy, which begins with everyone buying in
Design and Innovation
New Technology Detects Cyberattacks By Their Power Consumption (Dark Reading) Startup's "power fingerprinting" approach catches stealthy malware within milliseconds in DOE test
New technology that identifies users vulnerable to cyber attack based on behavioral and psychological characteristics (Phys.org) Fujitsu Limited and Fujitsu Laboratories Ltd. have announced the development of the industry's first technology for identifying users vulnerable to cyber attacks based on the ways they use their computers, such as their e-mail and web activities. This will make it possible to implement security measures tailored to individuals and organizations
Research and Development
Artificial-Intelligence Experts to Explore Turing Test Triathlon (IEEE Spectrum) Intelligentsia of AI will gather to come up with a battery of alternatives to the traditional Turing test
Does Facebook know you better than your friends and family do? (Naked Security) What if a computer could predict your behavior and understand your personality better than your coworkers, friends, siblings, and even your spouse do?
Legislation, Policy, and Regulation
Hey France, Don't Do What We Did After 9/11 (Daily Beast) Were the Charlie Hebdo attacks France's 9-11? If so, France, then please: Don't follow our example, and don't become what we became
British Spy Agency Has Its Eye on Investigative Journalists (Sputnik News) As some of the West's most senior cyber-security defence chiefs meet in London, fresh documents revealed by former CIA contractor Edward Snowden — now living in Moscow — show that the UK intelligence agency GCHQ has hacked thousands of emails from journalists
GCHQ took less than 10 minutes to covertly scoop up 70,000 emails — and it's a disgrace (Hot for Security) It's a strange and disturbing world we are living in
Who's Got the Chops to Run a Transatlantic Cyberspy Cell? (Nextgov) The success of a newly announced U.S.-U.K. cyberspy unit in many ways will depend on its yet-to-be named leaders, who, digital investigators say, will be hard to find
First U.S.-U.K. Cyber 'War Game' to Target Banks (CFO) Financial institutions will be first up in the countries' new series of war games designed to thwart cyber-crime
Obama Calls for Tough Legislation to Combat Cyber-Attacks (Wall Street Journal) In State of the Union speech, President warns U.S. faces heightened risks if policy makers don't act
Obama Says Stricter Cybersecurity Laws Needed To Combat Hackers In His State Of The Union Speech (International Business Times) U.S. President Barack Obama said that new cybersecurity laws are necessary to address hacking, identity theft and cyberwarfare in his annual State of the Union address on Tuesday evening. Critics say the new laws are overly harsh and could impede computer security research in the U.S
The Pentagon Angle on Obama's State of the Union Cybersecurity Pitch (Roll Call) The role of the Pentagon in President Obama's proposed cybersecurity legislation — expected to get the spotlight in Tuesday evening's State of the Union speech — could decide its fate in Congress
State of the Union: President Obama's cyber-security ideas spark skepticism, fear among techies (Oregon Live) The president didn't do that. He held onto the mic and kept talking. For much of the speech he zeroed in on "middle-class economics": Tax reform, affordable childcare, paid sick leave, equal pay and, perhaps his signature proposal, free community college
7 Reasons Security Wonks Should Watch the State of the Union Tonight (Wired) President Obama has left few questions about what he plans to unveil in his State of the Union address tonight, having dropped several previews in the last two weeks about legislation the White House is proposing. He will undoubtedly go into more detail tonight at 9 p.m. ET, and we will be watching specifically to hear him expand on comments already made about proposed changes to cybersecurity legislation
Obama cybersecurity proposals: 'Devil is in the details' (Al Jazeera: the Scrutineer) In a preview of next Tuesday's State of the Union address, President Obama spent this week rolling out a long list of new cybersecurity initiatives that includes legislation to protect consumers' private data
The Hypocrisy of U.S. Cyber Policy (TechCrunch) The breakneck growth in internet usage over the past two decades has forced policymakers to confront a host of challenges, from how to regulate the sharing economy to who owns the infrastructure behind the "tubes" themselves. While tempers have flared on a number of these issues, I tend to give the benefit of the doubt to policymakers. The transformation of our society has been so complete and rapid, we simply can't expect the rebuilding of our laws to be a simple proposition
Bold reform needed to strengthen U.S cybersecurity (Help Net Security) Mr. President, the status quo in cybersecurity is failing the U.S. It is failing the commercial sector, which is being publicly breached on a weekly basis, and it is failing the government as well. It is time to take bold and decisive action to stop these dangerous and embarrassing hacks before they cause further damage and erode the confidence that is vital to the U.S. economy
GOP faces Patriot Act choice (The Hill) Republicans have a choice to make
Litigation, Investigation, and Law Enforcement
Microsoft Gave Data on Charlie Hebdo Probe to FBI in 45 Minutes (Bloomberg) Microsoft Corp. (MSFT) handed the FBI data linked to the Charlie Hebdo probe within an hour of being asked, showing that the system can work and that extra snooping should only happen if strictly regulated, the company's top lawyer said
Microsoft and the US government fight over data in the cloud (WinBeta) The battle of big business versus big government is being fought among the clouds or at least among Microsoft's international cloud servers. Microsoft's director of cyber security and cloud strategy has shared a post titled 'Privacy considerations in a cloudy world.' The post highlights points regarding Microsoft's cyber security made by their Chief Privacy Officer in a video (embedded below). Microsoft is amidst a battle with the government when it comes to protecting their user's data
UPDATE 1-Pentagon says classified data on U.S. F-35 jet fighter program remains secure (Reuters) The Pentagon on Tuesday said classified data about the $399 billion F-35 fighter jet program remains secure, despite fresh documents released by NSA whistleblower Edward Snowden last week which said China stole "many terabytes" of data about the jet
Nearly all US arms programs found vulnerable to cyber attack (IT News) Nearly every US weapons program tested in fiscal 2014 showed "significant vulnerabilities" to cyber attacks, including misconfigured, unpatched and outdated software, the Pentagon's chief weapons tester revealed in his annual report
DEA settles fake Facebook profile lawsuit without admitting wrongdoing (Ars Technica) Agents created bogus profile in woman's name in bid to nab other drug suspects
Silk Road Judge 'Eviscerates' Defense's Evidence That Mt. Gox CEO Was a Suspect (Wired) Last week produced a stunner in the Silk Road trial: the revelation that the Department of Homeland Security suspected Mt. Gox CEO Mark Karpeles of running the massive, anonymous narcotics market just months before settling instead on defendant Ross Ulbricht. But just as quickly as Ulbricht's defense revealed that alternate theory of the Silk Road's ownership, the prosecution and judge have shoved key elements of the story back into the closet
Gamergate target Zoe Quinn launches network to battle online harassment (Naked Security) Police were told to knock with their hands, not with their boots
How Was Your Credit Card Stolen? (KrebsOnSecurity) Almost once a week, I receive an email from a reader who has suffered credit card fraud and is seeking help figuring out which hacked merchant was responsible. I generally reply that this is a fruitless pursuit, and instead encourage readers to keep a close eye on their card statements and report any fraud. But it occurred to me recently that I've never published a primer on the types of card fraud and the likelihood with each of the cardholder ever learning how their account was compromised. This post is an effort to remedy that
For a complete running list of events, please visit the Event Tracker.
Newly Noted Events
Financial Services Cyber Security Summit: Middle East and North Africa (Dubai, UAE, Mar 9 - 10, 2015) Building on the success and feedback of our Cyber Security Summit in Europe — 180 attendees, 3 streams, CPE certified — we are pleased to invite you to the Financial Services Cyber Security Summit MENA — a highly interactive experience sharing platform for top experts from banks, insurance companies, monetary organizations and government institutions, accountancy companies, consumer finance, investment funds, stock brokerages and more
Cyber Security Summit: Industrial Sector & Governments (Prague, Czech Republic, Apr 14 - 15, 2015) Cyber Security Summit Europe — Industrial Sector & Governments brings together cyber security experts who will share their skills and know-how needed to address highly topical issues such as state-sponsored cyber-attacks and SCADA Security Assessment
Cyber Security Summit: Financial Services (Prague, Czech Republic, Apr 14 - 15, 2015) Cyber Security Summit Europe — Financial Services brings together cyber security experts across the financial sector to discuss topical security vulnerabilities as well as bring forward effective strategies and solutions to effectively mitigate them
Upcoming Events
FIC 2015 (Lille, France, Jan 20 - 21, 2015) The International Cybersecurity Forum (FIC) forms part of a thinking and exchange process that aims at promoting a pan-European vision of cybersecurity and strengthening the fight against cybercrime, a priority for the European Union as stated in the Stockholm Programme for 2010–2015. Its objective is to open up the cybersecurity debate by bringing together security and risk management experts with non-specialists to enable them to compare viewpoints and lessons learnt
IARPA Proposers' Day for the Cyber-attack Automated Unconventional Sensor Environment (CAUSE) Program (Washington, DC, metropolitan area, Jan 21, 2015) The Intelligence Advanced Research Projects Activity (IARPA) will host a Proposers' Day Conference for the Cyber-attack Automated Unconventional Sensor Environment (CAUSE) Program on January 21, 2015, in anticipation of the release of a new solicitation in support of the Program. The Conference will be held from 9:00 AM to 4:00 PM EDT in the Washington, DC metropolitan area. The purpose of the Conference will be to provide introductory information on CAUSE and the research problems that the Program aims to address, to respond to questions from potential proposers, and to provide a forum for potential proposers to present their capabilities and identify potential team partners
4th Annual Human Cyber Forensics Conference: Exploring the Human Element for Cloud Forensics (Washington, DC, USA, Jan 21 - 22, 2015) The Human Cyber Forensics Conference addresses the human element of cyber. Presentations will look at the tradecraft and efforts required to identify, understand, navigate, and possibly influence human behavior within and across networks. The conference will bring together subject matter experts to discover and share new means of recognizing human related cyber indicators, and the evolution of these human indicators in the coming decades. The Human Cyber Forensics Conference will focus on such topics as insider threat, next generation social engineering, progressive communications, neuroscience, social cognition, social media, and neuro-ethics
AppSec California (Santa Monica, California, USA, Jan 26 - 28, 2015) OWASP's AppSec California goes beyond "security for security's sake" bringing application security professionals and business experts together with the objective of sharing new information that helps get the right work done faster, so organizations are better able to meet their goals
Financial Cryptography and Data Security 2015 (San Juan, Puerto Rico, USA, Jan 26 - 30, 2015) The goal of the conference is to bring security and cryptography researchers and practitioners together with economists, bankers, implementers and policy-makers. Intimate and colourful by tradition, the FC program features invited talks, academic presentations, technical demonstrations and panel discussions. In addition, several workshops will be held in conjunction with the FC conference
Starting a New Year: Financial Incentives for Cybersecurity Businesses (Columbia, Maryland, USA, Jan 27, 2015) Learn the details from the experts! How to apply for Cyber Tax Credits, Research Tax Credits, Security Clearance Tax Credits, Secured Space Tax Credits. Panelists include: Andrew Bareham, Principal, KatzAbosch; Elaine McCubbin, Tax Specialist DBED Maryland; Beth Woodring, Catalyst Fund Manager, HCEDA. The distinguished panel will be moderated by Lawrence F. Twele, CEO, Howard County Economic Development Authority
Cyber Security for Critical Assets: Chemical, Energy, Oil, and Gas Industries (Houston, Texas, USA, Jan 27 - 28, 2015) Cyber Security for Critical Assets Summit will connect Corporate Security professionals with Process Control professionals and serve to provide a unique networking platform bringing together top executives from USA and beyond. They are coming together not only to address the continuing cyber threats and set precautions framework, but most importantly to provide necessary tools, insights and methodological steps in constructing a successful secure policy. These policies will after all protect the critical assets needed to safeguard their company assets
Data Privacy Day San Diego — The Future of IoT and Privacy (San Diego, California, USA, Jan 28, 2015) Join the Lares Institute, Morrison & Foerster, and the National Cyber Security Alliance for Data Privacy Day in San Diego. DPD San Diego will bring together privacy luminaries to discuss fundamental issues facing consumers and business, including in-depth panel discussions on privacy, the Internet of Things (IoT), and many other critical topics
CSEAN Cyber Secure Nigeria 2015 Conference (Garki Abuja, Nigeria, Jan 29, 2015) The vast scope of cyber threats makes a compelling case for a multi-stakeholder collaboration in curbing domestic and International threat. "Cyber Secure Nigeria 2015" conference encapsulates various hot button topics around Cyber Security and sets precedence for constructive debates at a critical juncture when cyber crime's pervasiveness is a growing concern
Data Connectors Los Angeles 2015 (Los Angeles, California, USA, Jan 29, 2015) The Los Angeles Tech-Security Conference features 25-30 vendor exhibits and several industry experts discussing current tech-security issues such as email security, VoIP, LAN security, wireless security, USB drives security & more. There will be lots of giveaways and prizes such as iPods, $25, $50 and $100 gift cards, as well as cash prizes and lots more! This unique conference format will provide educational speaker sessions as well as tremendous networking opportunities. You'll come away with advice and knowledge you can start applying to your environment immediately. Your registration will include your breakfast, lunch, conference materials and entrance into the conference sessions and exhibit area
Transnational Organized Crime as a National Security Threat (Washington, DC, USA, Jan 29, 2015) United Kingdom's National Crime Agency Director General Keith Bristow will discuss transnational organized crime as a national security threat, focusing on economic and cyber crimes, and digging into the challenges of 21st century policing
ISSA CISO Forum (Atlanta, Georgia, USA, Jan 29 - 30, 2015) Corporate Information Security and Legal programs must be closely aligned to be successful in today's world. Customer and vendor contracts require strong security language. Responses to data breaches are often coordinated through Legal departments to protect privilege. Increasing global regulations drive change to Information Security practices. CISOs who have traditionally reported into IT organizations are moving into Legal departments. Join your Information Security, Legal and Privacy leadership peers as they come together to discuss these and many other topics related to "InfoSec and Legal Collaboration"
NEDForum > London "What we can learn from the Darknet" (London, England, UK, Jan 30, 2015) The 2nd NED Forum event comes to London on Friday 30th January 2015, the day of the White Hat Ball. The event will focus on the Darknet and where it provides a rich source of learning that can be applied to threat intelligence, attack detection and commercial opportunities
Cyber Threat Intelligence Summit (Washington, DC, USA, Feb 2 - 9, 2015) Join SANS for this innovative event as we focus on enabling organizations to build effective cyber threat intelligence analysis capabilities
Suits and Spooks (Washington, DC, USA, Feb 4 - 5, 2015) Suits and Spooks DC (Feb 4-5, 2015) is moving to the Ritz Carlton hotel in Pentagon City! We're expanding our attendee capacity to 200 and for the first time will be including space for exhibitors. We have an international panel of speakers from the public and private sectors and we'll be adding live-streaming via Webex for those who cannot attend in person
Nullcon 2015 (Goa, India, Feb 4 - 7, 2015) Nullcon discusses and showcases the future of information security, the next generation of offensive and defensive security technology as well as unknown threats
ICISSP 2015 (Angers, Loire Valley, France, Feb 9 - 11, 2015) The International Conference on Information Systems Security and Privacy aims at creating a meeting point of researchers and practitioners that address security and privacy challenges that concern information systems, especially in organizations, including not only technological issues but also social issues. The conference welcomes papers of either practical or theoretical nature, presenting research or applications addressing all aspects of security and privacy, such as methods to improve the accuracy of data, encryption techniques to conceal information in transit and avoid data breaches, identity protection, biometrics, access control policies, location information and mobile systems privacy, transactional security, social media privacy control, web and email vulnerabilities, trust management, compliance violations in organizations, security auditing, and so on. Cloud computing, big data, and other IT advances raise added security and privacy concerns to organizations and individuals, thus creating new research opportunities
2015 Cyber Risk Insights Conference — London (London, England, UK, Feb 10, 2015) The cyber threat landscape is undergoing rapid change. Lloyd's and the London market are at the forefront of developing insurance products to address the evolving exposures of organizations throughout the world. Privacy remains a key concern, but increasingly board members, corporate executives and risk professionals are focusing on a broader array of cyber-related risks. These include industrial espionage and various operational risks, including business interruption and contingent business interruption. Mark your diary for Advisen's 4th Annual Cyber Risk Insights Conference in London on Tues 10 Feb 2015. Graeme Newman of CFC Underwriting is the 2015 Conference Chairman. Sponsors include Swiss Re Corporate Solutions, Willis, and Epiq Systems
AFCEA West 2015 (San Diego, California, USA, Feb 10 - 12, 2015) Showcasing emerging systems, platforms, technologies and networks that will impact all areas of current and future Sea Service operations.
Cybersecurity: You Don't Know What You Don't Know (Birmingham, Alabama, USA, Feb 24 - 25, 2015) What: Connected World Conference and the University of Alabama at Birmingham's Center for Information Assurance and Joint Forensics Research (The Center) have teamed up to bring professionals together to discuss security and connected devices. Purpose: Convene the leading industry, government, and academia leaders. Chief Objective: Influential professionals from the most innovative and influential organizations in the world will meet to unravel the relationship between the connected society and cybersecurity