The CyberWire Daily Briefing 08.17.15
Hacktivists hit Saudi government websites with familiar more-in-sorrow-doing-this-to-inspire-better-security vandalism.
Software vendors continue to mop up last week's various disclosed vulnerabilities: OS X zero-days, imperfectly patched Android bugs, Dropbox issues, and firmware/bloatware problems.
Onapsis reports vulnerabilities in SAP Mobile.
The gang thought responsible for the recent Yahoo! malvertising campaign resumes activities and targets AdSpirit, thereby infecting many much-visited sites (among them Drudge, Weather Underground, and NetZero). Claims that "another billion+ users" are being targeted are breathlessly made, but the malvertising is undeniably a nuisance.
Also a nuisance is evolved distributed denial-of-service technique. BitTorrent seems to empower lone-wolf DDoS perpetrators, and a decline in search-engine impersonation is apparently not the feel-good story one might think. Krebs has an interesting piece on active interference with the DDoS criminal market.
The value of stolen Uber credentials continues to fall on the criminal market: they're now said to be worth forty cents a pop. Fortune looks at how cyber criminals are paid (Fortune leads with the insight that hackers don't receive Forms 1099, which suggests the contrarian conclusion that Fortune sees commonalities between criminal and capital gains) and sums the problem up as essentially one of fencing stolen goods. That problem lends itself to a wide variety of solutions highly dependent on local conditions.
Businesses increasingly add cyber experts to their boards. In the US, NSA serves as a cyber business incubator.
"Disgruntled" former employees say Kaspersky duped rivals into higher false-positive rates. Kaspersky dismisses the accusations as misrepresentation of an innocent, fully disclosed, experiment.
Today's issue includes events affecting Australia, Bahamas, China, Dominican Republic, European Union, Israel, Italy, Jamaica, Russia, Saudi Arabia, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Hackers Target Saudi Government Websites with "Good Intentions" (HackRead) A group of hackers going with an online "Cyber of Emotion" hacked Saudi websites with "good intentions"
Italian teen finds two zero-day vulnerabilities in OS X (IDG via PCWorld) An Italian teenager has found two zero-day vulnerabilities in Apple's OS X operating system that could be used to gain remote access to a computer
Onapsis Uncovers Three New "High Risk" Vulnerabilities Affecting SAP Mobile (Onapsis) High-profile cyber-risks reveal unauthorized users could decrypt and modify sensitive configuration values used by SAP business applications putting Fortune 1000 companies at risk
Massive Malware Campaign Targets Another Billion+ Users (Infosecurity Magazine) The same cyber-crooks behind the recent malvertising attack on Yahoo! are at it again — this time, targeting AdSpirit, and infecting Drudge Report, Weather Underground, NetZero and other websites with malicious ads
Analysis of a piece of ransomware in development: the story of 'CryptoApp' (0x3a) Ransomware sure has had an uptick the past years; more and more variants appear while some have been leading the pack for the past years. This article is on a new 'strain', it dates to March this year from what I can tell. I haven't seen any write-up or info about it yet (nor had any major incidents at $dayjob or heard of it from any other analysts). From what I can tell it's still under development, this article will tell the story of this ransomware
How BitTorrent could let lone DDoS attackers bring down big sites (Ars Technica) uTorrent, Mainline, and Vuze most susceptible to DoS abuse, researchers say
2015 Q2 DDoS Threat Landscape Report: The Downside Of The Decline Of Search Engine Impersonator Bots, And What It Means For DDoS Attacks (Young Upstarts) On the surface, the news that the use of search engine impersonator bots is down from 57% of all DDoS bot traffic in 2014 to a minuscule 0.9% in 2015 seems like good news. However, if life hasn't yet taught you to always look for the downside, then welcome to lesson number one
Stress-Testing the Booter Services, Financially (KrebsOnSecurity) The past few years have witnessed a rapid proliferation of cheap, Web-based services that troublemakers can hire to knock virtually any person or site offline for hours on end. Such services succeed partly because they've enabled users to pay for attacks with PayPal. But a collaborative effort by PayPal and security researchers has made it far more difficult for these services to transact with their would-be customers
PayPal Customers Hit with 'Changes to Legal Agreements' Phishing Scam (HackRead) A PayPal phishing scam can be tricky, but don't worry all you need to do is keep your eyes open and do what we tell you
UVa Completes Upgrades to IT Systems After Cyber Attack (Newsplex) The University of Virginia has completed a security upgrade to its IT systems after a cyber attack earlier this week, according to UVa officials
Carphone data breach is a wake-up call for consumers (Financial Times) Consumers have been urged to step up online security following a cyber attack affecting 2.4m customers of Carphone Warehouse who have been told that personal information and bank details may have been stolen by hackers
Keyless Security Not So Secure (InformationWeek) A suppressed security paper shines a light on the shortcomings of the cryptography used to protect keyless vehicle access systems
ESCGS to urge industry to safeguard against cyber attack during LISW (Hellenic Shipping News) ESC Global Security is set to warn the international shipping community attending this year's London International Shipping Week (LISW) of the security risks associated with the development of the autonomous ship. In its paper titled 'Phishing and Piracy on the Cyber Seas', to be presented during LISW Week at the Fathom-organised Ship Efficiency conference, ESCGS's Head of Cyber Security, Joseph Carson, will urge the industry to address the risk of a maritime cyber-attack, which could leave the unmanned ship losing its ability to navigate or, in the worst case, be controlled by third parties for illicit purposes
Cracked Uber accounts tumble to 40 cents on the dark web (Naked Security) Remember those cracked Uber accounts that were selling for as little as $1 on the dark web a few months ago?
How do hackers actually get paid for their services? (Fortune) Cyber-crooks don't receive 1099 forms or pay taxes like other freelancers. Instead they're paid in clever and often nefarious ways
Bulletin (SB15-229) Vulnerability Summary for the Week of August 10, 2015 (US-CERT) The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week
Security Patches, Mitigations, and Software Updates
Android's Stagefright Flaw Returns, Google Issues Patch (eWeek) Google last week claimed it had fixed the Stagefright flaw, but it is back. Or did it ever actually really get fixed in the first place?
Choc Factory patches zero day Google for Work hack hole (Register) Sysadmins told to lock down their Androids, also stop downloading random stuff
Users Urged To Update After IBM Finds Security Flaw In Android's SDK Dropbox (VC Post) Android users are urged to update after IBM finds major security vulnerability in its Dropbox software development kit (SDK). The security vulnerability, named CVE-2015-3825, was uncovered by IBM's elite X-Force Application Security Research Team. It affects more or less half of Android versions 4.3 to 5.1 and can be taken advantage with the proliferation of a mobile malware
ASUS ZenFone 2 update patches Stagefright vulnerability, adds many improvements (Android Authority) Every manufacturer is working on sending out patches for the Stagefright vulnerability, but so far everything we have seen is very much focused on that specific issue. ASUS is not wasting time as they release the patch update for the ZenFone 2, along with plenty of other improvements
Apple fixes a bucketload of vulnerabilities in everything (Help Net Security) Apple has pushed out updates for OS X Yosemite, OS X Server, iOS and Safari, fixing a bucketload of critical and less critical vulnerabilities
Microsoft Drops Another Windows 10 Update (TechCrunch) And then there were three. Earlier this week, Microsoft released a new set of updates for Windows 10 for the third time since the operating system formally debuted in late July. Windows 10 is Microsoft's attempt to build a single operating system that can function on devices of any size, or input variety
Lenovo does it again as LSE component removed after security fears (Guardian) Chinese company releases firmware update after fears new problem software could, as with Superfish, be used to let hackers access vulnerable computers
Black Hat, Data Science, Machine Learning, and… YOU! (Dark Reading) The time has come for security pros to start honing in on their machine learning skills. Here's why
Five principal cloud security challenges (Help Net Security) In our technology driven world, security in the cloud is an issue that should be discussed from the board level all the way down to new employees. CDNetworks takes a look at some of the key challenges
Internet of Things — New security and privacy challenges (Elsevier) The Internet of Things, an emerging global Internet-based technical architecture facilitating the exchange of goods and services in global supply chain networks has an impact on the security and privacy of the involved stakeholders. Measures ensuring the architecture's resilience to attacks, data authentication, access control and client privacy need to be established. An adequate legal framework must take the underlying technology into account and would best be established by an international legislator, which is supplemented by the private sector according to specific needs and thereby becomes easily adjustable. The contents of the respective legislation must encompass the right to information, provisions prohibiting or restricting the use of mechanisms of the Internet of Things, rules on IT-security-legislation, provisions supporting the use of mechanisms of the Internet of Things and the establishment of a task force doing research on the legal challenges of the IoT
Cyber Security Threat Grows As Hackers Become More Innovative (E&P) At 1:48 p.m. Aug. 1, 2012, Walter Energy Inc. submitted a press release to a newswire service announcing its quarterly results — just more than two hours before the news was made public
Administrators Continue to Fail in Securing Databases by Using Proper Configs (Softpedia) Security experts at BinaryEdge have analyzed how developers and system administrators configured different technologies and have found out that most of them fail to change the default configuration, which leaves their servers open to outside intrusions
New Threats To Caribbean Cyber Security (Jamaica Gleaner) Cybersecurity incidents continue to rise. According to PwC's Global State of Information Security Survey 2015, attacks rose internationally by 48 per cent in 2014, resulting in huge remedial and reputational costs to the companies and governments concerned
Companies hope cybersecurity experts in the boardroom can counter hacks (Los Angeles Times) The board of directors at construction and engineering company Parsons Corp. needed to fill a seat two years ago
US National Security Agency feeds big appetite for security start ups (Financial Review) Skilled engineers charged with tracking weapons of mass destruction in the Middle East, US government-backed cyber attackers and even the general who led the National Security Agency have all left the organisation to launch their own cyber security start-ups
Cyber hacks are 'single largest threat to our way of life,' according to Cambridge investor (Boston Business Journal) Cambridge venture partner Chris Lynch is serious about cybersecurity
Will Post-Split Symantec Go More Direct With Managed Services? (MSPmentor) In a not-unexpected reversal of one of the highest-value blockbuster tech acquisitions of all time, Symantec (SYMC) this week announced that it would sell off its Veritas Info Management Business to private equity firm The Carlyle Group in an $8 billion deal. Here's what it will mean to MSPs
Analysts Recommend Cybersecurity Stocks After Recent Underperformance (TheStreet) Analysts at Piper Jaffray and Wells Fargo this morning are highlighting names in the cybersecurity space as attractive investments. With the Q2 reporting season now over, the firms are recommending the shares of CyberArk Software (CYBR), Barracuda Networks (CUDA) and Fortinet (FTNT), among others
FireEye Sees Large Increase in Short Interest (FEYE) (Dakota Financial News) Shares of FireEye (NASDAQ:FEYE) saw a large growth in short interest during the month of July. As of July 31st, there was short interest totalling 18,561,173 shares, a growth of 6.6% from the July 15th total of 17,411,190 shares, Marketbeat.com reports. Based on an average daily volume of 6,999,078 shares, the days-to-cover ratio is currently 2.7 days. Currently, 15.0% of the shares of the stock are short sold
Report claims Kaspersky faked malware to trip up competitors' products (Ars Technica) Anonymous former employees: company sought to punish rivals for "stealing"
Kaspersky Lab statement on the Contrary to allegations made in a Reuters news story (Hans India) Contrary to allegations made in a Reuters news story, Kaspersky Lab has never conducted any secret campaign to trick competitors into generating false positives to damage their market standing. Such actions are unethical, dishonest and illegal. Accusations by anonymous, disgruntled ex-employees that Kaspersky Lab, or its CEO, was involved in these incidents are meritless and simply false. As a member of the security community, we share our threat intelligence data and IOCs on advanced threat actors with other vendors, and we also receive and analyze threat data provided by others. Although the security market is very competitive, trusted threat data exchange is a critical part of the overall security of the entire IT ecosystem, and we fight hard to help ensure that this exchange is not compromised or corrupted
Human Rights Violation? Hacking Team CEO Says No (Inquisitr) Human Rights Watch (HRW) has accused Italian technology company Hacking Team of violations of human rights in Ethiopia. HRW is a nongovernmental advocacy group that seeks to expose offenders of the Universal Declaration of Human Rights (UNDR) that was adopted by the UN. Hacking Team offers remote surveillance services to large entities such as governments and corporations
Opinion: Why bug hunting security researchers are Digital Age heroes (Christian Science Monitor Passcode) Comments from an Oracle executive disparaging the work of security researchers misunderstands their value and ethic. While hackers poking around in code may irritate software companies, their work has made computers safer for everyone
Lockheed wins DHS cyber accreditation (Washington Technology) Lockheed Martin this week became the first non-telecom company to earn a commercial service provider accreditation from the Homeland Security Department
Following the OPM data breach, Uncle Sam needs to step up recruitment of cyber talent (Washington Post) Better than any report on the federal government's "critical skills gap," the cybertheft of 22 million federal personnel records demonstrates Uncle Sam's need for cyber experts
A virtual community of cyber talent (FCW) Of the many ongoing initiatives to build a more cyber-savvy federal workforce, project leaders at the U.S. Cyber Challenge and Monster Government Solutions think they have something different in an online portal for trainees to network and display their credentials
GSA wants industry comments on cybersecurity SIN (Federal Times) The General Services Administration is considering adding a special item number (SIN) for cybersecurity and information assurance (CyberIA) to IT Schedule 70, making it easier for agencies to buy security tools and services and giving vendors a central place to offer their wares
Cybersecurity firm root9B planning San Antonio expansion (San Antonio Express-News) Colorado-based root9B, a high-ranking cybersecurity firm formed with the goal of preventing a "Cyber 9/11," has announced plans to expand in San Antonio
Security software firm Avecto secures space at Manchester Airport Trident development (BDaily) Global security software company Avecto has signed up for space at Property Alliance Group's (PAG) Trident Business Park next to Manchester Airport
Products, Services, and Solutions
Opinion: Twitter's privacy blunder (Christian Science Monitor Passcode) Twitter's decision to give companies instant access to every public post means that users' comments will be tracked, mined, and analyzed more than ever before. Perhaps it's time to think twice before you tweet
Why Microsoft Security Essentials is Better than All Third-Party Antivirus? (Neurogadget) The amount of malware released through the Internet and affecting user activity has increased massively in the last few years
Cisco or Trend Micro? The best breach detection systems around (IT Pro Portal) Given the current threat landscape and the fact that attackers are finding new ways to bypass traditional security, it's no surprise that many companies are turning to the use of breach detection to protect their systems
Risk Fabric: Automated predictive security analytics platform (Help Net Security) In this podcast recorded at Black Hat USA 2015, Anil Nandigam, Senior Director Product Marketing at Bay Dynamics, talks about Risk Fabric, an automated predictive security analytics platform that works with existing enterprise security systems to protect organizations from threats
ESET Virtual Appliance Remotely Manages Network Endpoint Security (eWeek) ESET seeks to reduce the complexity of managing endpoint security on an enterprise network with the ESET Remote Administrator v6, now available as a virtual appliance
Certes Networks: Business-Driven Cybersecurity via Crypto-Segmentation (Sys-Con Media) There are two kinds of enterprises in today's world: the ones that know they've been hacked, and the ones that don't know they've been hacked. To make matters worse, hackers are getting better and better at hiding their tracks. Companies often don't discover breaches until months later, long after the criminals have absconded with vital corporate data
Technologies, Techniques, and Standards
With New Domain Name, Banks Aim to Improve Security (Morning Consult) As consumers increasingly turn to the internet for their banking needs, the financial services industry is moving to create its own systems to bolster cybersecurity. The web domain .bank, which launched on June 23, is the latest effort to standardize and secure the online presence of banks
How to Fix the Top Five Cyber Security Vulnerabilities (Infosec Institute) A few weeks ago, we analyzed the top five cyber security vulnerabilities in terms of potential for catastrophic damage
The parfait approach to cyber defense: It's all about the layers (Venture Beat) Adobe was back in Flash-induced damage control mode again last month — which is a role that has become all too familiar for the company since Steve Jobs crafted his 2010 manifesto identifying 6 reasons why Flash should disappear
Dealing with a difficult data legacy (Help Net Security) Customer call recording and storage is now standard practice across a variety of industries, as well as a Financial Conduct Authority (FCA) requirement in many cases. But these 'legacy' call recordings regularly contain sensitive payment and personal data that must be (but often isn't) properly safeguarded
Design and Innovation
How Google's icon experiment could improve online security (Christian Science Monitor Passcode) Changing the way icons indicate safe website connections may seem small, but it could have a profound impact on users' understanding of secure online communications
Voice Authentication Beats Fingerprint Biometrics for Data Protection (Payments Source) While the average consumer's banking and payment account information may not be considered as highly-sensitive as the "non official cover" list from Mission Impossible, multi-layer authentication is still the best way to fend off fraudsters
The Burgeoning Invisible App Market (TechCrunch) Today's "invisible app" market could be classified as a passing trend, but it might also be the beginning of a significant multi-year shift in how we transact when we're away from our computers. This shift applies to mobile devices, email, home devices like the Amazon Echo and even wearables like the Apple Watch
Research and Development
NCCoE Seeks Vendors to Develop Model Systems for Controlling Access to IT Assets (NIST) The National Cybersecurity Center of Excellence (NCCoE) is seeking collaborators to provide products and technical expertise on three projects to help organizations improve their cybersecurity. The projects focus on access control, personal identity verification credentials and mobile devices. Each project will result in an example cybersecurity design that can be used by organizations in multiple industry sectors
SMU partners with Raytheon on cybersecurity research (Dallas Business Journal) Southern Methodist University has been designated as one of Raytheon Co.'s strategic partners in cybersecurity research
James Clapper to Keynote UMUC September Cyber Gala (GovConExecutive) The University of Maryland University College will host a gala Sept. 12 to raise funds in support of UMUC Foundation's scholarships for cybersecurity students and honor key people in the field of cybersecurity
Legislation, Policy, and Regulation
Obama Administration Warns Beijing About Covert Agents Operating in U.S. (New York Times) The Obama administration has delivered a warning to Beijing about the presence of Chinese government agents operating secretly in the United States to pressure prominent expatriates — some wanted in China on charges of corruption — to return home immediately, according to American officials
How China has cyber-stumped the US and why Israel could be next (Jerusalem Post) Each revelation is more shocking than the previous one
U.S., India Leaders Meet to Improve Cybersecurity Cooperation (Legaltech News) The discussion occurred in anticipation of next month's likely meeting between President Obama and India Prime Minister Narendra Modi in New York
Experts: In cyber warfare, deterrence a challenge but may be key to nation's defense (TribLive) The United States' best defense against a crippling cyber attack could be a more visible offense, military leaders and other experts recently suggested at the Army War College in Carlisle. Then they stopped talking
How to Combat the Global Cybercrime Wave (Op-Ed) (LiveScience) Today, economic reliance on the internet is all-encompassing. With 40 percent of the world population now online, there is hardly an industry that has not been dramatically transformed and empowered by the communication and business opportunities created. But the very thing that has been such a powerful engine of global economic growth is now threatening to undermine it
Editorial: U.S. has been complacent, lazy in responding to cyberattacks (New Haven Register) The disclosure that Russia was responsible for penetrating the unclassified email system used by the Joint Chiefs of Staff should be disconcerting. Unfortunately, many accounts of cyberattacks these days seem to produce yawns. A major Hollywood studio discovered its computers ruined; a sensitive U.S. government trove of personnel information was stolen; corporate secrets were hacked and used for insider trading; major retailers and a health-care provider were looted of customer data — yet the United States has been complacent and lazy in responding
Wyden Asks What Steps Intelligence Leaders Took to Protect Federal OPM Records, Other Sensitive File (Political News) "The fact that such sensitive information was not adequately protected raises real questions about how well the government can protect personnel information in the future"
Brands On Alert As Massive Fines Set To Dwarf Reputation Damage After Hack Attacks (MediaPost) The statement most likely to fall from any marketing commentator's mouth when asked to report on a data breach is how the main threat to the business is its good name. The next line usually goes into a prophetic warning about how breaches can actually bring down companies as customers decide not to trust a brand that has been hacked and vote with their feet. The news today — in fact, the news in the making for the last couple of years — is that brands will probably have to start thinking about loyalty implications a lot less than they are massive new fines. The reason is that the punishments for breaches are going to skyrocket in the EU within the next year or so when the Data Protection General Regulation (DPGR) eventually becomes law
NETWARCOM gains oversight of more Naval networks (C4ISR & Networks) The Naval Network Warfare Command (NETWARCOM), headquartered in Suffolk, Virginia, executes tactical-level command and control of Navy networks and leverages joint space capabilities for Navy and joint operations, and also operates directly under the Navy's Fleet Cyber Command/10th Fleet. CAPT Eugene Costello has helmed the command since September 2013, after serving as deputy director of operations at the Defense Information Systems Agency
Jeh Johnson Tasks Homeland Security Advisory Council to Form Cybersecurity Subcommittee (ExecutiveGov) Jeh Johnson, secretary of the Department of Homeland Security, has issued a task assignment for the Homeland Security Advisory Council to form a cybersecurity subcommittee that will support the council's efforts in the cyber sector
Litigation, Investigation, and Law Enforcement
Will Supreme Court force DHS to divulge secret plan to cut cell service? (Ars Technica) Feds, lower courts say release of the full plan would "endanger" public safety
Safe given to lawyer among irregularities seen in review of Hillary Clinton emails (Washington Times) When State Department officials first discovered that Hillary Rodham Clinton's personal email account contained classified information, they did not seize the thumb drive containing her digitally archived inbox but rather provided her attorney a special safe to secure the device, according to interviews and documents
Dianne Feinstein defends Clinton's email practices (Politico) The top Democrat on the Senate Intelligence Committee defended Hillary Clinton's email practices on Thursday, saying media reports about classified information on the former secretary of state's server did not make clear that Clinton hadn't written any of the "top secret" emails
Former CIA spy on Clinton emails: 'You and I would get fired and possibly jailed' for this (Washington Examiner) If Hillary Clinton allowed classified information onto her private server or personal phone, she should be disqualified from becoming president, former CIA spy Bob Baer said Saturday
Hillary Clinton Hits Back on Email and Benghazi (Defense One) In a heated and defiant appearance, Hillary Clinton said she is the victim of a political witch hunt, and vowed to fight it
AT&T's "Extreme Willingness to Help" is key to NSA Internet surveillance (Ars Technica) Published report said partnership dates back to 1985
Private-Public Collaboration Puts Pittsburgh at Fore of Cybercrime Fight (Wall Street Journal) Partnership allows FBI agents to work with analysts from banks and other firms to identify threats
Using Passive DNS to Fight Cybercrime (eSecurity Planet) Going after bad guys can lead to unintended Internet collateral damage, but Paul Vixie has some ideas on limiting the risk with DNS
For a complete running list of events, please visit the Event Tracker.
5th Annual Cyber Security Training & Technology Forum (CSTTF) (Colorado Springs, Colorado, USA, Aug 19 - 20, 2015) The Information Systems Security Association (ISSA) Colorado Springs Chapter and FBC, Inc. will once again co-host the 5th Annual Cyber Security Training & Technology Forum (CSTTF). CSTTF 2015 will bring together cyber experts from the DoD, federal government, business, research, and academia to address a variety of current cyber topics
Decepticon 2015 (Cambridge, England, UK, Aug 24 - 26, 2015) Decepticon brings together researchers and practitioners in the detection and prevention of deception. Previously, deception research has been fragmented across conferences in many different disciplines, sub-disciplines and countries. To cover the great diversity of approaches to deception research, our scientific committee has members covering several domains
AFCEA OKC Technology & Cyber Security Day (Oklahoma City, Oklahoma, USA, Aug 27, 2015) FBC and the Armed Forces Communications & Electronics Association (AFCEA) Oklahoma City Chapter will be partnering once again to host the annual Technology Day & "Scholarship" Golf Tournament at Tinker AFB. This is the only Technology Day held at Tinker AFB each year. The annual Technology Day allows exhibitors the opportunity to have access to information technology, communications, cyber, engineering, and contracting personnel at Tinker AFB. Over 300 attendees participated in the 2014 Technology Day and we expect the same level of attendance in 2015
Power Grid Cyber Security Exchange 2015 (San Diego, California, USA, Aug 30 - Sep 1, 2015) The Power Grid Cyber Security Exchange will take a deep dive into the cyber security strategies, innovative approaches and strategic planning necessary to balance the competing priorities of today's technology and information security executives. This program is tailored to utility executives and industry stakeholders that are responsible for addressing threat intelligence, analysis and monitoring; network architecture; and cyber incident response
2015 HTCIA International Conference & Training Expo (Orlando, Florida, USA, Aug 30 - Sep 2, 2015) Bringing together experts from all over the world to share their latest research and techniques related to cybersecurity, incident response and computer forensics
ICFP 2015 (Vancouver, British Columbia, Canada, Aug 31 - Sep 2, 2015) ICFP 2015 provides a forum for researchers and developers to hear about the latest work on the design, implementations, principles, and uses of functional programming. The conference covers the entire spectrum of work, from practice to theory, including its peripheries
Mid-Atlantic Security Conference (Gaithersburg, Maryland, USA, Sep 1, 2015) The conference is brought to you by Information Systems Security Association's Baltimore, NOVA, and National Capital Chapters. Join us for a full day of training on cybersecurity topics by industry leaders, hands-on workshops, and a Capture the Flag event and receive a certificate for 7 CPEs toward your professional certifications
SCADA Nexus 2015 (Houston, Texas, USA, Sep 2 - 4, 2015) SCADA Nexus is an international annual event for ICS and SCADA security professionals and executives to focus on world-wide security concerns. The event is located in Houston, Texas each year at the Hilton Americas Convention Center. Our 2015 event is from September 2-4 with extended training from September 7-11.
SIN 2015 (Sochi, Russia, Sep 8 - 10, 2015) The 8th International Conference on Security of Information and Networks (SIN 2015) provides an international forum for presentation of research and applications of security in information and networks. SIN 2015 features contributed as well as invited papers, special sessions, workshops, and tutorials on theory and practice. It seeks to convene a high-quality, well-attended, and up-to-date conference on scientific and technical issues of security in information, networks, and systems
NSPW (New Security Paradigms Workshop) (Twente, Netherlands, Sep 8 - 11, 2015) Although NSPW is more of a workshop than a conference, it has earned its right to be included in this list. Since 1992, NSPW has been offering a unique forum for cyber security specialists involved in researching high-risk, high-opportunity paradigms to present their ideas. The discussions always challenge the current limitations of information security tools and technology, while disputing long-held beliefs or the very foundations of security. You're bound to get fresh, new ideas from attending this workshop
Global Cyberspace Cooperation Summit VI (New York, New York, USA, Sep 9 - 10, 2015) An invitation-only event, this meeting of international actors aims to coordinate and consolidate progress, showcase results and promote collective action. The annual cyber summits provide a crucial forum for building international, private-public action to foster international cooperation in cyberspace. Breakthrough groups, aligned with the initiative's objectives of economic and political development, digital security and stability, and sound governance and management, carry the program forward
Intelligence and National Security Summit (Washington, DC, USA, Sep 9 - 10, 2015) AFCEA International (AFCEA) and the Intelligence and National Security Alliance (INSA) are pleased to host the second Intelligence and National Security Summit to provide the platform for this essential discussion. This two-day, unclassified Summit will feature five plenary sessions with top federal agency leaders and policymakers sharing their assessments and priorities for U.S. national, defense and homeland security intelligence. In addition, thought leaders from government, industry and academia will explore emerging issues and solutions related to intelligence policy, cyber threats, and technology and innovation over nine breakout sessions
Cybersecurity Innovation Forum (Washington, DC, USA, Sep 9 - 11, 2015) The 2015 Cybersecurity Innovation Forum is a three-day event hosted by the National Institute of Standards and Technology, and planned with the National Security Agency, and the Department of Homeland Security. This event brings government and industry together to focus on current, emerging, and future challenges, technologies, projects, solutions, and research in trusted computing, security automation, and information sharing
2nd Annual Senior Executive Cyber Security Conference (Baltimore, Maryland, USA, Sep 10, 2015) The one-day symposium will examine the potential advantages and pitfalls of an information-sharing strategy from the technological, business and regulatory perspectives
Cyber 6.0 (Laurel, Maryland, USA, Jun 17, 2015) The mission of the Cyber Conference is to provide a forum for small and mid-sized businesses in Howard County and the region to access industry and government leaders with current information on cybersecurity that will improve their market position, enhance their corporate security policies and infrastructure, identify potential business opportunities, and provide a take away of information and contacts for follow-up that assists businesses in understanding the role they play in national cybersecurity and how they can address those challenges. All businesses have a role to play in protecting the national security of our infrastructure. While locally sponsored and organized, the conference has national reach
BSides Augusta 2015 (Augusta, Georgia, USA, Sep 12, 2015) Each BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening
SANS Institute: Information Security Training (Las Vegas, Nevada, USA, Sep 12 - 21, 2015) Information security training in Las Vegas from SANS Institute, the global leader in information security training. At SANS Network Security 2015, SANS offers more than 40 hands-on, immersion-style security training courses taught by real-world practitioners. The site of SANS Network Security 2015, September 12 - 21, is Caesars Palace, the majestic Las Vegas hotel
Gulf Cooperation Council Cyber Security Summit (Abu Dhabi, United Arab Emirates, Sep 13 - 15, 2015) The GCC Cyber Security Summit will bring together regional and international thought leaders and decision-makers to examine one of the most vital threats to the region's future well-being: cyber-attack. Penetration of national and company security, criminal fraud and identity theft are now big business worldwide among a shadowy fraternity that is only growing in power and size. Recent incidents with film studios, healthcare providers and global banks continue to resonate in cabinet offices and boardrooms everywhere
Hacker Halted 2015 (Atlanta, Georgia, USA, Sep 13 - 18, 2015) EC-Council Foundation's flagship information security conference, Hacker Halted, will unite some of the greatest minds in information security, as industry experts address the latest threats and vulnerabilities plaguing the virtual world. Hacker Halted will also feature several highly technical and advanced workshops that cover the most current security topics and will include EC-Council's most sought after certification classes. Hacker Halted runs concurrently with the invitation-only Global CSO Forum
EnergySec 11th Annual Security & Compliance Summit (Washington, DC, USA, Sep 14 - 16, 2015) For more than 10 years the EnergySec Security Summit has been the premier gathering for stakeholders in the energy sector focused on physical and cyber security. Our summits give each attendee a rare opportunity to mingle with asset owners, government agencies, researchers, consultants, vendors and academia under one roof
Fraud Summit San Francisco (San Francisco, California, USA, Sep 15, 2015) ISMG's Fraud Summit is a one-day event focused exclusively on the top fraud trends impacting organizations and the mitigation strategies to overcome those challenges. Among the areas to be discussed are the fraud ecosystem, trends in consumer fraud awareness (what's working and what's not), and threat intelligence
Borderless Cyber 2015 (Washington, DC, USA, Sep 15 - 16, 2015) OASIS, in collaboration with The World Bank, will bring together public and private sector security professionals from around the world to evaluate, debate, and collaborate on cyber security best practices and tools. Hosted at The World Bank headquarters in Washington, DC, the conference will generate dialogue across government and business, combining high-profile guest speakers, interactive roundtable sessions, and moderated debates. Additional networking events will complement each day's agenda, offering opportunities for real-time collaboration
Detroit Secure World (Detroit, Michigan, USA, Sep 16 - 17, 2015) Join your fellow security professionals for affordable, high-quality cybersecurity training and education at a regional conference near you. Earn CPE credits while learning from nationally recognized industry experts on many diverse topics such as: Risk Mitigation, Malware Detection, Digital Forensics, Cloud Security, Privacy, Big Data, PCI Compliance, Security Metrics, Encryption, Mobile Device Management, Incident Response, and much more. Risk management and enterprise cyber defense strategies figure on the agenda
National Insider Threat Special Interest Group Meeting (Laurel, Maryland, USA, Jul 16, 2015) Topics to be discussed at the meeting: Insider Threat Program Development & Implementation, Behavioral Indicators Of Concern, Legal Considerations When Developing & Managing An Insider Threat Program. There is no cost to attend this meeting
6th Annual Billington Cybersecurity Summit (Washington, DC, USA, Sep 17, 2015) Join key leaders and decision makers from government, military and the private sector at this one-day intensive networking event as participants focus on the next generation of solutions to ensure this nation's cybersecurity
Cyber Security Summit: New York (New York, New York, USA, Sep 18, 2015) The Cyber Security Summit provides an exclusive business environment to meet with Senior Executives who are seeking innovative solutions to protect their business & critical infrastructure. Delegates at the Cyber Security Summit are prequalified based on their willingness to meet with Solution Providers and proven ability to purchase products and services
Data Breach Investigation Summit (Dallas, Texas, USA, Sep 21 - 26, 2015) Data breaches are occurring at an alarming rate and increasing in their scope, frequency and impact, and they don't discriminate by industry, geography or organization size. When a breach occurs, organizations, agencies and individuals need to learn how to more effectively identify/detect that the breach has occurred, respond to the breach in an effective and timely manner, investigate the breach, and prevent/defend the organization from future breaches
St. Louis SecureWorld 2015 (St. Louis, Missouri, USA, Sep 22 - 23, 2015) Join your fellow security professionals for affordable, high-quality cybersecurity training and education at a regional conference near you. Earn CPE credits while learning from nationally recognized industry experts on many diverse topics such as: Risk Mitigation, Malware Detection, Digital Forensics, Cloud Security, Privacy, Big Data, PCI Compliance, Security Metrics, Encryption, Mobile Device Management, Incident Response, and much more. The security implications of the Internet-of-things will be among the topics discussed
OWASP APPSECUSA (San Francisco, California, USA, Sep 22 - 25, 2015) The premier gathering of developers, security experts and technologists to discuss cutting edge approaches to secure web applications
SAT 2015: 18th International Conference on Theory and Applications of Satisfiability Testing (Austin, Texas, USA, Sep 24 - 27, 2015) The International Conference on Theory and Applications of Satisfiability Testing (SAT) is the premier annual meeting for researchers focusing on the theory and applications of the propositional satisfiability problem, broadly construed. Aside from plain propositional satisfiability, the scope of the meeting includes Boolean optimization (including MaxSAT and Pseudo-Boolean (PB) constraints), Quantified Boolean Formulas (QBF), Satisfiability Modulo Theories (SMT), and Constraint Programming (CP) for problems with clear connections to Boolean-level reasoning
CSS (International Conference on Cryptography and Security Systems) (Warsaw, Poland, Sep 25 - 27, 2015) After three years' break, CSS is returning in 2017 with another great look at the evolution of cryptography and its role for the cyber security industry. This event is focused on presenting original and unpublished research and developing activities related to all aspects of cryptography and network security. From theory to practice, this conference might be right up your alley if you're interested in cryptography
ASIS International (Anaheim, California, USA, Sep 28 - Oct 1, 2015) The ASIS Annual Seminar and Exhibits boasts of being one of the world's most influential events for security professionals. Its mission is to provide industry-leading education, countless business connections, and the latest product and service innovations from 600+ exhibitors from the information security sector
CYBERSEC European Cybersecurity Forum (Kraków, Poland, Sep 28 - 29, 2015) The CYBERSEC forum is the first of its kind in Poland and one of just a few regular public policy conferences in Europe devoted to the strategic issues of cyberspace and cybersecurity. The goal of CYBERSEC conference is the formulation of practical recommendations that aim to increase resilience to cyber threats within specific economic sectors, countries, and the EU as a whole
(ISC)² Security Congress (Anaheim, California, USA, Sep 28 - Oct 1, 2015) Proudly colocated for the fifth year in a row, (ISC)² Security Congress 2015 and ASIS International 61st Annual Seminar and Exhibits (ASIS 2015) expect more than 19,000 professionals worldwide from both the information security and operational security disciplines to join together September 28 - October 1 in Anaheim, CA. Offering more than 80 education sessions along with networking and career advancement opportunities, (ISC)² Security Congress 2015 will include topics on best practices, current and emerging issues, and solutions to challenges
Fraud Summit Toronto (Toronto, Ontario, Canada, Sep 17, 2014) From account takeover to payment card fraud and the emerging mobile threatscape, the ISMG Fraud Summit series is where thought-leaders meet to exchange insights on today's top schemes and the technology solutions designed to stop them.
Threat Intelligence Summit 2015 (ChampionsGate, Florida, USA, Sep 29 - 30, 2015) The threat landscape is getting bigger and more complex, the tools more plentiful, the amount of digital information increasingly massive, and the skills needed to navigate this terrain seem to multiply continuously. The key to success in defending against threats — actionable threat intelligence. Threat Intelligence Summit 2015 will address best practices for combating threats in your organization
hardwear.io: Hardware Security Conference and Training (The Hague, Netherlands, Sep 29 - Oct 2, 2015) Do you trust your hardware? Learn from experts about backdoors, exploits, trust, assurance and attacks on hardware equipment, firmware and related protocols
VB2015 (Prague, Czech Republic, Sep 30 - Oct 2, 2015) The VB2015 programme includes 38 papers on a wide range of security topics. As in previous years, the presentations will run in two parallel streams and the programme includes both technical and less technical presentations. Just a small selection of the many highlights includes: "Attack on the drones: security vulnerabilities of unmanned aerial vehicles" (Oleg Petrovsky), "How malware eats cookies" (Zhaoyan Xu, Wei Xu), "The Unbearable Lightness of APTing" (Yaniv Balmas, Ron Davidson, Shahar Tal), "The Kobayashi Maru dilemma" (Morton Swimmer, Nick FitzGerald, Andrew Lee), "DDoS trojan: a malicious concept that conquered the ELF format" (Peter Kalnai, Jaromir Horejsi), "POS fraud: trends and counter-actions to mass fraud" (Ken Dunham), and "The elephant in the room" (Marion Marschalek). This year's conference will include two keynote speakers — one at the opening of the conference and one at the very end. The programme will also include a number of added extras