The CyberWire Daily Briefing 08.27.15
Alleged TeaMp0isoN and Cyber Caliphate ringleader Junaid Hussain (a.k.a. "TriCk"), thought to be a leading ISIS hacker and online recruiter, is reported killed by a US drone strike in Syria.
Concerns about Tor's vulnerability to de-anonymization prompt a leading black market service, Agora, to shut down until such vulnerability is addressed.
Palo Alto, TrendLabs, Kaspersky, and SANS report on some new and some long-standing exploits and vectors: the uWarrior RAT, Gamker, Android mediaserver heap overflow exploitation, and malicious MS Office documents contained within pdfs.
The Ashley Madison hacker (avidly pursued by both the RCMP and the FBI) may be close to revelation. Krebs reports the hacker may be tweeting (a temptation harder to resist than adultery) and John McAfee is telling people to look for a female insider.
Endress+Hauser patches a buffer overflow vulnerability in their industrial control system tools. PayPal closes a cross-site scripting issue in its payment system. Google pulls a mobile app that exploited Certifi-gate.
Bellwether Netflix appears to be dumping traditional signature-based anti-virus products in favor of SentinelOne's "irregularity" sensing solution. Netflix judges this sufficient to meet compliance needs.
The US National Archives and Records Administration (NARA) tells Federal records administrators to get more involved in cyber security. The US Federal CIO says the Government's pre-OPM-hack cyber preparation lacked "urgency," and says that the Government Accountability Office (GAO) and agency IGs will institutionalize the recent "cybersecurity sprint."
The US Department of Defense institutes mandatory breach reporting requirements for contractors (who complain the Department's moved too fast).
Notes.
Today's issue includes events affecting Canada, China, Italy, Japan, Russia, Singapore, Syria, and the United States.
Cyber Attacks, Threats, and Vulnerabilities
Reports: Ex-TeaMp0isoN member killed in Syrian drone strike (CSO) A British hacker, and former member of the hacking group TeaMp0isoN, Junaid Hussain (TriCk), was killed in a drone strike outside of the Syrian city of Raqqa on Tuesday
Junaid Hussain, British Hacker For ISIS, Killed In US Drone Strike In Syria: Sources (International Business Times) A British hacker believed to be a top cyber expert for the Islamic State group has been killed in a U.S. drone strike, sources reportedly said Wednesday. Junaid Hussain, a British citizen from Birmingham, reportedly traveled to Syria in 2013
U.S. Drone Strike Kills Islamic State Hacker (Wall Street Journal) A fugitive British hacker who had become one of Islamic State's top online terrorist recruiters was killed by a U.S. drone strike in Syria on Tuesday, two people familiar with the operation said, indicating the U.S.-led campaign is continuing to penetrate the extremist network's leadership
Tor security concerns prompt largest dark market to suspend operations (IDG via CSO) The Agora black marketplace will be closed down until a fix for recent Tor de-anonymization attacks is found
Researchers Uncover New Italian RAT uWarrior (Threatpost) Details have come to light about a new remote access Trojan called uWarrior that arrives embedded in a rigged .RTF document
Revisiting CVE-2015-3823: Mediaserver Bug Leads To Heap Overflow, Too (TrendLabs Security Intelligence Blog) Issues surrounding the Android mediaserver component continue. It has been brought to our attention that a vulnerability (CVE-2015-3823) could (theoretically) be used for arbitrary code execution as well. On August 23, Google raised the severity of this vulnerability to "critical", indicating that code execution was possible. We have previously discussed how this bug in the mediaserver component of Android could lock devices in an endless reboot loop
Not a GAMe maKER (Virus Bulletin) Gamker is an information-stealing trojan which uses simple decryption, then drops a copy of itself using a random filename and injects itself into a different process. Raul Alvarez looks into its code injection routine and at the twists in its API-hooking routine
PDF ÷ maldoc1 = maldoc2 (Internet Storm Center) I received another example of a PDF file that contains a malicious MS Office document
CERT Warns of Hard-Coded Credentials in DSL SOHO Routers (Threatpost) DSL routers from a number of manufacturers contain hard-coded credentials that could allow a hacker to access the devices via telnet services and remotely control them
Patched Insomnia Vulnerability Keeps Malicious iOS Apps Hidden (Threatpost) Apple's monster security update of Aug. 13 included a patch for an iOS vulnerability that could beacon out location data and other personal information from a device, even if a particular task has been shut off by the user
PayPal XSS flaw could have let hackers steal your unencrypted credit card details (Lumension) A cross-site scripting (XSS) flaw on PayPal's website could have been used by hackers to phish for your login credentials, and even steal your unencrypted card details
Who Hacked Ashley Madison? (KrebsOnSecurity) AshleyMadison.com, a site that helps married people cheat and whose slogan is "Life is Short, have an Affair," recently put up a half million (Canadian) dollar bounty for information leading to the arrest and prosecution of the Impact Team — the name chosen by the hacker(s) who recently leaked data on more than 30 million Ashley Madison users. Here is the first of likely several posts examining individuals who appear to be closely connected to this attack
Is Ashley Madison Cyber-Attack An Inside Job? (Food World News) In line with the controversial Ashley Madison cyber-attack, security experts believe that the attackers are not some faceless group of hackers. John McAfee, who developed the first controversial antivirus program, released a statement revealing who the hackers are
Security Patches, Mitigations, and Software Updates
Endress+Hauser Patches Buffer Overflow in Dozens of ICS Products (Threatpost) There is a serious, remotely exploitable vulnerability in the Device Type Manager library used in a long list of industrial process automation and measurement products sold by German firm Endress+Hauser that can cause affected products to hang indefinitely
PayPal Patches Serious Flaw in Payment System (SecurityWeek) PayPal has patched a serious vulnerability that could have been exploited by malicious actors to trick users into handing over their personal and financial details
Google Pulls App Exploiting Certifi-Gate Vulnerability (Threatpost) A mobile application exploiting the so-called Certifi-gate vulnerability disclosed at Black Hat has been removed from the Google Play store
Cyber Trends
Netflix Is Dumping Anti-Virus, Presages Death Of An Industry (Forbes) For years, nails have been hammering down on the coffin of anti-virus. But none have really put the beast to bed. An industry founded in the 1980s, a time when John McAfee was known as a pioneer rather than a tequila-downing rascal, has survived despite the rise of umpteen firms who claim to offer services that eradicate the need for anti-virus
A Tale Of Two IoT Security Outcomes (Dark Reading) Commandeered Jeep gets fixed but a 'hijacked' satellite network does not? Why Internet of Things security remains a work in progress
Many firms not getting to grips with third-party data security risk (ComputerWeekly) Supply chain data security risk is pervasive, but being unable to deal with it is down to basic failings, says a cyber risk expert
Phishing is a $3.7-million annual cost for average large company (CSO) The average 10,000-employee company spends $3.7 million a year dealing with phishing attacks
Crypto'wear Is Emerging As a Security Topic (Heimdal) Cryptoware is advancing on all fronts in the cyber crime space, with attacks from spam and exploits readily happening every single day, in both single-target and mass targeted campaigns
'Breach is the new normal,' says IDC security director (FierceITSecurity) You have been breached. And if you haven't, you will be
81% of healthcare organizations have been compromised (Help Net Security) Eighty-one percent of health care executives say that their organizations have been compromised by at least one malware, botnet, or other cyber-attack during the past two years, and only half feel that they are adequately prepared in preventing attacks, according to KPMG
Why the healthcare industry badly needs a cyber security health check (Information Age) The healthcare industry had the highest number of breaches in 2014
FuTuRology: Watch Out for Literally Crippling Healthcare Technologies (TrendLabs Security Intelligence Blog) We're back to look inside the crystal ball of future technologies. This is the third post of the "FuTuRology" project, a blog series where the Trend Micro Forward-Looking Threat Research (FTR) team predicts the future of popular technologies
Cyberthreats: Worse Than Anyone Thinks (The VAR Guy) The potential for a cyberattack is top of mind for not just IT professionals and CIOs but also among the general population
Consumers Want Password Alternatives (Dark Reading) Consumer confidence in online passwords wanes and their password hygiene remains as sketchy as ever, study finds
Marketplace
Deltek: Cybersecurity, Intell Analysis Projects to Drive DoD Big Data Spend in 2016-2019 (ExecutiveBiz) Deltek has forecast the U.S. Defense Department will increase spending on big data platforms and services by 8.7 percent year-over-year from fiscal 2016 to fiscal 2019
IBM and Cisco: Progress on Cyber Security, But Not Enough (Design News) At NIWeek earlier this month, executives from two tech heavyweights — Cisco and IBM — weighed in on the status of cyber security. Their conclusion? We're making progress, but not enough
BlackBerry and WatchDox: 9/11 and Our Sadly Ironic Security Conundrum (IT Business Edge) A while back, BlackBerry announced the acquisition of WatchDox, a secure collaboration platform that is apparently classified as "visionary" by the Gartner Group
This Decade-Old Cybersecurity Firm Is on a Tear After a Big Turnaround (BostonInno) How Digital Guardian got its groove back
Leading Threat Intelligence Platform Provider BrightPoint Security Adds New SVP of Products to Growing Executive Team (IT Business Net) Former CipherCloud and Symantec executive Ajay Nigam to lead development of leading platform for sharing threat intelligence
Arxan Appoints Joe Sander as CEO (IT Business Net) Seasoned growth executive to build upon company success in mobile, IoT, and other markets
Products, Services, and Solutions
10 Free or Cheap WiFi Security Testing Tools (eSecurity) Do not kid yourselves, security professionals. You need more than one WiFi security testing tool. Here are 10 free or inexpensive options
Kaspersky catches the phishes (ITWire) The new version of Kaspersky Internet Security has received the highest Advanced+ award in the anti-phishing technology test conducted by AV-Comparatives, without a single false positive and successfully blocking 98% of phishing URLs
Terbium Labs Leverages MapR to Help Power Discovery of Stolen Data on the Dark Web (BusinessWire) More than 350 billion data fingerprints are used to automatically detect breaches in minutes
HackerOne Co-Founder Details the Value of Bug Bounty Programs (eWeek) Alex Rice, co-founder and CTO of HackerOne, discusses the benefits of bug bounty programs and why organizations can never buy every software bug
Brocade unleashes new monitoring and analytics platform (Networks Asia) Brocade has introduced the Brocade Analytics Monitoring Platform, which represents a new product line for the company
From TVs to cars, Symantec secures over one billion IoT devices (IT Pro Portal) Symantec has announced it is securing more than one billion Internet of Things (IoT) devices, including everything from televisions and cars to smart meters and critical infrastructure
PointClick Technologies Unveils Enhanced Cloud Security Services For The Enterprise (PRNewswire) Partnership with Imperva provides web application firewall, DDoS protection, and CDN services to enhance enterprise cloud assets
Verizon enters the connected car space with Hum (Ars Technica) Is the market ready for yet another Internet-connected OBD2 reader?
Technologies, Techniques, and Standards
Open source auditing with Lynis (Help Net Security) Lynis is an open source security auditing tool
4 security metrics that matter (InfoWorld via CSO) Today, management demands metrics to get a clearer view of security. Here are four metrics that deliver actionable insight — and a few others with less value
Why understanding the lifecycle of a cyber attack is better than trying to stop it (Information Age) Prevention as a security strategy is inherently flawed: businesses need to walk in the footsteps of their attacker to make their system smarter and leaner
The Complexities of Attribution in Cyber Space: An Overview (Dark Matters) The challenges with attribution and Cyber Space are a study of both social and political aspects that directly relate to the overall technical architecture of the Internet as a whole
Spotting an Attacker's "Tell" through Data Analysis (RSA Blogs) People have been talking about using Big Data for security for a long time now. Most of the ideas have been at a very high level, with few concrete tangible use cases — especially when dealing with today's nation state attacker or hacktivist
Ashley Madison Fallout: Investigations, Lawsuits, Lessons (InformationWeek) The fallout from the Ashley Madison breach continues, offering some surprise lessons for CIOs and IT professionals on how to respond to a very public event
When to host your Website's security (CSO) Does managed website hosting provide stronger security than self-hosting?
Exploiting the Social Media Security Conundrum (Tripwire: the State of Security) It is 2015, and social media is everywhere. It is embedded in your smartphone, and its logos are printed on nearly every product packaging
EXCLUSIVE: Managing Cyber Risk In The Shadows — A Q&A With NSA's Chief Risk Officer (Homeland Security Today) Perhaps the most crucial infrastructure in the US — and globally — is the country's intelligence and security community, which ensures national security for the US and its allies, thus ensuring that global economic commerce operates in a stable and secure environment. But can risk management also play an effective role in the "shadow work" of the intelligence and security sector? In a question and answer session, Anne Neuberger, Chief Risk Officer at the National Security Agency (NSA), presents a strong case in support of this idea
Identity Theft 101 — Stop It, Catch It, Kill It: Part 1 (Team Cymru) We've touched on the subject of identity theft (specifically, medical identity theft) before. But as one of the most damaging outcomes of an information security failure, it's worth taking a closer look at
Design and Innovation
Effective security starts with UX (Help Net Security) There's an unfortunate disconnect between the priorities of security teams and where they're investing their time, focus, and budget
Symantec Publishes Crash Course in Car Security (Infosecurity Magazine) Security firm Symantec has released a research report containing advice and practical guidance for combatting the increasingly significant issue of automotive security vulnerabilities
Research and Development
The US Navy is working on AI that can predict a pirate attack (Science Alert) Pipe in enough data, and computer algorithms can do just about anything with it — including spotting tell-tale signs of pirate behaviour. The US Navy has just filed a patent application that outlines a "method for predicting pirate attack risk… based on intel regarding pirates", and it might one day help its ships recognise a threat ahead of time
Academia
The growing need for more women cybersleuths (CNBC) Only one-fifth of US computer science and engineering degrees are earned by women
Legislation, Policy, and Regulation
Obama calls Japanese leader over spying concerns (The Hill) President Obama phoned Japanese Prime Minister Shinzō Abe late on Tuesday to express his regret over new reports of U.S. spying on Japan
Federal records managers should be more engaged in cybersecurity work, says NARA official (FierceGovernmentIT) Chief information officers are not always engaging records managers in the cybersecurity efforts that are underway at federal agencies and departments, said a top National Archives and Records Administration Official
Federal CIO: Cybersecurity Policies Lacked 'Urgency' Before OPM Hack (Nextgov) Shortly after Tony Scott became the federal government's chief information officer in February, some of the Obama administration's keystone tech policies — including cybersecurity and cloud computing — "felt like they were languishing a little bit and maybe had lost a sense of urgency," the former corporate IT executive says
GAO, IGs will institutionalize cybersecurity sprint, says Tony Scott (FierceGovernmentIT) Federal agencies and departments may have concluded the Office of Management and Budget's 30-day "cybersecurity sprint," but that doesn't mean their work to meet cybersecurity goals is finished, said Federal Chief Information Officer Tony Scott
DoD Addresses Cybersecurity Preparedness, Incident Reporting, and Cloud Computing Acquisitions with new DFARS interim rule (National Law Review) Announced and effective today, August 26, 2015, DoD has issued an interim rule that significantly expands existing DFARS provisions and clauses requiring contractors and subcontractors to report cyber incidents
Pentagon unveils data breach rules for defense contractors (The Hill) The Pentagon is rolling out long-awaited rules governing how the defense industry should report cybersecurity incidents
Industry: Pentagon Moved Too Fast on Cyber Rules (Defense One) Companies fear they'll have to rewrite their Defense Department contracts when pan-federal regulations arrive
Business leaders mount effort to beat back contractor 'blacklisting' rule (The Hill) Business groups are calling on regulators to withdraw forthcoming labor regulations they say will "blacklist" companies from procuring federal contracts
CRS: Oversight of intelligence community contractors nearly impossible due to classified data (FierceGovernmentIT) Oversight of intelligence community contracts is extremely difficult because the government doesn't have reliable contracting data and most of the intelligence information is classified, says an Aug. 18 Congressional Research Service report that was obtained by the Federation of American Scientists
Carter: Pentagon Needs Better Cyber Security Following Joint Chiefs Breach (Defense One) Defense Secretary Ash Carter criticizes the military's computer network security en route to seek help from Silicon Valley
The 22 Amendments That Could Determine the Fate of the Senate's Cybersecurity Bill (National Journal) These amendments will get a vote if and when CISA comes up after recess
Call to mandate reporting of data breaches (Straits Times) All should follow countries that already have this law, says speaker at Data Privacy Asia
New commander at Scott AFB wants to step up fight against cyber attacks (St. Louis Post-Dispatch) The new leader of U.S. Transportation Command, essentially the moving company for nearly all things military, said here Wednesday that cyberattacks are an "evolving threat" with a low cost of entry that need to be dealt with
U.S. Army Cyber Center of Excellence making strides; still has long way to go (Augusta Chronicle) The U.S. Army Cyber Center of Excellence is progressing as planned a little more than a year after transitioning from the branch's Signal Center, but it still has a ways to go, Maj. Gen. Stephen Fogarty said
Applications for 17C cyber transfers due by Aug. 31 (Army Times) The Army is about to close the fiscal 2015 application window for enlisted soldiers who want to reclassify into 17C, the new military occupational specialty for cyber operations specialists
Litigation, Investigation, and Law Enforcement
Spies: Obama's Brass Pressured Us to Downplay ISIS Threat (Daily Beast) U.S. intelligence analysts keep saying that the American-led campaign against ISIS isn't going so well. Their bosses keep telling them to think again about those conclusions
State Department officials routinely sent secrets over email (AP) The transmission of now-classified information across Hillary Rodham Clinton's private email is consistent with a State Department culture in which diplomats routinely sent secret material on unsecured email during the past two administrations, according to documents reviewed by The Associated Press
What Does Joe Biden Know? (Atlantic) As the vice president edges toward a presidential run, is he banking on further public disclosures to discredit the frontrunner?
Legal Experts Weigh In On Court Ruling in Favor of FTC Authority Over Data Breaches (Legaltech News) Wyndham ruling "nails the coffin shut" on FTC's authority to go after companies following a cyberbreach
Hack impact: Analysing the cyber attack aftermath (Mobile Today) On Monday, a Federal Court in the US ruled that companies who fail to provide customers with reasonable protections against the theft of online data could be sued by federal consumer protection enforcers
Target Says SEC Won't Pursue Enforcement Action as a Result of Data Breach (Threatpost) Target officials say that the Securities and Exchange Commission, one of several U.S. agencies investigating the massive data breach at the company in 2013, has decided not to punish Target as a result of the breach
Do Local Laws Belong In a Global Cloud? Q&A with Brad Smith of Microsoft (Part One) (Council on Foreign Relations) In December 2013, the U.S. Department of Justice (DOJ) served Microsoft with a warrant requiring the company to hand over the e-mails of a Microsoft customer suspected of drug trafficking
Electronic Warrantless Surveillance: What IT Should Know (InformationWeek) Today, in the name of public safety, federal and local government agencies are piling up advanced technologies to monitor people, with little regard for the basic principles of privacy. Here's what businesses and individuals need to know
Is the Ashley Madison Hacker Tweeting? (Wall Street Journal) The Royal Canadian Mounted Police and the Federal Bureau of Investigation are investigating the hack of the Ashley Madison website. Security blogger Brian Krebs thinks he has a clue
What Happens When Hacking Hits the Road? (National Law Review) As was widely covered by various media outlets around the world, recently reported on researchers who claimed to have hacked the dashboard entertainment system of a vehicle being driven on public streets
Facebook spammer Sanford Wallace guilty of sending 27 million messages (Naked Security) Notorious spammer Sanford Wallace, aka the "Spam King," found himself in a San Jose court this week as his long-running case concluded with a pair of guilty pleas
FireEye intern VXer pleads guilty for Darkode droid RAT ruse (Register) Dreams of half a million infections
FireEye intern created and sold Dendroid malware (Graham Cluley) Having worked for anti-virus companies for over twenty years, I'm pretty used to dealing with one question in particular
Online Child Predator Charged with 'Revenge Porn' Against Underage Girls (Hack Read) The city of Los Angeles arrested a young man on almost 150 charges — 109 felonies and 42 misdemeanors — related to child pornography
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
AFCEA OKC Technology & Cyber Security Day (Oklahoma City, Oklahoma, USA, Aug 27, 2015) FBC and the Armed Forces Communications & Electronics Association (AFCEA) Oklahoma City Chapter will be partnering once again to host the annual Technology Day & "Scholarship" Golf Tournament at Tinker AFB. This is the only Technology Day held at Tinker AFB each year. The annual Technology Day allows exhibitors the opportunity to have access to information technology, communications, cyber, engineering, and contracting personnel at Tinker AFB. Over 300 attendees participated in the 2014 Technology Day and we expect the same level of attendance in 2015
Power Grid Cyber Security Exchange 2015 (San Diego, California, USA, Aug 30 - Sep 1, 2015) The Power Grid Cyber Security Exchange will take a deep dive into the cyber security strategies, innovative approaches and strategic planning necessary to balance the competing priorities of today's technology and information security executives. This program is tailored to utility executives and industry stakeholders that are responsible for addressing threat intelligence, analysis and monitoring; network architecture; and cyber incident response
2015 HTCIA International Conference & Training Expo (Orlando, Florida, USA, Aug 30 - Sep 2, 2015) Bringing together experts from all over the world to share their latest research and techniques related to cybersecurity, incident response and computer forensics
ICFP 2015 (Vancouver, British Columbia, Canada, Aug 31 - Sep 2, 2015) ICFP 2015 provides a forum for researchers and developers to hear about the latest work on the design, implementations, principles, and uses of functional programming. The conference covers the entire spectrum of work, from practice to theory, including its peripheries
Mid-Atlantic Security Conference (Gaithersburg, Maryland, USA, Sep 1, 2015) The conference is brought to you by Information Systems Security Association's Baltimore, NOVA, and National Capital Chapters. Join us for a full day of training on cybersecurity topics by industry leaders, hands-on workshops, and a Capture the Flag event and receive a certificate for 7 CPEs toward your professional certifications
SCADA Nexus 2015 (Houston, Texas, USA, Sep 2 - 4, 2015) SCADA Nexus is an international annual event for ICS and SCADA security professionals and executives to focus on world-wide security concerns. The event is located in Houston, Texas each year at the Hilton Americas Convention Center. Our 2015 event is from September 2-4 with extended training from September 7-11.
SIN 2015 (Sochi, Russia, Sep 8 - 10, 2015) The 8th International Conference on Security of Information and Networks (SIN 2015) provides an international forum for presentation of research and applications of security in information and networks. SIN 2015 features contributed as well as invited papers, special sessions, workshops, and tutorials on theory and practice. It seeks to convene a high-quality, well-attended, and up-to-date conference on scientific and technical issues of security in information, networks, and systems
NSPW (New Security Paradigms Workshop) (Twente, Netherlands, Sep 8 - 11, 2015) Although NSPW is more of a workshop than a conference, it has earned its right to be included in this list. Since 1992, NSPW has been offering a unique forum for cyber security specialists involved in researching high-risk, high-opportunity paradigms to present their ideas. The discussions always challenge the current limitations of information security tools and technology, while disputing long-held beliefs or the very foundations of security. You're bound to get fresh, new ideas from attending this workshop
Global Cyberspace Cooperation Summit VI (New York, New York, USA, Sep 9 - 10, 2015) An invitation-only event, this meeting of international actors aims to coordinate and consolidate progress, showcase results and promote collective action. The annual cyber summits provide a crucial forum for building international, private-public action to foster international cooperation in cyberspace. Breakthrough groups, aligned with the initiative's objectives of economic and political development, digital security and stability, and sound governance and management, carry the program forward
Intelligence and National Security Summit (Washington, DC, USA, Sep 9 - 10, 2015) AFCEA International (AFCEA) and the Intelligence and National Security Alliance (INSA) are pleased to host the second Intelligence and National Security Summit to provide the platform for this essential discussion. This two-day, unclassified Summit will feature five plenary sessions with top federal agency leaders and policymakers sharing their assessments and priorities for U.S. national, defense and homeland security intelligence. In addition, thought leaders from government, industry and academia will explore emerging issues and solutions related to intelligence policy, cyber threats, and technology and innovation over nine breakout sessions
Cybersecurity Innovation Forum (Washington, DC, USA, Sep 9 - 11, 2015) The 2015 Cybersecurity Innovation Forum is a three-day event hosted by the National Institute of Standards and Technology, and planned with the National Security Agency, and the Department of Homeland Security. This event brings government and industry together to focus on current, emerging, and future challenges, technologies, projects, solutions, and research in trusted computing, security automation, and information sharing
2nd Annual Senior Executive Cyber Security Conference (Baltimore, Maryland, USA, Sep 10, 2015) The one-day symposium will examine the potential advantages and pitfalls of an information-sharing strategy from the technological, business and regulatory perspectives
Cyber 6.0 (Laurel, Maryland, USA, Jun 17, 2015) The mission of the Cyber Conference is to provide a forum for small and mid-sized businesses in Howard County and the region to access industry and government leaders with current information on cybersecurity that will improve their market position, enhance their corporate security policies and infrastructure, identify potential business opportunities, and provide a take away of information and contacts for follow-up that assists businesses in understanding the role they play in national cybersecurity and how they can address those challenges. All businesses have a role to play in protecting the national security of our infrastructure. While locally sponsored and organized, the conference has national reach
BSides Augusta 2015 (Augusta, Georgia, USA, Sep 12, 2015) Each BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening
SANS Institute: Information Security Training (Las Vegas, Nevada, USA, Sep 12 - 21, 2015) Information security training in Las Vegas from SANS Institute, the global leader in information security training. At SANS Network Security 2015, SANS offers more than 40 hands-on, immersion-style security training courses taught by real-world practitioners. The site of SANS Network Security 2015, September 12 - 21, is Caesars Palace, the majestic Las Vegas hotel
Gulf Cooperation Council Cyber Security Summit (Abu Dhabi, United Arab Emirates, Sep 13 - 15, 2015) The GCC Cyber Security Summit will bring together regional and international thought leaders and decision-makers to examine one of the most vital threats to the region's future well-being: cyber-attack. Penetration of national and company security, criminal fraud and identity theft are now big business worldwide among a shadowy fraternity that is only growing in power and size. Recent incidents with film studios, healthcare providers and global banks continue to resonate in cabinet offices and boardrooms everywhere
Hacker Halted 2015 (Atlanta, Georgia, USA, Sep 13 - 18, 2015) EC-Council Foundation's flagship information security conference, Hacker Halted, will unite some of the greatest minds in information security, as industry experts address the latest threats and vulnerabilities plaguing the virtual world. Hacker Halted will also feature several highly technical and advanced workshops that cover the most current security topics and will include EC-Council's most sought after certification classes. Hacker Halted runs concurrently with the invitation-only Global CSO Forum
EnergySec 11th Annual Security & Compliance Summit (Washington, DC, USA, Sep 14 - 16, 2015) For more than 10 years the EnergySec Security Summit has been the premier gathering for stakeholders in the energy sector focused on physical and cyber security. Our summits give each attendee a rare opportunity to mingle with asset owners, government agencies, researchers, consultants, vendors and academia under one roof
Fraud Summit San Francisco (San Francisco, California, USA, Sep 15, 2015) ISMG's Fraud Summit is a one-day event focused exclusively on the top fraud trends impacting organizations and the mitigation strategies to overcome those challenges. Among the areas to be discussed are the fraud ecosystem, trends in consumer fraud awareness (what's working and what's not), and threat intelligence
Borderless Cyber 2015 (Washington, DC, USA, Sep 15 - 16, 2015) OASIS, in collaboration with The World Bank, will bring together public and private sector security professionals from around the world to evaluate, debate, and collaborate on cyber security best practices and tools. Hosted at The World Bank headquarters in Washington, DC, the conference will generate dialogue across government and business, combining high-profile guest speakers, interactive roundtable sessions, and moderated debates. Additional networking events will complement each day's agenda, offering opportunities for real-time collaboration
Detroit Secure World (Detroit, Michigan, USA, Sep 16 - 17, 2015) Join your fellow security professionals for affordable, high-quality cybersecurity training and education at a regional conference near you. Earn CPE credits while learning from nationally recognized industry experts on many diverse topics such as: Risk Mitigation, Malware Detection, Digital Forensics, Cloud Security, Privacy, Big Data, PCI Compliance, Security Metrics, Encryption, Mobile Device Management, Incident Response, and much more. Risk management and enterprise cyber defense strategies figure among the agenda
National Insider Threat Special Interest Group Meeting (Laurel, Maryland, USA, Jul 16, 2015) Topics to be discussed at the meeting: Insider Threat Program Development & Implementation, Behavioral Indicators Of Concern, Legal Considerations When Developing & Managing An Insider Threat Program. There is no cost to attend this meeting
6th Annual Billington Cybersecurity Summit (Washington, DC, USA, Sep 17, 2015) Join key leaders and decision makers from government, military and the private sector at this one-day intensive networking event as participants focus on the next generation of solutions to ensure this nation's cybersecurity
Cyber Security Summit: New York (New York, New York, USA, Sep 18, 2015) The Cyber Security Summit provides an exclusive business environment to meet with Senior Executives who are seeking innovative solutions to protect their business & critical infrastructure. Delegates at the Cyber Security Summit are prequalified based on their willingness to meet with Solution Providers and proven ability to purchase products and services
Data Breach Investigation Summit (Dallas, Texas, USA, Sep 21 - 26, 2015) Data breaches are occurring at an alarming rate and increasing in their scope, frequency and impact, and they don't discriminate by industry, geography or organization size. When a breach occurs, organizations, agencies and individuals need to learn how to identify/detect the breach more effectively, respond to it in an effective and timely manner, investigate it, and prevent/defend the organization from future breaches
St. Louis SecureWorld 2015 (St. Louis, Missouri, USA, Sep 22 - 23, 2015) Join your fellow security professionals for affordable, high-quality cybersecurity training and education at a regional conference near you. Earn CPE credits while learning from nationally recognized industry experts on many diverse topics such as: Risk Mitigation, Malware Detection, Digital Forensics, Cloud Security, Privacy, Big Data, PCI Compliance, Security Metrics, Encryption, Mobile Device Management, Incident Response, and much more. The security implications of the Internet of Things will be among the topics discussed
OWASP APPSECUSA (San Francisco, California, USA, Sep 22 - 25, 2015) The premier gathering of developers, security experts and technologists to discuss cutting edge approaches to secure web applications
SAT 2015: 18th International Conference on Theory and Applications of Satisfiability Testing (Austin, Texas, USA, Sep 24 - 27, 2015) The International Conference on Theory and Applications of Satisfiability Testing (SAT) is the premier annual meeting for researchers focusing on the theory and applications of the propositional satisfiability problem, broadly construed. Aside from plain propositional satisfiability, the scope of the meeting includes Boolean optimization (including MaxSAT and Pseudo-Boolean (PB) constraints), Quantified Boolean Formulas (QBF), Satisfiability Modulo Theories (SMT), and Constraint Programming (CP) for problems with clear connections to Boolean-level reasoning
CSS (International Conference on Cryptography and Security Systems) (Warsaw, Poland, Sep 25 - 27, 2015) After three years' break, CSS is returning in 2017 with another great look at the evolution of cryptography and its role for the cyber security industry. This event is focused on presenting original and unpublished research and developing activities related to all aspects of cryptography and network security. From theory to practice, this conference might be right up your alley if you're interested in cryptography
Business Insurance Cyber Risk Summit 2015 (San Francisco, California, USA, Sep 27 - 28, 2015) The Business Insurance Cyber Risk Summit provides risk management professionals and chief information security officers with the practical information and tools needed to combat the latest cyber risks that threaten their organizations. The day-long conference will explore cyber exposures, regulations, governance and insurance coverage. Risk managers and CISOs will learn how to adapt proven risk management strategies to their current cybersecurity environments, how to better communicate with their information security teams, and how to effectively convey risks, exposures and coverage options to their corporate boards and the C suite
ASIS International (Anaheim, California, USA, Sep 28 - Oct 1, 2015) The ASIS Annual Seminar and Exhibits boasts of being one of the world's most influential events for security professionals. Its mission is to provide industry-leading education, countless business connections, and the latest product and service innovations from 600+ exhibitors from the information security sector
CYBERSEC European Cybersecurity Forum (Kraków, Poland, Sep 28 - 29, 2015) The CYBERSEC forum is the first of its kind in Poland and one of just a few regular public policy conferences in Europe devoted to the strategic issues of cyberspace and cybersecurity. The goal of CYBERSEC conference is the formulation of practical recommendations that aim to increase resilience to cyber threats within specific economic sectors, countries, and the EU as a whole
(ISC)² Security Congress (Anaheim, California, USA, Sep 28 - Oct 1, 2015) Proudly colocated for the fifth year in a row, (ISC)² Security Congress 2015 and ASIS International 61st Annual Seminar and Exhibits (ASIS 2015) expect more than 19,000 professionals worldwide from both the information security and operational security disciplines to join together September 28 - October 1 in Anaheim, CA. Offering more than 80 education sessions along with networking and career advancement opportunities, (ISC)² Security Congress 2015 will include topics on best practices, current and emerging issues, and solutions to challenges
Cloud Security Alliance Congress at P.S.R. (Las Vegas, Nevada, USA, Sep 28 - Oct 1, 2015) The industry's premier gathering for IT security professionals and executives who must further educate themselves on the rapidly evolving subject of cloud security. Offering best practices and practical solutions for remaining secure in the cloud, CSA Congresses also expose attendees to industry-specific case studies. P.S.R. brings together two industry-leading events — CSA Congress US and the IAPP Privacy Academy — to provide attendees with more than double the education and networking opportunities with leading innovators and practitioners in technology, security and privacy for the price of a single conference. Among the keynote presenters are Arthur W. Coviello, Jr., Executive Chairman (Retired), The Security Division of EMC, RSA, Brian Krebs, Investigative Reporter, Cybersecurity Expert, Travis LeBlanc, Chief of Enforcement, Federal Communications Commission, Lydia Parnes, Partner, Wilson Sonsini Goodrich & Rosati, Jessica Rich, Director, Bureau of Consumer Protection, Federal Trade Commission
Fraud Summit Toronto (Toronto, Ontario, Canada, Sep 17, 2014) From account takeover to payment card fraud and the emerging mobile threatscape, the ISMG Fraud Summit series is where thought-leaders meet to exchange insights on today's top schemes and the technology solutions designed to stop them.
Threat Intelligence Summit 2015 (ChampionsGate, Florida, USA, Sep 29 - 30, 2015) The threat landscape is getting bigger and more complex, the tools more plentiful, the amount of digital information increasingly massive, and the skills needed to navigate this terrain seem to multiply continuously. The key to success in defending against threats — actionable threat intelligence. Threat Intelligence Summit 2015 will address best practices for combating threats in your organization
hardwear.io: Hardware Security Conference and Training (The Hague, Netherlands, Sep 29 - Oct 2, 2015) Do you trust your hardware? Learn from experts about backdoors, exploits, trust, assurance and attacks on hardware equipment, firmware and related protocols
VB2015 (Prague, Czech Republic, Sep 30 - Oct 2, 2015) The VB2015 programme includes 38 papers on a wide range of security topics. As in previous years, the presentations will run in two parallel streams and the programme includes both technical and less technical presentations. Just a small selection of the many highlights includes: "Attack on the drones: security vulnerabilities of unmanned aerial vehicles" (Oleg Petrovsky), "How malware eats cookies" (Zhaoyan Xu, Wei Xu), "The Unbearable Lightness of APTing" (Yaniv Balmas, Ron Davidson, Shahar Tal), "The Kobayashi Maru dilemma" (Morton Swimmer, Nick FitzGerald, Andrew Lee), "DDoS trojan: a malicious concept that conquered the ELF format" (Peter Kalnai, Jaromir Horejsi), "POS fraud: trends and counter-actions to mass fraud" (Ken Dunham), and "The elephant in the room" (Marion Marschalek). This year's conference will include two keynote speakers — one at the opening of the conference and one at the very end. The programme will also include a number of added extras