
The CyberWire Daily Briefing 08.28.15
There appear to be at least two spearphishing campaigns running that either target EFF people (apparently run by Iran, as it also goes after Iranian dissidents) or spoof an EFF email (which looks like the work of Russian security services).
DD4BC denial-of-service extortionists grow more troublesome, attracting both researcher and law enforcement attention.
Kaspersky notes a rise in superuser mobile exploits. CloudLock observes that privileged accounts cause most (75%) of the problems in cloud environments.
Symantec publishes an update and retrospective on the Regin spyware toolkit, suggesting that it will serve as a template for advanced threats yet to be developed.
Krebs believes he's got a preliminary person-of-interest in the AshleyMadison hack. (Cluley suggests the real mystery of the breach is why you'd sign up for the service with your work email.) Avid Life's CEO steps down in atonement for the hack (if not the business model).
Mozilla updates Firefox, BitTorrent patches a denial-of-service amplification vulnerability, and Adobe pushes a hotfix to a ColdFusion flaw.
Observers note a legal trend, now that the US Federal Trade Commission seems greenlighted to regulate cyber security: enterprises may well be victims of hacking, but they need to be able to address suspicions of negligence when they're breached.
Los Alamos's quantum security device continues to generate buzz. (Other researchers wish haecceity could replace all other authentication modes.)
The US and China prepare for cyber talks. Some observers call for détente, others for deterrence (and note that the Great Firewall could be held at risk).
Notes.
Today's issue includes events affecting Australia, China, Germany, India, Iran, Israel, Russia, Syria, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Pentagon can't confirm ISIS hacker's death (Washington Examiner) The Pentagon could not confirm reports that a top online recruiter for the Islamic group was killed, a spokesman said, but added that the military has conducted a "number of strikes" against Islamic State leaders in Syria over the past three days
Elaborate spear-phishing attempt against global Iranian and free speech activists, including an EFF staffer (BoingBoing) Citizenlab details an "elaborate phishing campaign" against Iranian expats and activists, combining phone-calls from fake Reuters reporters, mostly convincing Google Docs login-screens, and a sophisticated attempt to do a "real-time man-in-the-middle attack" against Google's two-factor authentication
Spear phishers with suspected ties to Russian government spoof fake EFF domain, attack White House (BoingBoing) The spear-phishing attempt appears to be part of "Pawn Storm," a massive attack that's been underway across the net for more than a month, and involved a rare zero-day (previously unknown) Java exploit
DD4BC are DDoS attack driving force, new report claims (SC Magazine) A new report on DDoS trends points the finger at one group as the driving force behind many attacks. So, who is DD4BC?
Test File: PDF With Embedded DOC Dropping EICAR (Internet Storm Center) My diary entry yesterday inspired me to create another test file based on the EICAR test file
Taking root Part 1: Dangerous trends (SecureList) Since June 2015, we have seen a steady growth in the number of mobile malware attacks that use superuser privileges (root access) on the device to achieve their goals
Research highlights security risk posed by cloud "super" users (ComputerWeekly) CloudLock's third quarter report into cloud security trends reveals 1% of users create 75% of the risk in off-premise environments
Regin: Further unravelling the mysteries of a cyberespionage threat (Symantec Security Response Blog) Symantec's investigation uncovers additional modules for the Regin spying tool and finds advanced infrastructure supporting it
How a crook could have taken over your Facebook pages (Naked Security) It's the third bug of the year for Facebook bounty hunter Laxman Muthiyah
Smart Refrigerators Leave Gmail Logins Vulnerable to Exploits (LIFARS) Penetration testers have discovered an exploit that could potentially steal Gmail credentials of a user whose information is available in a Samsung smart fridge
Thousands Of Potentially Malicious Android Apps Unearthed In Google Play (Dark Reading) Indiana University researchers develop a new scanning technique dubbed 'MassVet' for vetting mobile app stores at scale
Flash: Web Browser Plugins Are Vulnerable (Dark Reading) Maybe it's time to uninstall Flash for those that don't need it and continuously monitor those that do
Ashley Madison boss steps down following hack (Engadget) Noel Biderman, the CEO of Avid Life Media, the company behind the extra-marital dating site Ashley Madison, is stepping down from his position "in mutual agreement with the company." In a statement released today, Avid says the change "is in the best interest of the company." The decision comes after the site was hacked, revealing the identity of millions of potentially infidelious members
Security expert claims to have found Ashley Madison hacker (The Hill) Well-known security researcher Brian Krebs claims he knows who carried out the hack of the infidelity website Ashley Madison
Ashley Madison: 150K Indian Records Exposed (Data Breach Today) Indian subscribers' data breached in hacking dump
The Ashley Madison mystery: why would you use your work email address? (Hot for Security) The Ashley Madison hack, and leak of its user database, continues to enrapture the public, and delight online news editors keen to fill their webpages with salacious content
Student data breach reported by South Dakota School of Mines (Idaho Statesman) Officials at the South Dakota School of Mines and Technology say an email that a university employee inadvertently sent to graduate students included an attachment with names, student identification numbers and grade point averages of about 350 students
Security Patches, Mitigations, and Software Updates
Mozilla Releases Security Updates for Firefox (US-CERT) The Mozilla Foundation has released security updates to address a critical vulnerability in Firefox and Firefox ESR. Exploitation of this vulnerability may allow a remote attacker to take control of an affected system
BitTorrent patches flaw that could amplify distributed denial-of-service attacks (IDG via CSO) Attackers could use the vulnerability to force BitTorrent applications to send malicious traffic
Adobe Hotfix Patches XXE Vulnerability in ColdFusion (Threatpost) Adobe today pushed out a hotfix to ColdFusion implementations, patching a vulnerability it had already patched nine days ago on the LiveCycle Data Services application framework
Another nail in Adobe Flash's coffin — Chrome to block Flash ads from September 1st (Graham Cluley) Last month, Firefox blocked all Flash content by default — as it waited for Adobe to patch a critical security hole that was being actively exploited in malicious attacks
Cyber Trends
Tech nightmares that keep Turing Award winners up at night (PCWorld) You might want to start printing all your photos
The Psychology Of Insecurity (TechCrunch) The recent Ashley Madison hack isn't the only high-profile one to make headlines this summer
Internet of Things : Security is getting better, but far from secure (SlashGear) Connected devices are common all around the world today and becoming more and more common
WiFi Pioneer Cees Links: IoT Is Like A Butler (InformationWeek) A WiFi pioneer says we need to rethink how the Internet of Things is being marketed and sold. For starters, how about finding a better name?
Shadow IT Feeds 'Man in the Cloud' Attacks (TechNewsWorld) As the number of devices connected to company networks increases, the ability of traditional security solutions to counter threats will decrease, noted Morgan Gerhart, VP of product marketing for Imperva
What drives employees to shadow IT? (Help Net Security) While 94 percent of knowledge workers recognize the importance of collaboration and 83 percent use technology to collaborate, 59 percent are not satisfied with the tools they are given in their workplace
Moving From Dot-Com to Not-Com (BloombergBusiness) Businesses begin trying to migrate customers to private Web domains
ATM Security: Fundamental Changes Overdue (InfoRiskToday) Prakash Joshi of EPS on where ATM security must improve
Should companies be held responsible for a customer data breach? [POLL] (Naked Security) Let's say you were the victim of a massive cybercrime
Middle East cyber security market that is expected to be worth USD 9.56 billion by 2019 illuminated by new report (WhaTech) Middle East Cyber Security market is estimated to be $5.17 billion in 2014 and is expected to grow to USD 9.56 billion in 2019. This represents an estimated Compound Annual Growth Rate (CAGR) of 13.07% till 2019
European firms take proactive security stance on APTs (ComputerWeekly) Intelligence and forensics will become the most important differentiators for companies selling APT defence systems and services, says Frost & Sullivan
Report: phishing training could cut damage costs by $1.8M (TechTarget) A new report breaks down the potential costs associated with a phishing breach and claims that phishing training could cut those costs by as much as $1.8 million
Marketplace
When to throttle yourself as a new CISO (CSO) "Cybersecurity Exhaustion" across the enterprise can get you out the door sooner than expected as a new CISO
Security Startups: India vs. US (InfoRiskToday) How does building a startup in Silicon Valley compare to India?
The Heart of Israeli Cyber, a Check Point Brotherhood (Haaretz) Alumni of the veteran Israeli computer-security company are behind an outsize number of successful startups in the same area. Last spring they all got together when Check Point acquired the startups Hyperwise and Lacoon
The Carlyle Group to Acquire Novetta from Arlington Capital Partners (The Wall Street Transcript) Arlington Capital Partners announced today that they have entered into an agreement to sell Novetta to the global alternative asset manager The Carlyle Group (NASDAQ: CG)
Cisco Systems (CSCO) Announces Completion of $635M OpenDNS Acquisition (Street Insider) Cisco Systems (NASDAQ: CSCO) announced it has completed the acquisition of OpenDNS, a privately held company that provides advanced threat protection for any device, anywhere, anytime
Splunk Inc. (SPLK — $64.24*) Company Update: Delivers Solid July Results, Raises FY16 Top-Line (BBR Capital) Last night, Splunk reported solid F2Q16 (July) results, exceeding the Street on both the top and bottom lines. Importantly, the company beat (by 5%) on billings, gave guidance for the October quarter (F3Q16) above Street expectations, and raised its previous FY16 top-line guidance ahead of the Street
Cyber solutions: Marylanders gather in Odenton to learn about tech industry (Capital Gazette) Maryland's job seekers see if they have what it takes for a cyber career
Waltham cybersecurity firm will open a new Boston office following acquisition (Boston Business Journal) Bit9 + Carbon Black, a Waltham-based cybersecurity firm, will open a second office in downtown Boston following the acquisition of local security analytics company VisiTrend
Products, Services, and Solutions
Northrop Grumman M5 Network Security wins Eureka Prize for outstanding science for safeguarding Australia (YourDefenseNews) Northrop Grumman M5 Network Security, an Australian subsidiary of Northrop Grumman Corporation (NYSE: NOC), has been awarded the Defence Science and Technology Group Eureka Prize for Outstanding Science for Safeguarding Australia in a ceremony in Canberra last night
Ernst & Young to Offer LANL's Behavioral Cyber Tools in Commercial Market (ExecutiveBiz) Ernst & Young and the Los Alamos National Laboratory have entered into a strategic alliance to bring the lab's behavioral cybersecurity tools to the commercial marketplace amid a growing sophistication of attacks
TeleSign and Telefónica team up to cut mobile fraud (Beta News) Mobile identity specialist TeleSign has announced an agreement with Spanish telecoms giant Telefónica — the company behind O2 in the UK and Germany — to deliver a suite of services to address account security and fraud prevention for enterprises and service providers
Review: ESET's ERA 6.0 Endpoint Security Management (Enterprise Networking Planet) Frank Ohlhorst reviews ERA v6, which promises to simplify endpoint security management on large and complex enterprise networks
Vidder's Software Defined Perimeter puts tight security around high value assets (Network World) Reducing the surface that needs to be protected to a single application, makes it easier to apply very tight controls through Software Defined Perimeter techniques
Tenable Network Security Completes SCAP 1.2 Certification for SecurityCenter 5 (BusinessWire) NIST certification of Tenable's continuous network monitoring solution helps federal agencies close security gaps and meet FISMA reporting standards
No, Microsoft is not spying on you with Windows 10 (ZDNet) The Windows 10 privacy agreement doesn't mean Microsoft is secretly stealing the data from your hard disk. Where do people come up with these crazy ideas?
Catching Attackers In The Act Of Stage Two, With Gigamon (Dark Reading) When you accept that the attackers will break through your perimeter defenses, how do you hope to contain them? Shehzad Merchant, CTO of Gigamon, visits the Dark Reading News Desk to describe a platform to provide more visibility into what attackers are planning next
Technologies, Techniques, and Standards
A Checklist for Every Security Awareness Presentation (Infosec Institute) As an IT Security Officer for a large financial services organization, maintaining a high level of staff awareness is a key aspect of my role
A Threat Intelligence Business Case Example, Part IV (Cyveillance Blog) Over the past few weeks we have explained why threat intelligence is essential for your cyber security plan, how to map your security needs to business objectives, and how to formulate a plan. Now, we'll put all of that together. The following two examples, one for information security and the other for physical security, illustrate some common situations where a business case is built to justify an expenditure on threat intelligence
Protect against privileged credential attacks with zero trust (Help Net Security) Enterprise networks — and the attacks against them — have evolved. No longer static, they are dynamic entities
The Pursuit of Cybersecurity (Wall Street Journal) CFOs in North America view cyberattacks as a serious threat, but many have doubts about their organization's level of preparedness, according to findings from Deloitte's Q2 2015 CFO Signals™ survey. Nearly 25% of the 101 CFOs surveyed, most of whom work for companies with more than $1 billion in annual revenue, say they are insufficiently prepared for such crises, and just 10% say they are well-prepared
Why Cloud Security Threats Shouldn't Inhibit Cloud Adoption (IT Business Edge) I got an email the other day that said companies shouldn't let security worries keep them from moving to the cloud. Ironically, the two emails directly below that particular message in my inbox were warnings about the latest security concerns within cloud computing
Identifying Physical Threats in the Virtual World (Security Magazine) In the last decade, security has become a multi-platform, multi-channel concern for businesses
Design and Innovation
The race for the unbreakable password is almost over (PBS News Hour) What Ashley Madison needed was quantum cryptography
Maybe it's time to eliminate "something you know" as an authentication method (CSO) Secure authentication is crucial to protect data and guard your identity from being stolen or hijacked. The vast majority of authentication used today is based simply on a username and password, which has proven time and time again to be inherently insecure. Perhaps it's time to change our definition of authentication
How LinkedIn Scales Security [VIDEO] (eSecurity Planet) Cory Scott, director of Information Security at LinkedIn, discusses how the business social network manages security even with a small team
Academia
St. Bonaventure University, Hilbert College collaborate to offer degrees in cybersecurity (PRNewswire) St. Bonaventure University and Hilbert College announced today that they will each offer Bachelor of Science degree programs in Cybersecurity beginning in the fall of 2016. They are the only higher education institutions in the region to offer undergraduate majors in this high-demand field
Help your children navigate digital highway (Better Business Bureau via the Journal-Advocate) While schools are good at teaching readin', writin' and 'rithmetic, it's often left up to parents to teach their children how to be good digital citizens. It's never too soon to get started
Legislation, Policy, and Regulation
White House should threaten Great Firewall to curb Chinese cyber attacks, experts say as Obama-Xi summit nears (South China Morning Post) As the world recalls how two atomic bombs were dropped on Japan to end the second world war in Asia 70 years ago, a digital deterrent of a similar magnitude could be Washington's only way to stop cyber attacks from the latest Asian aggressor, China, experts say
The US-China cyberwar needs detente (Boston Globe) The realms of cybersecurity and cyber foreign relations are still relatively new — and often poorly understood by many policy makers. Unfortunately, the digital world continues to be treated as a highly specialized area of policy, despite the huge role it already plays in most aspects of everyday life
Military leaders warn U.S. is falling behind in cybersecurity (Washington Examiner) The United States is at risk of falling behind its enemies in the field of cybersecurity, military leaders said this week
Analysis: U.S., India Cyber Talks (InfoRiskToday) Experts say dialogue is fine, but defense needs new approach
Creating Private-Public Partners (CareersInfoSecurity) What are the key ingredients for effective collaboration?
Smart Cities: Security Is Lacking (InfoRiskToday) Security leaders criticize new framework as 'superficial'
Who's Leading the World's 'Counter Violent Extremism' Efforts? No One (Defense One) An international institution dedicated to CVE research and evaluation would reduce redundancy and promote buy-in
Tech group takes issue with student privacy bill (The Hill) A major tech trade group expressed concerns Thursday with a House student privacy bill that it said would "create undue costs for our member companies" without sufficient benefit to any involved party
Army tries to speed cyber acquisition process (FCW) The Army is trying to speed cyber-related acquisition by using a template known as the Information Technology Box
Litigation, Investigation, and Law Enforcement
FBI: Social Engineering, Hacks Lead to Millions Lost to Wire Fraud (Threatpost) U.S. businesses are losing millions in fraudulent wire transfers that have their root in email compromises of accounts belonging to top executives
Targeted Attacks: Not All Attacks Need To Be Sophisticated (TrendLabs Security Intelligence Blog) The security industry loves to talk about how "sophisticated" attacks can be. Usually this takes the form of us saying how advanced and sophisticated an attack is, what new methods were used to hide servers or make analysis harder, etcetera. However, it's easy to forget that not all attacks need to be technically sophisticated; instead it can be in the social engineering used and how the attack is carried out
Ashley Madison cyber attack is a lawyer's feast (Financial Review) The personal relationships of millions of people are in tatters but the Ashley Madison hacktivist scandal has lawyers preparing for a legal feast
Cybersecurity Under FTC Authority: What Does it Mean? (Dark Reading) Consumers can now expect the same level of security and privacy in the digital realm as they do in the physical
Cybersecurity Alert: Businesses Victimized by a Cyber Attack May Have to Answer to Federal Regulators (SKO Insider) Recently we wrote about the legal risks in overpromising your ability to protect electronic data you obtain from your customers. As one major (you're probably a member) social networking site learned, promising "industry standard" cybersecurity can be a huge mistake if the standard evolves after you make the initial promise, yet you fail to evolve
Russia banned Wikipedia because it couldn't censor pages (Verge) Government agency blocked website over a drug-related entry, but the blackout was short-lived
State Dept. IG chides diplomats for using private email (FierceGovernmentIT) State Department employees at the Embassy in Tokyo, including U.S. Ambassador to Japan Caroline Kennedy, used private email to conduct official business, according to the department's inspector general
Full Investigation Threatened Against DD4BC Attack Group (Tripwire: the State of Security) A group of security researchers and law enforcement officials are threatening to launch a full investigation into the DDoS for Bitcoins (DD4BC) attack group if it continues to target banks
Google denies abusing dominant market position in Europe (ComputerWeekly) Internet giant says the preliminary findings of the EC's investigation into its business practices are "wrong as a matter of fact, law and economics"
Six Nabbed for Using LizardSquad Attack Tool (KrebsOnSecurity) Authorities in the United Kingdom this week arrested a half-dozen young males accused of using the Lizard Squad's Lizard Stresser tool, an online service that allowed paying customers to launch attacks capable of taking Web sites offline for up to eight hours at a time
Feds: Arizona Man Helped Student Get Islamic State Training (AP via ABC News) An Arizona man was indicted Thursday on charges that he helped a New York college student join the Islamic State in Syria, where the student underwent religious and military training earlier this year
Jury convicts man who tried to buy ricin on Darknet marketplace (Ars Technica) FBI created a shady seller account on Evolution, then arrested a customer
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
Power Grid Cyber Security Exchange 2015 (San Diego, California, USA, Aug 30 - Sep 1, 2015) The Power Grid Cyber Security Exchange will take a deep dive into the cyber security strategies, innovative approaches and strategic planning necessary to balance the competing priorities of today's technology and information security executives. This program is tailored to utility executives and industry stakeholders that are responsible for addressing threat intelligence, analysis and monitoring; network architecture; and cyber incident response
2015 HTCIA International Conference & Training Expo (Orlando, Florida, USA, Aug 30 - Sep 2, 2015) Bringing together experts from all over the world to share their latest research and techniques related to cybersecurity, incident response and computer forensics
ICFP 2015 (Vancouver, British Columbia, Canada, Aug 31 - Sep 2, 2015) ICFP 2015 provides a forum for researchers and developers to hear about the latest work on the design, implementations, principles, and uses of functional programming. The conference covers the entire spectrum of work, from practice to theory, including its peripheries
Mid-Atlantic Security Conference (Gaithersburg, Maryland, USA, Sep 1, 2015) The conference is brought to you by Information Systems Security Association's Baltimore, NOVA, and National Capital Chapters. Join us for a full day of training on cybersecurity topics by industry leaders, hands-on workshops, and a Capture the Flag event and receive a certificate for 7 CPEs toward your professional certifications
SCADA Nexus 2015 (Houston, Texas, USA, Sep 2 - 4, 2015) SCADA Nexus is an international annual event for ICS and SCADA security professionals and executives to focus on world-wide security concerns. The event is located in Houston, Texas each year at the Hilton Americas Convention Center. Our 2015 event is from September 2-4 with extended training from September 7-11.
SIN 2015 (Sochi, Russia, Sep 8 - 10, 2015) The 8th International Conference on Security of Information and Networks (SIN 2015) provides an international forum for presentation of research and applications of security in information and networks. SIN 2015 features contributed as well as invited papers, special sessions, workshops, and tutorials on theory and practice. It seeks to convene a high-quality, well-attended, and up-to-date conference on scientific and technical issues of security in information, networks, and systems
NSPW (New Security Paradigms Workshop) (Twente, Netherlands, Sep 8 - 11, 2015) Although NSPW is more of a workshop than a conference, it has earned its right to be included in this list. Since 1992, NSPW has been offering a unique forum for cyber security specialists involved in researching high-risk, high-opportunity paradigms to present their ideas. The discussions always challenge the current limitations of information security tools and technology, while disputing long-held beliefs or the very foundations of security. You're bound to get fresh, new ideas from attending this workshop
Global Cyberspace Cooperation Summit VI (New York, New York, USA, Sep 9 - 10, 2015) An invitation-only event, this meeting of international actors aims to coordinate and consolidate progress, showcase results and promote collective action. The annual cyber summits provide a crucial forum for building international, private-public action to foster international cooperation in cyberspace. Breakthrough groups, aligned with the initiative's objectives of economic and political development, digital security and stability, and sound governance and management, carry the program forward
Intelligence and National Security Summit (Washington, DC, USA, Sep 9 - 10, 2015) AFCEA International (AFCEA) and the Intelligence and National Security Alliance (INSA) are pleased to host the second Intelligence and National Security Summit to provide the platform for this essential discussion. This two-day, unclassified Summit will feature five plenary sessions with top federal agency leaders and policymakers sharing their assessments and priorities for U.S. national, defense and homeland security intelligence. In addition, thought leaders from government, industry and academia will explore emerging issues and solutions related to intelligence policy, cyber threats, and technology and innovation over nine breakout sessions
Cybersecurity Innovation Forum (Washington, DC, USA, Sep 9 - 11, 2015) The 2015 Cybersecurity Innovation Forum is a three-day event hosted by the National Institute of Standards and Technology, and planned with the National Security Agency, and the Department of Homeland Security. This event brings government and industry together to focus on current, emerging, and future challenges, technologies, projects, solutions, and research in trusted computing, security automation, and information sharing
2nd Annual Senior Executive Cyber Security Conference (Baltimore, Maryland, USA, Sep 10, 2015) The one-day symposium will examine the potential advantages and pitfalls of an information-sharing strategy from the technological, business and regulatory perspectives
Cyber 6.0 (Laurel, Maryland, USA, Jun 17, 2015) The mission of the Cyber Conference is to provide a forum for small and mid-sized businesses in Howard County and the region to access industry and government leaders with current information on cybersecurity that will improve their market position, enhance their corporate security policies and infrastructure, identify potential business opportunities, and provide a take away of information and contacts for follow-up that assists businesses in understanding the role they play in national cybersecurity and how they can address those challenges. All businesses have a role to play in protecting the national security of our infrastructure. While locally sponsored and organized, the conference has national reach
BSides Augusta 2015 (Augusta, Georgia, USA, Sep 12, 2015) Each BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening
SANS Institute: Information Security Training (Las Vegas, Nevada, USA, Sep 12 - 21, 2015) Information security training in Las Vegas from SANS Institute, the global leader in information security training. At SANS Network Security 2015, SANS offers more than 40 hands-on, immersion-style security training courses taught by real-world practitioners. The site of SANS Network Security 2015, September 12 - 21, is Caesars Palace, the majestic Las Vegas hotel
Gulf Cooperation Council Cyber Security Summit (Abu Dhabi, United Arab Emirates, Sep 13 - 15, 2015) The GCC Cyber Security Summit will bring together regional and international thought leaders and decision-makers to examine one of the most vital threats to the region's future well-being: cyber-attack. Penetration of national and company security, criminal fraud and identity theft are now big business worldwide among a shadowy fraternity that is only growing in power and size. Recent incidents with film studios, healthcare providers and global banks continue to resonate in cabinet offices and boardrooms everywhere
Hacker Halted 2015 (Atlanta, Georgia, USA, Sep 13 - 18, 2015) EC-Council Foundation's flagship information security conference, Hacker Halted, will unite some of the greatest minds in information security, as industry experts address the latest threats and vulnerabilities plaguing the virtual world. Hacker Halted will also feature several highly technical and advanced workshops that cover the most current security topics and will include EC-Council's most sought after certification classes. Hacker Halted runs concurrently with the invitation-only Global CSO Forum
EnergySec 11th Annual Security & Compliance Summit (Washington, DC, USA, Sep 14 - 16, 2015) For more than 10 years the EnergySec Security Summit has been the premier gathering for stakeholders in the energy sector focused on physical and cyber security. Our summits give each attendee a rare opportunity to mingle with asset owners, government agencies, researchers, consultants, vendors and academia under one roof
Fraud Summit San Francisco (San Francisco, California, USA, Sep 15, 2015) ISMG's Fraud Summit is a one-day event focused exclusively on the top fraud trends impacting organizations and the mitigation strategies to overcome those challenges. Among the areas to be discussed are the fraud ecosystem, trends in consumer fraud awareness (what's working and what's not), and threat intelligence
Borderless Cyber 2015 (Washington, DC, USA, Sep 15 - 16, 2015) OASIS, in collaboration with The World Bank, will bring together public and private sector security professionals from around the world to evaluate, debate, and collaborate on cyber security best practices and tools. Hosted at The World Bank headquarters in Washington, DC, the conference will generate dialogue across government and business, combining high-profile guest speakers, interactive roundtable sessions, and moderated debates. Additional networking events will complement each day's agenda, offering opportunities for real-time collaboration
Detroit Secure World (Detroit, Michigan, USA, Sep 16 - 17, 2015) Join your fellow security professional for affordable, high-quality cybersecurity training and education at a regional conference near you. Earn CPE credits while learning from nationally recognized industry experts on many diverse topics such as: Risk Mitigation, Malware Detection, Digital Forensics, Cloud Security, Privacy, Big Data, PCI Compliance, Security Metrics, Encryption, Mobile Device Management, Incident Response, and much more. Risk management and enterprise cyber defense strategies figure among the agends
National Insider Threat Special Interest Group Meeting (Laurel, Maryland, USA, Jul 16, 2015) Topics to be discussed at the meeting: Insider Threat Program Development & Implementation, Behavioral Indicators Of Concern, Legal Considerations When Developing & Managing An Insider Threat Program. There is no cost to attend this meeting
6th Annual Billington Cybersecurity Summit (Washington, DC, USA, Sep 17, 2015) Join key leaders and decision makers from government, military and the private sector at this one-day intensive networking event as participants focus on the next generation of solutions to ensure this nation's cybersecurity
Cyber Security Summit: New York (New York, New York, USA, Sep 18, 2015) The Cyber Security Summit provides an exclusive business environment to meet with Senior Executives who are seeking innovative solutions to protect their business & critical infrastructure. Delegates at the Cyber Security Summit are prequalified based on their willingness to meet with Solution Providers and proven ability to purchase products and services
Data Breach Investigation Summit (Dallas, Texas, USA, Sep 21 - 26, 2015) Data breaches are occurring at an alarming rate and increasing in their scope, frequency and impact, and they don't discriminate by industry, geography or organization size. When a breach occurs, organizations, agencies and individuals need to learn how to more effectively identify/detect that the breach has occurred, respond to the breach in an effective and timely manner, investigate the breach, and prevent/defend the organization from future breaches
St. Louis SecureWorld 2015 (St. Louis, Missouri, USA, Sep 22 - 23, 2015) Join your fellow security professionals for affordable, high-quality cybersecurity training and education at a regional conference near you. Earn CPE credits while learning from nationally recognized industry experts on many diverse topics such as: Risk Mitigation, Malware Detection, Digital Forensics, Cloud Security, Privacy, Big Data, PCI Compliance, Security Metrics, Encryption, Mobile Device Management, Incident Response, and much more. The security implications of the Internet-of-things will be among the topics discussed
OWASP APPSECUSA (San Francisco, California, USA, Sep 22 - 25, 2015) The premier gathering of developers, security experts and technologists to discuss cutting edge approaches to secure web applications
SAT 2015: 18th International Conference on Theory and Applications of Satisfiability Testing (Austin, Texas, USA, Sep 24 - 27, 2015) The International Conference on Theory and Applications of Satisfiability Testing (SAT) is the premier annual meeting for researchers focusing on the theory and applications of the propositional satisfiability problem, broadly construed. Aside from plain propositional satisfiability, the scope of the meeting includes Boolean optimization (including MaxSAT and Pseudo-Boolean (PB) constraints), Quantified Boolean Formulas (QBF), Satisfiability Modulo Theories (SMT), and Constraint Programming (CP) for problems with clear connections to Boolean-level reasoning
CSS (International Conference on Cryptography and Security Systems) (Warsaw, Poland, Sep 25 - 27, 2015) After three years' break, CSS is returning in 2017 with another great look at the evolution of cryptography and its role for the cyber security industry. This event is focused on presenting original and unpublished research and developing activities related to all aspects of cryptography and network security. From theory to practice, this conference might be right up your alley if you're interested in cryptography
Business Insurance Cyber Risk Summit 2015 (San Francisco, California, USA, Sep 27 - 28, 2015) The Business Insurance Cyber Risk Summit provides risk management professionals and chief information security officers with the practical information and tools needed to combat the latest cyber risks that threaten their organizations. The day-long conference will explore cyber exposures, regulations, governance and insurance coverage. Risk managers and CISOs will learn how to adapt proven risk management strategies to their current cybersecurity environments, how to better communicate with their information security teams, and how to effectively convey risks, exposures and coverage options to their corporate boards and the C suite
ASIS International (Anaheim, California, USA, Sep 28 - Oct 1, 2015) The ASIS Annual Seminar and Exhibits boasts of being one of the world's most influential events for security professionals. Its mission is to provide industry-leading education, countless business connections, and the latest product and service innovations from 600+ exhibitors from the information security sector
CYBERSEC European Cybersecurity Forum (Kraków, Poland, Sep 28 - 29, 2015) The CYBERSEC forum is the first of its kind in Poland and one of just a few regular public policy conferences in Europe devoted to the strategic issues of cyberspace and cybersecurity. The goal of the CYBERSEC conference is the formulation of practical recommendations that aim to increase resilience to cyber threats within specific economic sectors, countries, and the EU as a whole
(ISC)² Security Congress (Anaheim, California, USA, Sep 28 - Oct 1, 2015) Proudly colocated for the fifth year in a row, (ISC)² Security Congress 2015 and ASIS International 61st Annual Seminar and Exhibits (ASIS 2015) expect more than 19,000 professionals worldwide from both the information security and operational security disciplines to join together September 28 - October 1 in Anaheim, CA. Offering more than 80 education sessions along with networking and career advancement opportunities, (ISC)² Security Congress 2015 will include topics on best practices, current and emerging issues, and solutions to challenges
Cloud Security Alliance Congress at P.S.R. (Las Vegas, Nevada, USA, Sep 28 - Oct 1, 2015) The industry's premier gathering for IT security professionals and executives who must further educate themselves on the rapidly evolving subject of cloud security. Offering best practices and practical solutions for remaining secure in the cloud, CSA Congresses also expose attendees to industry-specific case studies. P.S.R. brings together two industry-leading events — CSA Congress US and the IAPP Privacy Academy — to provide attendees with more than double the education and networking opportunities with leading innovators and practitioners in technology, security and privacy for the price of a single conference. Among the keynote presenters are Arthur W. Coviello, Jr., Executive Chairman (Retired), The Security Division of EMC, RSA; Brian Krebs, Investigative Reporter, Cybersecurity Expert; Travis LeBlanc, Chief of Enforcement, Federal Communications Commission; Lydia Parnes, Partner, Wilson Sonsini Goodrich & Rosati; and Jessica Rich, Director, Bureau of Consumer Protection, Federal Trade Commission
Fraud Summit Toronto (Toronto, Ontario, Canada, Sep 17, 2014) From account takeover to payment card fraud and the emerging mobile threatscape, the ISMG Fraud Summit series is where thought-leaders meet to exchange insights on today's top schemes and the technology solutions designed to stop them.
Threat Intelligence Summit 2015 (ChampionsGate, Florida, USA, Sep 29 - 30, 2015) The threat landscape is getting bigger and more complex, the tools more plentiful, the amount of digital information increasingly massive, and the skills needed to navigate this terrain seem to multiply continuously. The key to success in defending against threats — actionable threat intelligence. Threat Intelligence Summit 2015 will address best practices for combating threats in your organization
hardwear.io: Hardware Security Conference and Training (The Hague, Netherlands, Sep 29 - Oct 2, 2015) Do you trust your hardware? Learn from experts about backdoors, exploits, trust, assurance and attacks on hardware equipment, firmware and related protocols
VB2015 (Prague, Czech Republic, Sep 30 - Oct 2, 2015) The VB2015 programme includes 38 papers on a wide range of security topics. As in previous years, the presentations will run in two parallel streams and the programme includes both technical and less technical presentations. Just a small selection of the many highlights includes: "Attack on the drones: security vulnerabilities of unmanned aerial vehicles" (Oleg Petrovsky), "How malware eats cookies" (Zhaoyan Xu, Wei Xu), "The Unbearable Lightness of APTing" (Yaniv Balmas, Ron Davidson, Shahar Tal), "The Kobayashi Maru dilemma" (Morton Swimmer, Nick FitzGerald, Andrew Lee), "DDoS trojan: a malicious concept that conquered the ELF format" (Peter Kalnai, Jaromir Horejsi), "POS fraud: trends and counter-actions to mass fraud" (Ken Dunham), and "The elephant in the room" (Marion Marschalek). This year's conference will include two keynote speakers — one at the opening of the conference and one at the very end. The programme will also include a number of added extras