Election hacking becoming an international incident? Jailbreaking, data manipulation, and frame jobs. St. Jude strongly disputes Muddy Waters and MedSec bug warnings. Rogue EMV chips in ATM skimming?
An FBI report that "foreign hackers" (and for "foreign hackers" most observers are reading "Russian intelligence services") last month penetrated two US state election databases contributes to worries about election hacking. The affected states appear to be Illinois and Arizona. The SQL injection attacks used commonly available, off-the-shelf tools: SQLMap, DIRBuster, and Acunetix.
Offering some useful perspective, Motherboard points out that state election databases have not only been hacked before, but the information they contain is often made readily available by state officials themselves. Besides, the number of records taken was relatively small—about 200,000 in Illinois. What's troubling is not the breach itself, but the foreign involvement (and the foreign interest), the context provided by other hacks of political parties and campaigns, and the fears of data manipulation the incidents stoke.
The Trident zero-day affair raises similar questions. As Haaretz asks about the jailbreaking attempt against an Emirati dissident's iPhone, if a security service can do that, what's to stop them from electronically framing people for crimes? (Which seems to have already occurred in Turkey.) So too with manipulation of election data.
ISIS and al Qaeda internal discontents may be affecting jihadist information operations capabilities.
St. Jude Medical strongly disputes the pacemaker vulnerabilities disclosed in the course of short-selling by Muddy Waters Capital and MedSec. The device manufacturer says the exploits as described aren't possible.
The RIPPER ATM malware FireEye found in Thailand may use a rogue EMV chip.
Level 3 researchers describe the risk of IoT-based DDoS campaigns.
Notes.
Today's issue includes events affecting Australia, Brazil, Canada, Colombia, France, India, Iran, Ireland, Israel, Kazakhstan, Republic of Korea, Mexico, Panama, Russia, Saudi Arabia, Taiwan, Thailand, Trinidad and Tobago, Uganda, United Arab Emirates, United Kingdom, United States, and Uzbekistan.
The CyberWire's regular daily Podcast will be out later this afternoon, with interviews, educational tips, and more on the stories of the day. Today Ben Yelin from the University of Maryland's Center for Health and Homeland Security comments on how Muddy Waters and MedSec shorted St. Jude stock on the strength of publicly disclosed vulnerability research. Our guest, Dan Lohrmann, Chief Security Officer at Security Mentor, talks about preventing C-Suite fraud (and everything you wanted to know about spearphishing and whalephishing). As always, if you enjoy the podcast, please consider giving it an iTunes review.
Cyber Attacks, Threats, and Vulnerabilities
FBI says foreign hackers penetrated state election systems (Yahoo! News) The FBI has uncovered evidence that foreign hackers penetrated two state election databases in recent weeks, prompting the bureau to warn election officials across the country to take new steps to enhance the security of their computer systems, according to federal and state law enforcement officials
After Illinois hack, FBI warns of more attacks on state election board systems (Ars Technica) Concern about more attacks mounting as presidential elections approach
FBI: Common scanning tools used to target state election systems (CSO) Basic VPS hosting providers used to launch scans with SQLMap, Acunetix, and DirBuster
Hackers had a chance to hamper voting by deleting records (CSO) In June, attackers managed to steal administrative login credentials from a county official in the U.S.
Voter Records Get Hacked a Lot, And You Can Just Buy Them Anyway (Motherboard) On Monday, Yahoo reported the FBI had uncovered evidence that foreign hackers had breached two US state election databases earlier this month. The article, based on a document the FBI distributed to concerned parties, was heavily framed around other recent hacks which have generally been attributed to Russia, including the Democratic National Committee email dump
Hack Brief: As FBI Warns Election Sites Got Hacked, All Eyes Are on Russia (Wired) In any other year, hackers breaking into a couple of state government websites through common web vulnerabilities would hardly raise a blip on the cybersecurity community’s radar
Reid asks FBI to probe threat of Russian election tampering (AP via Yahoo! Finance) Senate Minority Leader Harry Reid is asking the FBI to investigate the threat of Russian tampering with U.S. elections, including potentially falsifying election results
How to hack- and rig-proof U.S. elections (Washington Post) A Monday report from Yahoo News’s Michael Isikoff raised concerns that this year’s election will be rigged — though not in the way Donald Trump has predicted. Election systems in at least two states — Arizona and Illinois — have been compromised, seemingly by foreign hackers, possibly operating out of Russia or Iran
NYTimes: Kremlin Likely Behind the Attack (Infosecurity Magazine) The cyber-attack that targeted the New York Times’ Moscow bureau earlier this month is now suspected to have been carried out by hackers tied to the Russian military
If Spies Can Hack Our iPhones, What’s Stopping Them From Framing Us for Crimes? (Haaretz) Instead of being astonished by the ease with which an Israeli firm’s software can hijack ‘secure’ devices, we need to put in place laws governing how all actors can use this personal data
Israel's secretive surveillance industry in the spotlight following iPhone spyware discovery (PRI) The discovery of sophisticated spyware to infiltrate and remotely take control of iPhones without leaving a trace has put a spotlight on Israel's secretive surveillance industry, considered among the world's most advanced
Two Months of Internet Blackouts Have Taken a Toll on Kashmir (Motherboard) Earlier this summer, the north Indian state of Kashmir was hit with a new wave of riots when young militant leader Burhan Wani was killed by state police.
Leaked ISIS Documents Show Internal Chaos (Daily Beast) Reading the recently captured ISIS documents is like watching a bad comedy about embezzlement, infiltration, and bureaucratic infighting
U.S. intelligence sees Islamic State as weakened after series of defeats (Los Angeles Times) The Pentagon and U.S. intelligence agencies now view Islamic State as a shrinking and increasingly demoralized military force, a sharp shift from the seemingly invincible extremist army that declared an Islamist caliphate two years ago
Once a Qaeda Recruiter, Now a Voice Against Jihad (New York Times) In the four years that he ran the Revolution Muslim website out of his walk-up apartment in Flatbush, Brooklyn, Jesse Morton became one of the most prolific recruiters for Al Qaeda, luring numerous Americans to the group’s violent ideology
Ghost Squad Shuts Down Israeli Prime Minister, Bank of Israel websites (HackRead) The Ghost Squad hackers shut down Israeli prime minister office and the Bank of Israel Website in support of Palestine
St Jude calls easily hackable pacemaker claims 'false and misleading' (Network World) St. Jude came out swinging, calling MedSec and Muddy Waters' report on how easily its pacemakers could be hacked 'false and misleading'
Pacemaker Hacking Fears Rise With Critical Research Report (Threatpost) Pacemakers, defibrillators and other medical devices made by a leading medical equipment maker are vulnerable to potentially “catastrophic” cyberattacks
Medical device security ignites an ethics firestorm (CSO) Security firm Medsec tried to use its research findings to drive down the stock of St. Jude Medical
Thousands of Australian computer log-ins up for sale on dark web (Australian Broadcasting Corporation) Computers from a federal research network, a peak sporting body, a school and a local council are among tens of thousands of machines which have been hacked and had their login details put up for sale in a dark web marketplace, a Four Corners investigation has revealed
Sophisticated malware possibly tied to recent ATM heists in Thailand (CSO) The Ripper malware allows attackers to withdraw money from ATMs with specially made cards
RIPPER ATM Malware Uses Malicious EMV Chip (Threatpost) A never-before-seen malware family known as RIPPER is being blamed for a rash of ATM heists in Thailand last week. The malware, found by researchers at FireEye, is responsible for the theft of 12 million baht ($378,000) from ATMs at banks across Thailand
Google Chrome users targeted by tech support scammers (Help Net Security) Google Chrome users, beware: tech support scammers are misusing helpful browser features to impersonate Microsoft and to bombard users with pop-ups
XSS flaw in D-Link NAS devices allows attackers to mess with your data (Help Net Security) Security researcher Benjamin Daniel Mussler has unearthed an XSS flaw affecting seven D-Link NAS devices – a flaw which could allow attackers to access the devices and peruse and change the stored contents
Australia Census 2016: Cyber attack and huge traffic ‘foreseeable’ (Melbourne Herald Sun) The Australian government should have been better prepared for a potential cyber attack and huge amount of website traffic on Census night, Telstra’s chief Information Security officer says
Attack of Things! (Level 3 Communications Blog) The rush to connect everything to the internet is leaving millions of everyday products vulnerable and ripe for abuse. We’ve seen internet connectivity added to appliances, athletic clothing, pill bottles and even forks
Attack of Things: Level 3 Threat Research Labs Releases New Malware Research (Level 3 Communications) The Level 3 Threat Research Labs, Level 3 Communications' (LVLT) threat intelligence and research arm, unveiled new research about the botnet size and behavior for the malware commonly referred to as Lizkebab, BASHLITE, Torlus or gafgyt, including botnet size and victim stats
The Kelihos Botnet Shifts to Banking Trojans and Ransomware Distribution (Virus Guides) The MalwareTech security expert discovered that the Kelihos botnet, also known as Waledac, has started dropping banking Trojans and ransomware instead of its standard “pump-and-dump” spams while adding more and more new bots during the summer
Meet USBee, the malware that uses USB drives to covertly jump airgaps (Ars Technica) Technique works on virtually all USB drives with no modifications necessary
Linux servers hit with FairWare ransomware – or is it just a scam? (Help Net Security) Users posting on Bleeping Computer’s forums have alerted the world to a new threat targeting Linux server admins: the FairWare ransomware
Social media, the gateway for malware (CSO) Why the Common Vulnerability Scoring System (CVSS) doesn't give an accurate picture of the security risks from social media sites
Cyber threat grows for bitcoin exchanges (Reuters) When hackers penetrated a secure authentication system at a bitcoin exchange called Bitfinex earlier this month, they stole about $70 million worth of the virtual currency
Inside ‘The Attack That Almost Broke the Internet’ (KrebsOnSecurity) In March 2013, a coalition of spammers and spam-friendly hosting firms pooled their resources to launch what would become the largest distributed denial-of-service (DDoS) attack the Internet had ever witnessed
Critical Infrastructure: The Next Cyber-Attack Target (Dark Reading) Power and utilities companies need a risk-centric cybersecurity approach to face coming threats
Going Beyond Cybersecurity Compliance (IEEE Power and Energy) What power and utility companies really need to consider
Gotta Hack em’ All: Pokémon Go, Security and Privacy Awareness (Infosecurity Magazine) Pokémon Go made a big splash for many reasons when it was first released to iPhone and Android users in early July. Building on the legacy of a franchise that has been around since the 90s, it effectively pulled at the nostalgic heartstrings of many Gen Xers and Gen Yers – almost all of which are equipped with the latest smartphones
Some Pokémon Go players given lifetime bans are being let back into the game (TechCrunch) Did you get banned from playing Pokémon Go after downloading an app that you thought might make the game more fun? Well, it turns out that you might be able to get back into the smash hit title after all
Angry Birds bad: Security threats outpacing mobile policy (Australian) Angry Birds is the number one black-listed consumer app inside Australian enterprises as businesses strive to get a handle on the mobility trend
Security Patches, Mitigations, and Software Updates
Kaspersky fixes antivirus crash bug (ZDNet) The denial-of-service flaws could be used to install malware
Cyber Trends
Microsoft: Security Top Hurdle to Enterprise IoT Adoption (eWeek) The internet of things may be loaded with promise, but it's the potential hazards that are keeping many businesses from making the leap
Feds are using big data analytics for cybersecurity, but is it effective? (Help Net Security) 81 percent of Feds say their agency is using big data analytics for cybersecurity in some capacity
55% of apps are already in the cloud, security a priority (Help Net Security) Executives are increasingly adopting a digital business model, with the cloud as the key enabler
Marketplace
ASRC Acquires Vistronix Intelligence & Technology Solutions (Washington Exec) Arctic Slope Regional Corporation announced Aug. 17 its acquisition of Vistronix Intelligence & Technology Solutions by its wholly-owned subsidiary, ASRC Federal. Going forward, Vistronix will be a subsidiary of ASRC Federal
Tech stocks for your portfolio: Proofpoint, Inc. (PFPT), Imperva Inc. (IMPV) (Independent Republic) Proofpoint, Inc. (PFPT) ended last trading session with a change of 0.92 percent. It trades at an average volume of 639.45K shares versus 0.38M shares recorded at the end of last trading session
Symantec Moves Security Forward in Blue Coat Era (eWeek) Mike Fey, president and COO of Symantec, discusses how the security giant will differentiate against competitors and help secure users
Symantec (SYMC) Stock Gains, Barron's Sees 25% Upside (The Street) Symantec (SYMC) stock was up in pre-market trading on Monday after Barron's issued a bullish note on the company
Dimension Data lands $450K Victorian grant for cybersecurity incubator (CRN) Dimension Data has been awarded $450,000 from startup investment fund LaunchVic to establish a cyber security incubator
DoD Taps DEF CON Hacker Traits For Cybersecurity Training Program (Dark Reading) Famed capture-the-packet contest technology will become part of DoD training as well
Raising the Profile of Women in Security (IBM Security Intelligence) If you take a historical look at security, there is a perception that industry professionals are predominantly male and ex-military
Next-Gen Solution Provider Fivesky Nabs Former Proofpoint Exec Tierney As Managing Partner (CRN) Next-generation solution provider Fivesky has landed a big executive win, appointing former Proofpoint exec Luanne Tierney as managing partner and co-owner as the company looks to vastly expand its business
EXCLUSIVE: Lani Edwards leaves FireEye (ARN) Vendor’s A/NZ channel boss departs after 18 months in the role
Products, Services, and Solutions
Bay Dynamics Announces Major Enhancements to Flagship Cyber Risk Analytics Platform (Bay Dynamics) New version of Risk Fabric® prioritizes threats and vulnerabilities, deputizes line-of-business leaders and automates cyber risk management
Palo Alto Networks Unveils New WildFire European Cloud Hosted in the Netherlands (PRNewswire) Enables customers to submit data for full analysis within European borders while benefiting from global threat prevention
CodexGigas: Malware profiling search engine (Help Net Security) CodexGigas is a free malware profiling search engine powered by Deloitte Argentina, which allows malware analysts to explore malware internals and perform searches over a large number of file characteristics
The secure messaging app that is better than WhatsApp (My Broadband) If you’re worried about WhatsApp sharing your information with Facebook, here’s where you can turn
illusive networks' Deceptions Everywhere (Linux Journal) illusive networks' bread and butter is its deception cybersecurity technology called Deceptions Everywhere whose approach is to neutralize targeted attacks and Advanced Persistent Threats by creating a deceptive layer across the entire network
Fortinet Launches Industry's First Universal Wireless Access Points (MarketWired) Fortinet's new series of universal access points automate operations and defend against IoT threats with the Fortinet Security Fabric
Technologies, Techniques, and Standards
Cybersecurity Sharing Launches for Credit Unions (Credit Union Times) The National Credit Union Information Sharing and Analysis Organization officially announced its launch. Their mission - to advance cyberresilience, real-time security situational awareness information sharing, and coordinated response
How To Bullet Proof Your PAM Accounts: 7 Tips (Dark Reading) Recent studies demonstrate the need for companies to focus more on their privileged users
Recommended Reading: Intrusion Detection Using Indicators of Compromise Based on Best Practices and Windows Event Logs (SANS Internet Storm Center) My Twitter feed brought a good paper to my attention, courtesy of Andrew Case @attrc, that is appropriate for your consideration, Storm Center readers
IT security’s reality distortion field (Network World) Organizations need to create a 'Secure Breach' environment to safeguard data
South Korea, U.S. unveil interoperable spectrum management capabilities (C4ISRNET) The Army, along with coalition partners in the Pacific, have developed a plan for cooperative management of the electromagnetic spectrum
Risk and the Pareto Principle: Applying the 80/20 rule to your risk management strategy (Help Net Security) Enterprises these days are putting more resources into monitoring and managing business risk
Design and Innovation
Pentagon Looks to Adaptive EW Systems to Thwart Future Adversaries (Defense News) The US military is cultivating new electronic warfare technologies that, in real time, use artificial intelligence to learn how to jam enemy systems that are using never-before-seen frequencies and waveforms
Facebook fires human editors, algorithm immediately posts fake news (Ars Technica) Facebook makes its Trending feature fully automated, with mixed results
Mr. Robot’s tech guru: “My job is to outsmart this hive of geniuses” (Ars Technica) "They’re hacking the show, which is something that’s never really been done before"
Hollywood's 7 Dumbest Hacking Depictions (Dark Reading) Movies and TV shows too often use hacking as a deus ex machina device to resolve an impossible plot, but real hacking takes time, effort and lots of testing
Academia
GCSE Computing Numbers Jump 76% (Infosecurity Magazine) The number of students taking GCSE computing rocketed by 76% over the past year, fuelling hopes that this could translate into more UK school leavers pursuing careers in cybersecurity
Legislation, Policy, and Regulation
International defense deal motivated by Russian hacking, experts say (FedScoop) “It’s the realization that hybrid warfare is a Russian tactic designed to circumvent things like NATO, and cyber is a big part of it," one expert said
U.S. and EU need secure threat sharing (FCW) The United States and the European Union are deepening their information sharing regarding potential terrorist threats in hopes of preventing more Paris or Brussels-style attacks
Microsoft joining China's cybersecurity council paves the way for better relations between the two largest internet markets (Business Insider) China is allowing foreign technology companies to join a key government committee in an effort to ease foreign concerns over its strict cybersecurity policies
French Education minister: Get rare Pokémon out of our schools (Ars Technica) The minister is worried that "legendary" Pokemon could draw strangers
Exclusive: Six U.S. senators urge Obama to prioritize cyber crime at G20 summit (Reuters) Six U.S. senators have urged President Barack Obama to prioritize cyber crime at this weekend's Group of 20 summit in China, in the wake of the theft of $81 million from Bangladesh's central bank, according to a letter obtained by Reuters
For law enforcement, the rule must be no implementation without representation (TechCrunch) Last week it emerged that the police in Baltimore were working with a company called, appropriately enough, Persistent Surveillance, which deployed aircraft equipped with high-resolution cameras, recording entire regions of the city for hours on end for law enforcement to browse through
Litigation, Investigation, and Law Enforcement
Facebook Slapped With FTC Complaint Over WhatsApp Data Grab (Motherboard) Consumer privacy watchdogs filed a federal complaint Monday against Facebook over the tech titan’s decision to begin harvesting phone numbers from its popular WhatsApp messaging service
WhatsApp Angers Users Over Facebook Data Sharing (Infosecurity Magazine) Messaging service WhatsApp has come under fire for privacy changes that will see it share more personal data with parent company Facebook
Apple ordered to pay up to $14.5 billion for illegal tax benefits in Ireland (TechCrunch) The bill is getting quite expensive as the European Commission has just released a statement saying that Apple has benefited from illegal tax benefits in Ireland for its European operations
NH man pleads guilty to sextortion, accessed victims' social media accounts (SC Magazine) A 22-year-old New Hampshire man, pleaded guilty to hacking into social media and email accounts and engaging in sextortion of almost a dozen female victims
For a complete running list of events, please visit the Event Tracker.
Newly Noted Events
Crossroads Regional Cybersecurity Summit (Victoria, Texas, USA, Oct 4, 2016) Bringing together top experts from both the public and private sectors, the Crossroads Regional Cybersecurity Summit (CRCS) will be an exciting and educational day for local businesses. Through a variety of speakers and interactive panels, CRCS will educate and raise awareness on a wide range of cybersecurity issues - from local to global - facing businesses of all sizes. Summit attendees will be exposed to the latest findings and best practices regarding: small organizations/SMB cybersecurity preventative measures, network security (whether large or small), financial and payment card industry (PCI) compliance, and law enforcement and national security concerns. Plan to attend and ensure that your business is prepared to face the 21st Century cybersecurity challenges ahead.
IAPP Europe Data Protection Congress 2016 (Brussels, Belgium, Nov 7 - 10, 2016) The GDPR is finalised, the Data Protection Congress is returning to Brussels and you have a great deal of work ahead. Begin at the Congress, where you’ll find thought leadership, a thriving professional community and unrivaled education. It’s time to get to work: Start here.
Practical Privacy Series 2016 (Washington, DC, USA, Dec 7 - 8, 2016) This year, the Practical Privacy Series will return to Washington, DC, with its rapid, intensive education that arms you with the knowledge you need to excel on the job. We’re programming some stunningly good sessions right now—we can’t wait to share them with you!
ShmooCon 2017 (Washington, DC, USA, Jan 15 - 17, 2017) ShmooCon is an annual east coast hacker convention hell-bent on offering three days of an interesting atmosphere for demonstrating technology exploitation, inventive software and hardware solutions, and open discussions of critical infosec issues. The first day is a single track of speed talks called One Track Mind. The next two days bring three tracks: Build It, Belay It, and Bring It On.
International Cyber Risk Management Conference (ICRMC) (Toronto, Ontario, Canada, Mar 2 - 3, 2017) The third annual International Cyber Risk Management Conference (ICRMC) brings together a world class roster of experts with cross-sector, global and multidisciplinary expertise to share knowledge, lessons learned, and methodology on cyber security. We are delighted to build on last year’s very successful ICRMC. Cyber security has grown into a global pandemic and organizations of all sizes are struggling with questions on how to mitigate, manage, and transfer cyber risk. We’ve structured our agenda based on delegate feedback and our exceptional 2017 Advisory Committee is determined to provide engaging high-profile speakers and compelling content to share knowledge, captivate and educate. Visit www.icrmc.com for details.
IAPP Europe Data Protection Intensive 2017 (London, England, UK, Mar 13 - 16, 2017) Set in London, the Data Protection Intensive delivers innovative solutions to today’s top privacy and data protection challenges. Known for its exceptional programming, the Intensive has come into its own as a leading forum for practical data protection education.
InfoSec World Conference and Expo 2017 (ChampionsGate, Florida, USA, Apr 3 - 5, 2017) The conference will feature security practitioners who speak from experience on the real-world challenges companies are facing today. The conference is most suitable for those whose responsibilities include creating solutions. The organizers bill it as a training conference.
29th Annual FIRST Conference (San Juan, Puerto Rico, USA, Jun 11 - 16, 2017) FIRST is an international confederation of trusted computer incident response teams who cooperatively handle computer security incidents and promote incident prevention programs.
Upcoming Events
HTCIA International Conference and Training Expo (Summerlin, Nevada, USA, Aug 28 - 31, 2016) The High Technology Crime Investigation Association (HTCIA) sponsors this conference for professionals in law enforcement cyber security and cyber forensic investigations. College and university faculty working in these areas are also welcome, as are their students. Learn how to protect your agency, organization, or company against cyber threats in the more than 125 lectures and labs offered at the event. Hear distinguished keynote speakers, and network with colleagues. Industry vendors will also be available to discuss their newest products and services.
Air Force Information Technology and Cyberpower Conference 2016 (Montgomery, Alabama, USA, Aug 29 - 31, 2016) America is faced with a national emergency in cyberspace. US national security, economic vitality, financial stability and foreign policy are being eroded. Increasingly prevalent and severe malicious cyber activities are being directed against the DOD, USG, Private-Sector, Critical Infrastructure and Key Resource operators, Academia and Civil Society. USG industrial-aged thought, processes, and organizational relationship are not fostering “success” against decentralized, digital-age threat actors. An information-age solution is needed. Private-public dialogue is integral to building a new paradigm in which digital platforms are secure, and the nation is defended in a domain. Building bridges between government and the private sector is essential for victory. This conference will promote a national dialogue between the US Air Force, commercial businesses, academia and civil society to generate “whole of nation” strategies and processes aimed at overcoming challenges and ambiguities of an increasingly digital world.
CISO Toronto (Toronto, Ontario, Canada, Aug 30, 2016) A data breach is not only a PR nightmare, but cause for customers to turn to competitors, exposing sensitive company information and racking up fines from industry regulators. In order for organizations to operate smoothly, CISOs and IT security executives need to be ahead of the hackers, and kept abreast of the latest IT security topics and trends.
2016 Government Cyber Security SBIR Workshop (Washington, DC, USA, Aug 30 - Sep 1, 2016) The 2016 Government Cyber Security SBIR Workshop affords Small Business Innovation Research (SBIR) awardees in the completed Phase II or Phase III processes the opportunity to collaborate and present their research and technologies to researchers and cybersecurity leadership from the government, private sector and academia. This workshop facilitates knowledge-sharing, improvement of existing deployed technologies and transition to the marketplace by innovative research that safeguards cyberspace.
ISAO SO Public Forum (Tysons, Virginia, USA, Aug 31 - Sep 1, 2016) This public forum is the last opportunity to meet face-to-face and participate in conversations that will shape the first set of standards and guidelines to be published in September! Speakers will include leaders from multiple industry sectors, government and academia. The meeting will feature topics including: an in-depth public discussion of ISAO 100-1: Guidelines for Establishing an ISAO and ISAO 600-1: Government Relations, Programs, and Services; the State of the Ecosystem from the ISAO SO: “Where We Are and Where We’re Going” and “How We’ll Get There”; a special meeting of emerging ISAOs, and panel discussions from industry experts and thought leaders on ISAO Services and Capabilities, and Building an ISAO.
cybergamut Technical Tuesday: Quantifying Cyber Attacks: To Optimize and Assess your Defense by Jason Syversen of Siege Technologies (Elkridge, Maryland, USA, Sep 6, 2016) cybergamut Technical Tuesday is for cyber professionals to exchange innovative ideas and discuss technical issues of mutual interest. We’ll have a Technical Tuesday event on 6 September 2016 (1600 – 1730 East Coast Time). This talk describes the challenges of quantifying offensive and defensive capabilities and posture. This is not an IT-oriented metrics-talk about measuring the firewall rules or number of incidents last year. Instead, you’ll hear about new military-backed research on how to quantify the effectiveness of attacks, predict outcomes and measure defensive strength, as well as the future of data-driven security technologies.
2016 Intelligence & National Security Summit (Washington, DC, USA, Sep 7 - 8, 2016) Third annual unclassified summit hosted by AFCEA International and the Intelligence and National Security Alliance (INSA). There are five plenary sessions and nine breakout sessions related to cybersecurity, policy, and enduring strategic issues
Annual Privacy Forum 2016 (Frankfurt, Hesse, Germany, Sep 7 - 8, 2016) In the light of the upcoming data protection regulation and the European digital agenda, DG CONNECT, ENISA, and Goethe University Frankfurt are organizing APF 2016.
Innoxcell Annual Symposium 2016 (Singapore, Sep 8, 2016) The Innoxcell Annual Symposium (IAS) is the largest and most comprehensive international legal and regulatory compliance conference in Hong Kong, Beijing, Shanghai, Singapore, Australia and United States. This is the only event of its kind that will run multiple paths covering great diversity of Legal and Regulatory Compliance topics with over 20 sessions to select from and 10+ exhibitions. We aim to provide a ‘one-of-a-kind’ conference for legal and compliance executives and professionals from different industries to explore the latest best legal and business practices, catch-up with latest regulatory updates, establish networking with prominent legal professionals around the Globe, as well as visit the legal technology and solutions exhibition.
SecureWorld Cincinnati (Sharonville, Ohio, USA, Sep 8, 2016) Join your fellow security professionals for affordable, high-quality cybersecurity training and education. Earn 6-12 CPE credits through 30+ educational elements learning from nationally recognized industry leaders. Attend featured keynotes, panel discussions & breakout sessions all while networking with local peers
Borderless Cyber Europe (Brussels, Belgium, Sep 8 - 9, 2016) Join CIOs, CISOs and cyber threat intelligence experts from industry, government and CSIRTs worldwide to share experiences, strategies, tactics and practices that will improve your state of preparedness and more effectively protect your business against cyber threats. You will learn how to build communities of practice between C-level professionals and IT security practitioners, access the latest cyber threat information sharing and get actionable experiences from real-world use cases.
SANS Network Security 2016 (Las Vegas, Nevada, USA, Sep 10 - 16, 2016) We are pleased to invite you and your colleagues to attend SANS Network Security 2016 at the magnificent Caesars Palace, Las Vegas, on September 10-19. SANS Network Security is your annual networking opportunity! SANS will bring you the best in network security training, certification, and up-to-the-minute research on the most important topics in the industry today.
Business Insurance Cyber Risk Summit 2016 (San Francisco, California, USA, Sep 11 - 12, 2016) The Business Insurance Cyber Risk Summit provides risk management professionals and chief information security officers with the practical information and tools needed to combat the latest cyber risks that threaten their organizations. The day-long conference will explore cyber exposures, regulations, governance and insurance coverage. Risk managers and CISOs will learn how to adapt proven risk management strategies to their current cybersecurity environments, how to better communicate with their information security teams, and how to effectively convey risks, exposures and coverage options to their corporate boards and the C suite.
Hacker Halted 2016 (Atlanta, Georgia, USA, Sep 11 - 16, 2016) This year, Hacker Halted’s theme is the Cyber Butterfly Effect: When Small Mistakes Lead to Big Disasters. The goal of the conference is to bring the IT security community together to discuss how organizations are often compromised through the smallest of mistakes and how implementing effective changes can have ripple effects throughout all departments of an organization.
(ISC)² Security Congress (Orlando, Florida, USA, Sep 12 - 15, 2016) (ISC)² Security Congress offers attendees over 90 education sessions, designed to transcend all industry sectors, focus on current and emerging issues, best practices, and challenges facing cybersecurity leaders. As cyber threats and attacks continue to rise, the goal of (ISC)² Security Congress is to advance security leaders by arming them with the knowledge, tools, and expertise to protect their organizations.
7th Annual Billington Cybersecurity Summit (Washington, DC, USA, Sep 13, 2016) Join over 600 senior-level attendees, more than 50 distinguished speakers, and over 40 prestigious sponsors and exhibitors at the 7th Annual Billington CyberSecurity Summit, the leading Fall forum on cybersecurity in the Nation’s Capital, on September 13 in Washington, D.C. at the Ronald Reagan Building and International Trade Center. Keynotes Include NSA Director Admiral Michael Rogers and top U.K. and Israeli Cyber Leaders.
Privacy. Security. Risk. 2016 (San Jose, California, USA, Sep 13 - 16, 2016) Innovative since Day 1, P.S.R. brings together two related fields—privacy and security—helping you see beyond your role in order to excel in your role. Because perspective is everything. Delivering the most thought-provoking speakers, sessions led by foremost experts and invaluable opportunities to connect and share ideas, P.S.R. gives you a world of new perspective.
CISO GAS (Frankfurt, Hessen, Germany, Sep 13, 2016) A data breach is not only a PR nightmare, but cause for customers to turn to competitors, exposing sensitive company information and racking up fines from industry regulators. CISOs and IT security executives must always have this in mind, as well as a host of other evolving concerns, from curbing Bring-Your-Own-Device (BYOD) risk to controlling vulnerable social media data. In order for today's leading enterprises to operate smoothly, information security must be ahead of the hackers and kept abreast of the latest IT security topics and trends. The CISO Summit will bring together C-level IT security executives, industry analysts and solution providers to discuss challenges and best practices in a relaxed, yet focused business setting. Agenda sessions include engaging Keynote Presentations, Thought Leadership sessions, CISO Think Tanks, Analyst Q&As and much more.
ISS World Americas (Washington, DC, USA, Sep 13 - 15, 2016) ISS World America is the world's largest gathering of North American Law Enforcement, Intelligence and Homeland Security Analysts as well as Telecom Operators responsible for Lawful Interception, Hi-Tech Electronic Investigations and Network Intelligence Gathering and Sharing. ISS World Programs present the methodologies and tools for Law Enforcement, Public Safety and Government Intelligence Communities in the fight against drug trafficking, cyber money laundering, human trafficking, terrorism and other criminal activities conducted over today's Telecommunications networks, the Internet and Social Networks.
Tarleton State University Cyber Security Summit 2016 (Dallas, Texas, USA, Sep 13, 2016) Cyber Security for the Board and the C-Suite: "What You Need to Know." Cyber Security experts will discuss corporate cyber-attacks and legal practitioners will discuss strategies to help companies comply with the increasingly complex data security laws. Data privacy and security experts will discuss practical solutions to current problems.
Insider Threat Program Development Training For NISPOM CC 2 with Legal Guidance (Germantown, Maryland, USA, Sep 14 - 15, 2016) Insider Threat Defense will hold a two-day training class on Insider Threat Program Development (NISPOM Conforming Change 2). For a limited time the training is being offered at a discounted rate of $795 (normally $1395). The training is comprehensive and provides students with the knowledge and resources to develop and implement a robust Insider Threat Program. The training will include "Legal Considerations & Guidance For Insider Threat Programs" (Privacy Concerns, User Activity Monitoring, Investigations, Etc.) - Provided By Co-Instructor Insider Threat Law - Licensed Attorney. Insider Threat Defense has trained over 400 organizations and has become the "leader-go to company" for insider threat program development training.
SecureWorld Detroit (Dearborn, Michigan, USA, Sep 14 - 15, 2016) Join your fellow security professionals for affordable, high-quality cybersecurity training and education. Earn 12-16 CPE credits through 60+ educational elements learning from nationally recognized industry leaders. Attend featured keynotes, panel discussions & breakout sessions all while networking with local peers.
Insider Threat Program Development Training for NISPOM CC 2 (Milwaukee, Wisconsin, USA, Sep 19 - 20, 2016) Insider Threat Defense will hold a two-day training class on Insider Threat Program Development (NISPOM Conforming Change 2). For a limited time the training is being offered at a discounted rate of $795 (normally $1395). The training is comprehensive and provides students with the knowledge and resources to develop and implement a robust insider threat program. Insider Threat Defense has trained over 350+ organizations and has become the "leader-go to company" for insider threat program development training.
4th ETSI/IQC Workshop on Quantum-Safe Cryptography (Toronto, Ontario, Canada, Sep 19 - 21, 2016) This three-day workshop brings together diverse players in the quantum-safe cybersecurity community to facilitate the knowledge exchange and collaboration required to transition cyber infrastructures and business practices to make them safe in an era with quantum computers. Attendees and presenters will include leaders from the fields of post-quantum (quantum resistant) cryptography, quantum key distribution (QKD), theoretical and commercial integration of cryptography and security tools, first-adopters of quantum-safe tools from industry and government, and members of standards bodies. Anyone interested in joining the growing community that is working to mitigate the quantum risk and creating quantum safe cryptosystems for the future should attend this workshop.
Cyber Physical Systems Summit (Newport News, Virginia, USA, Sep 20 - 22, 2016) On September 20-22, 2016 the Commonwealth will be hosting a Cyber and Physical Systems Summit. The three day event will consist of roundtable discussions, plenary and panel presentations across the intersection of cyber and three vectors – Autonomy, Physical Systems (Mfg), and Critical Infrastructure. Participants in the Summit will engage in conversations surrounding challenges, opportunities, threats, and the associated policy and budgetary implications.
hardwear.io Security Conference (The Hague, the Netherlands, Sep 20 - 23, 2016) hardwear.io Security Conference is a platform for the hardware and security community where researchers showcase and discuss their innovative research on attacking and defending hardware. The objective of the conference revolves around four key concerns in hardware, firmware and related protocols, i.e. backdoors, exploits, trust and attacks (BETA). hardwear.io is seeking innovative research on hardware security. If you have done interesting research on attacks or mitigation on any hardware and want to showcase it to the security community, just submit your research paper.
3rd Annual Senior Executive Cyber Security Conference: Navigating Today's Cyber Security Terrain (Baltimore, Maryland, USA, Sep 21, 2016) The Johns Hopkins University Information Security Institute and COMPASS Cyber Security are hosting the 3rd Annual Senior Executive Cyber Security Conference on Wednesday, September 21, from 8:30 a.m. – 4:00 p.m., on the Homewood campus of Johns Hopkins University. Hear from industry leaders on cyber security best practices and trends that will help you better secure your organization's data. This year's agenda examines the current cyber security landscape, threats, and challenges ahead for organizations and how senior leaders can work towards "shifting their data to being safe and secure."
New York Cyber Security Summit (New York, New York, USA, Sep 21, 2016) The Cyber Security Summit is an exclusive conference series that connects C-Suite & Senior Executives who are responsible for protecting their companies’ critical infrastructures with innovative solution providers and renowned information security experts. This educational and informational forum will focus on educating attendees on how to best protect highly vulnerable business applications and critical infrastructure. Attendees will have the opportunity to meet the nation’s leading solution providers and discover the latest products and services for enterprise cyber defense.
Gigaom Change 2016 Leader's Summit (Austin, Texas, USA, Sep 21 - 23, 2016) Over an immersive 2.5 days, we will explore the current state-of-the-art technologies, how these are transforming industry, and why this all matters. You’ll emerge with a greater understanding of the exponential technological changes occurring around us, and the confidence to accelerate tangible next steps. Gigaom Change is designed to empower businesses of today to thrive in a world of tomorrow. Gigaom Change will focus on the seven most disruptive enterprise technologies that are widely known but little understood: Artificial Intelligence, Virtual Reality, Robotics, Nanotechnology, Cybersecurity, 3-D Printing, and Human-Machine Interface.
NYIT Annual Cybersecurity Conference (New York, New York, USA, Sep 22, 2016) Presented by NYIT School of Engineering and Computing Sciences, this conference brings together cyber experts from academia, business, and government to address: Cyber Defense Against Attacks–How Industry Is Addressing Evolving Threats; Information Currency and Blockchain Vulnerability; Cyber Physical Systems, Cyber Infrastructure, and the Internet of Things; Government Agencies' Strategies for Securing Cyberspace; Cyber Risks of Smart Transportation; and Accelerating Cyber Education and Career Paths.
GDPR Comprehensive 2016 (London, England, UK, Sep 22 - 23, 2016) The GDPR is now a reality. Are you prepared? We had an incredible response to the IAPP GDPR Comprehensive in Brussels and New York, where we prepared hundreds of privacy and data protection professionals for the implementation of the GDPR. Now we’re bringing the programme to London. Don’t miss this intensive, two-day guided tour of the GDPR with the industry’s most knowledgeable experts.
Cyber Security: How to Identify Risk and Act (Frankenmuth, Michigan, USA, Sep 26, 2016) Join us on 9/26/2016 for the PMI-MTC's annual project management PDD focusing on "Cyber Security: How to Identify Risk and Act." Earn 7 PDUs during the interactive sessions with well-known information security and project management experts. Featuring a keynote speaker from the FBI Detroit Cyber Task Force. Also featuring speakers from the Dow Chemical Company, UHY LLP, Ally Financial, CBI, and more.
CYBERSEC (Kraków, Poland, Sep 26 - 27, 2016) The CYBERSEC forum is the first of its kind in Poland and one of just a few regular public policy conferences in Europe devoted to the strategic issues of cyberspace and cybersecurity. The goal of the CYBERSEC conference is the formulation of practical recommendations that aim to increase resilience to cyber threats within specific economic sectors, states, and the EU as a whole.
Third Annual Women in Cyber Security Reception (Baltimore, Maryland, USA, Sep 27, 2016) The CyberWire is pleased to present the 3rd Annual Women in Cyber Security Reception in cooperation with our partner the Cybersecurity Association of Maryland (CAMI) on Tuesday, September 27, 2016, in Baltimore, MD.
IP EXPO Nordic 2016 (Stockholm, Sweden, Sep 27 - 28, 2016) IP EXPO Nordic is part of Europe’s number ONE enterprise IT event series, designed for those looking to find out how the latest IT innovations can drive business growth and competitiveness. The event showcases brand new exclusive content and senior-level insights from across the industry, as well as unveiling the latest developments in IT. It covers everything you need to run a successful enterprise or organisation. Arrive with challenges, leave with solutions. IP EXPO Nordic 2016 incorporates six IT events under one roof – Cloud, Cyber Security, Networks and Infrastructure, Data Analytics, DevOps and Open Source. This year’s event will be the most comprehensive business-enhancing experience for those across the IT industry, including IT managers, CTOs, CDOs, network and storage engineers, CISOs, data analysts, developers and communications specialists.
SecureWorld Dallas (Plano, Texas, USA, Sep 27 - 28, 2016) Join your fellow security professionals for affordable, high-quality cybersecurity training and education. Earn 12-16 CPE credits through 60+ educational elements learning from nationally recognized industry leaders. Attend featured keynotes, panel discussions & breakout sessions all while networking with local peers.