The CyberWire Daily Briefing 11.13.18

Summary

By The CyberWire Staff

Finland investigates apparent Russian GPS jamming during NATO exercises (Deutsche Welle).

Jihadist groups, pushed by social media into temporary online occultation, counsel members to spread malign inspiration through hijacked accounts (Naked Security).

RiskIQ and Flashpoint this morning issued a joint report on Magecart, the family of carding campaigns against e-commerce sites. The researchers identify six criminal groups as responsible for Magecart activity, and they trace the threat from its modest origins as the Cart32 online shopping cart backdoor (discovered in 2000) to the present threat responsible for large-scale attacks on large enterprises including Ticketmaster and British Airways. Magecart proper emerged in 2015. The criminals monetize their theft of paycard data either by selling it to other, pettier crooks in carding fora, or by enlisting mostly unwitting mules to buy goods and ship them to the gang.

Cathay Pacific has told Hong Kong's Legislative Council data regulators that the breach it sustained was sophisticated and lasted for several months as the airline sought with difficulty to parry the attacks (Bloomberg Quint). The attacks were discovered in March; the airline struggled (at considerable effort and expense) with containment until August, at which time it began to be able to assess the extent of customer data loss: "far worse than thought" (Star). Cathay Pacific has established a site that worried customers may consult if they're concerned for their data's security.

Asked if there will be another Cambridge Analytica scandal, UK Information Commissioner Denham bets on form and says, "I suspect there will" (Telegraph).

Learn how Cylance silences cyber attacks with Artificial Intelligence.

Notes.

Today's issue includes events affecting Australia, Belgium, Canada, China, Finland, France, India, Iraq, NATO/OTAN, Netherlands, New Zealand, Russia, Syria, Taiwan, United Arab Emirates, United Kingdom, United States, and and Vietnam.

Securing the Vote: How Easily Could Our Elections Be Hacked?

U.S. voting systems are broken. They are peppered with risks from people, process, and technology – and something must be done to regain voter confidence. In the latest Securealities report, Coalfire identifies these vulnerabilities and provides recommendations for remediation based on analyses from their work on voting networks and systems, plus 3,000 cybersecurity engagements in the past year.

On the Podcast

In today's podcast, out later this afternoon, we speak with our partners at the Johns Hopkins University Information Security Institute, as Joe Carrigan offers a report on the NICE conference, and in particular on a presentation that discussed ways of including psychologists in cybersecurity decision making. Our guest is Rich Bolstridge from Akamai, with a review of their latest State of Internet Security report.

Sponsored Events

The Pesky Password Problem: Red and Blue Team Battle featuring Kevin Mitnick (Online, November 14, 2018) Kevin Mitnick and Roger Grimes debate one of security's most controversial issues: passwords. Hear the truth regarding effective passwords, password management and more in this unique webinar. Save your spot!

Cyber Security Summit: November 29 in Los Angeles (Los Angeles, California, United States, November 29, 2018) Sr. Level Executives are invited to learn about the latest threats & solutions in Cyber Security from experts from The CIA, The City of Los Angeles, Verizon, CenturyLink and more. Register with promo code cyberwire95 for $95 VIP admission (Regular price $350) https://CyberSummitUSA.com

Rapid Prototyping Event: The Turing Test (Columbia, Maryland, United States, December 11 - 13, 2018) DreamPort, in conjunction with the Maryland Innovation & Security Institute and USCYBERCOM, is hosting a Rapid Prototyping Event in which participants implement an automated process to interact with a Microsoft Windows machine just as a human user may do with the goal being to fool a human judge who is monitoring target computers via Remote Desktop Protocol (RDP) or Virtual Network Computing (VNC) into thinking a normal user is interacting with that machine and not an automated program or process.

Selected Reading

Cyber Attacks, Threats, and Vulnerabilities

Russia ‘disrupted Nato wargames by jamming GPS’ (Times) Russian electronic warfare to disrupt Nato wargames are suspected to have caused the widespread jamming of satellite-based navigation systems in Norway and Finland that put airline passengers at risk.

Finland to probe reports of Russia disrupting GPS during NATO drill (Deutsche Welle) Finland's GPS signal was disrupted during NATO's recent military drills and Russia may have been the culprit, according to Finland's prime minister. The apparent jamming also affected air traffic in Norway.

Terrorists told to hijack social media accounts to spread propaganda (Naked Security) Facebook has removed 14 million pieces of content dubbed likely to come from terrorists, as determined by new machine learning technology

Intel agencies on alert as Islamic State modules in Kerala switch to Wickr app (The New Indian Express) Both the NIA and the IB have been keeping track of devious new communication tools being used by the IS, including messaging apps that encrypt texts and destroy them almost immediately.

Symantec: ‘Gallmaker’ Cyber Attack Group Uses ‘Living off the Land’ Tactics to Avoid Detection (ExecutiveBiz) Symantec has identified a new cyber espionage group dubbed Gallmaker that launches attacks on some government, defense and military organizations in Eastern Europe and the Middle East. The company said Thursday the Gallmaker group uses publicly available hacking tools and “living off the land” techniques to access targeted computers and avoid detection by traditional security...

US banks prepare for Iranian cyberattacks as retaliation for sanctions (KPAX.com) As the United States reinstated economic sanctions on Iran on Monday, American banks were gearing up for retaliatory Iranian cyberattacks. Bank executives believe Iranian hackers could attempt to disrupt financial services, perhaps as they did between 2011 and 2013 — with denial-of-service attacks that interrupted bank websites and other internet financial services. Last week, CNN …

The US Military Just Publicly Dumped Russian Government Malware Online (Motherboard) US Cyber Command, a part of the military tasked with hacking and cybersecurity operations, says it is releasing malware samples as an information sharing effort.

Securiosity: All quiet on the election front (Cyberscoop) Everything ended up being quiet when it came to election security. But there were still plenty of other breaches and security advisories to talk about. In our interview, we talk to Digital Shadows CEO Alastair Paterson about Facebook, digital risk and whether he sees a sea change coming for the way people think about their privacy online.

Information Warfare: Twitter Brings Dezinformatsiya To The World (Strategy Page) Twitter, the popular messaging app, began in 2006 and it soon became a favorite tool for Russian dezinformatsiya (disinformation) operations That was because it was easier to conceal Russian involvement Messages were limited to 140 characters, meaning

Facebook Groups are “the greatest short-term threat to election news and information integrity” (Nieman Lab) Plus: How "junk news" differs from "fake news," and LinkedIn gets less boring (but not in a good way).

NBC News Signal presents factory of lies: Democracy under attack (NBC News) Americans elected Donald Trump president after a bruising campaign mired by disinformation online and suspicious hacks. We now know the Russian government interfered in the elections by manipulating social media in a bold attempt to influence the vote. The Russian tactics may have been new, but their propaganda playbook is age-old. The NBC News Business, Tech and Media team recounts what happened in 2016 and sheds light on what it means for our democracy going forward.

Flashpoint - ‘Inside Magecart’ Exposes the Operation Behind the Web’s Biggest E-Commerce Scourge (Flashpoint) “Inside Magecart” is the deepest, publicly reported look into the Magecart operations and one of the most dangerous cybercrime outfits operating today.

Cathay Pacific Says World’s Biggest Airline Data Hack Went on for Months (BloombergQuint) The breach has prompted calls to overhaul Hong Kong’s two-decades-old privacy laws to ensure companies report any leaks quicker

Privilege Escalation Flaw In WP GDPR Compliance Plugin Exploited In The Wild (Wordfence) After its removal from the WordPress plugin repository yesterday, the popular plugin WP GDPR Compliance released version 1.4.3, an update which patched multiple critical vulnerabilities. At the time of this writing, the plugin has been reinstated in the WordPress repository and has over 100,000 active installs. The reported vulnerabilities allow unauthenticated attackers to achieve privilege escalation, …

Patched Adobe ColdFusion Flaw Exploited By APT (Threatpost) The critical vulnerability, which was patched earlier in September, has put ColdFusion servers at risk.

Threat Actors Exploiting Red Team Tool JexBoss (Infosecurity Magazine) The NCCIC issued a CERT alert warning of vulnerabilities in the JBoss application server.

Microsoft issues security advisory on SSD hardware encryption (Windows Report) Security advisory warnings from Microsoft are as much a part of daily life as bad updates from... er... Microsoft. Read on to find out how to protect your SDDs.

Emotet distributed in a major new large-scale spam campaign (WeLiveSecurity) Following a period of low activity, the malicious actors behind Emotet have launched a new, large-scale spam campaign. ESET telemetry shows the latest activity was launched on November 5, 2018.

Botnet pwns 100,000 routers using ancient security flaw (Naked Security) Researchers have stumbled on another large botnet that’s been hijacking home routers while nobody was paying attention.

Monero mining malware responsible for 6th largest cyber attack in Switzerland: report (BCFocus) Switzerland has increasingly embraced cryptos and related businesses. However, the country’s crypto industry is no stranger to cyber attacks.

Taking Cryptojacking Out of the Shadows (Infosecurity Magazine) The only way to truly prevent cryptojacking is to prevent the malware from getting installed in the first place, rather than waiting to detect it post-breach.

Bioscoopketen Pathé voor meer dan €19 miljoen opgelicht (Quote) Het klinkt als een slechte film maar is helaas de pijnlijke realiteit: bioscoopketen Pathé is eerder dit jaar slachtoffer geworden van CEO-fraude waa...

HSBC Breach Apparently Caused by Credential Stuffing, or Not (Credit Union Times) More than one million accounts have been compromised and cybersecurity experts are suspicious of the reasoning behind the breach.

Nordstrom data breach exposes employee information (SC Media) High-end retailer Nordstrom is in the process of notifying its employees their data may have been compromised in a breach.

Elizabeth Denham: 'Will there be other Cambridge Analyticas out there? I suspect there will' (The Telegraph) Elizabeth Denham doesn’t organise her spices.

Cyber Trends

Reported breaches in the first 9 months of 2018 exposed 3.6 billion records (Help Net Security) There have been 3,676 publicly disclosed data compromise events through September 30. Breach activity continues at a consistent pace for 2018, which

Harris Poll And Finn Partners Unveil New Metric For The Return On Investment For Social Good (PR Newswire) Today, Harris Poll, in partnership with Finn Partners, unveiled the Societal Return on Investment (SROI) Index, a newly...

Closing the security gap will drive $125 billion critical infrastructure security spending (Help Net Security) ABI Research forecasts critical infrastructure security spending will hit US$125 billion globally by 2023, boosted by adoption of smart operational tech.

The data blame game: what to do when executives are playing fast and loose with core IP (Computing) 93 per cent of CEOs store their work on a laptop or other personal device outside of official company storage, finds survey

SlashNext Survey Reveals 95% of IT Security Pros Underestimate Phishing Attack Risk (SlashNext) Growing Gaps in Protections Against Short-Lived, Yet Dangerous Phishing Threats on the Web

Marketplace

Taiwanese IoT Delegation to Meet with Leading Vietnamese Companies for Future Collaboration (NBC) NBC Right Now will provide all your local Yakima, Tri-Cities, Walla Walla and Hermiston news, weather and sports.

Moody's is going to start building the risk of a business-ending hack into its credit ratings (CNBC) We're getting closer to the time where a cyber event will prove to be business ending, and Moody's wants to be able to find companies with the most exposure

Will credit ratings finally get Board of Directors' attention about control system cyber threats? (Control Global) Moody’s will incorporate cyber risk into its existing credit ratings. Moody's is considering a stand-alone cyber risk rating separate from the credit rank – this is expected to include control system cyber threats.

The Mad Dash to Find a Cybersecurity Force (New York Times) Employers and educators are rethinking the way they attract and train potential employees to meet the demands of an increasingly vulnerable online world.

PLUS Experts: One of the Biggest Gaps in Cyber is Explaining it to Customers (Insurance Journal) What's one of the biggest gaps in cyber? Good communication between the insurance industry and customers, who are in need of more than just products to

Top US Intelligence Official Sue Gordon Wants Silicon Valley on Her Side (WIRED) In an expansive on-the-record interview with WIRED, the principal deputy director of national intelligence made her pitch for public-private partnerships.

4 Cyber Stocks in Focus as China Violates US Anti-Hack Pact (Zacks Investment Research) China's violation of a bilateral anti-hacking agreement with the United States could invite sanctions on Chinese hackers.

Italian-founded IoT cybersecurity startup EXEIN raises €2 million (Tech.eu) Cybersecurity startup EXEIN from Rome has raised a €2 million funding round from United Ventures for its IoT firmware security solution. The company was founded in July this year as a spin-off project undertaken of an Italian cybersecurity company Aspisec led by its CEO Gianni Cuozzo. EXEIN claims that firmware has become the weak point …

Thoma Bravo, eyeing Symantec, has been on a Silicon Valley buyout spree (Silicon Valley Business Journal) The private equity firm has spent billions to buy or take a stake in 10 cybersecurity businesses in the past year, including several big M&A deals in Silicon Valley. Here's a look at those deals and why analysts think more may be coming.

BlackBerry in talks to buy cybersecurity company Cylance: Business... (Reuters) BlackBerry Ltd is in talks to buy cybersecurity company Cylance Inc for as much ...

Report: BlackBerry in talks to acquire security firm Cylance (Seeking Alpha) BlackBerry (BB -2.5%) is in talks to acquire cybersecurity start-up Cylance in a deal that could reach $1.5B, Business Insider reports.

Hivint acquisition strengthens Optus's security play (Technology Decisions) Optus's acquisition of cybersecurity consultant Hivint will help the company grow its security business in Australia and potentially the wider APAC region.

Fortinet: No, Not The Game, But A Stock Everyone Should Love Just As Much (Seeking Alpha) Forinet is among the leaders in the firewall security market, one that is poised to grow ~10% CAGR through 2020.

More than £540m wiped off value of cyber security firm Sophos (City A.M.) More than £540m has been wiped off the value of cyber security firm Sophos after it cut forecasts for the second half of the financial year.

Securonix Launches Securonix Threat Research Labs to Help Cybersecurity Teams Mitigate Advanced Threats (AiThority) Securonix, the market leader in next-generation security information and event management (SIEM) and user and entity behavior analytics (UEBA), announced that it has officially launched the Securonix Threat Research (STR) Labs.

Synack Launches Veterans Cyber Program (Meritalk) Synack, a crowdsourced security testing firm, announced Thursday the launch of its Synack Veterans Cyber Program which will “recruit, empower, and deploy veterans in the cybersecurity industry.”

Armistice Day (Acumin) In light of the 100th anniversary of the end of WW1 this Sunday on Armistice Day, Acumin Consulting would like to pay our respects to those who helped our country 100 years ago.

CIT and MACH37 Expand Cybersecurity Partnership with UVa-Wise (GlobeNewswire News Room) Third annual information session on Nov. 14 will continue to cultivate a pipeline of trained cybersecurity and software development professionals

Products, Services, and Solutions

Aqua Security Introduces Risk Assessment Controls for Serverless Functions and Container Encryption (Aqua) New release of Aqua’s cloud native security platform addresses the needs of large enterprise deployments with runtime visibility and multi-application, multi-team policy management

RivalGuardian Launches Simple and Powerful Cloud-Based Firewall Service Designed to Protect Nearly Any Website (IT News Online) RivalGuardian Launches Simple and Powerful Cloud-Based Firewall Service Designed to Protect Nearly Any Website

Arilou And Alpine Announce Co-Developing Of Secure Infotainment System (NNG) Arilou Information Security Technologies, a supplier of high-end cyber security solutions for the automotive industry, and Alpine Electronics, Inc., a leading manufacturer of in-car audio equipment, mobile multimedia components, and in-vehicle infotainment systems announced joining forces to create the concept of an infotainment system securing the vehicle’s CAN bus against malicious hacking attempts.

KnowBe4 Announces Competitive Buyout Program to Combat Ineffective Phishing Tools (Virtual-Strategy Magazine) Organizations stuck with ineffective security awareness training and anti-phishing efforts can now take advantage of KnowBe4's offerings Phishing Security Test

Thycotic Releases Secret Server Cloud Fall Edition Amidst 240 Percent Year-Over-Year Sales Growth (Security Boulevard) Record Growth Reflects Demand for Enterprise-Scale PAM Software-as-a-Service

GlobalPlatform Expands Card/SE Spec Following Widespread Consumer & M2M Deployments (GlobalPlatform) GlobalPlatform Expands Card/SE Spec Following Widespread Consumer & M2M Deployments

NSA certifies Harris AN/PRC-163 radio for top secret intelligence (UPI) The NSA has granted Harris Corporation Type-1 certification for its AN/PRC-163 handheld networked encrypted radio for transmitting top secret information.

Huawei Chips Unlock New Era of Artificial Intelligence (AsiaOne) New Ascend 310 AI Chip Earns Huawei the Prestigious "World Leading Scientific and Technological Achievement Award" at the Fifth World Internet Conference

Dropbox Teams with Israeli Security Firm Coronet (Dark Reading) The partnership is expected to improve threat detection for Dropbox while growing Coronet's user base.

8 Top Cyber Insurance Vendors (eSecurity Planet) Cyber insurance is one more way to manage cybersecurity risk. Here are the top cyber insurance vendors that can help.

Technologies, Techniques, and Standards

Implications of the NIS Directive for the industrial sector (Help Net Security) The Network and Information System legislation is forcing operational technology professionals into unfamiliar security waters.

Top banks in cyber-attack 'war game' (BBC News) The Bank of England is testing the UK's ability to withstand a major cyber-attack on financial institutions.

Cyber-security exercises needed to better prepare for cyber attacks: Expert at COI on SingHealth cyber attack (The Straits Times) An expert has called for more exercises involving simulated data breaches to allow professionals in an organisation to practice responses for a cyber-security incident.. Read more at straitstimes.com.

At USAA, cybersecurity is a '24/7 problem' (San Antonio Express-News) At USAA’s Cyber Threat Operations Center in San Antonio, cybersecurity experts are constantly monitoring attempts by cybercriminals to get into members’ accounts.

Oracle CEO: I go through each day not wanting to get ‘the call’ (Computerworld) Everyone from bedroom hackers to nation states is trying to hack Oracle, its chief executive officer Mark Hurd has told Computerworld.

'SEIMs and SOCs can be very dangerous' - N Brown's Mike Koss on effective cybersecurity (Computing) SOCs can be effective but only if introduced properly

New weapon to fight risk of cyber attack (BQ) A voucher scheme has been launched to help small businesses and third sector organisations to combat the menace of e-crime by securing a Cyber Essentials accreditation.

CEOs are the top cybersecurity targets. Here’s how to protect them. (Houston Chronicle) A company's chief executive typically has access to the most sensitive information about the organization. That makes the CEO a highly prized target for online evildoers bent on malfeasance.

What's working, what's not in banks' battle against 'credential stuffing' (American Banker) HSBC is the latest bank to be hit with this type of attack, in which hackers take stolen usernames and passwords from one site and attempt to reuse them to login to banks.

Why Family Offices Need To Prioritize Cyber-Security (Forbes) Cyber-crime statistics indicate that family offices are becoming more frequent victims of targeted data breaches, often wreaking havoc on systems and posing a significant reputational and financial risk when sensitive information is accessed.

What You Should Know About Grayware (and What to Do About It) (Dark Reading) Grayware is a tricky security problem, but there are steps you can take to defend your organization when you recognize the risk.

How to Safely and Securely Dispose of Your Old Gadgets (WIRED) Keep your data private and the environment protected.

Design and Innovation

Google open-sources AI that can distinguish between voices with 92% accuracy (VentureBeat) Google researchers have open-sourced an AI system that can suss out speakers with state-of-the-art accuracy compared to previous methods.

When is the network not really the network? (C4ISRNET) The Defense Information Systems Agency is looking for internet browsing to take place on a commercial cloud and away from Department of Defense servers.

Researchers Defeat Most Powerful Ad Blockers, Declare a ‘New Arms Race’ (Motherboard) Perceptual ad blockers will come out on the losing side in the war against internet advertisers and expose users to a host of new attack vectors in the process, the researchers warned.

Priority: Frictionless Transactions Over Fraud Prevention (BankInfo Security) As the pace of technology innovation continues to quicken - including the ability to make payments via everything from Alexa to Facebook Messenger - risk-based

Why We Cannot be Trusted to Make Our Own Passwords (Infosecurity Magazine) Does your password contain numbers 1, 2 or 3, or what about letters E or T?

Research and Development

Denim Group Awarded HotSpot Technology Patent to Identify Vulnerabilities in Shared Internally-Developed Code (Digital Journal) announced that the United States Patent and Trademark Office (USPTO) has

Post-quantum cryptography a major challenge, says expert (ComputerWeekly) The crypto wars are just beginning and open systems are key to improved security in future, says cryptography expert.

Academia

DCU leads €2.4m EU project to tackle ‘fake news’ (Silicon Republic) DCU is to lead a €2.4m EU project entitled ‘Provenance’ to tackle the issue of ‘fake news’ by tracking and flagging online disinformation.

UNCW Receives Federal Recognition as a National Center of Excellence in Cyber Defense Education (UNCW) UNCW has been named a National Center of Academic Excellence in Cyber Defense Education, a designation that will enable students to compete for federal and private cyber security jobs.

Inside CSAW, a Massive Student-Led Cybersecurity Competition (Dark Reading) Nearly 400 high school, undergraduate, and graduate students advance to the final round of New York University's CSAW games.

Legislation, Policy and Regulation

France Seeks Global Talks on Cyberspace Security (SecurityWeek) The French government announced a "Paris Call" for talks to lay out a common framework for ensuring internet security, following a surge in cyberattacks which has dented confidence in global networks.

What Is the 'Paris Call?' Google and Microsoft Back Emmanuel Macron's New Plan to Protect the Internet (Fortune) China and Russia aren't on board, and the U.S. may not be either.

More than 50 nations, but not U.S., sign onto cybersecurity pact (Axios) Russia and China also avoided signing the call for cooperative cybersecurity.

What happens when the US-China cyber agreement isn’t working (Fifth Domain) “It’s clear that they are well beyond the bounds today of the agreement that was forged between our two countries,” said Rob Joyce, senior adviser to the National Security Agency.

Salisbury attack : UK open to “different” relation with Russia (The Mirror Herald) Salisbury attack, wherein agent Sergei Skripal and his daughter, Yulia were poisoned with Novichok by Russian intelligence agents in March.

NIS Directive Gets Real After OES Deadline (Infosecurity Magazine) So-called “operators of essential services” have now been identified

Belgian govt to continue with Kaspersky security software (Telecompaper) The Belgian government plans to continue using software from Russia’s Kaspersky. The Belgian center for cybersecurity said no objective or independent study showed that Kaspersky's software was unreliable.

Five Eyes Focused on Huawei as China Continues to Use Its Tech to Hack Into Other Countries (ClearanceJobs) Huawei's American advertising slogan is "Building a Fully Connected Intelligent World." It ought to be "Building a Fully Connected Intelligence Network."

Canada should oust Chinese telecom Huawei, say security experts (Toronto Star) Both the United States and Australia have banned the company from 5G network construction because of security concerns, and Washington is putting pressure on Canada, Britain and New Zealand to join suit.

Britain flashes amber light at Huawei with review of telecoms supply chains (Financial Review) Hot on the heels of Australian and US moves to ban Huawei from 5G networks, Britain has launched a review of security in its telecoms supply chains.

Should the Government Require Companies to Meet Cybersecurity Standards for Critical Infrastructure? (Wall Street Journal) Some argue that government regulation is needed to keep critical systems safe from hackers. Others say industry can do a better job on its own.

California Regulates Online Bots (Cooley) Citing the proliferation of online bots used to deceive consumers and influence voters, the California legislature recently passed the nation’s first law directly regulating online bots. Enacted o…

Analysis | The Cybersecurity 202: Two ex-CIA officers are coming to Congress. Here's how they want to improve security policy (Washington Post) Spanberger and Slotkin say their experience helps them understand the threats.

Litigation, Investigation, and Enforcement

Lawsuits Aim Billions in Fines at Equifax, Ad-Targeting Companies (Threatpost) The results could start a wave of major damages for companies that collect and sell consumer information.

Consumers File Class Action Lawsuit Against Symantec for Defective AntiVirus Software (PR Newswire) Consumers have filed a class action lawsuit against Symantec Corporation (NASDAQ: SYMC), alleging that from 2005 to ...

FBI Records Show Former FBI Director James Comey’s Use of Personal Email (Cause of Action Institute) Cause of Action Institute has acquired former FBI Director James Comey’s work-related emails from his personal Gmail account. Garnered from the FBI through the first of rolling document productions in an ongoing Freedom of Information Act (FOIA) lawsuit, the email records start to shed light on the extent of Comey’s …

Amazon must give up Echo recordings in double murder case, judge rules (Ars Technica) New Hampshire judge orders data handover in 2017 stabbing case.

Bug Bounty Hunter Ran ISP Doxing Service (KrebsOnSecurity) A Connecticut man who’s earned bug bounty rewards and public recognition from top telecom companies for finding and reporting security holes in their Web sites secretly operated a service that leveraged these same flaws to sell their customers’ personal data, KrebsOnSecurity has learned.

Industry Events

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

newly Noted Events

CPX Asia 360 2019 (Bangkok, Thailand, January 21 - 23, 2019) CPX 360 - the industry’s premier cyber security summit and expo - brings together the world’s leading cyber security experts to one venue. Gain a deep understanding of current challenges cyber security professionals face. Experience insightful Cyber Talk keynotes, conference sessions, and hands-on labs covering the latest innovations. Register today!

CPX Americas 360 2019 (Las Vegas, Nevada, USA, February 4 - 7, 2019) CPX 360 promises to be the premier cyber security summit. CPX 360 is where you’ll receive up-to-the-minute intelligence about global threats and other vital topics from the world’s leading cyber security experts. In addition, you’ll enjoy getting hands on with cutting-edge security solutions from Check Point, networking with your peers, and celebrating with the world’s cyber security elite. If you attend one cyber security event this year, make it CPX 360.

BSides Huntsville (Huntsville, Alabama, USA, February 15 - 16, 2019) The fun and cheap way to earn CEU's. Instead of paying way too much to listen to some guy in a suit try and sell you something, you can pay just a few bucks to hear actual programmers and hackers talk about the unfiltered side of Cybersecurity. Instead of trying to think of questions that will expose the salesperson as a fraud, you can have interesting exchanges with people that have actually gained access to high security facilities. BSides Huntsville is the conference for those that work in the trenches of Cybersecurity. This is the opportunity for you to engage in fierce discussions about the next big ideas or the worst product you've ever seen, but in a friendly and informal setting.

CPX Europe 360 2019 (Vienna, Austria, February 18 - 20, 2019) CPX 360 - the industry’s premier cyber security summit and expo - brings together the world’s leading cyber security experts to one venue. Gain a deep understanding of current challenges cyber security professionals face. Experience insightful Cyber Talk keynotes, conference sessions, and hands-on labs covering the latest innovations. Register today!

upcoming Events

Capital Cybersecurity Summit (Tysons Corner, Virginia, USA, November 13, 2018) The 2018 Capital Cybersecurity Summit will feature keynote speakers and panels offering unique insights on emerging cybersecurity technologies, digital solutions, operations and enforcement from the private sector, government and academic perspectives. The Summit will also include a technology showcase at which cybersecurity companies from Virginia, Maryland and D.C. can promote their products and services, network, and connect with potential customers, partners, investors and employees. Tenable CEO Amit Yoran is speaking in a fireside chat at the Capitol Cybersecurity Summit about the importance of strong cyber hygiene as a key part of any cybersecurity strategy. Amit will also touch on the importance of quickly addressing vulnerabilities, stressing that almost 50% of all breaches are caused by known vulnerabilities.

Infosecurity North America (New York, New York, USA, November 14 - 15, 2018) With 23+ years of global experience creating leading information security events, Infosecurity Group is coming to New York in November 2018. Infosecurity North America will provide a focussed business event environment that facilitates valuable networking, immersive learning and leads the critical debate through cutting-edge content. The Infosecurity North America conference program provides access to the latest information security insight presented by leading experts, practitioners and thought leaders. The panel discussions, presentations, demos and workshop will provide you with the information and skills you need to strengthen your organization’s cyber defenses against the threats of tomorrow.

Kingdom Cyber Security (Riyadh, Saudi Arabia, November 20 - 21, 2018) Setting a game plan to boost cyber resilience at the national level.

API Security Summit (London, England, UK, November 21, 2018) The API Security Summit, taking place in London on the 21st of November 2018 will bring together the financial services community, regulators, fintechs, TPPs and associations from across UK and Europe to find solutions to the current lack of standardisation, debate what standards/legislation may emerge in 2019, and how to plan with these in mind.

Army Autonomy and Artificial Intelligence Symposium and Exposition (Detroit, Michigan, USA, November 28 - 29, 2018) This symposium will explore and showcase innovative ways the U.S. Army is developing critical capabilities in robotics, autonomy, machine learning, and artificial intelligence. The goals are to explore how the Army-Industry team can best collaborate to achieve cost-effective, innovative solutions to military problems, seamlessly reallocate resources as conditions change, and with the speed and efficiency that adversaries cannot match.

The Cyber Security Summit: Los Angeles (Los Angeles, California, USA, November 29, 2018) This event is an exclusive conference connecting Senior Level Executives responsible for protecting their company’s critical data with innovative solution providers & renowned information security experts. Learn from cyber security thought leaders and Engage in panel discussions focusing on trending cyber topics such as Sr. Leadership’s Best Approach to Cyber Defense, What’s Your Strategic Incident Response Plan?, Protecting your Enterprise from the Human Element and more. Your registration includes a catered breakfast, lunch, and cocktail reception. Receive half off your admission with promo code cyberwire50 at CyberSummitUSA.com and view details including the full agenda, participating solution providers & confirmed speakers. Tickets are normally $350, but only $175 with promo code.

Securing Digital ID 2018 (Alexandria, Virginia, USA, December 4 - 5, 2018) As an increasing number of transactions move online and are mobile-enabled, the conference will explore today’s complex world of digital identities and how they are used for strong authentication and remote authorization. Securing Digital ID is a unique event for executives, policy makers, product developers and engineers interested in identity security and authentication. The conference will be held in partnership with TWST Events on December 4-5, 2018 at the Hilton Alexandria Mark Center minutes from Washington, D.C.

First Annual Maryland InfraGard Cybersecurity Conference (College Park, Maryland, USA, December 5, 2018) InfraGard is a partnership between the FBI and members of the private sector. The InfraGard program provides a vehicle for seamless public-private collaboration with government that expedites the timely exchange of information and promotes mutual learning opportunities relevant to the protection of Critical Infrastructure. With thousands of vetted members nationally, InfraGard's membership includes business executives, entrepreneurs, military and government officials, computer professionals, academia and state and local law enforcement; each dedicated to contributing industry specific insight and advancing national security.

International Cyber Risk Management Conference (Hamilton, Bermuda, December 6 - 7, 2018) Now in its fourth year in Canada, the International Cyber Risk Management Conference (ICRMC) has earned a reputation as one of the world’s most trusted cyber security forums. We are proud to bring ICRMC to Bermuda, the “world’s risk capital,” where we, with the support of a stellar advisory committee, will focus on cyber risk with an emphasis on insurance and risk-transfer solutions.

2018 Cloud Security Alliance Congress (Orlando, Florida, USA, December 10 - 12, 2018) Today, cloud represents the central IT system by which organizations will transform themselves over the coming years. As cloud represents the future of an agile enterprise, new technology trends, such as Internet of Things (IoT), FOG Computing, Block Chain and Artificial Intelligence will extend the benefits of cloud - but also create new attack vectors for ambitious and resourceful adversaries. Additionally, the compliance landscape continues to evolve creating new challenges in delivering, measuring, and communicating compliance through multitude of regulations across multiple jurisdictions. The Cloud Security Alliance and MIS Training Institute have partnered to host the 2018 Cloud Security Alliance Congress on December 10-12 at the Omni Orlando Resort in ChampionsGate, Florida. This year’s event welcomes world leading security experts and cloud providers to discuss global governance, the latest trends in technology, the threat landscape, security innovations, best practices and global governance in order to help organizations address the new frontiers in cloud security.

Wall Street Journal Pro CyberSecurity Executive Forum (New York, New York, USA, December 11, 2018) The WSJ Pro Cybersecurity Executive Forum will bring together senior figures from industry and government to discuss how senior executives can best prepare for hacking threats, manage breaches, and work with government cybersecurity authorities and regulators. The forum will offer insights, practical advice, case studies and workshops tailored to the needs of executives and managers. (Request an invitation at the link.)

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listens all over the world, companies trust the CyberWire to get the message out. Learn more.

GPS jamming? Jihadist look to account hijacking. Report on Magecart. Cathay Pacific post-mortem. Data risks, cyber norms.