Morning Security Brief: Cyberdisaster Exercise, Software Security, Pandemic Tools, and More
Facebook page is protected speech, lessons from a mock cyberdisaster, the push to hold software companies accountable for flaws, the problem with PDFs, going digital with pandemic information tracking, and deadly bomb scanner hoax saga continues.
► Facebook page criticizing a teacher is constitutionally protected speech, rules a U.S. Magistrate, allowing a lawsuit to proceed that was brought by the student who originally posted the page while in high school. The then honor student was suspended for several days for cyberbullying and removed from honors classes. The suit seeks to expunge the record and establish the principle of a student's rights in such a case, the student's lawyer says, according to the CNN report.
► Cyber ShockWave, a mock cyberdisaster exercise, was hosted yesterday by the Bipartisan Policy Center, a Washington, D.C., think tank. Former U.S. Secretary of Homeland Security Michael Chertoff, former U.S. Deputy Attorney General Jamie Gorelick, and Stewart Baker, a former assistant secretary for cybersecurity policy at the U.S. Department of Homeland Security, were among the participants, reports Grant Gross of IDG News Service for PC World. They role-played a major attack in order to draw lessons that could help in a real one. One participant's conclusion, writes Gross, was that "The U.S. doesn't have a well-developed policy for responding to major cyberattacks."
► Representatives from more than 30 organizations, including SANS, Mitre, the U.S. Department of Homeland Security, the National Security Agency, Apple, and Microsoft, are pushing for custom software developers to be held liable for insecure code they write, reports Dark Reading. The call was issued alongside the SANS release of the Top 25 programming flaws. The idea is to make software companies contractually bound to avoid those common flaws, or bugs, thereby establishing a minimum standard of care, writes Kelly Jackson Higgins. Supporters say the intent is not perfect security, but Gary McGraw, CEO of Cigital, worries that such contract language would only invite lawsuits against software companies once the inevitable security flaws surface. The report also notes that the SANS list now includes mitigation information for the first time.
► "Malicious PDF files comprised 56% of exploits in 1Q09, growing to 80% of all exploits by 4Q09," reports ZDNet.
► Technology Review has an Associated Press article on the use of digital tools in pandemics, and how they are transforming the way information can be quickly shared to improve tracking of an outbreak. "With instant two-way communication unavailable during past pandemics and smaller outbreaks, the public now can help paint a fuller picture of what's happening and complement the often delayed and restrained announcements from health officials," says the piece. Among the new tools are the CDC News Reader iPhone app, which carries the federal agency's swine flu updates, and HealthMap's Outbreaks Near Me, which gathers reports from users. But misinformation about outbreaks from an unfettered public could cause panic, the piece notes.
► A device sold as a bomb scanner to scores of countries is likely nothing more than a deadly hoax, confirms a new round of tests by the Thai government, one of many governments that have spent millions on the GT200 from the firm Global Technologies, run by Jim McCormick, who is alleged to be perpetrating a fraud, reports Dan Rivers of CNN (www.cnn.com/2010/WORLD/asiapcf/02/16/thailand.bomb.scanner/). For more on the device and its sordid history, listen to the Jan. 27 podcast from the Skeptics' Guide to the Universe, specifically the segment on dowsing for bombs. And see the BBC's January report on why the U.K. has banned export of the bomb scanning device sold by McCormick under another name, the ADE 651.