[ISN] Sendmail flaw tests Homeland Security

From: InfoSec News (isnat_private)
Date: Tue Mar 04 2003 - 02:06:44 PST

  • Next message: InfoSec News: "[ISN] Security firm shuttered by sabotage"

    By Robert Lemos 
    Staff Writer, CNET News.com
    March 3, 2003, 5:13 PM PT
    A critical flaw in Sendmail, the Internet's most popular e-mail
    server, has become the first test for the newly minted Department of
    Homeland Security and its cyberdefense arm.
    The DHS's Directorate of Information Analysis and Infrastructure
    Protection (IAIP) worked with security company Internet Security
    Systems, which discovered the flaw, and Sendmail Inc. to create a
    patch while keeping news of the issue from leaking to those who might
    exploit the vulnerability.
    "Working with the private sector, we alerted key owners of the
    vulnerable software and got them talking," said David Wray, spokesman
    for the IAIP Directorate. "We think this is a great example of how
    this should, and does, work."
    The Department of Homeland Security got high marks from the security
    community for giving companies the necessary time to create the patch
    and for synchronizing its release.
    "This is the model for what you do if you want to find a
    vulnerability," said Alan Paller, director of research for the
    SysAdmin, Audit, Network and Security (SANS) Institute, a research and
    education group that lets security companies, system administrators
    and others share information. "The DHS are the ones that can put the
    pressure on all the vendors and keep it quiet."
    In the future, the Department of Homeland Security will be the U.S.  
    agency that will manage any response to major cyberthreats.
    The three organizations that have previously handled the United States
    government's response to cyberthreats--the National Infrastructure
    Protection Center (NIPC), the Federal Computer Incident Response
    Center (FedCIRC), and the National Communication System
    (NCS)--officially became part of the Department of Homeland Security
    on Friday at midnight. The third of NIPC personnel that handled
    investigations, rather than response, have returned to the FBI. The
    IAIP Directorate has now absorbed the NIPC's response personnel and
    Internet Security Systems originally reported the flaw to the NIPC in
    mid-January. The agency helped notify other companies and the Sendmail
    Consortium, the open-source project that develops the mail-server
    "They were a good resource in helping us make sure that the protection
    was put in place," Greg Olson, chairman and co-founder of Sendmail
    Inc., said of the National Infrastructure Protection Center responder
    personnel (now with the directorate). "You need to contact a lot of
    people and make sure they understand this is important and (make sure
    they) apply the patch." Sendmail Inc. develops a proprietary version
    of the mail server.
    In February, the Bush administration unveiled the completed National
    Strategy to Secure Cyberspace and laid out five major efforts: to
    create a cyberspace security response system, to establish a threat
    and vulnerability reduction program, to improve security training and
    awareness, to secure the government's own systems and to work
    internationally to solve security issues.
    The IAIP is one of five directorates under the umbrella of the
    Department of Homeland Security. The others are Management, Science
    and Technology, Border and Transportation Security, and Emergency
    Preparedness and Response.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Mar 04 2003 - 04:38:41 PST