[ISN] Symantec issues bogus warning of full-scale Internet meltdown

From: InfoSec News (alerts@private)
Date: Mon Sep 24 2007 - 22:17:20 PDT


By Gregg Keizer
September 22, 2007 

Symantec Corp.'s early-warning system gave its enterprise customers a 
brief scare late Friday when it erroneously sent an alert that said an 
Internet-crippling attack was in progress.

The message, which went out to users of Symantec's DeepSight advanced 
alert system around 8:40 p.m. Eastern time, had a subject head that 
simply read: "DeepSight Increased ThreatCon from 1 to 4 Alert."

ThreatCon uses a 1-4 scoring system, with 1 being the least alarming 
threat level and 4 the most dire, to indicate Symantec's take on the 
current state of Internet security. According to the company's own 
definition, Level 4 is regarded as a "Full alert" and is reserved for 
those times when "extreme global network incident activity is in 
progress." The definition goes on to say that "implementation of 
measures in this Threat Condition for more than a short period probably 
will create hardship and affect the normal operations of network 

Symantec has never set ThreatCon to Level 4. In fact, even a Level 3 is 
rare. One of the last times the Cupertino, Calif.-based security company 
issued a Level 3 alert was in May 2004, when the Sasser worm was on the 

In the body of the e-mailed alert, however, careful readers found the 
words "Summary: threatcon test threatkhanh otrs" buried among several 

The alert was a false alarm, Symantec said just over an hour later in a 
follow-up message at 9:45 p.m. Eastern time. "The DeepSight Threat 
Management System is NOT at ThreatCon 4. At 18:40 MST on September 21, 
2007 an erroneous ThreatCon 4 update was issued through DeepSight TMS 
due to product testing. This ThreatCon 4 update should be disregarded."

A similar message posted on the DeepSight Threat Management System 
Web-based console ended with: "The ThreatCon has been returned to the 
correct level, ThreatCon 1."

