E-Mail Flaw Tests U.S. Safety Net
By Michelle Delio
02:00 AM Mar. 07, 2003 PT
What appeared to be just another alert detailing a security flaw in a widely used e-mail transfer application this week has since been revealed to
have also been a trial run of the new U.S. Department of Homeland Security's cyberprotection system.
According to information circulated by the SANS Institute, a security information outfit, Monday's disclosure of a vulnerability in Sendmail -- which
is installed on at least 1.5 million systems and handles a large amount of the Internet's e-mail traffic -- was coordinated by the new federal
After being alerted back in December to the Sendmail flaw by Internet Security Systems, a private security firm, Homeland Security officials contacted
more than 20 software vendors that bundle Sendmail with their products, including Hewlett-Packard, IBM, Apple Computer and Sun Microsystems, to
coordinate the development and release of patches.
Homeland Security also made sure critical military and government systems were patched before Internet Security Systems released a general alert on
It's difficult to gauge the effects of the early warning system, however, since subsequent information about the flaw suggests that it may not be as
dangerous as originally thought.
Security pros said the government's effort to protect systems before the hole went public is a good first step.
But they also wondered whether any national cybersecurity force could ever be truly useful in the "real world," where systems administrators don't
have the luxury of knowing that vulnerability information will be kept under wraps while they shore up their systems.
Security experts have criticized security information clearinghouses like the CERT Coordination Center and the FBI's National Infrastructure
Protection Center (now part of Homeland Security) for being too slow to report important issues.
"By the time CERT or NIPC issues an alert, the warning has often been posted hours beforehand on one or more of the major security mailing lists,"
said network security consultant Mike Sweeney. "Security people want to have information about a flaw before the problem lands in their systems."
Security researcher Robert Ferrell agreed.
"Hours are an eternity in IT terms," he said. "The Slammer worm did a great deal of its damage in 10 minutes. By the time the official advisories
came out, we were mopping up."
Experts said that the only way a national clearinghouse will be effective is if it has people monitoring the major security mailing lists and
immediately relaying any information posted there.
Preliminary alerts based on unsubstantiated information could be marked as such, and later alerts with confirmed information could be circulated after
the government team has had a chance to analyze the information.
"So long as DHS keeps trying to cover all their bases and refrains from reporting until they're sure about everything, they'll come in dead last
every time," Ferrell said.
"This is a fast-paced world where every move is a gamble. If you want to be in the notification business, you have to be prepared to deal with the
fact that you're going to be wrong at least some of the time, and you must keep what you know to be true and what you suspect might be true separate,
distinct and clearly marked."
Page 1 of 2 next ª