ZDNet UK


Sendmail flaw tests new security body

Published: 04 Mar 2003 08:36 GMT


A critical flaw in Sendmail, the Internet's most popular email server, has become the first test for the US' newly minted Department of Homeland Security and its cyberdefence arm.

The DHS's Directorate of Information Analysis and Infrastructure Protection (IAIP) worked with security company Internet Security Systems, which discovered the flaw, and Sendmail to create a patch while keeping news of the issue from leaking to those who might exploit the vulnerability.

"Working with the private sector, we alerted key owners of the vulnerable software and got them talking," said David Wray, spokesman for the IAIP Directorate. "We think this is a great example of how this should, and does, work."

The Department of Homeland Security got high marks from the security community for giving companies the necessary time to create the patch and for synchronising its release.

"This is the model for what you do if you want to find a vulnerability," said Alan Paller, director of research for the SysAdmin, Audit, Network and Security (SANS) Institute, a research and education group that lets security companies, system administrators and others share information. "The DHS are the ones that can put the pressure on all the vendors and keep it quiet."

In the future, the Department of Homeland Security will be the US agency that manages any response to major cyberthreats.

The three organisations that have previously handled the United States government's response to cyberthreats -- the National Infrastructure Protection Center (NIPC), the Federal Computer Incident Response Center (FedCIRC), and the National Communication System (NCS) -- officially became part of the Department of Homeland Security on Friday at midnight. The third of NIPC personnel who handled investigations, rather than response, have returned to the FBI. The IAIP Directorate has now absorbed the NIPC's response personnel and role.

Internet Security Systems originally reported the flaw to the NIPC in mid-January. The agency helped notify other companies and the Sendmail Consortium, the open-source project that develops the mail-server code.

"They were a good resource in helping us make sure that the protection was put in place," Greg Olson, chairman and co-founder of Sendmail Inc., said of the National Infrastructure Protection Center responder personnel (now with the directorate). "You need to contact a lot of people and make sure they understand this is important and (make sure they) apply the patch." Sendmail Inc. develops a proprietary version of the mail server.

In February, the Bush administration unveiled the completed National Strategy to Secure Cyberspace and laid out five major efforts: to create a cyberspace security response system, to establish a threat and vulnerability reduction program, to improve security training and awareness, to secure the government's own systems and to work internationally to solve security issues.

The IAIP is one of five directorates under the umbrella of the Department of Homeland Security. The others are Management, Science and Technology, Border and Transportation Security, and Emergency Preparedness and Response.

