Sendmail flaw tests Homeland Security

By Robert Lemos 
Staff Writer, CNET
March 3, 2003, 5:13 PM PT

A critical flaw in Sendmail, the Internet's most popular e-mail
server, has become the first test for the newly minted Department of
Homeland Security and its cyberdefense arm.

The DHS's Directorate of Information Analysis and Infrastructure
Protection (IAIP) worked with security company Internet Security
Systems, which discovered the flaw, and Sendmail Inc. to create a
patch while keeping news of the issue from leaking to those who might
exploit the vulnerability.

"Working with the private sector, we alerted key owners of the
vulnerable software and got them talking," said David Wray, spokesman
for the IAIP Directorate. "We think this is a great example of how
this should, and does, work."

The Department of Homeland Security got high marks from the security
community for giving companies the necessary time to create the patch
and for synchronizing its release.

"This is the model for what you do if you want to find a
vulnerability," said Alan Paller, director of research for the
SysAdmin, Audit, Network and Security (SANS) Institute, a research and
education group that lets security companies, system administrators
and others share information. "The DHS are the ones that can put the
pressure on all the vendors and keep it quiet."

In the future, the Department of Homeland Security will be the U.S.
agency that will manage any response to major cyberthreats.

The three organizations that have previously handled the United States
government's response to cyberthreats--the National Infrastructure
Protection Center (NIPC), the Federal Computer Incident Response
Center (FedCIRC), and the National Communication System
(NCS)--officially became part of the Department of Homeland Security
on Friday at midnight. The third of NIPC personnel that handled
investigations, rather than response, have returned to the FBI. The
IAIP Directorate has now absorbed the NIPC's response personnel and

Internet Security Systems originally reported the flaw to the NIPC in
mid-January. The agency helped notify other companies and the Sendmail
Consortium, the open-source project that develops the mail-server

"They were a good resource in helping us make sure that the protection
was put in place," Greg Olson, chairman and co-founder of Sendmail
Inc., said of the National Infrastructure Protection Center responder
personnel (now with the directorate). "You need to contact a lot of
people and make sure they understand this is important and (make sure
they) apply the patch." Sendmail Inc. develops a proprietary version
of the mail server.

In February, the Bush administration unveiled the completed National
Strategy to Secure Cyberspace and laid out five major efforts: to
create a cyberspace security response system, to establish a threat
and vulnerability reduction program, to improve security training and
awareness, to secure the government's own systems and to work
internationally to solve security issues.

The IAIP is one of five directorates under the umbrella of the
Department of Homeland Security. The others are Management, Science
and Technology, Border and Transportation Security, and Emergency
Preparedness and Response.
