
Sendmail flaw tests Homeland Security

The newly minted Department of Homeland Security did a credible job of pushing for a fix to the Net's most popular e-mail server and keeping the issue quiet, say experts.

Robert Lemos Staff Writer, CNET News.com
A critical flaw in Sendmail, the Internet's most popular e-mail server, has become the first test for the newly minted Department of Homeland Security and its cyberdefense arm.

The agency's Directorate of Information Analysis and Infrastructure Protection (IAIP) worked with security company Internet Security Systems, which discovered the flaw, and Sendmail Inc. to create a patch while keeping news of the issue from leaking to those who might exploit the vulnerability.

"Working with the private sector, we alerted key owners of the vulnerable software and got them talking," said David Wray, spokesman for the IAIP Directorate. "We think this is a great example of how this should, and does, work."

Word of the vulnerability, which would let an attacker take control of a Sendmail server and execute a malicious program, was more widely disseminated Monday. The Department of Homeland Security got high marks from the security community for giving companies the necessary time to create the patch and for synchronizing its release.

"This is the model for what you do if you want to find a vulnerability," said Alan Paller, director of research for the SANS Institute, a research and education group that lets security companies, system administrators and others share information. "The DHS are the ones that can put the pressure on all the vendors and keep it quiet."

In the future, the Department of Homeland Security will be the U.S. agency that will manage any response to major cyberthreats.

The three organizations that have previously handled the U.S. government's response to cyberthreats--the National Infrastructure Protection Center (NIPC), the Federal Computer Incident Response Center (FedCIRC), and the National Communication System (NCS)--officially became part of the Department of Homeland Security late last week. The third of NIPC personnel that handled investigations, rather than response, have returned to the FBI. The IAIP Directorate has now absorbed the NIPC's response personnel and role.

Internet Security Systems originally reported the flaw to the NIPC in mid-January. The agency helped notify other companies and the Sendmail Consortium, the open-source project that develops the mail-server code.

"They were a good resource in helping us make sure that the protection was put in place," Greg Olson, chairman and co-founder of Sendmail Inc., said of the response staff at NIPC, now with the directorate. "You need to contact a lot of people and make sure they understand this is important and (make sure they) apply the patch." Sendmail Inc. develops a proprietary version of the mail server.

In February, the Bush administration unveiled the completed National Strategy to Secure Cyberspace and laid out five major efforts: to create a cyberspace security response system, to establish a threat and vulnerability reduction program, to improve security training and awareness, to secure the government's own systems and to work internationally to solve security issues.

The IAIP is one of five directorates under the umbrella of the Department of Homeland Security. The others are Management, Science and Technology, Border and Transportation Security, and Emergency Preparedness and Response.