Sendmail Bug Tests US Dept Homeland Security
yanestra writes "CNET reports that the reported Sendmail bug has been a test for the US Department of Homeland Security which seems to have managed information flow in this case."
"What's the sendmail bug of this week?"
The trend is back!
And it's taken them this long to set up a system like this. I'm glad Bush got his act together and appointed someone to the administration who actually cared about information technology, otherwise this may have taken much longer.
While keeping news of the issue from leaking to those who might exploit the vulnerability.
Free flow of information > Security
"I only speak the truth"
Karma: null(Mostly affected by an unassigned variable)
Interesting to read that the government is involved with this -- kind of makes you wonder what happened to CERT, which always used to coordinate public disclosure of and vendor response to bugs like this.
The fact that CERT always seemed to do a decent job makes this even more interesting. The biggest criticisms voiced about CERT were that they acted too slow and didn't provide enough detail information about problems (other than to acknowledge the general nature of it). How will the government do better in these areas?
My guess is that the answer to the latter question is 'not much', and that we'll start hearing the same complaints about the Dept. of Homeland Security soon...
This is actually quite encouraging. Having an organization that deals with the painful process of contacting each vendor and major user of a program with a newly discovered vulnerability is a major improvement. They also seem to have the law behind them (is this true?), so we finally have someone that can force people to fix security holes. I don't quite like the homeland-security big-brother model, but it worked nicely in this case and got the job done, something pretty hard in the Internet jungle.
Are they saying that this worked perfectly? If so, what about the next exploit? What if Joe Nobody finds a hole, and makes it public before the DHS gets with the makers of the software? What about the businesses in the private sector that fail to patch their systems? Wasn't the fix for SQL Slammer out for months? I'm sure this is a step in the right direction, but really, what happens next time?
Sometimes I doubt your commitment to Sparkle Motion.
Sendmail is a very flexible mail package...too flexible for most people.
Its power and configuration settings make it a good choice for admins who have taken the time to read up on it. However, more often than not we find that there are a lot of lazy admins out there who just get it "up and running" and don't care to understand the security issues with the server. While I've used sendmail for years in the past, I now use postfix. There are a slew of other mail programs out there that can be configured without having to use m4 rules, understand sendmail's rewrite methods etc. I would suggest that if you must have a mail server up, but don't want to take the time to learn sendmail, PLEASE, use something else. I realize this is a little off-topic but it's not too much. It all boils down to securing the net. That takes more than a few bug fixes (and YES you must apply all of them) and a good admin to configure the server/services.
Sendmail flaw tests Homeland Security
By Robert Lemos
Staff Writer, CNET News.com
March 3, 2003, 5:13 PM PT
A critical flaw in Sendmail, the Internet's most popular e-mail server, has become the first test for the newly minted Department of Homeland Security and its cyberdefense arm.
The DHS's Directorate of Information Analysis and Infrastructure Protection (IAIP) worked with security company Internet Security Systems, which discovered the flaw, and Sendmail Inc. to create a patch while keeping news of the issue from leaking to those who might exploit the vulnerability.
"Working with the private sector, we alerted key owners of the vulnerable software and got them talking," said David Wray, spokesman for the IAIP Directorate. "We think this is a great example of how this should, and does, work."
The Department of Homeland Security got high marks from the security community for giving companies the necessary time to create the patch and for synchronizing its release.
"This is the model for what you do if you want to find a vulnerability," said Alan Paller, director of research for the SysAdmin, Audit, Network and Security (SANS) Institute, a research and education group that lets security companies, system administrators and others share information. "The DHS are the ones that can put the pressure on all the vendors and keep it quiet."
In the future, the Department of Homeland Security will be the U.S. agency that will manage any response to major cyberthreats.
The three organizations that have previously handled the United States government's response to cyberthreats--the National Infrastructure Protection Center (NIPC), the Federal Computer Incident Response Center (FedCIRC), and the National Communication System (NCS)--officially became part of the Department of Homeland Security on Friday at midnight. The third of NIPC personnel that handled investigations, rather than response, have returned to the FBI. The IAIP Directorate has now absorbed the NIPC's response personnel and role.
Internet Security Systems originally reported the flaw to the NIPC in mid-January. The agency helped notify other companies and the Sendmail Consortium, the open-source project that develops the mail-server code.
"They were a good resource in helping us make sure that the protection was put in place," Greg Olson, chairman and co-founder of Sendmail Inc., said of the National Infrastructure Protection Center responder personnel (now with the directorate). "You need to contact a lot of people and make sure they understand this is important and (make sure they) apply the patch." Sendmail Inc. develops a proprietary version of the mail server.
In February, the Bush administration unveiled the completed National Strategy to Secure Cyberspace and laid out five major efforts: to create a cyberspace security response system, to establish a threat and vulnerability reduction program, to improve security training and awareness, to secure the government's own systems and to work internationally to solve security issues.
The IAIP is one of five directorates under the umbrella of the Department of Homeland Security. The others are Management, Science and Technology, Border and Transportation Security, and Emergency Preparedness and Response.
Sendmail always has been and always will be a security risk.
Superior alternatives exist... so why is anyone still using sendmail???
Conformity is the jailer of freedom and enemy of growth. -JFK
Speaking of the Dept. of Homeland Security, here's an link to an article with some suggestions to Tom Ridge on how to improve his department, so that it actually keeps the citizenry well-informed and aware of possible terrorist threats and how to handle them (as opposed to keeping them scared and in an information blackout).
Bush Lies Watch
We all got notified to patch our systems immediately.
Everyone is working together to get all the systems running sendmail patched.
While this doesn't seem like a big deal in the corporate world, in the government world, all red tape has been removed and we can make changes to critical systems INSTANTLY.
FIX FIRST, meet later. It's an entirely different attitude, and it allows me to do my job more efficiently. It works.
The reason I ask is because this type of co-operation between public defense organisations and the private sector is likely to become much more important as we come to rely more on these technologies, OR if we ever see any kind of cyber-terrorism. Ideally there would be a single point through which relevant information flows - as hinted at in the article, any leaks could be a problem.
Do these agencies have a reputation for hiring good security people?
Vacancy for signature. Apply within.
Should the DHS have this responsibility? to notify the companies that have a vulnerability once it's found? Who watches the watchers?
If the dept. wants to inquire information on specific businesses or corporations, they will get the key to enter from security companies (exploits).
I think this is wrong, security holes should be announced freely, the solution is not secrecy, it's education, to teach the administrators to apply the patches needed properly and always stay up to date.
The DHS should take care of their own systems and leave cyberspace alone, I think the internet community as a whole is doing very well for itself and does not need a babysitter.
Posting useless rant since 2003.
NSA going to do with all of their newfound free time? According to the article:
In the future, the Department of Homeland Security will be the U.S. agency that will manage any response to major cyberthreats.
Will the DHS publish Security Recommendation Guides like the NSA?
made me laugh thanks
If you're in the U.S., check out the Daily Show on Comedy Central. Very, very funny, and what's more, real......
http://www.comedycentral.com/tv_shows/ds/
regards
John Jones
Wouldn't it be best to issue a statement like "sendmail has an exploitable vulnerability, we recommend that you switch to your standby alternate mail system until we release a fix"? There is no way that blackhats would figure out where to look from a statement like that, and those of us with really good security could switch to our exim-based solution if we really feared to be hacked. Basically, do we trust the homeland security dept to determine our security policy?
That being said, good to see a well coordinated patch release. I just wish the paranoids would get advance warning.
Stop the brainwash
Is the U.S. Department of Homeland Security also going to try and take care of software developed internationally?
For example, it seems that a lot of OpenSSH development is done in Canada and Germany. And the server is run out of Canada.
The OpenSSL team looks primarily international too (UK, Germany, Sweden, New Zealand). Their server is managed by Brits and Swedes.
Actually... I think you'll find that a lot of crypto software is based outside the US. Probably due to constraints placed on crypto development in the last decade.
They have wayyyyy too much power for their own good. And that department can easily become the homeland citizen control center overnight with the appointment of only one self-righteous "patriot" that needs to protect this country from the non-patriots.
I want a homeland security security office.. an office that does nothing but watch them and can stop or shut them down at a moment's notice.
I don't trust them, and given the levels of corruption today, it's only a matter of a short time before you become a "traitor" or a criminal of the homeland security office for simply viewing a DVD or hearing a song or reading a book.
I certainly didn't hear about this until a number of groups announced it yesterday, but then, I stopped running sendmail after the umpteenth root exploit back in the 90s, so I couldn't give a damn about it.
Regardless, I read the exploit has been known since January of this year. Is this correct? If so, I find it hard to believe The Office of Homeland Security kept this under wraps and away from the hacker community for this long a period of time. The announcement and fix to this exploit are anything but timely.
I have heard that sendmail is the most complicated program ever developed, is this true in any way? Sendmail can do a lot and there are frequent security issues, most of which get fixed very quickly, but it has to be better than Exchange, doesn't it?
The article says:
...
A critical flaw in Sendmail, the Internet's most popular e-mail server,
But I've been reading all these claims that Outlook handles 99% of all email.
Which of these claims is a lie?
(Is it possible that they're both lies?)
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
I don't see how the US government can even think of taking credit for this patch. From what I have read about it, it has been around since circa 1987.
Giving Sendmail Inc. the proper "mask" so terrorists wouldn't find this problem is ridiculous. Anyone can look through the source and find these exploits if they do exist. Just DHS got to it first.
Scares me that they are running Sendmail though on their mail servers, since it has more holes than a wiffle ball and they are supposed to be about security and defense.
waiting for the day...
Caption: "Soldier, send an email to the lieutenant"
Soldier: "I can't sir I am getting terrorist spam....scary looking at a naked bin laden....ewwwww"
Caption: "mmmmm spam!"
I liked the handling of ssh's problems last year much better. "Heads up, there's a problem in these versions. We'll let you know exactly what after we get the patch out." It's not enough to give a hacker a reasonable foot up, but it gets the service off the network should anyone already be quietly taking advantage of the weakness.
Quote:
"Working with the private sector, we alerted key owners of the vulnerable software and got them talking," said David Wray, spokesman for the IAIP Directorate. "We think this is a great example of how this should, and does, work."
The Department of Homeland Security got high marks from the security community for giving companies the necessary time to create the patch and for synchronizing its release.
"This is the model for what you do if you want to find a vulnerability," said Alan Paller, director of research for the SysAdmin, Audit, Network and Security (SANS) Institute
1st part of the check: Someone is claiming this was known in December.
It is now March.
Where is the evidence that The Department of Homeland Security was told about this by ISS before the ISS data:
Vendor Notification Schedule:
Initial vendor notification: 1/13/2003
Initial vendor confirmation: 1/13/2003
Final release schedule confirmation: 1/31/2003
Is this a case of The Department of Homeland Security Puffing up its chest, a case of TDHS giving info to ISS, ISS 1st goes to governments before the code authors, or something else?
Once again, ISS have let the community down. Instead of informing the vendors, or CERT, or even just posting to Bugtraq, they informed the USG first. As a result .mil sites had the patch four days before anyone else (so far as we know) was even aware that there was an issue. [Although they claim that they checked their private "sensor" networks, somehow I doubt they have better coverage than eg DShield.org.] This is unacceptable behaviour for an info-sec company that wants to be a responsible member of the community, and of course is just the latest in a list of behaviour that I at least consider unethical. I work for an ISS reseller outside the USA, and I will be exercising my influence internally to push for replacing the ISS products either with Free alternatives, or proprietary products from companies with a better grasp of their responsibilities. BTW we have several very big global clients.
It sounds cool to have the US govt leaning on vendors to write patches, but I have a feeling that if this becomes the norm, vendors will just push DHS for longer and longer lead times. The article indicates this particular bug was known since January. Two months is a pretty long time to wait for patches!
And this is just DHS's "first test" - I imagine after they build up a cozy relationship with the major security-problem vendors (i.e. Microsoft), they might not even disclose any known flaws until patches come out (i.e. months to "never").
Remember that government officials will probably listen a lot more attentively to "captains of industry" (i.e. MS) than "those unwashed hippy hackers" (i.e. the open-source community).
That's it. I'm quitting the profession as soon as I can find something that pays just enough.
This is the beginning of the end. It's not hard to imagine an "Office of System Software Security Review" or some other government group of 'experts' that mandates all software go through their security analysis. I'm sorry. I have enough trouble explaining my code and system architecture to corporate 'security experts' (the types that don't understand TLS/SSL or SSH, and insist that we use tcp_wrappers enabled tftp since it doesn't use plain-text passwords going over the network!).
So the big question is, what do I do with my life now? Maybe open a Subway sandwich shop. Any other suggestions?
_______
2B1ASK1
Why don't they go after Microsoft and force them to patch IIS instead? Well, we all know why.
Oh, and don't forget: stock up on duct tape. It scares our enemies.
Although there have been a few grumblings, it looks like there are a lot of others who feel the same way I do: it's perfectly OK to have a short lag time between vulnerability discovery and disclosure, as long as the Baddies don't start taking advantage of the situation before the patches are available. In this case, I read that the lag time was about 2 weeks, which seems perfectly reasonable.
Kudos to all involved!
Check out my eclectic infosec blog at InfoSecPotpou
Does anybody else find it disturbing that "good security" is being equated with "keeping exploits quiet"?
It's precisely the threat of publicity that pressures vendors into patching their compromised software quickly. If that threat is relieved, by Official KeepYerDamnMouthShut Orders from a government body, those same vendors may start to think "Phew, now we can wait for the next upgrade".
This is Not a Good Thing.
There's this thing called a SERVER and this thing called a CLIENT.
sendmail? server.
outlook? client.
That's what we need. -More- secrecy in government. You just don't see enough of that these days.
I thought the DHS was just out there trying to get me with the Black Helicopters ....
YOU SUCK BALLS!
So what happens when a Finnish hacker finds a vuln in MS IE...should they tell a foreign government first? What about a French hacker? Or an Iraqi hacker? These problems now transcend national government interests.
--
This sig is inoffensive.
I think it's interesting that the government is getting credit for working with the private sector in releasing information. Part of the point of open sourced software is so that bugs can be found and patched quickly. The CERT email I got yesterday afternoon had MANY patch sources listed by vendor (RedHat, Apple, Sendmail etc) and was timely. I don't believe that the pat on the back goes to Uncle Sam in this situation, but rather the folks at Sendmail who worked to resolve this issue in a timely and organized fashion. They released the information to those who needed to know (including the DHS) and worked on a solution to get this stuff out to the public.
To quote Eric Raymond, "Given enough eyeballs, all bugs are shallow"
Kudos to Sendmail for getting this taken care of.
AF-Design, web development.
> Regardless, I read the exploit has been known since January of this year. Is this correct? If so, I find it hard to believe The Office of Homeland Security kept this under wraps and away from the hacker community for this long a period of time. The announcement and fix to this exploit are anything but timely.
Sorry, but they were too busy buying up stock in duct tape and plastic wrap last month. Everything in good time, my man.
Sheesh, evil *and* a jerk. -- Jade
This is a nice, photogenic, easy dry run. Bully for DHS. But are they ready to get their hands really dirty and take on Microsoft? Patching Sendmail is easy - the OSS community wants to help, Sendmail themselves want to help. But somehow I think Microsoft is going to be a little tougher.
...Why is anyone still reading this one? ;)
In the future, the Department of Homeland Security will be the U.S. agency that will manage any response to major cyberthreats.
I hope these guys have Microsoft's number on speed dial...
Run with Scissors!
My vendor is kaput and there are no sendmail packages.
So what happens when a Finnish hacker finds a vuln in MS IE...should they tell a foreign government first?
Probably...and allies should share information and cooperation with regards to the matter.
Enemies? Umm...generally we expect them to be enemies. That's life.
I'm curious to know whether the NIPC notified non-commercial interests such as the Debian organization? Also, did they notify any non-US-based distributions such as Suse?
It is not clear to me that the NIPC is anything more than a bureaucratic clearing house and censor. I suspect that the security community that is referred to as giving high marks includes only the commercial side of the industry. I'll bet that Mr. Lemos could get a meatier article out of investigating some of these questions.
If the parties involved are actively seeking to fix the problem, in a timely manner, I see no harm in not shouting from the mountain top what the problem is.
I think it reflects well on discoverers of vulnerabilities if they notify the software maintainers first by backchannel means and describe the vulnerability with enough precision for the authors to be able to fix the problem in a timely manner. DoVs should get extra credit if they submit an actual patch that fixes the vulnerability (does not apply to proprietary binary products, clearly).
But the vulnerability is a ticking time bomb out there for users in the real world. The white hat DoV may have discovered the vulnerability after 3 black hats who are shoving it into their latest malware.
The discoverer of the vulnerability and the maintainers of the software are jointly responsible for doing everything in their power to expedite their work, to notify users of the vulnerability, and to provide a patch for them.
Finally, all software users have the responsibility to keep apprised of the latest security alerts and patches for vulnerabilities and to apply them.
If any of the 3 parties: discoverer, software maintainers, software users fall short on any of these responsibilities, then all users will suffer.
As a user, I must rely upon the goodwill of the DoVs and the maintainers.
"Provided by the management for your protection."
So a Finn finds a vuln in MS IE. First thing s/he does is ring the US Government? Dream on! Governments are, by-and-large, too slow and unwieldy to deal with fast-moving problems like these.
--
This sig is inoffensive.
> Outlook isn't an e-mail server, it's a client. Get a clue.
The original poster was rather obviously going for a +5, Funny.
Before I even thought about sending an email, when I logged in this morning, the RedHat network alerted me to a new update for sendmail, downloaded, and installed it, almost like the Windows Update, but with much more speed.
The one thing I didn't like about this article was the idea that this kind of process should be followed by everyone. This is what I saw as the process:
Here's the flaw(s) in this process:
I guess the biggest thing that I don't like about this is that idea that this model will support the Closed Source software model because of the arguments of:
From the test:
solvent:
able to pay all depths (sic)
Test your own spelling first before testing someone else's vocabulary, the bible says.
Sendmail is an MTA. Yes, it works on a server, but it isn't a server program the way something like "MS Exchange" is.
Its job is to receive email and to send email. That's it.
You were mistaken. Which is odd, since memory shouldn't be a problem for you
I thought it was a bit silly at the time (~10 years ago) but I'm starting to wonder.
TWW
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
Did you modify your cubes in your spare time? If not, I could see them being upset; they're probably paying you good money for some kind of technical work, not to play erector set with your office furniture.
According to the article, the vulnerability was discovered mid-january, and only now do we get the warning.
This is definite proof that this definitely does not work. Sendmail should have been shut down over a month ago, but only some crazy American agency - and of course all the black hats - knew about the hole.
Time to rethink the strategy of staying away from closed software. Possibly it should be stay away from closed software and any software developed in the USA.
You say "stop spreading FUD", but you make that highly uneducated comment about the conditions of politics. My advice to you: try to pass 6th grade again, this time you might actually do it!
How exactly is this helping? Control the information flow? How is it then, that links to, and a discussion of, the flaw and possible exploits were publicly available six hours ago on this very website? I wouldn't exactly call a discussion thread on one of the world's largest weblogs "controlling the flow of information."
This is about the level of competency I've come to expect from Large Government Entities.
It would be interesting to see the time line on this... Did it take this long for the patch to be created or did it get left on someone's desk for periods of time before someone spent an hour making the patch.
MG
Randomly distributing Karma whenever possible.
Thanks for the link. You know, I don't think 2 months is exorbitant in this case. As your article states below,
"Because there are so many different flavors of Sendmail, twenty software vendors had to develop a variety of patches for the flaw..."
So, they had to patch a ton of different versions, and you don't necessarily want them issuing a shitty patch. So if you blame anyone, blame those sendmail monkeys for the delay. ;) Given the nature of the coordination effort, I think they did quite well.
-Looking for a job as a materials chemist or multivariat
to make sure the DoHS hasn't gotten Sendmail Inc. to insert any "additional [homeland] security patches" into the build?
No competent sysadmin runs sendmail. It's a huge pile of bug-filled crap that's nightmarish to configure.
Install one of the many far-superior free alternatives that provide the same functionality. Exim, for example. Your applications that call
/usr/lib/sendmail won't even notice.
Well, unless they rely on broken header rewriting and slow delivery...
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
--CERT has been running this "survey" about "internal threats" that companies might have observed between two specific dates. Not from such and such a date until the survey is taken by any respondents, but between two exact dates. I looked, maybe I missed it, but I haven't seen a reason for picking the end date. I can speculate why that might be, but I'll let someone else do that.
/rant
begin more generic rant
Don't know about anyone else, but with Patriot Act 2 coming into law soon, where the government can just call someone a "terrorist" on their say-so, and with the definition just vague enough to apply to just about anyone, it appears, and that means they are now not under any civil protection or rights, I am wondering if they are starting to set up even more infrastructure to add to "the lists".
Anyone who doesn't take the "lists" seriously is someday gonna be waving bye bye from the back of a truck heading..someplace.
When I was growing up, the stuff the US government is doing right now was something we were taught only "bad" places like East Germany did. And those bad places had a complete blend of bureaucracy, large corporations, and then the military and police. Everyone snitched on each other. Government had all the rights, you had none, even if some word drivel was printed on paper someplace, government ignored it. That's exactly what those bad places were.
We were taught that was definitely "wrong".
Now it's "patriotic".
Yes, we have a need for some sort of law enforcement effort on the net, and it's there and quite frankly it's more than enough to function, the net is part of society, but what we are seeing now goes WAY beyond it. And now all these other weird things? Model toy rocket permits now but leave the border just wide open, millions of illegals a year free to just walk across? Huh? They are going to regulate or ban model airplanes, while they have been spraying HUGE amounts of weird crap over America for several years now and outright lying about it? huh?? We have a MAJOR goon run CIA front company called "Wackenhut Security" running private prisons, running for-profit manufacturing efforts using prisoners, running some mental institutions, and now RUNNING ROADBLOCKS on the public highway? This just broke a few days ago, private security org manning roadblocks. Just THINK on this one. We have "secret" Total Informational Awareness efforts codified into law? Is there something about the word "total" that isn't understood? Forced collection of DNA samples at roadblocks? Taking hair and blood samples and you aren't going to be able to say NO? Collation of all purchase records? High level officials who just blatantly WARN YOU that if you are NOT 100% behind their efforts that YOU ARE A TERRORIST? And now they are taking over these internet efforts when it comes to security, telling people what they can and can't do, and this "they" guy will tell you when an exploit gets noted and "official" patches released? Huh? What's to stop them from eventually making little cute distinctions between what they release and what they don't, suppose "they" decide they would like a little pre-patch hacking so they can get into machines THEMSELVES. Maybe they JUST DID THAT, hmmm?
sweet deal for them.
I am against non-disclosure of exploits in a timely manner. Waiting months is not timely. Anyone writing code now can review it before release. Anyone NOT knowing about "security" in general needs to stop and step back away from the keyboard and stop writing code until they "get it" on security, because GUARANTEED if this constant release of buggy code continues, and if people who maintain what are historical examples of just dismal exploitable code that should just be chucked out as lame don't voluntarily just admit it's buggy and pull it off the distribution mirrors, this government will start regulating all releases themselves, after a "review". They don't do it now, but they sure as heck could make it a law tomorrow. In my opinion, it's better to be able to not give them any more excuses. If that's what everyone wants, because known sloppy stuff keeps being used and released, this is what's going to happen. You are going to see licenses, you are going to see full governmental review of code, probably fees attached, stuff like that, I tell you, the internet is going to turn into an electronic "highway", whoops they call it that, so that means that this highway is going to be full of Smokey the Bears and roadblocks and regulations. And I am NOT kidding on that. We saw them just hijacking sites last week. I can see them starting to do that on a much larger scale. And if sites get hosted overseas, you know what, government will have no problems dealing with that, if anyone cares to notice, they have no problems going over stomping on other nations, they can control some wires if they choose to. Host at home, you are going to outfox them? Not when they can just call up your ISP and have you dropped, then they send over some goons to pick you up once you are on the "suspicious" list. And they'll do some of these efforts from major backbones or routers if they have to, I am not so convinced that Carnivore and such-like efforts only have the capability to just sniff.
So, the mandate will be patch first and question whether it will destroy the server and its data later?
There are reasons why not every patch is applied without thought.
...why the hell aren't you using it in the first place?
-Looking for a job as a materials chemist or multivariat
... a Krispy Kreme.
That way you can serve those who are self-serving.
to create a patch while keeping news of the issue from leaking to those who might exploit the vulnerability.
The debian version of the patch wasn't available yesterday. The whole point of delaying the announcement is to get the fix out there ahead of the knowledge of the vulnerability. I'd say their system for "working with vendors" needs some work.
And what exactly is the knowledge dissemination path here? This time the mass media spread knowledge far and wide that attention was needed. They'll get bored after a couple more of these and stop prominently reporting it. How does homeland security plan to get the message out then?
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
...on this "Homeland Security" thing... is that like the Fatherland?
with the US Government being involved in this. I don't feel that it is their job to determine when I should hear about a security vulnerability. Plus, I feel that this gives the US Government an unfair advantage over citizens and foreign governments that might be using the affected software.
It would not stretch my paranoia to ask what would happen if a weakness was found in the Arabic version of PGP. Would HS push its fix as seriously as they would push a similar weakness in the English version? Or would they prefer to keep quiet and only inform the NSA? Or what if a backdoor was found in some American software, would they dare to recommend that the world switch to a corresponding European product that does not have that back door? Or could that be considered un-American? What if the NSA needed access to this back door for some important security reason?
Let's see...a search for advisories on Security Focus with "sendmail" = 100 hits. qmail gives 1 hit, and it isn't even for qmail, it's for "masqmail".
It's time for the sendmail people to start from scratch. You can keep patching all you want (and apparently take two months to do it), but if your initial security design model is flawed, you are going to keep finding holes.
It was old - years old - and to my knowledge, never used as an exploit.
It was found by a white hat - so this isn't a case of "the criminals having all the guns."
Therefore, what are the chances that, though no one found the bug in five years, both a black hat and a white hat will find the same exploit within 2 months of each other? Pretty much nil.
As usual, the chances of an exploit coming out are higher if disclosed. So, in terms of a damage perspective, we have to compare two things: greater chance of attack if disclosed, or greater damage per attack if not disclosed from people not being prepared.
In this case, since the chance of double discovery of this bug was VERY low, the chance of total damage was greater if it was disclosed, giving black hats a head start. So I agree with what they did, and given the scope of the project (patching all flavors of sendmail), two months ain't all that bad.
Ultimately, the government doesn't really care about any RMS-style "info wants to be free" crap. They just want the fewest exploited boxes possible. In this case, their actions were pretty well correct. I don't think this will always be the correct action, so we'll have to watch them on other issues, including how they interact with OSS groups, should the need arise.
You want to accuse someone of 'cyberterrorism?' How about the RIAA, the MPAA, or those who passed the DMCA?
Yes, the handling of this vulnerability was a good joint effort between ISS and the DHS. No, it wasn't anything spectacular. Maybe the DHS will be able to put pressure on our favorite monopoly to 'unenable' some of their terribly insecure features.
Is that your corporate network's security is more important than the national security of the US?
I lost my concept of community when my community lost all concept of me.
I run sendmail on a well connected server, and I'm patching my system of course, but I'm in no real panic to do so.
Why? Because aside from hozing my sendmail, a hacker can't easily touch my box, even if they manage root access via this exploit.
On my FreeBSD server, all services (web, ftp, mail, database, game servers, etc) are run in their own FreeBSD "jails" bound to aliased loopback IPs (127.0.0.200, etc) routed from the real world via NAT and bandwidth restricted via dynamically weighted pipes. Hack my sendmail jail all you like, but at the end of the day you can only receive and send on mail ports and that's about it. So you got r00t; I care why, exactly? You can't do anything with it.
My point here is that the old model of running all services in the host environment is the real problem IMHO. The alternative that most places seem to use is a service per box, which adds its own set of problems. FreeBSD's jail system and similar change the game from "OMG they hacked my server!" to "Oh bother, they hacked my sendmail."
Ever since I've redesigned my server environment to be jail-centric, I've slept much better knowing I don't have to jump so fast every time some security issue comes up with one of the dozen or so services hosted on my server. "Oh, a sendmail exploit, how cute. I'll fix it this weekend, maybe next".
AFAIK, this is something Linux can't match with any efficiency. The closest I know of is User Mode Linux, which is overkill, resource heavy, and I'm not sure how safe it really is (I hand FreeBSD jail root accounts out without much fear).
This isn't one of those "all our freedom and rights are being removed by the evil government" type posts. But yet...
In this case DHS seem to have done a good thing, coordinated the patching and disclosure between different vendors. Now, for me it isn't a stretch to ask the question, what if someone had announced while DHS were still working on it? What if it is a truly critical bug or hole. Say wide open root-enabling flaw in SSH, Samba or some other service that's very common (for the geeks that can't take that as an example without saying that they should never be used as root bla bla bla, please just move on, I'm trying to make a point here, and it's not about best security practices).
Say such a security hole of great magnitude is discovered, and someone announces it publicly on a mailing list. Or say vendor A wants to release the patch immediately, but vendor B wants to test for another week. Vendor A goes ahead and releases it without DHS approval.
In either case, will DHS see it as a risk to homeland security and a prosecutable offense? Is software security now suddenly a matter that the government should oversee? How far does their involvement stretch? Will security discussions require a DHS representative or approval to avoid premature disclosures that could be a threat to homeland security?
I really don't wanna sound alarmist here, but I'm not sure the government getting involved in things like this is a great idea. Software bugs or flaws can be a real threat to a nation, and so DHS should perhaps be involved. But again, I can't help but wonder where that will take us and where that involvement will stop.
Wax-Museum Fire Results In Hundreds Of New Danny DeVito Statues
Think about it, the Department of Homeland Security (and by proxy, the entire US Government) is getting a heads up on potential exploits.
The US spies on it's allies. If you're the Germans, then the NSA are the blackhats. Nobody but the US government themselves should feel more comfortable knowing that they're being informed first.
This has got to be the most expensive form of BugTraq I've ever seen, I can hardly wait till they try it with an Windows bug and Microsoft trys to bargain with them...
the HomeLand Defense Force Fascists HAD ANYTHING to do with this... What a bunch of crap. Is there ANYTHING a politician WON'T claim credit for?
Can we hope that lightning will strike the other Bush and the rest of his inbred southern cabinet? Please GOD PLEASE....
errr....umm...*whooosh* *whoosh* Is this thing on ?
The problem is that just because I (an innocent user of the product) don't know about the vulnerability doesn't mean that the evil crackers don't know about it. Sure, a public announcement increases the number of crackers who know about it, but it also gives me enough information to react. There is a security hole in sendmail, but no patch yet? Well, without real information, I can't confirm if my particular installation is at risk. Once I know about it, I can take reactive steps. With enough information I could try to patch the vulnerability myself. With enough information I could try to limit my risk (say, changing my sendmail configuration to limit what an attacker can get, or adding a wrapper to detect the attack and terminate the connection). With enough information I can reasonably weigh the options of disabling sendmail for security reasons versus keeping it up for my users.
With no information, I'll just keep ignorantly running the vulnerable version, possibly getting attacked by crackers who already knew about it. With a little information, I don't have enough information to decide if I'm really at risk and to weigh my possible solutions.
That's what I wanna see too!
In this case, it's companies (sendmail, inc, and companies with derived code) that needed to know; debian just has to apply the patch, recompile, and release, which they can do in a small bounded amount of time. Telling the people who need to come up with the patch first is all that's necessary.
Look, this is the entire rationale for using Open Source in important functions. If the function is truly important, cost is not the issue (the cost benefits of free software are arguable anyway, since you need to hire competent people to use it, and the incompetents that are usually hired to run proprietary systems are much cheaper).
Go to www.sendmail.org, download the source, and COMPILE IT ACCORDING TO THE INSTRUCTIONS.
BACKUP YOUR SYSTEM FIRST. Do I need to repeat that?
If you don't have a C compiler, go get the latest GCC for your platform and install it first.
C'mon, man, get on the stick! You can do it!! Go, go, go! Time's a wastin', and it'll look good on your resume once the big sendmail worm hits this weekend....
Your ignorance is showing, buddy. Do some research.
The Magical Sendmail Fairies are not particularly enthused about government repression. While the "alternative" sendmail vendors like Sun and HP might be willing to do something like that, I don't think you need to worry about Sendmail's original authors jumping on any government bandwagons.
In order for this to be exploitable, the compiler has to arrange the data segment such that there is a structure containing pointers shortly after the buffer that can be overrun. As it turns out, most builds of sendmail, including all of the Red Hat precompiled binaries tested and all of the commercial UNIX ones tested, are not directly exploitable (that is, it might be possible to get them to misbehave somehow, but not to crash in any predictable way). The exploits also depend on knowing what structure you've hit, which is only possible if you have access to the particular binary, and the exploits will only work for a particular binary.
So this is not a good candidate for a worm or automated exploit, and only useful for a direct attack if you happen to be relatively unlucky and the attacker knows it.
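The post above makes a layout argument: the overrun is only useful if the toolchain happened to put a pointer-bearing structure right after the overrunable buffer, and even then the attacker must know the exact binary to know what they are clobbering. The following is a constructed illustration of that argument, added here as an example; it is not sendmail's code and does not reproduce the sendmail bug. It pins two possible data-segment layouts with structs (real builds leave this to the compiler and linker), uses a deliberately unchecked byte copy as the bug, and reads the overwritten pointer through `volatile` so the compiler cannot optimise the demonstration away.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example (not sendmail's code): why an overrun of a fixed
 * buffer in the data segment is exploitable only when a structure holding
 * pointers happens to sit directly after it. */

typedef int (*deliver_fn)(const char *);

struct handlers {
    deliver_fn deliver;   /* the pointer an attacker wants to overwrite */
};

static int deliver_real(const char *s)     { return (int)strlen(s); }
static int deliver_hijacked(const char *s) { (void)s; return -1; }

/* Two layouts a toolchain might produce for the same source. We pin them
 * with structs so the example is deterministic; real builds do not. */
struct layout_adjacent { char buf[16]; struct handlers h; };
struct layout_padded   { char buf[16]; char pad[64]; struct handlers h; };

/* Both live in the data segment, like the globals the post talks about. */
static struct layout_adjacent g_adjacent;
static struct layout_padded   g_padded;

/* The bug: copies a header of attacker-chosen length into a 16-byte buffer
 * with no bounds check. volatile forces every byte store to happen. */
static void copy_header_unchecked(volatile unsigned char *dst,
                                  const unsigned char *src, size_t n)
{
    for (size_t i = 0; i < n; i++)
        dst[i] = src[i];
}

/* The attacker's payload: 16 filler bytes, then the raw bytes of the
 * address they want planted. That address is only knowable from the
 * particular binary being attacked, which is the post's second point. */
static size_t build_payload(unsigned char *out, deliver_fn target)
{
    memset(out, 'A', 16);
    memcpy(out + 16, &target, sizeof target);
    return 16 + sizeof target;
}

/* Read the pointer back through volatile so the call really uses memory. */
static deliver_fn load_handler(struct handlers *h)
{
    return *(volatile deliver_fn *)&h->deliver;
}

/* Layout with the pointer struct right after the buffer: overrun lands on
 * the pointer and the next call goes to the attacker's function (-1). */
int run_adjacent(void)
{
    unsigned char payload[16 + sizeof(deliver_fn)];
    size_t n = build_payload(payload, deliver_hijacked);

    g_adjacent.h.deliver = deliver_real;
    copy_header_unchecked((volatile unsigned char *)g_adjacent.buf, payload, n);
    return load_handler(&g_adjacent.h)("hello");
}

/* Same bug, same payload, different layout: the overrun only scribbles on
 * padding, the pointer survives and the call behaves normally (5). */
int run_padded(void)
{
    unsigned char payload[16 + sizeof(deliver_fn)];
    size_t n = build_payload(payload, deliver_hijacked);

    g_padded.h.deliver = deliver_real;
    copy_header_unchecked((volatile unsigned char *)g_padded.buf, payload, n);
    return load_handler(&g_padded.h)("hello");
}

int main(void)
{
    printf("adjacent layout: deliver() returned %d\n", run_adjacent());
    printf("padded layout:   deliver() returned %d\n", run_padded());
    return 0;
}
```

The same source and the same payload give a hijacked call in one layout and a harmless one in the other, which is why a binary-specific attack is plausible but a layout-agnostic worm is not. A real exploit would also have to survive whatever the overwritten bytes of `pad` or neighbouring data meant to the program, which the post's "misbehave somehow" covers.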
This headline coming soon: dozens of gummint and commercial sites hacked by a Sendmail bug just days after a bug fix was released.
Here is the problem with the Gov having first knowledge of security flaws in software. In an earlier post it was reported this flaw was found two months ago. Now the Gov knew about this flaw and had two months of time to create an exploit of their own and hack into Iraq's computer systems (if they use sendmail), or into some other Russian civilians' homes who are suspected of hacking themselves.
This in no way is a good thing, that the Government knows about these problems first.
I WANT TO KNOW of these Problems first so I can protect myself from that self serving Government that I like so much!!!!
Look, I'll freely admit to being biased, but... I'm a little baffled why Sendmail has not been more widely replaced, given that full understanding of its configuration file seems to require a Ph.D. in computer science.
There are better (to my eye) alternatives. Postfix and qmail, just to name a couple. I just made the switch to Postfix, and my admin work got a lot easier overnight.
Is it just inertia that's keeping Sendmail in place?
Bruce Lane, KC7GR,
Blue Feather Technologies
Read the NIPC Advisory -- it sends people to the ISS site for Sendmail patches. Not only is the link broken, but ISS does not offer patches on its site, at least not in the public area.
In short, if you rely on NIPC, you are screwed. Nice waste of your tax dollars.
I run sendmail and I didn't hear a peep until today. I guess you have to be a big corporate supporter of the republican party to get on the DHS to-be-notified list.
I don't see this need. All that happened here is that a newly formed, highly political Government agency took a process already in the civil sector and went "Look what I can do!"
Sure - there will be some who won't consider warnings authoritative unless they come from gov't. And there are those who are thrilled that there's a nice, bureaucratic process to follow. I've seen this sentiment already; I work for a US Gov't agency handling infosec issues. There were lots of meetings full of hand-wringing managers who normally wouldn't have been involved to the extent that they were.
And that's the problem - a Government bureaucracy tends to bring in people who don't improve the process and have no real understanding or function in that process. My concern is that a process that has been evolving over time will now be derailed by bureaucracy and, in the end, damaged. Perhaps even becoming as ineffective as many internal Government infosec activities.
It's worth stressing that the "old" and "new" systems are the same. Claiming the old system was flawed does little compliment towards the new one. I doubt additional Gov't involvement has solved some of the existing issues: patch quality, information dispersal, time and manning restraints, etc.
In particular that interim between someone discovering the problem and having a fix available is worrisome. In this case it seems to have been two months - suppose it were six months? a year? two years? During all this time, it is possible for someone to exploit the problem and since many sites using the software would not be aware the problem even exists, it leaves them with some exposure.
People who might reveal such problems during this interim (perhaps wanting to get information, perhaps wanting to warn others) could be muzzled with "National Security" resources, even criminalized. Probably not a wise idea (though certainly a tempting one to those in power) as it makes people rather less than motivated to find and report such.
The final couple of steps also concern me.
In particular, there is one possibility inherent in this very government oriented process : that the presence of the bug never get published and gets (and this seems inevitable where "government security" is involved) rated as "classified". Now nobody except the vendor and the government would know anything about the problem - even its existence. Why should anyone care if it is classified?
When they talk about a "sendmail flaw", they are talking about sendmail versions 8.9 through 8.12, and perhaps older ones. They're not talking about mailers which are not sendmail, even if those mailers install a symlink called "sendmail".
By the way, does your perl script queue a mail for later retries if there's a temporary delivery failure? Or does it just throw the mail away?
...see this as a government agency sticking its nose into something it has no business even being involved with? I wonder if they took control of the situation and TOLD Sendmail, Inc what to do and when to do it. If they did then that pisses me off.
Furthermore, if an exploit really exists... its likely after a while to make some waves and become a "known" exploit....
Probability(bug exploited by crackers | no known wild exploit) is less than P(bug exploited by crackers)
Altogether, if there isn't any known exploit in the wild, and an exploitable bug was found by "good guys," I think the probabilities are pretty good that the bug HASN'T been cracked yet. Giving vendors a short, reasonable time to respond in private is therefore the responsible thing to do.
Gates' Law: Every 18 months, the speed of software halves.
"Sendmail Bug Causes Global Worming!"
Sorry.
they sat on a bug for a year and you are applauding them?!?! sigh. While the government exploited this 'hole' to scan Saddam's mail, they left the rest of us hanging in the wind. While we pursue the 'nasty' Saddam and his 'arsenal' of weapons, the Madman in Korea shoots missiles over Japan, threatens to nuke someone, and HAS FOR A KNOWN FACT, TONS of biological weapons, BUT SADDAM and his 'suspected' weapons of MASS DESTRUCTION are a threat to the very world, not to mention a bump in the road to an oil pipeline to a very lucrative Indian and Pakistani market. GW's rhetoric is really beginning to show its inbred stripes. I love living in the Land of Hypocrisy. At least I am free to complain about it, or turn my back during the national anthem, for the time being.
Disclaimer, I would like to say thanks to the very brave and heroic people who volunteer to serve in this country's armed forces, and I would also like to apologize to them for the poor way in which we are allowing our government to use them.
"This is the model for what you do if you want to find a vulnerability," said Alan Paller, director of research for the SANS Institute, a research and education group that lets security companies, system administrators and others share information. "The DHS are the ones that can put the pressure on all the vendors and keep it quiet."
How, exactly, did they keep people from talking? Could the same be used against private citizens?
More chilling however, is the implied government guidance and endorsement of private work and enforced silence. What is the federal government doing working with Sendmail INC? How about a little of my tax money going to Exim's developers? I'll pass if that means that no one can talk about bugs the feds happen to stumble across. Is sendmail to be considered the "secure" mail program, sanctioned by my federal government?
At first glance, centralization of bug fixes within the federal government sounds good but it might make problems. this poster sings praises for the effort, having been told what patch to apply without a meeting to get his opinion. What he seems to have missed is that the red tape still exists, hence the lag time between discovery and implementation, it's just been taken from his control. Now, if this kind of thinking is applied throughout the federal government, every one of their machines will be running exactly the same software! Bust one, bust all. The creators of this agency hope to bring the best talent to the problem. If they have done that and if they stay out of the way, great. What I fear however, is the usual political pressures turning this office into a means of making money for particular vendors of software. It could and might result in a system that enforces worst practices everywhere, especially if the government decides that private networks are also "security risks" to be managed.
Friends don't help friends install M$ junk.
That's great, do I really want a piece of software which has its security releases based on what is "co-ordinated" by the American government. Hello!?! Global community here. If companies like RedHat, yada yada want me to use their software I'd much rather an impartial international organization (RE: UN) handle it.
Furthermore, if I ever felt that the country I belong to were to ever be on opposite sides with the great USA, I might never buy the software for fear of having my support cut off, or, worse, I can definitely imagine: "hey we won't release this information until we take down all our enemies' networks!"
So regardless of whether or not I belong to a country which is an enemy of the States, I can see that security releases would be delayed for the benefit of America, putting my network, and possibly government, at more risk (assuming your government does not share this information with mine).
So to the bit bucket Sendmail goes! Goodbye, and good riddance to your buggy American agenda software! (Luckily it isn't software I paid for.)
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Daniel
http://people.cinn.ca/daniel/
This article is so full of itself and the DHS, that it stinks to high heaven. Like this bug in Sendmail was going to "cripple the Internet!" or some other sensational crap. I know there isn't a lot to report on right now but, c'mon! find something a little more worthwhile CNet. yeesh!
"Klaatu, verada, necktie!" -Ash
Hooray for the DOHS!!! If they had not found this 15 year old bug I might not be getting my email right now. Take that Osama!!!!
As this has been mentioned a little bit in other peoples posts, I'll ask the question too :
Why should I (an australian) have to rely on the "Department of Homeland Security" of another country for information regarding a sendmail patch?
What if someone found a root exploit affecting 75% of say, iraq's servers and reported it to the "Department of Homeland Security"?
I wonder how long it would take for them to issue a release about that one? As far as I'm concerned , the body that looks after this sort of thing should be international and not have any majority government control, as otherwise they start acting in their own interests, and not the greater interests of the other technically competent people on the planet.
(And "Department of Homeland Security" always has a weird , 1984-ish sound to me, hence the quotes)
You are in a twisty maze of processor lines, all alike.
There is a lot of hype here.
So, if I read this correctly, there was a long window of time during which the government was aware of this hole and the public was not informed. This isn't a good thing, like they claim. What it means is that for those weeks the government had exclusive knowledge of how to root your machine. Do you trust them to use that knowledge responsibly (meaning, to have the integrity to refrain from using that knowledge at all)? I do not.
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
I fixed my sendmail server in a little under 30 minutes. 5 to download the new version, 5 to unpack it, 10 to compile, and 10 to install and reboot. It's not THAT big of a deal.
Department of Homeland Security is a political power grab by people who are unacceptable in a free society to start with, with a name that's trying very hard to sound almost like several different classic totalitarian thug agencies, and having ISS kiss their ass does not make me respect ISS at all.
Now, it's possible that Homeland Security did a good job of making the civilian government agencies running sendmail install patches, using clout that CERT doesn't have, and either cooperating with or stepping on the toes of the NSA's NCSC, and if true, that's a Good Thing, but they're issuing press releases like they did something to protect America's Precious Bodily Fluids when it was really somebody else that did all the work and would have helped the Global Information Infrastructure protect ourselves anyway.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Department of Homeland Security are a bunch of political thugs who _are_ very disturbing - not only may it be counterproductive to have them around, but this does hint at the "Revealing Security Flaws is Un-American" "Loose Lips Sink Ships" "McCarthy Knows What's Best For You" kind of mentality that we don't need to bring back out of the past.
When the owner of the bug is your manager things get hairy. He doesn't want to admit the flaw to his superiors. He doesn't want you to show the flaw to his superiors and he will make your life hell as long as you know about the bug. He'll probably make it part of your year-end goals to fix the bug. Since he doesn't want the people above him to know about the bug he'll also have you do a few dozen other things to obfuscate the real target of your daily duties.
:-) Don't ask for any sort of compensation. Bug-tracking isn't part of your job. Your job is to do exactly as your manager tells you. If you persist you may be terminated for insubordination--performing duties which your manager didn't specifically assign to you.
At the end of the year when the bug still exists and you haven't fixed it for him then he'll find a way to tell human resources that you are an incompetent employee who the company would be better without.
If you did manage to fix the bug then he'll take the fix and show it to his managers. They'll turn pale at seeing the bug and then breathe easier when he provides the fix. They'll never ask who actually created the fix.
Congratulations for finding the bug.
And don't ask questions.
+++ATHZ 99:5:80
Now we know that the US was desperately looking for support in the UN security council for it's war resolution. As a result, many of the officials were informed that they may have been 'observed' by the US government, so that the government might devise a strategy that would make their resolution more appealing to those undecided security council members. Wouldn't those officials like to know that for the last 2 months the United States Government has had exclusive access to their email correspondence? Also, notice how there hasn't been any information given out with regards to detecting a break-in using this exploit. One might say there is no point due to the fact that the exploit was not observed in the wild. However, I'm sure that if a method of detection was discovered and applied then some governments and organizations might find some interesting server activity in the previous two months. Mars
Security by Obscurity is a yesterday's item, but the current US government is a yesterday's government to begin with.
One big security problem is that it is far too easy for clueless morons to get connected to the internet. And you can hardly force private end users to have a staff or contractor. It is the task of the ISPs imho to make sure they connect only properly skilled people.
open (SIG, "</dev/zero"); $sig = <SIG>; close SIG;