

Sendmail Bug Tests US Dept Homeland Security

yanestra writes "CNET reports that the reported Sendmail bug has been a test for the US Department of Homeland Security which seems to have managed information flow in this case."


  1. bleh by Joe+the+Lesser · · Score: 5, Insightful

    > While keeping news of the issue from leaking to those who might exploit the vulnerability.

    Free flow of information > Security

    --
    "I only speak the truth"
    Karma: null(Mostly affected by an unassigned variable)
    1. Re:bleh by Xzzy · · Score: 4, Insightful

      hardly.

      If the parties involved are actively seeking to fix the problem, in a timely manner, I see no harm in not shouting from the mountain top what the problem is.

      Full disclosure after a patch is done, yes. But doing it before serves no purpose but to conform to some wishy-washy idealism and potentially amplifies the damage an exploit could cause.

      And I'm talking in terms of a couple days. If the affected parties hit the snooze button and two weeks roll by, then yes, release the info and make fun of them for the havoc it causes. ;)

    2. Re:bleh by blirp · · Score: 4, Insightful
      I think a timeframe needs to be established. Those who find exploits in programs have a moral obligation to let the maintainers of the program know first and give them a reasonable amount of time to fix the problem.

      But, by definition, if any of the "good guys" have found the problem, it's equally likely that any number of "bad guys" also have found the problem. With exploits in the wild. So telling everybody to be on the look-out, or even close down some services, could easily be the "Right Thing(tm)" to do.
      Look, for instance, at all the bad press Symantec drew for keeping info on Slammer to their own customers instead of alerting everybody.

      Actually, this can be argued forever. And what's right in one instance might be wrong in a different... so...

      M.

    3. Re:bleh by Strog · · Score: 2, Insightful

      I don't think that is a bad premise to go off from but I don't think you can automatically assume that "bad guys" know. There have been vulnerabilities found recently that were there for years without anyone making it known. So either these issues can stay hidden sometimes or someone is keeping real quiet for too long.

      This can be a complex situation and there are no easy answers. I still think that generally 90 days should be the max to sit on any of these. Of course there will be cases that warrant more but they should be few.

    4. Re:bleh by jimboid · · Score: 2, Insightful
      I don't think you can establish a set time frame for the general release of the information. You need to look at the severity of the vulnerability as well as the criticality of the system/application affected.

      Further, one should also assess the impact of shutting down any affected service if a fix cannot be readily found.

      To use the case in point... sendmail is critical to many firms that use it. Shutting down the service would be a drastic option. Implementing 'something else' would, typically, require a fair amount of effort. As such, you'd want to allow more time before releasing the information to the general public. But - it seems (and I haven't read the text of the exploit - but have upgraded my systems anyway) this is a remote root exploit which would tend to lessen the time allowed for announcing any vulnerabilities.

      So, I don't think you can create a single standard but you might be able to create a standard for an application. Even that won't fit all cases but could serve as a 'rule of thumb'.

      Regards...

  2. So what? by da3dAlus · · Score: 5, Insightful

    Are they saying that this worked perfectly? If so, what about the next exploit? What if Joe Nobody finds a hole, and makes it public before the DHS gets with the makers of the software? What about the businesses in the private sector that fail to patch their systems? Wasn't the fix for SQL Slammer out for months? I'm sure this is a step in the right direction, but really, what happens next time?

    --

    Sometimes I doubt your commitment to Sparkle Motion.
    1. Re:So what? by dissy · · Score: 2, Insightful

      > Are they saying that this worked perfectly? If so, what about the next exploit?
      > What if Joe Nobody finds a hole, and makes it public before the DHS gets with
      > the makers of the software? What about the businesses in the private sector that
      > fail to patch their systems? Wasn't the fix for SQL Slammer out for months? I'm
      > sure this is a step in the right direction, but really, what happens next time?

      I think no matter who is in control of oversight, be it CERN or the government or anyone, the same problem of "If we don't find out first, we can't do much about it" is true.

      You also have to keep in mind, this bug was discovered in December and released in March. This only pertains to one person at ISS.
      Not to belittle his work finding this bug, but it's still technically possible someone else has already found it before, and is good at keeping secrets.

      If you assume that is true in all cases (which from a security standpoint you need to assume) it really doesn't matter. That they are telling you about this hole now at all doesn't have anything to do with the fact that ALL systems using sendmail since version 5 have been exploitable for the past 10+ years.

      The hole being disclosed isn't what causes the security problem. It's the other way around.

      > Sometimes I doubt your commitment to Sparkle Motion.

      That sig sounds like a product of fear :P

  3. Sendmail - too flexible for most by linuxkrn · · Score: 5, Insightful

    Sendmail is a very flexible mail package...too flexible for most people.

    Its power and configuration settings make it a good choice for admins who have taken the time to read up on it. However, more often than not we find that there are a lot of lazy admins out there who just get it "up and running" and don't care to understand the security issues with the server. I used sendmail for years in the past, but now use postfix. There are a slew of other mail programs out there that can be configured without having to use m4 rules, understand sendmail's rewrite methods etc. I would suggest that if you must have a mail server up, but don't want to take the time to learn sendmail, PLEASE, use something else. I realize this is a little off-topic but it's not too much. It all boils down to securing the net. That takes more than a few bug fixes (and YES you must apply all of them) and a good admin to configure the server/services.

  4. Why is sendmail still in use? by duffbeer703 · · Score: 1, Insightful

    Sendmail always has been and always will be a security risk.

    Superior alternatives exist... so why is anyone still using sendmail???

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
  5. So what's... by jpmahala · · Score: 2, Insightful

    NSA going to do with all of their newfound free time? According to the article:

    > In the future, the Department of Homeland Security will be the U.S. agency that will manage any response to major cyberthreats.

    Will the DHS publish Security Recommendation Guides like the NSA?

  6. Improved policy? by Jeppe+Salvesen · · Score: 5, Insightful

    Wouldn't it be best to issue a statement like "sendmail has an exploitable vulnerability, we recommend that you switch to your standby alternate mail system until we release a fix"? There is no way that blackhats would figure out where to look from a statement like that, and those of us with really good security could switch to our exim-based solution if we really feared to be hacked. Basically, do we trust the homeland security dept to determine our security policy?

    That being said, good to see a well coordinated patch release. I just wish the paranoids would get advance warning.

    --

    Stop the brainwash

    1. Re:Improved policy? by eyeball · · Score: 2, Insightful

      > could switch to our exim-based solution if we really feared to be hacked

      Oh, yeah. I run a small ISP that does about 1.6 million messages / day. Other siblings of my department do 10 times that. If I tried implementing a safer stand-by system, I would be laughed right out of a job. Not to mention the safer backup systems for everything else -- web serving, news, authentication, online tools, etc..

      --

      _______
      2B1ASK1
  7. Re:Encouraging by ecalkin · · Score: 5, Insightful

    sadly, i don't see the 'force people to fix security holes' where we need it.

    we have (mostly) good timing getting patches out (even ms gets patches out), but getting end users to *apply* the patches has been a problem. lack of knowledge, time, technical skills, etc.

    at this point, this does seem to be addressed.

    how do we (ahem) fix the end user? my belief is that it should be required that end users have staff/contractors that are certified on their stuff *and* that they maintain a maintenance log that documents actions or lack of them. if you look at radio stations and the requirements, they include licensed radio engineers and logs and other must-dos and must-haves.

    it's time people understood that being connected to everyone else requires a little bit more work.

    eric

  8. Re:What about international software? by TechnoVooDooDaddy · · Score: 2, Insightful

    yeah, why not? the US seems to be trying to take care of everything else internationally..

    I know I know, prolly flamebait, but i gots the karma to burn

  9. DHS versus Early Disclosure by mcgroarty · · Score: 5, Insightful
    If I've got a vulnerable service running on one of my systems, I'd rather know about it right away so I can make the decision as to whether I want to keep it running or temporarily deploy an alternate service.

    I liked the handling of ssh's problems last year much better. "Heads up, there's a problem in these versions. We'll let you know exactly what after we get the patch out." It's not enough to give a hacker a reasonable foot up, but it gets the service off the network should anyone already be quietly taking advantage of the weakness.

  10. Sounds nice but... by captaineo · · Score: 4, Insightful

    It sounds cool to have the US govt leaning on vendors to write patches, but I have a feeling that if this becomes the norm, vendors will just push DHS for longer and longer lead times. The article indicates this particular bug was known since January. Two months is a pretty long time to wait for patches!

    And this is just DHS's "first test" - I imagine after they build up a cozy relationship with the major security-problem vendors (i.e. Microsoft), they might not even disclose any known flaws until patches come out (i.e. months to "never").

    Remember that government officials will probably listen a lot more attentively to "captains of industry" (i.e. MS) than "those unwashed hippy hackers" (i.e. the open-source community).

    1. Re:Sounds nice but... by pjrc · · Score: 3, Insightful
      What's really cool is that they're leaning on admins to actually install the patch quickly.

      Sure, it sucks to be "left in the dark" while vendors slowly come up with patches. Sure, you'd like the vendor's "feet held to the fire" to write, test and release the patch as quickly as possible. If that's painful for them, well, they damn well deserve it since they wrote the bug in the first place. Or at least that's how it feels to you and me, small-time admins (at least me) who find out when the patch is released weeks or even months (2 in this case) after the initial discovery. It's easy to feel this way.

      But historically, the biggest problem has not been the timeliness of releasing patches. The REAL problem has been that most admins/users do not install the patch until _after_ an attack has begun.

      Patches not getting applied is by far the largest problem. It dwarfs the problem of several weeks elapsing between initial discovery to patch availability to public announcement (where the "problem" is that some black-hats might have known for some time and might have been quietly exploiting systems for a long time).

      Sure, it rubs you and me the wrong way and might even hurt our feelings a bit that we were kept in the dark for 2 months. Yeah, it sucks that our servers were on-line and open to attack all that time (and long before initial discovery by ISS). But get over it.

      In the larger picture, what has always mattered much more is getting all or most systems patched. That has historically been a giant problem. Admins don't patch, for one reason or another. Some are overworked, a few might be lazy, many don't find out about the patch, and in a great many cases the admin isn't authorized to make "unnecessary" changes, or would be risking his job patching a critical system before upper management felt it was urgent.

      In the past, only a widespread attack has given most admins that sense of urgency to apply the patch. That sucks.

      The DOH using its clout to provide that sense of urgency to apply the patch before an attack begins is a good thing. To the extent they pull this off (it's still too early to judge), they'll have gone a long way towards solving the largest computer security problem.

      So whine all you like about being left in the dark. Mod me down for going against the flow here on slashdot. Complain about the extremely unlikely chance that some black-hat knew before ISS and was quietly and undetectably exploiting the bug. But don't try to deny that by far, by at least an order of magnitude, the largest problem has been a widespread failure to apply released patches until after a highly successful and widespread attack.

      To the extent the DOH puts pressure on admins to install this patch before an attack, they will have made a huge improvement in overall security. The several weeks from initial discovery until patch availability and security advisory just isn't significant in comparison.

  11. Re: Dept. of Homeland Security by Black+Parrot · · Score: 5, Insightful


    > Speaking of the Dept. of Homeland Security, here's a link [democratic...ground.org] to an article with some suggestions to Tom Ridge on how to improve his department, so that it actually keeps the citizenry well-informed and aware of possible terrorist threats and how to handle them (as opposed to keeping them scared and in an information blackout).

    You're making a mighty big assumption about what the DoHS was created for.

    --
    Sheesh, evil *and* a jerk. -- Jade
  12. Publicity keeps vendors honest by Anonymous Coward · · Score: 5, Insightful

    Does anybody else find it disturbing that "good security" is being equated with "keeping exploits quiet"?

    It's precisely the threat of publicity that pressures vendors into patching their compromised software quickly. If that threat is relieved, by Official KeepYerDamnMouthShut Orders from a government body, those same vendors may start to think "Phew, now we can wait for the next upgrade".

    This is Not a Good Thing.

  13. Remember, the US is not the world. by perly-king-69 · · Score: 3, Insightful

    So what happens when a Finnish hacker finds a vuln in MS IE...should they tell a foreign government first? What about a French hacker? Or an Iraqi hacker? These problems now transcend national government interests.

    --
    This sig is inoffensive.

  14. Did they notify non-commercial dists like Debian? by KeithH · · Score: 3, Insightful
    The article states:

    > Internet Security Systems originally reported the flaw to the NIPC in mid-January. The agency helped notify other companies...

    I'm curious to know whether the NIPC notified non-commercial interests such as the Debian organization? Also, did they notify any non-US-based distributions such as Suse?

    It is not clear to me that the NIPC is anything more than a bureaucratic clearing house and censor. I suspect that the security community that is referred to as giving high marks includes only the commercial side of the industry. I'll bet that Mr. Lemos could get a meatier article out of investigating some of these questions.

  15. Responsibility && responsibility && by 4of12 · · Score: 3, Insightful

    > If the parties involved are actively seeking to fix the problem, in a timely manner, I see no harm in not shouting from the mountain top what the problem is.

    I think it reflects well on discoverers of vulnerabilities if they notify the software maintainers first by backchannel means and describe the vulnerability with enough precision for the authors to be able to fix the problem in a timely manner. DoVs should get extra credit if they submit an actual patch that fixes the vulnerability (does not apply to proprietary binary products, clearly).

    But the vulnerability is a ticking time bomb out there for users in the real world. The white hat DoV may have discovered the vulnerability after 3 black hats who are shoving it into their latest malware.

    The discoverer of the vulnerability and the maintainers of the software are jointly responsible for doing everything in their power to expedite their work, to notify users of the vulnerability, and to provide a patch for them.

    Finally, all software users have the responsibility to keep apprised of the latest security alerts and patches for vulnerabilities and to apply them.

    If any of the 3 parties: discoverer, software maintainers, software users fall short on any of these responsibilities, then all users will suffer.

    As a user, I must rely upon the goodwill of the DoVs and the maintainers.

    --
    "Provided by the management for your protection."
  16. Re:Encouraging by tacocat · · Score: 3, Insightful

    I don't think throwing a pile of Bureaucratic Bullshit is going to improve the situation. That's one of the points lauded by previous posters. This was an example of someone who was able to get something done technically without the forms in triplicate. You are advocating those forms!

    Like we have time for the patches already, you want to make us spend countless hours filling in stupid forms?

    Personally, I think that public humiliation of the company that fails basic security patches is a pretty effective method. It now becomes an interest to the company to maintain a positive PR profile. And we all know that the only thing greater to a Corporation than profits is the Image it portrays.

  17. Was that in your job description? by Anonymous Coward · · Score: 1, Insightful

    Did you modify your cubes in your spare time? If not, I could see them being upset; they're probably paying you good money for some kind of technical work, not to play erector set with your office furniture.

  18. hmph... Homeland Security by netwiz · · Score: 4, Insightful

    How exactly is this helping? Control the information flow? How is it then, that links to, and a discussion of, the flaw and possible exploits were publicly available six hours ago on this very website? I wouldn't exactly call a discussion thread on one of the world's largest weblogs "controlling the flow of information."

    This is about the level of competency I've come to expect from Large Government Entities.

  19. Not that bad by siskbc · · Score: 4, Insightful
    > FYI, this flaw was actually found in December [msnbc.com] and just reported yesterday, roughly two months later.

    Thanks for the link. You know, I don't think 2 months is exorbitant in this case. As your article states below,

    "Because there are so many different flavors of Sendmail, twenty software vendors had to develop a variety of patches for the flaw..."

    So, they had to patch a ton of different versions, and you don't necessarily want them issuing a shitty patch. So if you blame anyone, blame those sendmail monkeys for the delay. ;) Given the nature of the coordination effort, I think they did quite well.

    --

    -Looking for a job as a materials chemist or multivariat

  20. Re:ISS - proven shills by seite-f00f · · Score: 3, Insightful

    You are right, but that is not the most scary effect of the so called "Homeland Security." Imagine: company X finds some major bug in a widespread security-relevant application and informs first(!) the US gov., so the US "cyber warfare" units had a 2 month head start exploiting servers around the world.

    nice eh?

    -- greetings from _OLD_ europe

  21. qmail anyone? by Chupa · · Score: 2, Insightful

    Let's see...a search for advisories on Security Focus with "sendmail" = 100 hits. qmail gives 1 hit, and it isn't even for qmail, it's for "masqmail".

    It's time for the sendmail people to start from scratch. You can keep patching all you want (and apparently take two months to do it), but if your initial security design model is flawed, you are going to keep finding holes.

    1. Re:qmail anyone? by Anonymous Coward · · Score: 1, Insightful

      sendmail is perfectly secure when it is set up correctly and patches are kept up to date. the vast majority of sendmail issues are configuration related, like anything else.

      also as to your analogy that qmail has only one listing, that reflects how many people USE it, not how secure it is.

      sendmail is the backbone of communications on the Internet today, and for the last few DECADES. it is used so often that by that very nature it is sure to get configured incorrectly more often, AND more legitimate flaws will be found.

      i am not saying sendmail is perfect, i am just saying it's ridiculous to think that qmail can hold a candle to it much less compare it on vulnerabilities.

  22. Re:Government is getting credit! by kcurtis · · Score: 2, Insightful
    OK, sorry for a minor flame, but did you read the article?

    First, notice that they give credit to ISS and Sendmail.

    > The agency's Directorate of Information Analysis and Infrastructure Protection (IAIP) worked with security company Internet Security Systems, which discovered the flaw, and Sendmail Inc. to create a patch while keeping news of the issue from leaking to those who might exploit the vulnerability.

    Then they discuss that they alerted key owners and facilitated communication.

    > "Working with the private sector, we alerted key owners of the vulnerable software and got them talking," said David Wray, spokesman for the IAIP Directorate. "We think this is a great example of how this should, and does, work."

    Sendmail *themselves* noted that the coordination of the government helped...

    > "They were a good resource in helping us make sure that the protection was put in place," Greg Olson, chairman and co-founder of Sendmail Inc., said of the response staff at NIPC, now with the directorate. "You need to contact a lot of people and make sure they understand this is important and (make sure they) apply the patch." Sendmail Inc. develops a proprietary version of the mail server.

    Bottom line, yes Sendmail gets kudos. But so does the government for being the coordinator of the entire effort. I'm not a big fan of this department of homeland defense, but in this case their agency did a nice job, and it deserves the mention it is getting.
  23. Re:Encouraging by gmack · · Score: 2, Insightful

    This is less and less the case. Keep in mind that the traffic caused by the slammer worm managed to disrupt 911 services.

    Also .. what is your mom doing running servers? If there is no one to maintain her systems then there should be no outside accessible daemons at all.

  24. hmm, what's the next step by Iamthefallen · · Score: 2, Insightful

    This isn't one of those "all our freedom and rights are being removed by the evil government" type posts. But yet...

    In this case DHS seem to have done a good thing, coordinated the patching and disclosure between different vendors. Now, for me it isn't a stretch to ask the question, what if someone had announced while DHS were still working on it? What if it is a truly critical bug or hole. Say wide open root-enabling flaw in SSH, Samba or some other service that's very common (for the geeks that can't take that as an example without saying that they should never be used as root bla bla bla, please just move on, I'm trying to make a point here, and it's not about best security practices).

    Say such a security hole of a great magnitude is discovered, and someone announces it publicly on a mailinglist. Or say vendor A wants to release the patch immediately, but vendor B wants to test for another week. Vendor A goes ahead and releases it without DHS approval.
    In either case, will DHS see it as a risk to homeland security and a prosecutable offense? Is software security now suddenly a matter that the government should oversee? How far does their involvement stretch? Will security discussions require a DHS representative or approval to avoid premature disclosures that could be a threat to homeland security?

    I really don't wanna sound alarmist here, but I'm not sure the government getting involved in things like this is a great idea. Software bugs or flaws can be a real threat to a nation, and so DHS should perhaps be involved. But again, I can't help but wonder, where will that take us and where will that involvement stop.

    --
    Wax-Museum Fire Results In Hundreds Of New Danny DeVito Statues
  25. Re:I work for the government. by kindbud · · Score: 2, Insightful

    That's nice. I can't even find out if this flaw is exploitable on my non-x86 platforms. ISS didn't bother to test non-x86 platforms. According to their release, "others" might be affected. But there is no information on how to test my systems for this vulnerability, so how can I tell if the patch is effective on my platform? It seems nobody but me is going to bother to check this. Is it now "In DHS and ISS We Trust?"

    No scanner, no tester, no exploit code, no help. Thanks ISS and DHS! I feel so much better with this new process.

    --
    Edith Keeler Must Die
  26. Re:So what youre telling me... by dmaxwell · · Score: 3, Insightful

    Which part of "outside the USA" did you miss? That's EXACTLY what he is telling you. This does not serve US' interests. Crypto development has already been pushed outside the country. This sort of behavior could push most security work outside as well. The rest of the world isn't going to run their networks three-sheets-to-the-wind just so Tom Ridge can get his warm fuzzies.

    Nobody outside the US is going to place their security below that of the US. Yet everybody, US included, runs the same software. This means something has to give and if the issue is forced then yet another chunk of the industry leaves the country. How is this good?

    It's already started. Many developers won't visit the US because they discuss vulnerabilities "that could circumvent a copyright protection". Hello! They have to do that to fix problems. Pentagon-style paranoia could be much worse than the DMCA. This industry is hurting as it is. We don't need more government imposed problems.

  27. Full disclosure protects users, even with no patch by ChaosDiscord · · Score: 4, Insightful
    > If the parties involved are actively seeking to fix the problem, in a timely manner, I see no harm in not shouting from the mountain top what the problem is.

    The problem is that just because I (an innocent user of the product) don't know about the vulnerability doesn't mean that the evil crackers don't know about it. Sure, a public announcement increases the number of crackers who know about it, but also gives me enough information to react. There is a security hole in sendmail, but no patch yet? Well, without real information, I can't confirm if my particular installation is at risk. Once I know about it, I can take reactive steps. With enough information I could try to patch the vulnerability myself. With enough information I could try to limit my risk (say, changing my sendmail configuration to limit what an attacker can get, or adding a wrapper to detect the attack and terminate the connection). With enough information I can reasonably weigh the options of disabling sendmail for security reasons versus keeping it up for my users.

    With no information, I'll just keep ignorantly running the vulnerable version, possibly getting attacked by crackers who already knew about it. With a little information, I don't have enough information to decide if I'm really at risk and to weigh my possible solutions.

  28. Re:Encouraging by bigpat · · Score: 2, Insightful

    Okay here's the thing. If we have to worry about malfunctioning (malicious or buggy) computers shutting down or disrupting the internet, then the internet is already broken.

    Does anyone remember that the Internet was a network designed to continue to operate after a nuclear war? We should not have to worry about this stuff. This is a problem for network architects, not the server admins.

    If my server gets hacked then that should and must remain only my problem. Don't tell me the obvious, and don't shift responsibilities. These challenges can only be solved with distribution of resources and by maintaining excess capacity.

    It must be taken as a given that a network like the internet will have bad actors whose malicious actions it must be able to absorb until the problem is corrected or blocked.

  29. COMPILE FROM SOURCE by Anonymous Coward · · Score: 1, Insightful

    Look, this is the entire rationale for using Open Source in important functions. If the function is truly important, cost is not the issue (the cost benefits of free software are arguable anyway, since you need to hire competent people to use it, and the incompetents that are usually hired to run proprietary systems are much cheaper).

    Go to www.sendmail.org, download the source, and COMPILE IT ACCORDING TO THE INSTRUCTIONS.

    BACKUP YOUR SYSTEM FIRST. Do I need to repeat that?

    If you don't have a C compiler, go get the latest GCC for your platform and install it first.

    C'mon, man, get on the stick! You can do it!! Go, go, go! Time's a wastin', and it'll look good on your resume once the big sendmail worm hits this weekend....

  30. Re:Homeland Security by mark_lybarger · · Score: 4, Insightful

    the homeland security is responsible for making us americans feel all warm and fuzzy inside that our government is doing something to protect its citizens on its soil.

    they're responsible for releasing alert warnings every so often. placing the country on a level 3 or orange alert whatever that means, but it sure spikes the sales of bottled water, canned foods, batteries and duct tape for when the big bombs and chemical warfare comes our way.

    to be honest this entire administration has been doing a complete knee-jerk reaction to the WTC and Pentagon events from 2001. they're molding those knee-jerk reactions into something they can use to bomb Iraq and overthrow Saddam because quite frankly there's some big roots in the big state of Texas where "all Your Oil are belong to us"

    here's my favorite quote from the following article:
    http://www.msnbc.com/news/872585.asp?0cl=c1

    That warning regarding tape and three days of water is profoundly helpful to people who are choosing to go to war with Iraq and need to cause an environment of fear in order that the public will do anything to break the fear fever. It serves the administration for the public to be so afraid. When you are afraid enough, you'll get on any train that's leaving the station, even if it is not going where you want to go. That sentence says it all.

  31. Re:Government is getting credit! by Anonymous Coward · · Score: 2, Insightful

    You guys are completely missing another important factor. The government has known about this bug--and kept it secret--since December. That means ALL the mailservers around the world running Sendmail were open for their inspection.

    What's the chance that the CIA got word of this bug from Tom Ridge's outfit in December, and oh, just decided to sit on it? Nada.

    One can say--almost with complete certainty--that foreign countries had some of their mail servers rooted last year and in early January. And this was possible because the government is playing an active role in funding code review, and working with vendors and security outfits like X-Force at ISS. The Homeland folks get a heads up on exploits (and pass this information along to the FBI, CIA, NSA and electronic warfare units in the DoD.)

    This is not so much another story about a bug release and yet another flame war about how people are supposed to be notified. Instead, this is a hint (if you're smart enough to catch it) at the future of Cyber Warfare.

  32. Re:Encouraging by gmack · · Score: 2, Insightful

    Yeah well I too miss the days when a rooted server on someone else's network was not my problem. But welcome to today.

    How exactly are network architects supposed to design for 300 drones all sending traffic to one place? There is no amount of overcapacity that would handle that.

  33. Re:hmph... Homeland Security by Imperator · · Score: 3, Insightful
    > This is about the level of competency I've come to expect from Large Government Entities.

    No, I think the DHS did exactly what it wanted to, and did it quite well. The US intelligence agencies had two months to exploit the bug before it was even announced. ISS will probably be rewarded with a nice fat government contract.
    --

    Gates' Law: Every 18 months, the speed of software halves.