Sendmail Bug Tests US Dept Homeland Security
yanestra writes "CNET reports that the reported Sendmail bug has been a test for the US Department of Homeland Security which seems to have managed information flow in this case."
While keeping news of the issue from leaking to those who might exploit the vulnerability.
Free flow of information > Security
"I only speak the truth"
Karma: null(Mostly affected by an unassigned variable)
Interesting to read that the government is involved with this -- kind of makes you wonder what happened to CERT, which always used to coordinate public disclosure of and vendor response to bugs like this.
The fact that CERT always seemed to do a decent job makes this even more interesting. The biggest criticisms voiced about CERT were that they acted too slowly and didn't provide enough detailed information about problems (other than to acknowledge the general nature of it). How will the government do better in these areas?
My guess is that the answer to the latter question is 'not much', and that we'll start hearing the same complaints about the Dept. of Homeland Security soon...
This is actually quite encouraging. Having an organization that deals with the painful process of contacting each vendor and major user of a program with a newly discovered vulnerability is a major improvement. They also seem to have the law behind them (is this true?), so we finally have someone that can force people to fix security holes. I don't quite like the homeland-security big-brother model, but it worked nicely in this case and got the job done, something pretty hard in the Internet jungle.
Are they saying that this worked perfectly? If so, what about the next exploit? What if Joe Nobody finds a hole, and makes it public before the DHS gets with the makers of the software? What about the businesses in the private sector that fail to patch their systems? Wasn't the fix for SQL Slammer out for months? I'm sure this is a step in the right direction, but really, what happens next time?
Sometimes I doubt your commitment to Sparkle Motion.
Sendmail is a very flexible mail package...too flexible for most people.
Its power and configuration settings make it a good choice for admins who have taken the time to read up on it. However, more often than not we find that there are a lot of lazy admins out there who just get it "up and running" and don't care to understand the security issues with the server. I used sendmail for years in the past, but now use postfix. There are a slew of other mail programs out there that can be configured without having to use m4 rules, understand sendmail's rewrite methods, etc. I would suggest that if you must have a mail server up, but don't want to take the time to learn sendmail, PLEASE, use something else. I realize this is a little off-topic but it's not too much. It all boils down to securing the net. That takes more than a few bug fixes (and YES you must apply all of them) and a good admin to configure the server/services.
Speaking of the Dept. of Homeland Security, here's a link to an article with some suggestions to Tom Ridge on how to improve his department, so that it actually keeps the citizenry well-informed and aware of possible terrorist threats and how to handle them (as opposed to keeping them scared and in an information blackout).
Bush Lies Watch
We all got notified to patch our systems immediately.
Everyone is working together to get all the systems running sendmail patched.
While this doesn't seem like a big deal in the corporate world, in the government world, all red tape has been removed and we can make changes to critical systems INSTANTLY.
FIX FIRST, meet later. It's an entirely different attitude, and it allows me to do my job more efficiently. It works.
The reason I ask is because this type of co-operation between public defense organisations and the private sector is likely to become much more important as we come to rely more on these technologies, OR if we ever see any kind of cyber-terrorism. Ideally there would be a single point through which relevant information flows - as hinted at in the article, any leaks could be a problem.
Do these agencies have a reputation for hiring good security people?
Vacancy for signature. Apply within.
Wouldn't it be best to issue a statement like "sendmail has an exploitable vulnerability, we recommend that you switch to your standby alternate mail system until we release a fix"? There is no way that blackhats would figure out where to look from a statement like that, and those of us with really good security could switch to our exim-based solution if we really feared to be hacked. Basically, do we trust the homeland security dept to determine our security policy?
That being said, good to see a well coordinated patch release. I just wish the paranoids would get advance warning.
Stop the brainwash
Is the U.S. Department of Homeland Security also going to try and take care of software developed internationally?
For example, it seems that a lot of OpenSSH development is done in Canada and Germany. And the server is run out of Canada.
The OpenSSL team looks primarily international too (UK, Germany, Sweden, New Zealand). Their server is managed by Brits and Swedes.
Actually... I think you'll find that a lot of crypto software is based outside the US. Probably due to constraints placed on crypto development in the last decade.
Windows always has been and always will be a security risk.
Superior alternatives exist... so why is anyone still using Windows???
--
Sure Joe runs sendmail, and sendmail is insecure. But does Joe's server get attacked frequently? Chances are it probably doesn't. If it does, Joe may be looking into alternatives, or Joe may have found one already.
Joe doesn't have the time to fix every potential threat. Joe probably installs patches and updates as frequently as possible, maybe even on a schedule. Joe does his best to keep sendmail from being a problem, and at the same time Joe tries not to waste time.
If Joe were working for a huge company that depended heavily on its e-mail, Joe would probably spend more time on sendmail. But odds are Joe doesn't, and Joe is doing the best he can.
That what was all this school was for... to teach us how to solve our own problems. -- janeowit
The article says:
...
A critical flaw in Sendmail, the Internet's most popular e-mail server,
But I've been reading all these claims that Outlook handles 99% of all email.
Which of these claims is a lie?
(Is it possible that they're both lies?)
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
I liked the handling of ssh's problems last year much better. "Heads up, there's a problem in these versions. We'll let you know exactly what after we get the patch out." It's not enough to give a hacker a reasonable foot up, but it gets the service off the network should anyone already be quietly taking advantage of the weakness.
Quote:
"Working with the private sector, we alerted key owners of the vulnerable software and got them talking," said David Wray, spokesman for the IAIP Directorate. "We think this is a great example of how this should, and does, work."
The Department of Homeland Security got high marks from the security community for giving companies the necessary time to create the patch and for synchronizing its release.
"This is the model for what you do if you want to find a vulnerability," said Alan Paller, director of research for the SysAdmin, Audit, Network and Security (SANS) Institute.
Once again, ISS have let the community down. Instead of informing the vendors, or CERT, or even just posting to Bugtraq, they informed the USG first. As a result .mil sites had the patch four days before anyone else (so far as we know) was even aware that there was an issue. [Although they claim that they checked their private "sensor" networks, somehow I doubt they have better coverage than e.g. DShield.org.] This is unacceptable behaviour for an info-sec company that wants to be a responsible member of the community, and of course is just the latest in a list of behaviour that I at least consider unethical. I work for an ISS reseller outside the USA, and I will be exercising my influence internally to push for replacing the ISS products either with Free alternatives, or proprietary products from companies with a better grasp of their responsibilities. BTW we have several very big global clients.
It sounds cool to have the US govt leaning on vendors to write patches, but I have a feeling that if this becomes the norm, vendors will just push DHS for longer and longer lead times. The article indicates this particular bug was known since January. Two months is a pretty long time to wait for patches!
And this is just DHS's "first test" - I imagine after they build up a cozy relationship with the major security-problem vendors (i.e. Microsoft), they might not even disclose any known flaws until patches come out (i.e. months to "never").
Remember that government officials will probably listen a lot more attentively to "captains of industry" (i.e. MS) than "those unwashed hippy hackers" (i.e. the open-source community).
Does anybody else find it disturbing that "good security" is being equated with "keeping exploits quiet"?
It's precisely the threat of publicity that pressures vendors into patching their compromised software quickly. If that threat is relieved, by Official KeepYerDamnMouthShut Orders from a government body, those same vendors may start to think "Phew, now we can wait for the next upgrade".
This is Not a Good Thing.
So what happens when a Finnish hacker finds a vuln in MS IE...should they tell a foreign government first? What about a French hacker? Or an Iraqi hacker? These problems now transcend national government interests.
--
This sig is inoffensive.
I think it's interesting that the government is getting credit for working with the private sector in releasing information. Part of the point of open sourced software is so that bugs can be found and patched quickly. The CERT email I got yesterday afternoon had MANY patch sources listed by vendor (RedHat, Apple, Sendmail etc) and was timely. I don't believe that the pat on the back goes to Uncle Sam in this situation, but rather the folks at Sendmail who worked to resolve this issue in a timely and organized fashion. They released the information to those who needed to know (including the DHS) and worked on a solution to get this stuff out to the public.
To quote Eric Raymond, "Given enough eyeballs, all bugs are shallow"
Kudos to Sendmail for getting this taken care of.
AF-Design, web development.
...Why is anyone still reading this one? ;)
In the future, the Department of Homeland Security will be the U.S. agency that will manage any response to major cyberthreats.
I hope these guys have Microsoft's number on speed dial...
Run with Scissors!
I'm curious to know whether the NIPC notified non-commercial interests such as the Debian organization? Also, did they notify any non-US-based distributions such as Suse?
It is not clear to me that the NIPC is anything more than a bureaucratic clearing house and censor. I suspect that the security community that is referred to as giving high marks includes only the commercial side of the industry. I'll bet that Mr. Lemos could get a meatier article out of investigating some of these questions.
If the parties involved are actively seeking to fix the problem, in a timely manner, I see no harm in not shouting from the mountain top what the problem is.
I think it reflects well on discoverers of vulnerabilities if they notify the software maintainers first by backchannel means and describe the vulnerability with enough precision for the authors to be able to fix the problem in a timely manner. DoVs should get extra credit if they submit an actual patch that fixes the vulnerability (does not apply to proprietary binary products, clearly).
But the vulnerability is a ticking time bomb out there for users in the real world. The white hat DoV may have discovered the vulnerability after 3 black hats who are shoving it into their latest malware.
The discoverer of the vulnerability and the maintainers of the software are jointly responsible for doing everything in their power to expedite their work, to notify users of the vulnerability, and to provide a patch for them.
Finally, all software users have the responsibility to keep apprised of the latest security alerts and patches for vulnerabilities and to apply them.
If any of the 3 parties: discoverer, software maintainers, software users fall short on any of these responsibilities, then all users will suffer.
As a user, I must rely upon the goodwill of the DoVs and the maintainers.
"Provided by the management for your protection."
The one thing I didn't like about this article was the idea that this kind of process should be followed by everyone. This is what I saw as the process:
Here's the flaw(s) in this process:
I guess the biggest thing that I don't like about this is the idea that this model will support the Closed Source software model because of the arguments of:
How exactly is this helping? Control the information flow? How is it then, that links to, and a discussion of, the flaw and possible exploits were publicly available six hours ago on this very website? I wouldn't exactly call a discussion thread on one of the world's largest weblogs "controlling the flow of information."
This is about the level of competency I've come to expect from Large Government Entities.
It would be interesting to see the timeline on this... Did it take this long for the patch to be created, or did it get left on someone's desk for periods of time before someone spent an hour making the patch?
MG
Randomly distributing Karma whenever possible.
Thanks for the link. You know, I don't think 2 months is exorbitant in this case. As your article states below,
"Because there are so many different flavors of Sendmail, twenty software vendors had to develop a variety of patches for the flaw..."
So, they had to patch a ton of different versions, and you don't necessarily want them issuing a shitty patch. So if you blame anyone, blame those sendmail monkeys for the delay. ;) Given the nature of the coordination effort, I think they did quite well.
-Looking for a job as a materials chemist or multivariat
to make sure the DoHS hasn't gotten Sendmail Inc. to insert any "additional [homeland] security patches" into the build?
--CERT has been running this "survey" about "internal threats" that companies might have observed between two specific dates. Not from such and such a date until the survey is taken by any respondents, but between two exact dates. I looked, maybe I missed it, but I haven't seen a reason for picking the end date. I can speculate why that might be, but I'll let someone else do that.
/rant
begin more generic rant
Don't know about anyone else, but with Patriot Act 2 coming into law soon, where the government can just call someone a "terrorist" on their say-so, and with the definition just vague enough to apply to just about anyone, it appears, and that means they are now not under any civil protection or rights, I am wondering if they are starting to set up even more infrastructure to add to "the lists".
Anyone who doesn't take the "lists" seriously is someday gonna be waving bye bye from the back of a truck heading... someplace.
When I was growing up, the stuff the US government is doing right now was something we were taught only "bad" places like East Germany did. And those bad places had a complete blend of bureaucracy, large corporations, and then the military and police. Everyone snitched on each other. The government had all the rights, you had none; even if some word drivel was printed on paper someplace, the government ignored it. That's exactly what those bad places were.
We were taught that was definitely "wrong".
Now it's "patriotic".
Yes, we have a need for some sort of law enforcement effort on the net, and it's there and quite frankly it's more than enough to function, the net is part of society, but what we are seeing now goes WAY beyond it. And now all these other weird things? Model toy rocket permits now but leave the border just wide open, millions of illegals a year free to just walk across? Huh? They are going to regulate or ban model airplanes, while they have been spraying HUGE amounts of weird crap over America for several years now and outright lying about it? Huh?? We have a MAJOR goon-run CIA front company called "Wackenhut Security" running private prisons, running for-profit manufacturing efforts using prisoners, running some mental institutions, and now RUNNING ROADBLOCKS on the public highway? This just broke a few days ago, private security org manning roadblocks. Just THINK on this one. We have "secret" Total Informational Awareness efforts codified into law? Is there something about the word "total" that isn't understood? Forced collection of DNA samples at roadblocks? Taking hair and blood samples and you aren't going to be able to say NO? Collation of all purchase records? High level officials who just blatantly WARN YOU that if you are NOT 100% behind their efforts that YOU ARE A TERRORIST? And now they are taking over these internet efforts when it comes to security, telling people what they can and can't do, and this "they" guy will tell you when an exploit gets noted and "official" patches released? Huh? What's to stop them from eventually making little cute distinctions between what they release and what they don't, suppose "they" decide they would like a little pre-patch hacking so they can get into machines THEMSELVES. Maybe they JUST DID THAT, hmmm?
sweet deal for them.
I am against non-disclosure of exploits in a timely manner. Waiting months is not timely. Anyone writing code now can review it before release. Anyone NOT knowing about "security" in general needs to stop and step back away from the keyboard and stop writing code until they "get it" on security, because GUARANTEED if this constant release of buggy code continues, and if people who maintain what are historical examples of just dismal exploitable code that should just be chucked out as lame don't voluntarily just admit it's buggy and pull it off the distribution mirrors, this government will start regulating all releases themselves, after a "review". They don't do it now, but they sure as heck could make it a law tomorrow. In my opinion, it's better to be able to not give them any more excuses. If that's what everyone wants, because known sloppy stuff keeps being used and released, this is what's going to happen. You are going to see licenses, you are going to see full governmental review of code, probably fees attached, stuff like that, I tell you, the internet is going to turn into an electronic "highway" whoops they call it that, so that means that this highway is going to be full of smokey the bears and roadblocks and regulations. And I am NOT kidding on that. We saw them just hijacking sites last week. I can see them starting to do that on a much larger scale. And if sites get hosted overseas, you know what, government will have no problems dealing with that, if anyone cares to notice, they have no problems going over stomping on other nations, they can control some wires if they choose to. Host at home, you are going to outfox them? Not when they can just call up your ISP and have you dropped, then they send over some goons to pick you up once you are on the "suspicious" list. And they'll do some of these efforts from major backbones or routers if they have to, I am not so convinced that Carnivore and such-like efforts only have the capability to just sniff.
Which part of "outside the USA" did you miss? That's EXACTLY what he is telling you. This does not serve US interests. Crypto development has already been pushed outside the country. This sort of behavior could push most security work outside as well. The rest of the world isn't going to run their networks three-sheets-to-the-wind just so Tom Ridge can get his warm fuzzies.
Nobody outside the US is going to place their security below that of the US. Yet everybody, US included, runs the same software. This means something has to give and if the issue is forced then yet another chunk of the industry leaves the country. How is this good?
It's already started. Many developers won't visit the US because they discuss vulnerabilities "that could circumvent a copyright protection". Hello! They have to do that to fix problems. Pentagon-style paranoia could be much worse than the DMCA. This industry is hurting as it is. We don't need more government-imposed problems.
The problem is that just because I (an innocent user of the product) don't know about the vulnerability doesn't mean that the evil crackers don't know about it. Sure, a public announcement increases the number of crackers who know about it, but also gives me enough information to react. There is a security hole in sendmail, but no patch yet? Well, without real information, I can't confirm if my particular installation is at risk. Once I know about it, I can take reactive steps. With enough information I could try to patch the vulnerability myself. With enough information I could try to limit my risk (say, changing my sendmail configuration to limit what an attacker can get, or adding a wrapper to detect the attack and terminate the connection). With enough information I reasonably weigh the options of disabling sendmail for security reasons versus keeping it up for my users.
With no information, I'll just keep ignorantly running the vulnerable version, possibly getting attacked by crackers who already knew about it. With a little information, I don't have enough information to decide if I'm really at risk and to weigh my possible solutions.
Umm... they did in fact have everything to do with this.

The Homeland department contracted out the NCIP coordination to ISS, allowing them to hire programmers to do code review. As part of the NCIP review, this bug was found, and kept quiet for over a month while the government and industry got first crack at updates and patches.

OK, it wasn't a government employee who found the bug, but it was a private contractor doing work for the government. (You don't really expect Republicans to hire gov't workers when they can just contract out to industry, do you?)

And by the way, it wasn't Ridge that started this whole process. The Critical Infrastructure protection process started under Clinton. After 9/11, it all got moved under Homeland to coordinate with other agencies. (E.g., the Department of Defense has known about this bug in Iraqi mail servers since last year....) Now THAT'S coordination.
Please get a clue before your next post.
All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
Gates' Law: Every 18 months, the speed of software halves.