In Sendmail threat, beginnings of a cyber plan

BOSTON -- The new U.S. Department of Homeland Security (DHS) received praise for the role it played in coordinating the response to the recent Sendmail vulnerability, but challenges remain as the agency defines its role in securing the nation's information technology infrastructure, according to those familiar with the Sendmail investigation.

While DHS will likely hold off on becoming involved in all but the most serious computer security issues, its response after learning of the Sendmail vulnerability may serve as a model for future incidents and will help establish the agency's place at the vanguard of the government's response to computer threats, according to a number of security industry experts.

On Monday, Internet Security Systems announced that a buffer overflow vulnerability was found in a number of versions of the open source Sendmail Mail Transfer Agent (MTA), ranging from the most recent release of that software to versions that first appeared in the late 1980s. The vulnerability could allow a remote attacker to gain "root" (superuser) access to a Sendmail server, according to ISS.

The Department of Homeland Security was informed of the problem by ISS on February 14, according to an e-mail circulated by the Systems Administration, Networking and Security (SANS) Institute.

ISS first informed the National Infrastructure Protection Center (NIPC), which recently moved from the Federal Bureau of Investigation (FBI) to the DHS, according to Dan Ingevaldson, team leader of X-Force research and development at ISS.

DHS consolidates a number of different government groups responsible for tracking and preventing computer crime. In addition to the NIPC, those groups include the Federal Computer Incident Response Center, formerly part of the General Services Administration, and the U.S. Department of Commerce's Critical Infrastructure Assurance Office.

After it was satisfied that the vulnerability reported by ISS did exist, the DHS shared information about it with other federal departments and government groups such as the Department of Defense (DoD) and the Federal CIO Council, according to Commander David Wray, spokesman for the NIPC and interim spokesman for the new Directorate for Information Analysis and Infrastructure Protection (IAIP) within the DHS.

DHS also played a key role, early on, in alerting software vendors affected by the vulnerability and encouraging those organizations to quickly develop patches, Wray said.

"It was a cooperative effort and DHS sort of led the coordination," said Wray.

The Sendmail vulnerability did not mark the first time ISS has worked with the NIPC, according to Ingevaldson.

In fact, the NIPC is a regular attendee at a daily conference call that ISS hosts to discuss emerging threat data supplied by its worldwide network of sensors.

However, the NIPC's recent inclusion in the DHS gave the organization a larger platform from which to act.