Tech Firms, Government Get Friendly Over Sendmail
Brian Krebs, Washington Post 2003-03-05

The U.S. government and the technology industry have passed an important test of whether they can work together to protect the nation's online infrastructure from hackers and other enemies, computer security experts said.

The test in this case involved a private information security services and software firm that collaborated with the Department of Homeland Security over a period of weeks to alert government agencies and the private sector to a serious flaw in a widely used e-mail software product.

The joint effort, revealed for the first time this week, may indicate a thaw in what has traditionally been an icy relationship between government and business in the area of cybersecurity. It also provides a textbook illustration of the public-private partnership called for in the White House's recently released National Strategy to Secure Cyberspace, said one government official.

"This is exactly the level of cooperation we've been striving for," said David Wray, a spokesman for the Homeland Security Department's Information Analysis and Infrastructure Protection division. "It clearly gives us something strong to build upon."

The public-private cybersecurity operation got its start in January, when Atlanta-based Internet Security Systems Inc. discovered that Sendmail, the mail transfer agent that routes e-mail for many of the world's Fortune 500 companies, had a serious flaw that could cause wide-scale havoc if exploited. By conservative estimates, Sendmail handles at least half of the world's e-mail traffic.

"When we saw the sheer market share that [the hole] would impact, we knew we needed to figure out a way to tackle this on a broader scale," said Pete Allor, manager of ISS's X-Force Threat Intelligence Services.

According to ISS and other security firms, the vulnerability is a buffer overflow in the Sendmail code that checks addresses in e-mail headers. An attacker who sends more data than that code expects overruns the buffer, which at minimum crashes the program. Because the overrun corrupts the running process's memory, the attacker can go further and execute code with the privileges of the Sendmail server, and from there read or destroy private files on the machine or use it to attack other computer systems.

The flaw is particularly dangerous because the hacker could exploit the hole with a specially formed e-mail that goes unnoticed by firewalls, virus scanners and intrusion detection systems, Allor said.
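The article does not identify the routine involved, so the following is an added illustration of the flaw class it describes, not Sendmail's own code: a header parser that copies the address between `<` and `>` of a `From:` line into a fixed-size buffer. The unbounded version writes past the buffer when a crafted header carries an oversized address, which is what turns a malformed message into a crash or code execution; the bounded version measures first and refuses the header. The buffer size `ADDR_MAX`, the function names and the sample headers are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define ADDR_MAX 64   /* assumed fixed buffer size; chosen for the illustration */

/* Vulnerable pattern (not Sendmail's code): the copy stops only at '>' or the
 * end of the string, never at the end of dst. A bracketed address longer than
 * the destination overwrites whatever sits after the buffer in memory.
 * main() below calls it with benign input only. */
static void copy_addr_unbounded(const char *hdr, char *dst)
{
    const char *p = strchr(hdr, '<');
    if (p == NULL) {
        dst[0] = '\0';
        return;
    }
    for (p++; *p != '\0' && *p != '>'; p++)
        *dst++ = *p;
    *dst = '\0';
}

/* Hardened form: measure the address first and refuse one that would not fit
 * with its terminator. Refusing beats silent truncation, since a truncated
 * address may still be delivered somewhere the sender did not intend.
 * Returns 0 on success, -1 when the header has no address or it is too long. */
static int copy_addr_bounded(const char *hdr, char *dst, size_t dstsz)
{
    const char *p, *q;
    size_t n;

    if (dstsz == 0)
        return -1;
    dst[0] = '\0';
    p = strchr(hdr, '<');
    if (p == NULL)
        return -1;
    p++;
    q = strchr(p, '>');
    n = (q != NULL) ? (size_t)(q - p) : strlen(p);
    if (n >= dstsz)
        return -1;
    memcpy(dst, p, n);
    dst[n] = '\0';
    return 0;
}

/* Number of bytes the unbounded copy would write before its terminator,
 * so a test can reason about the overrun without performing it. */
static size_t bracketed_len(const char *hdr)
{
    const char *p = strchr(hdr, '<');
    const char *q;
    if (p == NULL)
        return 0;
    p++;
    q = strchr(p, '>');
    return (q != NULL) ? (size_t)(q - p) : strlen(p);
}

/* Constructed hostile header "From: x <AAAA...A>" with an address of addr_len
 * bytes; a test generator, not a real message. Returns 0 on success. */
static int make_hostile_header(char *buf, size_t bufsz, size_t addr_len)
{
    const char *prefix = "From: x <";
    size_t plen = strlen(prefix);
    if (plen + addr_len + 2 > bufsz)   /* room for '>' and NUL */
        return -1;
    memcpy(buf, prefix, plen);
    memset(buf + plen, 'A', addr_len);
    buf[plen + addr_len] = '>';
    buf[plen + addr_len + 1] = '\0';
    return 0;
}

/* 1 if the bounded parser accepts hdr and yields exactly expected, else 0. */
static int bounded_parse_equals(const char *hdr, const char *expected)
{
    char out[ADDR_MAX];
    return copy_addr_bounded(hdr, out, sizeof out) == 0 && strcmp(out, expected) == 0;
}

/* 1 if the bounded parser rejects a hostile header with an addr_len-byte
 * address, 0 if it accepts it, -1 if the header could not be built. */
static int hostile_rejected(size_t addr_len)
{
    char hdr[512], out[ADDR_MAX];
    if (make_hostile_header(hdr, sizeof hdr, addr_len) != 0)
        return -1;
    return copy_addr_bounded(hdr, out, sizeof out) == -1;
}

int main(void)
{
    const char *benign = "From: Alice <alice@example.com>";   /* constructed */
    char hostile[512], out[ADDR_MAX];

    copy_addr_unbounded(benign, out);
    printf("unbounded copy, benign header: %s\n", out);

    make_hostile_header(hostile, sizeof hostile, 300);
    printf("hostile address is %zu bytes; buffer holds %d, so the unbounded copy "
           "would write %zu bytes past it\n",
           bracketed_len(hostile), ADDR_MAX, bracketed_len(hostile) - (ADDR_MAX - 1));
    printf("bounded copy of hostile header returns %d (rejected)\n",
           copy_addr_bounded(hostile, out, sizeof out));
    return 0;
}
```

The point a filter cannot see is visible here: the hostile header is plain, well-formed SMTP text, so only the parser's own bounds check stands between a message and the process's memory. The bounded version fails closed at exactly `ADDR_MAX - 1` characters, the largest address that fits with its terminator.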

ISS alerted officials at the Department of Homeland Security, which contacted more than 20 software vendors that bundle Sendmail in their products, including Hewlett-Packard, IBM and Sun Microsystems. The Homeland Security Department and ISS also fixed vulnerable national security and military systems at the Department of Defense, and called a meeting of all federal chief information officers to ensure the agencies had adequate staff on hand to patch their systems.

All of it was done under strict non-disclosure agreements that -- to everyone's surprise -- managed to keep things under wraps until the announcement late Monday.

"Frankly, I thought by the end of this process we had so many people who knew about it that it didn't have a prayer of staying secret, and I am deeply impressed," said Eric Allman, who wrote the original Sendmail program and now serves as chief technology officer for Emeryville, Calif.-based Sendmail Inc.

The cooperation marked a notable departure from the vicious cycle of cynicism that has become endemic between the government, software vendors and security companies, said Alan Paller, research director for the SANS Institute, a security research and education group based in Bethesda, Md.

The friendly and efficient nature of the Sendmail situation worked in spite of fundamental differences in the way the government and the private sector handle cybersecurity.

Software vendors and security companies are reluctant to share vulnerability information with the government, fearing that it might be leaked to the public -- including hackers -- before a patch is developed to fix the problem. The government prefers to take a coordinating role in sharing information privately among businesses, hoping that communal knowledge will result in a stronger defense.

They also vie over the ability to control the timing and spin of high-profile vulnerability alerts. Software makers worry about disruptive FBI investigations and the potential backlash from press reports about shoddy security. Internet security firms that scour thousands of software and hardware products for major flaws usually just don't want anyone else to spoil their thunder, Paller said.

Despite the public-private cooperation and the government consolidation of cybersecurity responsibilities, Paller and other security experts warned that the toughest job lies ahead because companies must take steps to patch their systems, or else hackers will quickly seize opportunities to exploit the Sendmail hole.

In January, companies around the world were stunned by the Slammer worm, a fast-moving, self-propagating worm that exploited a hole in Microsoft's SQL Server database software and infected more than 75,000 hosts in about ten minutes. Microsoft had had a patch for that hole available online for six months, but few of the people running vulnerable servers had bothered to apply it.

© 2003 TechNews.com
