Ref2: Email snafu from DHS mailing list shows security vulnerabilities

NY Times

October 4, 2007
Security Bulletin Problem Creates Message Flood

WASHINGTON, Oct. 3 — It started off early Wednesday as an innocuous request from a North Carolina businessman to the Homeland Security Department. He was responding to a daily antiterrorism bulletin by asking that it be sent to another e-mail address.

But by afternoon, a programming flaw involving the “reply” function transformed that e-mail message into a flood of more than 2.2 million messages nationwide that clogged the e-mail accounts of government and private experts on domestic security, including the operators of an Illinois nuclear power station.

Along the way, dozens of the recipients including federal employees, security officers and local officials exchanged lighthearted remarks about random topics like astrological signs and wine preferences.

“It’s good here in D.C.,” Bill Miller wrote from the Office of Emergency Programs in the Treasury Department. “Just a bit muggy!”

Such accidental mass e-mail exchanges often occur in the corporate world. But because this occurred in a network of government and private officials dedicated to preventing and responding to terrorist attacks, it generated disbelief and even anger.

“Urgent Request From D.O.D.” read the subject line of a Defense Department message sent at 10:42 a.m. “This is your Combating Terrorism Office for D.O.D. asking you to kindly stop now please.”

Minutes earlier, an official of the Homeland Security Department had made a similar request.

But the messages accelerated, continuing into the evening.

John Polhemus, the plant security director at the Lanxess Corporation in Pittsburgh, said: “This has gone from an amazing pain in the neck to fifth grade. But that was my favorite grade.”

A spokesman for the Homeland Security Department, Russ Knocke, said an error in the e-mail setup for the unclassified bulletin, the Daily Open Source Infrastructure Report, had led to the barrage.

“Human error,” Mr. Knocke said, promising that it would be repaired by Thursday. “Very frustrating.”

The report is a summary, largely based on news reports, on domestic security, like a report Wednesday on an Ethiopian who told an AirTran employee at Logan International Airport in Boston that he had explosives and was a member of Al Qaeda.

Anytime anyone simply clicked on “reply” to the e-mail message that delivered the report, the new message was sent back to the department and then to all 7,500 list subscribers, resulting in the more than 2.2 million messages.

“I’m a Sagittarius from N.Y.,” Sgt. First Class Michael L. Bass wrote from the Army Reserve Regional Readiness Command in Devens, Mass. “My only fault is that I am partial to V.O. on the rocks as I cut into my rare porterhouse!”

The accident raised questions among cybersecurity experts about how well prepared the Homeland Security Department is to defend against a cyberattack because it had trouble dealing with this computer problem.

“It is a very simple fix,” said Marcus H. Sachs, a volunteer computer security expert at the SANS Internet Storm Center. “Do they not have anybody there that understands how to fix it?”

The SANS organization monitors Internet spam attacks, and Mr. Sachs posted a notice for it about the problem.

Copyright 2007 The New York Times Company
