DdC

The Department of Homeland Security (DHS) has been working in secret for more than two weeks with the private sector to fix a major Internet vulnerability that could have had disastrous consequences for millions of businesses and the U.S. military.

Since early December, the DHS and the White House Office of Cyberspace Security have been working with Atlanta-based Internet Security Systems Inc. (ISS) to alert IT vendors and the business community about a major buffer-overflow vulnerability in the sendmail mail-transfer agent (MTA).

Sendmail is the most common MTA and handles 50% to 75% of all Internet e-mail traffic. Versions of the software, from 5.79 to 8.12.7, are vulnerable, according to an ISS alert issued publicly today.

According to sources familiar with the investigation, ISS discovered the vulnerability on Dec. 1. It contacted the homeland security officials on Dec. 5, who began alerting IT vendors that distribute sendmail, including Sun Microsystems Inc., IBM, Hewlett-Packard Co. and Silicon Graphics Inc., as well as the Sendmail Consortium, the organization that develops the open-source version of sendmail that is distributed with both free and commercial operating systems. Those vendors were told of the flaw on Jan. 13. The seriousness of the vulnerability, coupled with the fact that the hacker community wasn't yet aware of it, led the government and ISS to decide it was better to keep the news under wraps until patches could be developed.

The Sendmail Consortium is urging all users to upgrade to Sendmail 8.12.8 or apply a patch for 8.12.x or for older versions. Updates can be downloaded from ftp.sendmail.org or any of its mirrors, or from the Sendmail Consortium's Web site. The consortium said patch users should remember to check the Pretty Good Privacy signatures of any patches or releases obtained. It also suggested that users running the open-source version of sendmail check with their vendors for a patch.

Emeryville, Calif.-based Sendmail Inc., the commercial provider of the sendmail MTA, is providing a binary patch for its commercial customers that can be downloaded from its Web site at: <a href="http://www.sendmail.com" target="_blank">http ://www.sendmail.com</A>

"The Remote Sendmail Header Processing Vulnerability allows local and remote users to gain almost complete control of a vulnerable Sendmail server," according to an alert prepared today by the DHS. "Attackers gain the ability to execute privileged commands using super-user (root) access/control. This vulnerability can be exploited through a simple e-mail message containing malicious code.

"System administrators should be aware that many Sendmail servers are not typically shielded by perimeter defense applications" such as firewalls, warned the DHS alert, which hadn't yet been made publicly available as of midafternoon. "A successful attacker could install malicious code, run destructive programs and modify or delete files."

In addition, attackers could gain access to other systems through a compromised sendmail server, depending on local configurations, according to the DHS warning.

According to ISS, the sendmail remote vulnerability occurs when processing and evaluating header fields in e-mail collected during a Simple Mail Transfer Protocol transaction. Specifically, when fields are encountered that contain addresses or lists of addresses (such as the "From" field, "To" field and "CC" field), sendmail attempts to semantically evaluate whether the supplied address or list of addresses is valid. This is accomplished using the crackaddr() function, which is located in the headers.c file in the sendmail source tree.

A static buffer is used to store data that has been processed. Sendmail detects when this buffer becomes full and stops adding characters, although it continues processing. Sendmail implements several security checks to ensure that characters are parsed correctly. One such security check is flawed, making it possible for a remote attacker to send an e-mail with a specially crafted address field that triggers a buffer overflow.

"Sendmail's vulnerability offers a legitimate test [of the new DHS and its ability to work with the private sector] because sendmail handles a large amount of Internet mail traffic and is installed on at least 1.5 million Internet-connected systems," said an alert from the SANS Institute in Bethesda, Md., that was obtained by Computerworld today. "More than half of the large ISPs and Fortune 500 companies use sendmail, as do tens of thousands of other organizations. A security hole in sendmail affects a lot of people and demands their immediate attention."

Of particular concern to the White House was the potential vulnerability of the U.S. military, which is poised to begin offensive military operations in Iraq and is simultaneously facing the possibility of conflict on the Korean peninsula. As a result, early versions of available patches were distributed first to U.S. military organizations on Feb. 25 and 26, according to the SANS alert. The advance military alert was followed last Thursday and Friday with alerts to various government organizations in the U.S. and around the world, including the Information Sharing and Analysis Centers (ISAC).

"Some of the large commercial vendors developed patches very quickly. But the delayed notice to smaller sources of sendmail distributions and limited resources at those organizations meant that not all the patches would be ready by early in the week of February 23," according to the SANS analysis of the public/private response effort.

A senior-level coordination group of government and private-sector experts then decided, based on a review of cyberintelligence from various hacker discussion boards and a series of sensors deployed around the world by ISS, that it was safe to wait until all the patches were available before alerting the general business and Internet community to the vulnerability.

Beginning today at 10 a.m. EST, alerts began flowing from the Federal Computer Incident Response Center to federal agencies and from the ISACs to companies responsible for critical infrastructure. At noon EST today, ISS released its own advisory, followed by a general alert from the CERT Coordination Center at Carnegie Mellon University in Pittsburgh.

Date: Fri, 14 Mar 2003 13:10:16 -0700
From: "Victor" angelman24@sprintmai l.com
Subject: HOW Department of Homeland Security hopes to take over the Internet
campaignsforabetterw orld

Homeyland Security


Secret Bush Legislation Sent to Cheney, Hastert, Deepens Assault on Constitution

Patriot II
by Michael C. Ruppert
From The Wilderness Publications, <a href="http://www.fromthewildernes s.com" target="_blank">http ://www.fromthewildernes s.com</A>
<a href="http://www.freeswan.org/freeswan_trees/freeswan-1.5/doc/rationale.html" target="_blank">Swan : Securing the Internet against Wiretapping</a>
by FreeS/WAN project founder John Gilmore

<a href="http://www.freeswan.org" target="_blank">http ://www.freeswan.org</A>

<a href="http://www.yahooka.com/ubb/ultimatebb.php?ubb=g et_topic&f=10&t=0028 43" target="_blank">Nati onal Strategy to Secure Cyberspace</a>

<a href="http://www.yahooka.com/ubb/ultimatebb.php?ubb=g et_topic&f=10&t=0028 40" target="_blank">55 Charged in Drug Paraphernalia Sales</a>

<a href="http://www.yahooka.com/ubb/ultimatebb.php?ubb=g et_topic&f=10&t=0028 14" target="_blank">Patr iot Act II</a>

<a href="http://www.fromthewildernes s.com/free/ww3/022503_patriot_2.htm l" target="_blank">A Trial Balloon? - "Five to Ten Times Worse Than the Patriot Act"</a>

<a href="http://www.citybeat.com/2001-08-30/altheath.shtml" target="_blank">Now Owned By Monsanto</a>
"...Former President George Bush Sr. appointed Monsanto lawyer Clarence Thomas to the Supreme Court. Defense Secretary Donald Rumsfeld is a past chairman of G.D. Searle Co., now owned by Monsanto. Secretary of Agriculture Ann Venneman was on the board of directors of Calgene Pharmaceuticals, now owned by Monsanto."

SCIENTIST'S DEATH HAUNTS FAMILY
By Fredric N. Tulsky, copyright Aug 8, 2002 San Jose Mercury News
Original at: <a href="http://www.bayarea.com/mld/mercurynews" target="_blank">http ://www.bayarea.com/mld/mercurynews</A>

The death in 1953 of a government scientist, Frank Olson, in a fall from a New York hotel window, is one of the most notorious cases in CIA history.

Only in 1975 did Olson's family learn that the CIA had slipped LSD into his drink, days before his death. President Ford apologized for an experiment gone awry, and promised that the government would reveal everything about the case.

But newly obtained documents show that the Ford administration continued to conceal information about Olson -- particularly, his role in some of the CIA's most controversial research of the Cold War, on anthrax and other biological weapons.

The documents show that two of the key officials involved in the decision to withhold that information were White House aides Dick Cheney and Donald Rumsfeld, today the nation's vice president and secretary of Defense.

<a href="http://www.mkultra.com/index.html" target="_blank">MKUL TRA:CIA Mind Control</a>
Secret U.S. Court OKs Electronic Spying
<a href="http://cannabisnews.com/news/thread14788.shtml" target="_blank">http ://cannabisnews.com/news/thread14788.shtml</A>
Government Poses Greater Threat
<a href="http://cannabisnews.com/news/thread14076.shtml" target="_blank">http ://cannabisnews.com/news/thread14076.shtml</A>
Drugs, Money and The Patriot Act
<a href="http://cannabisnews.com/news/thread13861.shtml" target="_blank">http ://cannabisnews.com/news/thread13861.shtml</A>

See Also:

CCLE Fights Forced-Drugging Case
<a href="http://www.cognitiveliberty .org/DLL/sell_index.htm" target="_blank">http ://www.cognitiveliberty .org/DLL/sell_index.htm</A>
CCLE Psychedelics & Cognitive Liberty
<a href="http://www.cognitiveliberty .org/issues/psychedelics_index.h tm" target="_blank">http ://www.cognitiveliberty .org/issues/psychedelics_index.h tm</A>
CCLE "Mental Health" & Cognitive Liberty
<a href="http://www.cognitiveliberty .org/issues/mental_health_index. htm" target="_blank">http ://www.cognitiveliberty .org/issues/mental_health_index. htm</A>

<a href="http://www.onlinejournal.co m/Commentary/Chin012502/chin012502.html" target="_blank">The beautiful mind of Donald Rumsfeld ///dead link</a>

<a href="http://usgovinfo.about.com/library/weekly/aa081202a.htm?iam=sa vvy&terms=%2Brumsfel d" target="_blank">Rums feld Will Not Alter DoD Transformation</a>

More Rummy... Getting to Know Donald Rumsfeld (Monsanto, etc.)

Dump The Rumsfeld Junta

Revealing the truth about Defense Secretary Donald Rumsfeld, a classic loser from another era when he LOST the vietnam war in spite of millions of attrocities, millions of dollars and millions of lives that he despensed freely from his blockhouse of bureaucracy in the Nixon (''I am not a crook'') administration. A cornerstone of the ''Secret Government'', or as it is know in Haiti, ''the laboratory''.

Monsanto and the drug war
<a href="http://www.corpwatch.org/issues/PID.jsp?articleid=66 9" target="_blank">http ://www.corpwatch.org/issues/PID.jsp?articleid=66 9</A>
Spraying Misery
<a href="http://www.cannabisnews.com/news/thread9468.shtml" target="_blank">http ://www.cannabisnews.com/news/thread9468.shtml</A>
Monsantos
<a href="http://www.monsantos.com" target="_blank">http ://www.monsantos.com</A>
<a href="http://www.monsantosucks.co m" target="_blank">http ://www.monsantosucks.co m</A>
Partnership for a Drug-Free America? 
<a href="http://www.angelfire.com/boybands/mindfuk/war.html" target="_blank">http ://www.angelfire.com/boybands/mindfuk/war.html</A>
Terminator Seeds
<a href="http://www.rafi.com" target="_blank">http ://www.rafi.com</A>

<a href="http://www.angelfire.com/ca7/ddc/DEAth.html" target="_blank">D.E. A.th Deceptions</a>

__________________