Business & Finance
05:05 PM
Core System Testing: How to Achieve Success
Oct 06, 2016
Property and Casualty Insurers have been investing in modernizing their core systems to provide fl ...Read More>>

DHS Spews Forth Spam In IT Snafu

A 'reply all' error in a Department of Homeland Security anti-terrorism bulletin had security professionals flooding in-boxes with jokes and personal information.

The Department of Homeland Security (DHS) said the glitch that turned an e-mail list into an out-of-control social networking experience Wednesday has been fixed.

The New York Times reported Thursday that a North Carolina businessman was responding to a daily anti-terrorism bulletin Wednesday when he accidentally set off a confluence of events that the newspaper said eventually flooded government, corporate, and personal e-mail boxes with 2.2 million messages.

The DHS, which sends out the bulletin, had misconfigured it so the businessman's reply message was swept out to the 7,500 security professionals and organizations on the list, according to Laura Keehner, a spokeswoman for the agency. Once others on the list saw what was happening, a virtual free-for-all started, with people like Army sergeants and business executives jumping into the fray to take advantage of the instant link-up.

"The issue is that the reply generated messages to the 7,500 addresses on the server list, which was followed by the spam," said Keehner in an interview with InformationWeek. "It was bad judgment for people to keep replying. It was a mix of federal, state, local, and industry leaders."

Keehner said they sent out an e-mail message asking people to stop e-mailing each other immediately. The New York Times reported that Department of Defense did the same thing. The requests met a lot of deaf ears, but the DHS notified the contractor who is in charge of the e-mail list and had it shut down.

But Wednesday night or Thursday morning, a new list was generated and this time all the addresses were bcc'ed, or hidden, according to Keehner.

"I don't know why it wasn't that way in the first place," she added. "It was just human error. I don't know. It has since been changed... No government secrets were leaked. No personal information was given out."

She did concede, however, that the e-mail addresses were disclosed for all of the people, who are mainly security professionals, on that list.

Marcus Sachs, director of the SANS Internet Storm Center, wrote in a blog that this was a good lesson for anyone maintaining a broadcast mailing list.

"It's not clear why a single e-mail got reflected today and not in the many previous months this service has been available," he wrote. "Quite likely, an e-mail administrator either clicked a box last night, rebuilt the system, migrated it to a new server, or did something that un-set a setting designed to prevent this type of event... Many of the posts were humorous, some offered jobs, at least one was a "vote for me" political advertisement, and many more offered their names and contact information in case somebody was looking to connect with their sector or region. Most definitely do not have the Jack Bauer (character from the series "24") mentality of total seriousness and no-joking attitude."

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
Register for InformationWeek Newsletters
White Papers
Current Issue
Top IT Trends to Watch in Financial Services
IT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.