DHS EMail Spam Attack II

The New York Times wrote a nice little article this morning on the e-mail spamming mess. It claims that over 2.2 million emails were generated by the incident.

What will be more interesting to watch is how people who helped keep the spurious email traffic going and disclosing their personal contact information along the way to boot, will like seeing their names and email posted in the New York Times.

I would love to be a fly on the wall when some of these folks are explaining in the future to their bosses why IT security policy is important, why everyone needs to follow it, why they need more resources for improving security, etc., etc., and then being asked by their boss why they couldn't keep their own damn hands off the keyboard.

As the Times article notes:

"The accident raised questions among cybersecurity experts about how well prepared the Homeland Security Department is to defend against a cyberattack because it had trouble dealing with this computer problem."

No kidding.

I wouldn't be surprised that Congress gets interested in this little episode, given the response of both DHS and the many government security professionals (the term is debatable) who kept it going. Maybe Congress will call a few in to testify to find out what was so irresistible about keeping a spam chain letter going, and clogging up government servers. Or maybe disclosing what appeared to me to be email addresses and telephone numbers including cell phones of folks doing highly classified work. And now that this incident has been reported world wide, how valuable do you think this information is going to be, even if only for a short time?

I'll also be curious to see how the employers of those folks looking for new jobs will view it. Maybe they will help their employees find new ones.

Please, all of you who I am sure are happy to get their names and places where they work in the NY Times, let me know.


Kim Zetter's blog over at Wired has a bit more information on the person from Iran who wanted to know why he was getting so many emails. Turns out he works for the Iranian Ministry of Defense.

Another story at Information Week quoted a spokesperson at the DHS:

"It was just human error. I don't know. It [the way the distribution list was configured] has since been changed... No government secrets were leaked. No personal information was given out."

Just like good old DHS to downplay any mistakes they make, and of course, no apologies. She did admit that 7,500 email addresses of security professionals across the country were disclosed, but that apparently is not a big deal to the Department.

As I said before, sad, very.

One final comment: last year, US News & World Report reported that,"Homeland Security Secretary Michael Chertoff likes to keep his personal tech simple. "I don't use E-mail," he confides. 'You just get deluged with a lot of garbage.' "


Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Robert Charette
Spotsylvania, Va.
Willie D. Jones
New York City