When your team fumbles the opening kickoff its tough to be psyched about the game. Thats what our security team—the new National Cyber Alert System—did last week.
You may recall that, with MyDoom.A at its peak, the Department of Homeland Security announced a new security alert system. The system includes four security notification services, including Technical Alerts, which appears to provide more technical information than the others. These services were partly created as part of a partnership between DHS and the CERT Coordination Center (CERT/CC) at the Carnegie Mellon University and are now part of the US-CERTs Technical Cyber Security Alerts.
I recall wondering during the press conference announcing the National Cyber Alert System exactly what would be new and valuable about the Dept. of Homeland Security taking charge of this duty? After all here are a large number of private alert services from security software companies, analyst firms and various non-governmental organizations.
My philosophy is to subscribe to a lot of these services; since if one is quicker on a particular attack than the others, Im covered. After the press conference I subscribed to all the groups new lists. After all, one would think that with DHS backing as well as new funding and lab facilities, we could expect authoritative results.
Indeed, the announcement promised "more information about more topics than before" while "we will maintain the same high quality control standards, edit content for security and privacy, and work to ensure technical accuracy as well as timeliness."
None of this was on my mind when, on February 2, I received a message with the subject line "US CERT Technical Alert TA04-028A MyDoom.B Rapidly Spreading." I glanced at the sender and found that it was the first message from the National Cyber Alert System.
Some of you may have noticed the main problem that caught my attention: "MyDoom.B Rapidly Spreading". Huh? Rapidly?
By the time I received this message it was already abundantly clear, as I reported in a column at that time, that MyDoom.B wasnt spreading anywhere. To this day I havent found an antivirus vendor that claims to have found more than a trivial amount of this worm. MessageLabs reports "about 200 cases," while Trend Micro still counts just 10.
So what was CERT/DHS talking about? Clearly they realized the mistake they made, because later versions of the alert, including the current one, dont make the claim about rapid spread of the worm. From my conversations with US-CERT officials, it sounds to me as if the group was misinformed by one of its sources.