When your team fumbles the opening kickoff its tough to be psyched about the game. Thats what our security team—the new National Cyber Alert System—did last week.
You may recall that, with MyDoom.A at its peak, the Department of Homeland Security announced a new security alert system. The system includes four security notification services, including Technical Alerts, which appears to provide more technical information than the others. These services were partly created as part of a partnership between DHS and the CERT Coordination Center (CERT/CC) at the Carnegie Mellon University and are now part of the US-CERTs Technical Cyber Security Alerts.
I recall wondering during the press conference announcing the National Cyber Alert System exactly what would be new and valuable about the Dept. of Homeland Security taking charge of this duty? After all here are a large number of private alert services from security software companies, analyst firms and various non-governmental organizations.
My philosophy is to subscribe to a lot of these services; since if one is quicker on a particular attack than the others, Im covered. After the press conference I subscribed to all the groups new lists. After all, one would think that with DHS backing as well as new funding and lab facilities, we could expect authoritative results.
Indeed, the announcement promised “more information about more topics than before” while “we will maintain the same high quality control standards, edit content for security and privacy, and work to ensure technical accuracy as well as timeliness.”
None of this was on my mind when, on February 2, I received a message with the subject line “US CERT Technical Alert TA04-028A MyDoom.B Rapidly Spreading.” I glanced at the sender and found that it was the first message from the National Cyber Alert System.
Some of you may have noticed the main problem that caught my attention: “MyDoom.B Rapidly Spreading”. Huh? Rapidly?
By the time I received this message it was already abundantly clear, as I reported in a column at that time, that MyDoom.B wasnt spreading anywhere. To this day I havent found an antivirus vendor that claims to have found more than a trivial amount of this worm. MessageLabs reports “about 200 cases,” while Trend Micro still counts just 10.
So what was CERT/DHS talking about? Clearly they realized the mistake they made, because later versions of the alert, including the current one, dont make the claim about rapid spread of the worm. From my conversations with US-CERT officials, it sounds to me as if the group was misinformed by one of its sources.
Stick to the Facts,
The mistaken report reminds me a lot of when a war breaks out; inevitably there are stories in the media that turn out to be utterly untrue. In the rush of things early in battle—in this case, the shock we all felt from the magnitude of the MyDoom.A attack—theres always clamoring even for rumors. Sometimes people make bad assumptions, and mistakes are made. Although this isnt surprising, we should expect better of the Department of Homeland Security.
Ill anticipate a lot of the reaction to this column by adding that it was perfectly reasonable and appropriate for US-CERT to issue an advisory about MyDoom.B and to express caution about it. I was also very concerned about it at the time. But it wasnt too long before I heard from several reliable sources of my own that MyDoom.B had no traction at all, at least as best as anyone could determine for sure.
Given such circumstances, I would think that an appropriate alert would say something like: “given the virulence and dangerous potential of MyDoom.A, and the new, dangerous techniques employed by MyDoom.B, we are concerned about the potential for rapid spread and consequent damage.” This way theres no claim about anything that wasnt known to be true.
Now, I dont believe for a second that US-CERT simply made up the claim that it actually was spreading rapidly. But still it was a really important claim and it wasnt true.
The incident made me scrutinize the site and alerts, and I noticed that old versions of the online alerts arent available. Better systems include not just a set of dates for revisions, but an actual change log. Shouldnt a system with government involvement be at least as transparent as the private ones available?
US-CERT intends to be authoritative, and thats a good thing. True, there are lots of places you can go for this information, yet they want to be the one that everyone can rely on.
Even though I think were well-served by the variety of alert services, both for pay and free, Im rooting for US-CERT. Still, it will take a while before I get beyond this first impression. We can only hope that US-CERT addresses whatever that snafu was that caused them to stumble so badly right out of the gate.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Be sure to check out
More from Larry Seltzer