US Homeland Security e-mail gaffe exposes secrets

A technical contractor may have started a chain of events that led to security professionals divulging classified information

A contractor for the US Department of Homeland Security has initiated "a mini denial of service" against thousands of security professionals, according to Marcus H Sachs, the director of the SANS Internet Storm Center, a community that monitors global security threats.

A technical slip-up by a government contractor saw many US security professionals clogging up each other's e-mail inboxes, said Sachs.

On Wednesday morning the Department of Homeland Security (DHS) sent its daily Open Source Intelligence Report to "a subscription list of hundreds, perhaps thousands of recipients", wrote Sachs in a blog post. A reader replied to the list address with a request for a change, and his e-mail was re-sent to all of the list subscribers.

"In the next hour or so, dozens of readers have replied, creating a mini-DDoS of sorts to the subscriber's inboxes," wrote Sachs.

Almost half of the e-mails were either pleas to stop sending more e-mails, or people demanding to be unsubscribed, despite the fact that unsubscribe instructions are at the bottom of the DHS daily reports, wrote Sachs.

Subscribers to the mailing list included anti-terrorism professionals and military defence personnel.

"This is your combating terrorism office for DoD asking you to kindly stop now please. We actually have work to do," wrote Michael Kinder of the US Department of Defence Technical Support Working Group, according to a blog post on Wired.com.

Many of the posts were humorous, some offered jobs, at least one was a political advertisement, and many more offered their names and contact information in case somebody was looking to connect with their sector or region, according to Sachs.

However, the e-mail administration mistake had more serious security implications: it also "revealed a nice cross-section of who subscribes to DHS daily publications and consider themselves part of the defensive security community", according to Sachs.

Some of the respondents revealed their e-mail addresses, and also left their e-mail signatures with names, job titles and classified contact details in their response e-mails.

After a reply was sent to everyone on the mailing list from an employee of the Ministry of Defence of Iran, one of the mailing list recipients wrote: "Folks, wise up. This is an open report that anyone with an e-mail address can subscribe to. Although some of your responses have been humorous, to say the least, you are opening doors to people that you do not want to."

SANS said the incident was "quite likely" to have been caused by an e-mail administrator who "either clicked a box last night, rebuilt the system, migrated it to a new server, or did something that un-set a setting designed to prevent this type of event".