DHS' self-inflicted denial of service

I found it quite funny to read about the Department of Homeland Security's self-inflicted denial of service this week. A misconfigured mailing list resulted in over 2.2 million e-mails clogging up the inboxes of subscribers to the DHS' Open Source Intelligence Report.

It seems the mailing list had been configured so that any subscriber's message was redistributed to every other subscriber, which is exactly what a reply-to-all does. One user inadvertently hit the reply-to-all button while asking to have his e-mail address changed. His request went to every subscriber on the list and exposed their e-mail addresses in the process. Eweek reports that this caused chaos, prompting many more subscribers to reply to the entire list asking to be unsubscribed or telling people to stop. The DHS posted official requests for people to desist, but within a relatively short period the list was being bombarded with everything from job offers and political ads to local weather updates.
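To make the configuration point concrete, here is a small Python model of a list's delivery policy. It is an added illustration for this post, not software from DHS or from any list manager; the list address, owner, subscriber addresses and the three option names (members_can_post, reply_goes_to_list, expand_members_in_to) are all constructed for the example and do not correspond to a named product's settings. It runs the same three "please unsubscribe me" reply-alls against an open list and against an announce-only list and counts what each configuration delivers, holds and exposes.

```python
"""Model a mailing list's delivery policy and the reply-to-all storm it can cause.

Added example for this post; the list engine, addresses and option names are
constructed here and are not taken from DHS or from any list software.
"""
from dataclasses import dataclass, field


@dataclass
class Message:
    sender: str
    to: list            # addresses visible in the To: header
    reply_to: str       # where a reply button will send the reply


@dataclass
class ListConfig:
    address: str
    members: list
    members_can_post: bool      # True: any member's post is redistributed unmoderated
    reply_goes_to_list: bool    # True: Reply-To: is rewritten to the list address
    expand_members_in_to: bool  # True: every subscriber address is placed in To:


@dataclass
class Outcome:
    delivered: int = 0                          # copies delivered to any mailbox
    held: int = 0                               # posts held because members may not post
    exposed: set = field(default_factory=set)   # member addresses shown to other members


def send(cfg, owner, msg, out):
    """Deliver msg to each To: address; the list address fans out to all members.

    Returns the copy that members received from the list, or None if nothing
    went through the list.
    """
    fanout = None
    for addr in msg.to:
        if addr != cfg.address:
            out.delivered += 1              # ordinary direct delivery
            continue
        if msg.sender != owner and not cfg.members_can_post:
            out.held += 1                   # announce-only list: member post is held
            continue
        visible = cfg.members if cfg.expand_members_in_to else [cfg.address]
        reply_to = cfg.address if cfg.reply_goes_to_list else msg.sender
        fanout = Message(msg.sender, list(visible), reply_to)
        out.delivered += len(cfg.members)
        # Any member address placed in To: is now visible to every other member.
        out.exposed.update(a for a in visible if a in cfg.members and a != msg.sender)
    return fanout


def reply_all(member, received):
    """What the reply-to-all button builds from a received copy."""
    recipients = {received.reply_to, *received.to}
    recipients.discard(member)
    return Message(member, sorted(recipients), member)


def simulate(cfg, owner, repliers):
    """Owner posts one announcement; each replier hits reply-to-all on it."""
    out = Outcome()
    announcement = Message(owner, [cfg.address], owner)
    received = send(cfg, owner, announcement, out)
    for member in repliers:
        send(cfg, owner, reply_all(member, received), out)
    return out


# Constructed addresses for the illustration.
LIST = "report@example.org"
OWNER = "editor@example.org"
MEMBERS = [f"analyst{i}@example.net" for i in range(1, 6)]

# The weak setting: members may post, replies go to the list, To: lists everyone.
OPEN = ListConfig(LIST, MEMBERS, members_can_post=True,
                  reply_goes_to_list=True, expand_members_in_to=True)

# The corrected setting: announce-only, replies go to the poster, To: is the list.
ANNOUNCE_ONLY = ListConfig(LIST, MEMBERS, members_can_post=False,
                           reply_goes_to_list=False, expand_members_in_to=False)

if __name__ == "__main__":
    for name, cfg in (("open list", OPEN), ("announce-only list", ANNOUNCE_ONLY)):
        out = simulate(cfg, OWNER, MEMBERS[:3])
        print(f"{name}: {out.delivered} copies delivered, {out.held} held, "
              f"{len(out.exposed)} subscriber addresses exposed")
```

With five subscribers and three repliers the open list delivers 32 copies and exposes all five addresses, while the announce-only list delivers the five announcement copies plus three direct replies to the owner, holds the three attempted list posts, and exposes nothing. Scale the member count up to the 300-odd subscribers in the story and the per-reply fan-out is what turns a handful of "unsubscribe me" messages into millions of deliveries.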

Amusing as it may be, there is a more serious consequence than clogged inboxes. The e-mail addresses of more than 300 public and private sector security professionals were exposed; one SANS Internet Storm Center reader suggested that they could now become targets for zero-day attacks, which rely on undisclosed exploits precisely so that antivirus signatures will not catch them.

It's quite alarming that something like this should happen in a government organisation like the Department of Homeland Security!