Underground: Hacking, madness and obsession on the electronic frontier - Part 5

Part 5

New Zealand?

The NASA team were left scratching their heads. This attack was getting stranger by the minute. Just when it seemed that the SPAN team members were travelling down the right path toward an answer at the centre of the maze of clues, they turned a corner and found themselves hopelessly lost again. Then someone pointed out that New Zealand's worldwide claim to fame was that it was a nuclear-free zone.

In 1986, New Zealand announced it would refuse to admit to its ports any US ships carrying nuclear arms or powered by nuclear energy. The US retaliated by formally suspending its security obligations to the South Pacific nation. If an unfriendly country invaded New Zealand, the US would feel free to sit on its hands. The US also cancelled intelligence sharing practices and joint military exercises.

Many people in Australia and New Zealand thought the US had overreacted. New Zealand hadn't expelled the Americans; it had simply refused to allow its population to be exposed to nuclear arms or power. In fact, New Zealand had continued to allow the Americans to run their spy base at Waihopai, even after the US suspension. The country wasn't anti-US, just anti-nuclear.

And New Zealand had very good reason to be anti-nuclear. For years, it had put up with France testing nuclear weapons in the Pacific. Then in July 1985 the French blew up the Greenpeace anti-nuclear protest ship as it sat in Auckland harbour. The Rainbow Warrior was due to sail for Mururoa Atoll, the test site, when French secret agents bombed the ship, killing Greenpeace activist Fernando Pereira.

For weeks, France denied everything. When the truth came out--that President Mitterrand himself had known about the bombing plan--the French were red-faced. Heads rolled. French Defence Minister Charles Hernu was forced to resign. Admiral Pierre Lacoste, director of France's intelligence and covert action bureau, was sacked. France apologised and paid $NZ13 million compensation in exchange for New Zealand handing back the two saboteurs, who had each been sentenced to ten years' prison in Auckland.

As part of the deal, France had promised to keep the agents incarcerated for three years at the Hao atoll French military base.

Both agents walked free by May 1988 after serving less than two years.

After her return to France, one of the agents, Captain Dominique Prieur, was promoted to the rank of commandant.

Finally, McMahon thought. Something that made sense. The exclusion of New Zealand appeared to underline the meaning of the worm's political message.

When the WANK worm invaded a computer system, it had instructions to copy itself and send that copy out to other machines. It would slip through the network and when it came upon a computer attached to the network, it would poke around looking for a way in. What it really wanted was to score a computer account with privileges, but it would settle for a basic-level, user-level account.

VMS systems have accounts with varying levels of privilege. A high-privilege account holder might, for example, be able to read the electronic mail of another computer user or delete files from that user's directory. He or she might also be allowed to create new computer accounts on the system, or reactivate disabled accounts. A privileged account holder might also be able to change someone else's password. The people who ran computer systems or networks needed accounts with the highest level of privilege in order to keep the system running smoothly. The worm specifically sought out these sorts of accounts because its creator knew that was where the power lay.

The worm was smart, and it learned as it went along. As it traversed the network, it created a masterlist of commonly used account names.

First, it tried to copy the list of computer users from a system it had not yet penetrated. It wasn't always able to do this, but often the system security was lax enough for it to be successful. The worm then compared that list to the list of users on its current host. When it found a match--an account name common to both lists--the worm added that name to the masterlist it carried around inside it, making a note to try that account when breaking into a new system in future.

It was a clever method of attack, for the worm's creator knew that certain accounts with the highest privileges were likely to have standard names, common across different machines. Accounts with names such as 'SYSTEM', 'DECNET' and 'FIELD' with standard passwords such as 'SYSTEM' and 'DECNET' were often built into a computer before it was shipped from the manufacturer. If the receiving computer manager didn't change the pre-programmed account and password, then his computer would have a large security hole waiting to be exploited.

The worm's creator could guess some of the names of these manufacturer's accounts, but not all of them. By endowing the worm with an ability to learn, he gave it far more power. As the worm spread, it became more and more intelligent. As it reproduced, its offspring evolved into ever more advanced creatures, increasingly successful at breaking into new systems.

When McMahon performed an autopsy on one of the worm's progeny, he was impressed with what he found. Slicing the worm open and inspecting its entrails, he discovered an extensive collection of generic privileged accounts across the SPAN network. In fact, the worm wasn't only picking up the standard VMS privileged accounts; it had learned accounts common to NASA but not necessarily to other VMS computers. For example, a lot of NASA sites ran a type of TCP/IP mailer that needed either a POSTMASTER or a MAILER account. John saw those names turn up inside the worm's progeny.

Even if it only managed to break into an unprivileged account, the worm would use the account as an incubator. The worm replicated and then attacked other computers in the network. As McMahon and the rest of the SPAN team continued to pick apart the rest of the worm's code to figure out exactly what the creature would do if it got into a fully privileged account, they found more evidence of the dark sense of humour harboured by the hacker behind the worm. Part of the worm, a subroutine, was named 'find fucked'.

The SPAN team tried to give NASA managers calling in as much information as they could about the worm. It was the best way to help computer managers, isolated in their offices around the country, to regain a sense of control over the crisis.

Like all the SPAN team, McMahon tried to calm the callers down and walk them through a set of questions designed to determine the extent of the worm's control over their systems. First, he asked them what symptoms their systems were showing. In a crisis situation, when you're holding a hammer, everything looks like a nail. McMahon wanted to make sure that the problems on the system were in fact caused by the worm and not something else entirely.

If the only problem seemed to be mysterious comments flashing across the screen, McMahon concluded that the worm was probably harassing the staff on that computer from a neighbouring system which it had successfully invaded. The messages suggested that the recipients' accounts had not been hijacked by the worm. Yet.

VAX/VMS machines have a feature called Phone, which is useful for on-line communications. For example, a NASA scientist could 'ring up' one of his colleagues on a different computer and have a friendly chat on-line. The chat session is live, but it is conducted by typing on the computer screen, not 'voice'. The VMS Phone facility enabled the worm to send messages to users. It would simply call them using the phone protocol. But instead of starting a chat session, it sent them statements from what was later determined to be the aptly named Fortune Cookie file--a collection of 60 or so pre-programmed comments.

In some cases, where the worm was really bugging staff, McMahon told the manager at the other end of the phone to turn the computer's Phone feature off. A few managers complained and McMahon gave them the obvious ultimatum: choose Phone or peace. Most chose peace.

When McMahon finished his preliminary analysis, he had good news and bad news. The good news was that, contrary to what the worm was telling computer users all over NASA, it was not actually deleting their files. It was just pretending to delete their data. One big practical joke. To the creator of the worm anyway. To the NASA scientists, just a headache and heartache. And occasionally a heart attack.

The bad news was that, when the worm got control over a privileged account, it would help someone--presumably its creator--perpetrate an even more serious break-in at NASA. The worm sought out the FIELD account created by the manufacturer and, if it had been turned off, tried to reactivate the account and install the password FIELD. The worm was also programmed to change the password for the standard account named DECNET to a random string of at least twelve characters.

In short, the worm tried to pry open a backdoor to the system.

The worm sent information about accounts it had successfully broken into back to a type of electronic mailbox--an account called GEMPAK on SPAN node 6.59. Presumably, the hacker who created the worm would check the worm's mailbox for information which he could use to break into the NASA account at a later date. Not surprisingly, the mailboxes had been surreptitiously 'borrowed' by the hacker, much to the surprise of the legitimate owners.

A computer hacker created a whole new set of problems. Although the worm was able to break into new accounts with greater speed and reach than a single hacker, it was more predictable. Once the SPAN and DOE teams picked the worm apart, they would know exactly what it could be expected to do. However, a hacker was utterly unpredictable.

McMahon realised that killing off the worm was not going to solve the problem. All the system managers across the NASA and DOE networks would have to change all the passwords of the accounts used by the worm. They would also have to check every system the worm had invaded to see if it had built a backdoor for the hacker. The system admin had to shut and lock all the backdoors, no small feat.

What really scared the SPAN team about the worm, however, was that it was rampaging through NASA simply by using the simplest of attack strategies: username equals password. It was getting complete control over NASA computers simply by trying a password which was identical to the name of the computer user's account.
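A defender-side audit of the weaknesses the worm relied on, as described above and in the earlier passages on manufacturer accounts and the FIELD backdoor: blank passwords, username-as-password, vendor defaults (SYSTEM, DECNET, FIELD) and an enabled FIELD service account. This is an added example, not code from the book or from the SPAN team; it assumes uppercase-normalised passwords and uses PBKDF2 as a stand-in for the VMS password hash, run over a constructed account table.

```python
import hashlib
import hmac
import os

# Vendor default passwords and service accounts named on the page.
DEFAULT_PASSWORDS = {"SYSTEM", "DECNET", "FIELD"}
VENDOR_SERVICE_ACCOUNTS = {"FIELD"}


def hash_password(password, salt):
    # Assumption: passwords are uppercased before hashing (VMS-style);
    # PBKDF2-SHA256 is a modern stand-in, not VMS's own hash algorithm.
    return hashlib.pbkdf2_hmac("sha256", password.upper().encode(), salt, 10_000)


def make_entry(username, password, enabled=True):
    """Build one constructed account record (a SYSUAF-like row, not real data)."""
    salt = os.urandom(16)
    return {"user": username.upper(), "salt": salt,
            "hash": hash_password(password, salt), "enabled": enabled}


def matches(entry, candidate):
    return hmac.compare_digest(entry["hash"], hash_password(candidate, entry["salt"]))


def audit_accounts(entries):
    """Return (username, finding) pairs. Disabled accounts are still checked,
    because a privileged worm could reactivate them, as it did with FIELD."""
    findings = []
    for e in entries:
        user = e["user"]
        if matches(e, ""):
            findings.append((user, "blank password"))
        elif matches(e, user):
            findings.append((user, "password equals username"))
        else:
            for guess in sorted(DEFAULT_PASSWORDS):
                if matches(e, guess):
                    findings.append((user, f"vendor default password {guess}"))
                    break
        if user in VENDOR_SERVICE_ACCOUNTS and e["enabled"]:
            findings.append((user, "vendor service account is enabled"))
    return findings


SAMPLE_ACCOUNTS = [  # constructed sample data, not real NASA accounts
    make_entry("SYSTEM", "SYSTEM"),
    make_entry("DECNET", "Q7m!p2x-Lw9z"),
    make_entry("FIELD", "FIELD"),
    make_entry("JSMITH", "jsmith"),
    make_entry("GUEST", ""),
    make_entry("OPERATOR", "DECNET"),
    make_entry("OLDUSER", "OLDUSER", enabled=False),
]

if __name__ == "__main__":
    for user, finding in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{user}: {finding}")
```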

The SPAN team didn't want to believe it, but the evidence was overwhelming.

Todd Butler answered a call from one NASA site. It was a gloomy call.

He hung up.

'That node just got hit,' he told the team.

'How bad?' McMahon asked.

'A privileged account.'

'Oh boy.' McMahon jumped onto one of the terminals and did a SET HOST, logging into the remote NASA site's machine. Bang. Up it came. 'Your system has officially been WANKED.'

McMahon turned to Butler. 'What account did it get into?'

'They think it was SYSTEM.'

The tension quietly rolled into black humour. The team couldn't help it. The head-slapping stupidity of the situation could only be viewed as black comedy.

The NASA site had a password of SYSTEM for their fully privileged SYSTEM account. It was so unforgivable. NASA, potentially the greatest single collection of technical minds on Earth, had such lax computer security that a computer-literate teenager could have cracked it wide open. The tall poppy was being cut down to size by a computer program resembling a bowl of spaghetti.

The first thing any computer system manager learns in Computer Security 101 is never to use the same password as the username. It was bad enough that naive users might fall into this trap ... but a computer system manager with a fully privileged account.

Was the hacker behind the worm malevolent? Probably not. If its creator had wanted to, he could have programmed the WANK worm to obliterate NASA's files. It could have razed everything in sight.

In fact, the worm was less infectious than its author appeared to desire. The WANK worm had been instructed to perform several tasks which it didn't execute. Important parts of the worm simply didn't work. McMahon believed this failure to be accidental.

For example, his analysis showed the worm was programmed to break into accounts by trying no password, if the account holder had left the password blank. When he disassembled the worm, however, he found that part of the program didn't work properly.

Nonetheless, the fragmented and partly dysfunctional WANK worm was causing a major crisis inside several US government agencies. The thing which really worried John was thinking about what a seasoned DCL programmer with years of VMS experience could do with such a worm.

Someone like that could do a lot of malicious damage. And what if the WANK worm was just a dry run for something more serious down the track? It was scary to contemplate.

Even though the WANK worm did not seem to be intentionally evil, the SPAN team faced some tough times. McMahon's analysis turned up yet more alarming aspects to the worm. If it managed to break into the SYSTEM account, a privileged account, it would block all electronic mail deliveries to the system administrator. The SPAN office would not be able to send electronic warnings or advice on how to deal with the worm to systems which had already been seized. This problem was exacerbated by the lack of good information available to the project office on which systems were connected to SPAN. The only way to help people fighting this bushfire was to telephone them, but in many instances the main SPAN office didn't know who to call. The SPAN team could only hope that those administrators who had the phone number of SPAN headquarters pinned up near their computers would call when their computers came under attack.

McMahon's preliminary report outlined how much damage the worm could do in its own right. But it was impossible to measure how much damage human managers would do to their own systems because of the worm.

One frantic computer manager who phoned the SPAN office refused to believe John's analysis that the worm only pretended to erase data. He claimed that the worm had not only attacked his system, it had destroyed it. 'He just didn't believe us when we told him that the worm was mostly a set of practical jokes,' McMahon said. 'He reinitialised his system.' 'Reinitialised' as in started up his system with a clean slate. As in deleted everything on the infected computer--all the NASA staff's data gone. He actually did what the worm only pretended to do.

The sad irony was that the SPAN team never even got a copy of the data from the manager's system. They were never able to confirm that his machine had even been infected.

All afternoon McMahon moved back and forth between answering the ever-ringing SPAN phone and writing up NASA's analysis of the worm. He had posted a cryptic electronic message about the attack across the network, and Kevin Oberman had read it. The message had to be circumspect since no-one knew if the creator of the WANK worm was in fact on the network, watching, waiting. A short time later, McMahon and Oberman were on the phone together--voice--sharing their ideas and cross-checking their analysis.

The situation was discouraging. Even if McMahon and Oberman managed to develop a successful program to kill off the worm, the NASA SPAN team faced another daunting task. Getting the worm-killer out to all the NASA sites was going to be much harder than expected because there was no clear, updated map of the SPAN network. Much of NASA didn't like the idea of a centralised map of the SPAN system. McMahon recalled that, some time before the WANK worm attack, a manager had tried to map the system. His efforts had accidentally tripped so many system alarms that he was quietly taken aside and told not to do it again.