Underground by Suelette Dreyfus
- Author: Suelette Dreyfus
John McMahon’s analysis suggested there were three versions of the WANK worm. These versions, isolated from worm samples collected from the network, were very similar, but each contained a few subtle differences. In McMahon’s view, these differences could not be explained by the way the worm recreated itself at each site in order to spread. But why would the creator of the worm release different versions? Why not just write one version properly and fire it off? The worm wasn’t just one incoming missile; it was a frenzied attack. It was coming from all directions, at all sorts of different levels within NASA’s computers.
McMahon guessed that the worm’s designer had released the different versions at slightly different times. Maybe the creator released the worm, and then discovered a bug. He fiddled with the worm a bit to correct the problem and then released it again. Maybe he didn’t like the way he had fixed the bug the first time, so he changed it a little more and released it a third time.
In northern California, Kevin Oberman came to a different conclusion. He believed there was in fact only one real version of the worm spiralling through HEPNET and SPAN. The small variations in the different copies he dissected seemed to stem from the worm’s ability to learn and change as it moved from computer to computer.
McMahon and Oberman weren’t the only detectives trying to decipher the various manifestations of the worm. DEC was also examining the worm, and with good reason. The WANK worm had invaded the corporation’s own network. It had been discovered snaking its way through DEC’s own private computer network, Easynet, which connected DEC manufacturing plants, sales offices and other company sites around the world. DEC was circumspect about discussing the matter publicly, but the Easynet version of the WANK worm was definitely distinct. It had a strange line of code in it, a line missing from any other versions. The worm was under instructions to invade as many sites as it could, with one exception. Under no circumstances was it to attack computers inside DEC’s area 48. The NASA team mulled over this information. One of them looked up area 48. It was New Zealand.
New Zealand?
The NASA team were left scratching their heads. This attack was getting stranger by the minute. Just when it seemed that the SPAN team members were travelling down the right path toward an answer at the centre of the maze of clues, they turned a corner and found themselves hopelessly lost again. Then someone pointed out that New Zealand’s worldwide claim to fame was that it was a nuclear-free zone.
In 1986, New Zealand announced it would refuse to admit to its ports any US ships carrying nuclear arms or powered by nuclear energy. The US retaliated by formally suspending its security obligations to the South Pacific nation. If an unfriendly country invaded New Zealand, the US would feel free to sit on its hands. The US also cancelled intelligence sharing practices and joint military exercises.
Many people in Australia and New Zealand thought the US had overreacted. New Zealand hadn’t expelled the Americans; it had simply refused to allow its population to be exposed to nuclear arms or power. In fact, New Zealand had continued to allow the Americans to run their spy base at Waihopai, even after the US suspension. The country wasn’t anti-US, just anti-nuclear.
And New Zealand had very good reason to be anti-nuclear. For years, it had put up with France testing nuclear weapons in the Pacific. Then in July 1985 the French blew up the Greenpeace anti-nuclear protest ship as it sat in Auckland harbour. The Rainbow Warrior was due to sail for Mururoa Atoll, the test site, when French secret agents bombed the ship, killing Greenpeace activist Fernando Pereira.
For weeks, France denied everything. When the truth came out—that President Mitterrand himself had known about the bombing plan—the French were red-faced. Heads rolled. French Defence Minister Charles Hernu was forced to resign. Admiral Pierre Lacoste, director of France’s intelligence and covert action bureau, was sacked. France apologised and paid $NZ13 million compensation in exchange for New Zealand handing back the two saboteurs, who had each been sentenced to ten years’ prison in Auckland.
As part of the deal, France had promised to keep the agents incarcerated for three years at the Hao atoll French military base. Both agents walked free by May 1988 after serving less than two years. After her return to France, one of the agents, Captain Dominique Prieur, was promoted to the rank of commandant.
Finally, McMahon thought. Something that made sense. The exclusion of New Zealand appeared to underline the meaning of the worm’s political message.
When the WANK worm invaded a computer system, it had instructions to copy itself and send that copy out to other machines. It would slip through the network and when it came upon a computer attached to the network, it would poke around looking for a way in. What it really wanted was to score a computer account with privileges, but it would settle for a basic-level, user-level account.
VMS systems have accounts with varying levels of privilege. A high-privilege account holder might, for example, be able to read the electronic mail of another computer user or delete files from that user’s directory. He or she might also be allowed to create new computer accounts on the system, or reactivate disabled accounts. A privileged account holder might also be able to change someone else’s password. The people who ran computer systems or networks needed accounts with the highest level of privilege in order to keep the system running smoothly. The worm specifically sought out these sorts of accounts because its creator knew that was where the power lay.
The worm was smart, and it learned as it went along. As it traversed the network, it created a masterlist of commonly used account names. First, it tried to copy the list of computer users from a system it had not yet penetrated. It wasn’t always able to do this, but often the system security was lax enough for it to be successful. The worm then compared that list to the list of users on its current host. When it found a match—an account name common to both lists—the worm added that name to the masterlist it carried around inside it, making a note to try that account when breaking into a new system in future.
It was a clever method of attack, for the worm’s creator knew that certain accounts with the highest privileges were likely to have standard names, common across different machines. Accounts with names such as ‘SYSTEM’, ‘DECNET’ and ‘FIELD’ with standard passwords such as ‘SYSTEM’ and ‘DECNET’ were often built into a computer before it was shipped from the manufacturer. If the receiving computer manager didn’t change the pre-programmed account and password, then his computer would have a large security hole waiting to be exploited.
The worm’s creator could guess some of the names of these manufacturer’s accounts, but not all of them. By endowing the worm with an ability to learn, he gave it far more power. As the worm spread, it became more and more intelligent. As it reproduced, its offspring evolved into ever more advanced creatures, increasingly successful at breaking into new systems.
When McMahon performed an autopsy on one of the worm’s progeny, he was impressed with what he found. Slicing the worm open and inspecting its entrails, he discovered an extensive collection of generic privileged accounts across the SPAN network. In fact, the worm wasn’t only picking up the standard VMS privileged accounts; it had learned accounts common to NASA but not necessarily to other VMS computers. For example, a lot of NASA sites ran a type of TCP/IP mailer that needed either a POSTMASTER or a MAILER account. John saw those names turn up inside the worm’s progeny.
Even if it only managed to break into an unprivileged account, the worm would use the account as an incubator. The worm replicated and then attacked other computers in the network. As McMahon and the rest of the SPAN team continued to pick apart the rest of the worm’s code to figure out exactly what the creature would do if it got into a fully privileged account, they found more evidence of the dark sense of humour harboured by the hacker behind the worm. Part of the worm, a subroutine, was named ‘find fucked’.
The SPAN team tried to give NASA managers calling in as much information as they could about the worm. It was the best way to help computer managers, isolated in their offices around the country, to regain a sense of control over the crisis.
Like all the SPAN team, McMahon tried to calm the callers down and walk them through a set of questions designed to determine the extent of the worm’s control over their systems. First, he asked them what symptoms their systems were showing. In a crisis situation, when you’re holding a hammer, everything looks like a nail. McMahon wanted to make sure that the problems on the system were in fact caused by the worm and not something else entirely.
If the only problem seemed to be mysterious comments flashing across the screen, McMahon concluded that the worm was probably harassing the staff on that computer from a neighbouring system which it had successfully invaded. The messages suggested that the recipients’ accounts had not been hijacked by the worm. Yet.
VAX/VMS machines have a feature called Phone, which is useful for on-line communications. For example, a NASA scientist could ‘ring up’ one of his colleagues on a different computer and have a friendly chat on-line. The chat session is live, but it is conducted by typing on the computer screen, not ‘voice’. The VMS Phone facility enabled the worm to send messages to users. It would simply call them using the phone protocol. But instead of starting a chat session, it sent them statements from what was later determined to be the aptly named Fortune Cookie file—a collection of 60 or so pre-programmed comments.
In some cases, where the worm was really bugging staff, McMahon told the manager at the other end of the phone to turn the computer’s Phone feature off. A few managers complained and McMahon gave them the obvious ultimatum: choose Phone or peace. Most chose peace.
When McMahon finished his preliminary analysis, he had good news and bad news. The good news was that, contrary to what the worm was telling computer users all over NASA, it was not actually deleting their files. It was just pretending to delete their data. One big practical joke. To the creator of the worm anyway. To the NASA scientists, just a headache and heartache. And occasionally a heart attack.
The bad news was that, when the worm got control over a privileged account, it would help someone—presumably its creator—perpetrate an even more serious break-in at NASA. The worm sought out the FIELD account created by the manufacturer and, if it had been turned off, tried to reactivate the account and install the password FIELD. The worm was also programmed to change the password for the standard account named DECNET to a random string of at least twelve characters. In short, the worm tried to pry open a backdoor to the system.
The worm sent information about accounts it had successfully broken into back to a type of electronic mailbox—an account called GEMPAK on SPAN node 6.59. Presumably, the hacker who created the worm would check the worm’s mailbox for information which he could use