|
Monday, 16 October 1989 Kennedy Space Center, Florida NASA buzzed with the excitement of a launch. Galileo was finally going to Jupiter. Administrators and scientists in the world's most prestigious space agency had spent years trying to get the unmanned probe into space. Now, on Tuesday, 17 October, if all went well, the five astronauts in the Atlantis space shuttle would blast off from the Kennedy Space Center at Cape Canaveral, Florida, with Galileo in tow. On the team's fifth orbit, as the shuttle floated 295 kilometres above the Gulf of Mexico, the crew would liberate the three-tonne space probe. An hour later, as Galileo skated safely away from the shuttle, the probe's 32500 pound booster system would fire up and NASA staff would watch this exquisite piece of human ingenuity embark on a six-year mission to the largest planet in the solar system. Galileo would take a necessarily circuitous route, flying by Venus once and Earth twice in a gravitational slingshot effort to get up enough momentum to reach Jupiter. NASA's finest minds had wrestled for years with the problem of exactly how to get the probe across the solar system. Solar power was one option. But if Jupiter was a long way from Earth, it was even further from the Sun - 778.3 million kilometres to be exact. Galileo would need ridiculously large solar panels to generate enough power for its instruments at such a distance from the Sun. In the end, NASA's engineers decided on a tried if not true earthly energy source: nuclear power. Nuclear power was perfect for space, a giant void free of human life which could play host to a bit of radioactive plutonium 238 dioxide. The plutonium was compact for the amount of energy it gave off - and it lasted a long time. It seemed logical enough. Pop just under 24 kilograms of plutonium in a lead box, let it heat up through its own decay, generate electricity for the probe's instruments, and presto! Galileo would be on its way to investigate Jupiter. American anti-nuclear activists didn't quite see it that way. They figured what goes up might come down ..NASA assured them Galileo's power pack was quite safe. The agency spent about $50 million on tests which supposedly proved the probe's generators were very safe. They would survive intact in the face of any number of terrible explosions, mishaps and accidents. NASA told journalists that the odds of a plutonium release due to 'inadvertent atmospheric re-entry' were 1 in 2 million. The likelihood of a plutonium radiation leak as a result of a launch disaster was a reassuring 1 in 2700. NASA's Goddard Space Flight Center, Greenbelt, Maryland Across the vast NASA empire, reaching from Maryland to California, from Europe to Japan, NASA workers greeted each other, checked their in-trays for mail, got their cups of coffee, settled into their chairs and tried to login to their computers for a day of solving complex physics problems. But many of the computer systems were behaving very strangely. >From the moment staff logged in, it was clear that someone - or something - had taken over. Instead of the usual system's official identification banner, they were startled to find the following message staring them in the face: W O R M S A G A I N S T N U C L E A R K I L L E R S _______________________________________________________________ \__ ____________ _____ ________ ____ ____ __ _____/ \ \ \ /\ / / / /\ \ | \ \ | | | | / / / \ \ \ / \ / / / /__\ \ | |\ \ | | | |/ / / \ \ \/ /\ \/ / / ______ \ | | \ \| | | |\ \ / \_\ /__\ /____/ /______\ \____| |__\ | |____| |_\ \_/ \___________________________________________________/ \ / \ Your System Has Been Officically WANKed / \_____________________________________________/ You talk of times of peace for all, and then prepare for war. This was not going to be a good day for the guys down at the NASA SPAN computer network office. This was not going to be a good day for John McMahon. -- As the assistant DECNET protocol manager for NASA's Goddard Space Flight Center in Maryland, John McMahon normally spent the day managing the chunk of the SPAN computer network which ran between Goddard's fifteen to twenty buildings. McMahon worked for Code 630.4, otherwise known as Goddard's Advanced Data Flow Technology Office, in Building 28. Goddard scientists would call him up for help with their computers. Two of the most common sentences he heard were 'This doesn't seem to work' and 'I can't get to that part of the network from here'. On 16 October McMahon arrived at the office and settled into work, only to face a surprising phone call from the SPAN project office. Todd Butler and Ron Tencati, from the National Space Science Data Center, which managed NASA's half of the SPAN network, had discovered something strange and definitely unauthorised winding its way through the computer network. It looked like a computer worm. A computer worm is a little like a computer virus. It invades computer systems, interfering with their normal functions. It travels along any available compatible computer network and stops to knock at the door of systems attached to that network. If there is a hole in the security of the computer system, it will crawl through and enter the system. When it does this, it might have instructions to do any number of things, from sending computer users a message to trying to take over the system. What makes a worm different from other computer programs, such as viruses, is that it is self-propagating. It propels itself forward, wiggles into a new system and propagates itself at the new site. Unlike a virus, a worm doesn't latch onto a data file or a program. It is autonomous. At the SPAN centre, things were becoming hectic. The worm was spreading through more and more systems and the phones were beginning to ring every few minutes. NASA computers were getting hit all over the place. The SPAN project staff needed more arms. They were simultaneously trying to calm callers and concentrate on developing an analysis of the alien program. Was the thing a practical joke or a time bomb just waiting to go off? Who was behind this? NASA was working in an information void when it came to WANK. Some staff knew of the protesters' action down at the Space Center, but nothing could have prepared them for this. NASA officials were confident enough about a link between the protests against Galileo and the attack on NASA's computers to speculate publicly that the two were related. It seemed a reasonable likelihood, but there were still plenty of unanswered questions. Callers coming into the SPAN office were worried. People at the other end of the phone were scared. Many of the calls came from network managers who took care of a piece of SPAN at a specific NASA site, such as the Marshall Space Flight Center. Some were panicking; others spoke in a sort of monotone, flattened by a morning of calls from 25 different hysterical system administrators. A manager could lose his job over something like this. Most of the callers to the SPAN head office were starved for information. How did this rogue worm get into their computers? Was it malicious? Would it destroy all the scientific data it came into contact with? What could be done to kill it? NASA stored a great deal of valuable information on its SPAN computers. None of it was supposed to be classified, but the data on those computers is extremely valuable. Millions of man-hours go into gathering and analysing it. So the crisis team which had formed in the NASA SPAN project office, was alarmed when reports of massive data destruction starting coming in. People were phoning to say that the worm was erasing files. It was every computer manager's worst nightmare, and it looked as though the crisis team's darkest fears were about to be confirmed. Yet the worm was behaving inconsistently. On some computers it would only send anonymous messages, some of them funny, some bizarre and a few quite rude or obscene. No sooner would a user login than a message would flash across his or her screen: Remember, even if you win the rat race-you're still a rat. Or perhaps they were graced with some bad humour: Nothing is faster than the speed of light... To prove this to yourself, try opening the refrigerator door before the light comes on. Other users were treated to anti-authoritarian observations of the paranoid: The FBI is watching YOU. or Vote anarchist. But the worm did not appear to be erasing files on these systems. Perhaps the seemingly random file-erasing trick was a portent of things to come - just a small taste of what might happen at a particular time, such as midnight. Perhaps an unusual keystroke by an unwitting computer user on those systems which seemed only mildly affected could trigger something in the worm. One keystroke might begin an irreversible chain of commands to erase everything on that system. The NASA SPAN computer team were in a race with the worm. Each minute they spent trying to figure out what it did, the worm was pushing forward, ever deeper into NASA's computer network. Every hour NASA spent developing a cure, the worm spent searching, probing, breaking and entering. A day's delay in getting the cure out to all the systems could mean dozens of new worm invasions doing God knows what in vulnerable computers. The SPAN team had to dissect this thing completely, and they had to do it fast. Some computer network managers were badly shaken. The SPAN office received a call from NASA's Jet Propulsion Laboratories in California, an important NASA centre with 6500 employees and close ties to California Institute of Technology (Caltech). JPL was pulling itself off the network. This worm was too much of a risk. The only safe option was to isolate their computers. There would be no SPAN DEC-based communications with the rest of NASA until the crisis was under control. This made things harder for the SPAN team; getting a worm exterminating program out to JPL, like other sites which had cut their connection to SPAN, was going to be that much tougher. Everything had to be done over the phone. Worse, JPL was one of five routing centres for NASA's SPAN computer network. It was like the centre of a wheel, with a dozen spokes branching off - each leading to another SPAN site. All these places, known as tailsites, depended on the lab site for their connections into SPAN. When JPL pulled itself off the network, the tailsites went down too. It was a serious problem for the people in the SPAN office back in Virginia. To Ron Tencati, head of security for NASA SPAN, taking a routing centre off-line was a major issue. But his hands were tied. The SPAN office exercised central authority over the wide area network, but it couldn't dictate how individual field centres dealt with the worm. That was each centre's own decision. The SPAN team could only give them advice and rush to * Message split, to be continued * --- ifmail v.2.10-tx8.2 * Origin: IQ (1:340/13@fidonet) Ä ALT.2600 (1:340/26) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ALT.2600 Ä Msg : 404 of 500 From : Julian Assange 1:340/13 22 Jun 97 20:28:22 To : All 23 Jun 97 14:19:04 Subj : [part 2] Extract: _Underground_ new book on international computer crim ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ .RFC-Subject: Extract: _Underground_ new book on international computer crime - "The WANK worm" From: proff@profane.iq.org (Julian Assange) * Continuation 1 of a split message * develop a way to poison the worm. Next or Previous The SPAN office called John McMahon again, this time with a more urgent request. Would he come over to help handle the crisis? The SPAN centre was only 800 metres away from McMahon's office. His boss, Jerome Bennett, the DECNET protocol manager, gave the nod. McMahon would be on loan until the crisis was under control. When he got to Building 26, home of the NASA SPAN project office, McMahon became part of a core NASA crisis team .. At first the core team seemed only to include NASA people and to be largely based at Goddard. But as the day wore on, new people from other parts of the US government would join the team. The worm had spread outside NASA. It had also attacked the US Department of Energy's worldwide High-Energy Physics' Network of computers. Known as HEPNET, it was another piece of the overall SPAN network, along with Euro-HEPNET and Euro-SPAN. The NASA and DOE computer networks of DEC computers crisscrossed at a number of places. A research laboratory might, for example, need to have access to computers from both HEPNET and NASA SPAN. For convenience, the lab might just connect the two networks. The effect as far as the worm was concerned was that NASA's SPAN and DOE's HEPNET were in fact just one giant computer network, all of which the worm could invade. The Department of Energy keeps classified information on its computers. Very classified information. There are two groups in DOE: the people who do research on civilian energy projects and the people who make atomic bombs. So DOE takes security seriously, as in 'threat to national security' seriously. Although HEPNET wasn't meant to be carrying any classified information across its wires, DOE responded with military efficiency when its computer managers discovered the invader. They grabbed the one guy who knew a lot about computer security on VMS systems and put him on the case: Kevin Oberman. Even as the WANK worm coursed through NASA, it was launching an aggressive attack on DOE's Fermi National Accelerator Laboratory, near Chicago. It had broken into a number of computer systems there and the Fermilab people were not happy. They called in CIAC, who contacted Oberman with an early morning phone call on 16 October. They wanted him to analyse the WANK worm. They wanted to know how dangerous it was. Most of all, they wanted to know what to do about it. The DOE people traced their first contact with the worm back to 14 October. Further, they hypothesised, the worm had actually been launched the day before, on Friday the 13th. Such an inauspicious day would, in Oberman's opinion, have been in keeping with the type of humour exhibited by the creator or creators of the worm. Oberman began his own analysis of the worm, oblivious to the fact that 3200 kilometres away, on the other side of the continent, his colleague and acquaintance John McMahon was doing exactly the same thing. .. --- John McMahon's analysis suggested there were three versions of the WANK worm. These versions, isolated from worm samples collected from the network, were very similar, but each contained a few subtle differences. In McMahon's view, these differences could not be explained by the way the worm recreated itself at each site in order to spread. But why would the creator of the worm release different versions? Why not just write one version properly and fire it off? The worm wasn't just one incoming missile; it was a frenzied attack. It was coming from all directions, at all sorts of different levels within NASA's computers. McMahon guessed that the worm's designer had released the different versions at slightly different times. Maybe the creator released the worm, and then discovered a bug. He fiddled with the worm a bit to correct the problem and then released it again. Maybe he didn't like the way he had fixed the bug the first time, so he changed it a little more and released it a third time. In northern California, Kevin Oberman came to a different conclusion. He believed there was in fact only one real version of the worm spiralling through HEPNET and SPAN. The small variations in the different copies he dissected seemed to stem from the worm's ability to learn and change as it moved from computer to computer. The worm circumnavigated the globe. It had reach into European sites, such as CERN - formerly known as the European Centre for Nuclear Research - in Switzerland, through to Goddard's computers in Maryland, on to Fermilab in Chicago and propelled itself across the Pacific into the Riken Accelerator Facility in Japan. NASA officials told the media they believed the worm had been launched about 4.30 a.m. on Monday, 16 October. They also believed it had originated in Europe, possibly in France .. The WANK worm left a number of unanswered questions in its wake, a number of loose ends which still puzzle John McMahon. Was the hacker behind the worm really protesting against NASA's launch of the plutonium-powered Galileo space probe? Did the use of the word 'WANK' - a most un-American word - mean the hacker wasn't American? Why had the creator recreated the worm and released it a second time? Why had no-one, no political or other group, claimed responsibility for the WANK worm? One of the many details which remained an enigma was contained in the version of the worm used in the second attack. The worm's creator had replaced the original process name, NETW_, with a new one, presumably to thwart the anti-WANK program. McMahon figured the original process name stood for 'netwank' - a reasonable guess at the hacker's intended meaning. The new process name, however, left everyone on the SPAN team scratching their heads: it didn't seem to stand for anything. The letters formed an unlikely set of initials for someone's name. No-one recognised it as an acronym for a saying or an organisation. And it certainly wasn't a proper word in the English language. It was a complete mystery why the creator of the WANK worm, the hacker who launched an invasion into hundreds of NASA and DOE computers, should choose this weird word. The word was 'OILZ'. It is not surprising the SPAN security team would miss the mark. It is not surprising, for example, that these officials should to this day be pronouncing the 'Oilz' version of the WANK worm as 'oil zee' .. nor that they hypothesised the worm's creator chose the word 'Oilz' because the modifications made to the last version made it slippery, perhaps even oily. Likely as not, only an Australian would see the worm's link to the lyrics of Midnight Oil. This was the world's first worm with a political message, and the second major worm in the history of the worldwide computer networks... Yet, NASA and the US Department of Energy were half a world away from finding the creator of the WANK worm. Even as investigators sniffed around electronic trails leading to France, it appears the perpetrator was hiding behind his computer and modem in Australia ... ---------------------------------------------------------------------------- Underground; Tales of Hacking, Madness and Obsession on the Electronic Frontier, by Suelette Dreyfus; published by Mandarin (Random House Australia); (P) 475 pages with bib. http://www.underground-book.com/