Underground: Hacking, madness and obsession on the electronic frontier - Suelette Dreyfus

The first thing any computer system manager learns in Computer Security 101 is never to use the same password as the username. It was bad enough that naive users might fall into this trap … but a computer system manager with a fully privileged account.

Was the hacker behind the worm malevolent? Probably not. If its creator had wanted to, he could have programmed the WANK worm to obliterate NASA's files. It could have razed everything in sight.

In fact, the worm was less infectious than its author appeared to desire. The WANK worm had been instructed to perform several tasks which it didn't execute. Important parts of the worm simply didn't work. McMahon believed this failure to be accidental. For example, his analysis showed the worm was programmed to break into accounts by trying no password, if the account holder had left the password blank. When he disassembled the worm, however, he found that part of the program didn't work properly.

Nonetheless, the fragmented and partly dysfunctional WANK worm was causing a major crisis inside several US government agencies. The thing which really worried John was thinking about what a seasoned DCL programmer with years of VMS experience could do with such a worm. Someone like that could do a lot of malicious damage. And what if the WANK worm was just a dry run for something more serious down the track? It was scary to contemplate.

Even though the WANK worm did not seem to be intentionally evil, the SPAN team faced some tough times. McMahon's analysis turned up yet more alarming aspects to the worm. If it managed to break into the SYSTEM account, a privileged account, it would block all electronic mail deliveries to the system administrator. The SPAN office would not be able to send electronic warnings or advice on how to deal with the worm to systems which had already been seized. This problem was exacerbated by the lack of good information available to the project office on which systems were connected to SPAN. The only way to help people fighting this bushfire was to telephone them, but in many instances the main SPAN office didn't know who to call. The SPAN team could only hope that those administrators who had the phone number of SPAN headquarters pinned up near their computers would call when their computers came under attack.

McMahon's preliminary report outlined how much damage the worm could do in its own right. But it was impossible to measure how much damage human managers would do to their own systems because of the worm.

One frantic computer manager who phoned the SPAN office refused to believe John's analysis that the worm only pretended to erase data. He claimed that the worm had not only attacked his system, it had destroyed it. `He just didn't believe us when we told him that the worm was mostly a set of practical jokes,' McMahon said. `He reinitialised his system.' `Reinitialised' as in started up his system with a clean slate. As in deleted everything on the infected computer—all the NASA staff's data gone. He actually did what the worm only pretended to do.

The sad irony was that the SPAN team never even got a copy of the data from the manager's system. They were never able to confirm that his machine had even been infected.

All afternoon McMahon moved back and forth between answering the ever-ringing SPAN phone and writing up NASA's analysis of the worm. He had posted a cryptic electronic message about the attack across the network, and Kevin Oberman had read it. The message had to be circumspect since no-one knew if the creator of the WANK worm was in fact on the network, watching, waiting. A short time later, McMahon and Oberman were on the phone together—voice—sharing their ideas and cross-checking their analysis.

The situation was discouraging. Even if McMahon and Oberman managed to develop a successful program to kill off the worm, the NASA SPAN team faced another daunting task. Getting the worm-killer out to all the NASA sites was going to be much harder than expected because there was no clear, updated map of the SPAN network. Much of NASA didn't like the idea of a centralised map of the SPAN system. McMahon recalled that, some time before the WANK worm attack, a manager had tried to map the system. His efforts had accidentally tripped so many system alarms that he was quietly taken aside and told not to do it again.