256 Security The Worms Crawl In In November 1988, an electronic parasite (a “worm”) disabled thousands of workstations and super-minicomputers across the United States. The worm attacked through a wide-area computer network called the Internet. News reports placed the blame for the so-called “Internet Worm” squarely on the shoulders of a single Cornell University graduate student, Robert T. Morris. Releasing the worm was something between a prank and a wide- scale experiment. A jury found him guilty of writing a computer program that would “attack” systems on the network and “steal” passwords. But the real criminal of the “Internet Worm” episode wasn’t Robert Morris, but years of neglect of computer security issues by authors and vendors of the Unix operating system. Morris’s worm attacked not by cunning, stealth, or sleuth, but by exploiting two well-known bugs in the Unix operating system—bugs that inherently resulted from Unix’s very design. Morris’s program wasn’t an “Internet Worm.” After all, it left alone all Internet machines running VMS, ITS, Apollo/Domain, TOPS-20, or Genera. It was a strictly and purely a Unix worm. One of the network programs, sendmail, was distributed by Sun Microsys- tems and Digital Equipment Corporation with a special command called DEBUG. Any person connecting to a sendmail program over the network and issuing a DEBUG command could convince the sendmail program to spawn a subshell. The Morris worm also exploited a bug in the finger program. By sending bogus information to the finger server, fingerd, it forced the computer to execute a series of commands that eventually created a subshell. If the fin- ger server had been unable to spawn subshells, the Morris worm would have crashed the Finger program, but it would not have created a security- breaking subshell. Date: Tue, 15 Nov 88 13:30 EST From: Richard Mlynarik mly@ai.mit.edu To: UNIX-HATERS Subject: The Chernobyl of operating systems [I bet more ‘valuable research time’ is being ‘lost’ by the randoms flaming about the sendmail worm than was ‘lost’ due to worm-inva- sion. All those computer science ‘researchers’ do in any case is write increasingly sophisticated screen-savers or read netnews.] Date: 11 Nov 88 15:27 GMT+0100
The Worms Crawl In 257 From: Klaus Brunnstein brunnstein@rz.informatik.uni-hamburg.dbp.de To: RISKS-LIST@KL.SRI.COM Subject: UNIX InSecurity (beyond the Virus-Worm) [...random security stuff...] While the Virus-Worm did evidently produce only limited damage (esp. ‘eating’ time and intelligence during a 16-hour nightshift, and further distracting activities in follow-up discussions, but at the same time teaching some valuable lessons), the consequence of the Unix euphoria may damage enterprises and economies. To me as an educated physicist, parallels show up to the discussions of the risks overseen by the community of nuclear physicist. In such a sense, I slightly revise Peter Neumann's analogy to the Three-Mile-Island and Chernobyl accidents: the advent of the Virus-Worm may be comparable to a mini Three-Mile Island accident (with large threat though limited damage), but the ‘Chernobyl of Computing’ is being programmed in economic applications if ill-advised customers follow the computer industry into insecure Unix-land. Klaus Brunnstein University of Hamburg, FRG