Twenty-nine years ago this week, on 3 November 1988, about 1 pm EST, I received a phone call at AFOSI Headquarters from Dr. Cliff Stoll. Cliff was my source for the Hanover Hacker case (the first computer espionage case, which discovered that 5 West Germans had hacked hundreds of US computers for the Soviet KGB for money) in 1986-1987. Cliff wrote the NY Times Bestseller, “The Cuckoo’s Egg” in 1989, laying out the entire case. Everyone in the business should read this book. It all still applies. Not much has changed since 1986.
Cliff said, “Do you know what’s going on?” I didn’t. He said there was a computer worm infecting hundreds of UNIX networks on the Internet that was spreading fast. I asked if he had contacted the FBI yet, and he said he had notified them in the early morning but that no one had called him back. The call probably went to a local duty agent who probably spelled computer with a “K”. So, I immediately called Special Agent Mike Gibbons, the FBI agent I successfully worked the Hanover Hacker case with.
Mike had not heard anything either but said he would look into it. Knowing the right person in the FBI was on it, I spent the rest of the day calling the Defense Communications Agency (now the Defense Information Systems Agency), the Air Force Communications Command, and commanders and network administrators, telling them to disconnect from the Internet until we figured out what was happening. I told them that if they discovered the worm in their system they should disconnect from the Internet and start documenting their findings as well as their actions for evidentiary purposes.

In those days, US government policy was that all computer vulnerabilities were to be considered classified at the same level as the system, but minimally “CONFIDENTIAL” for UNCLASSIFIED systems. That means you had to use classified networks and STU-IIIs (Secure Telephone Units) to communicate about these vulnerabilities. I didn’t have access to those secure computers nor the STUs, and time was of the essence. So, I had to violate that policy to get the word out, so that commanders and systems administrators could protect themselves and prevent the spread to more military networks. The policy wasn’t designed for the Information Age. Most of us just didn’t have access to secure communications in those days.
SA Mike Gibbons quickly identified Robert Morris Jr., a graduate student at Cornell University, as the culprit. Morris was arrested and claimed it was an accident. He was successfully prosecuted by my long-time friend, Assistant US Attorney Mark Rasch. The Internet was only about 100,000 systems—mainly old mainframe computers—in those days. The Worm had successfully taken down about 1/10th of the Internet. Pretty significant accident.
An interesting and embarrassing side-note was that Robert Morris Jr.’s father was the Chief Scientist of NSA’s National Computer Security Center (NCSC).
Back in 2005, I was chairing one of my 12 “Meet the Fed” panels at Defcon. I was in the Speaker Ready Room to pick up badges for my 10 panelists (the Feds) and one of the Goons said, “Would you like to meet Robert Morris Sr.?” I responded that I had previously met him on several occasions, but “OK.” We walked up to say hello and Sr. said “You look familiar.” I confessed that I was one of the investigators that had worked on his son’s case. He just laughed and we ended up hanging out with each other for the conference. I even invited him to join the “Meet the Fed” panel, which he did. Very cool guy!
Back to the Worm. On Monday, 7 Nov 1988, Presidential Election Day, Cliff Stoll called and invited me to a meeting at the NCSC. He said it was for academia to discuss the Worm and lessons learned. I asked if I could bring SA Mike Gibbons as well, and he agreed. The meeting started with Cliff sitting on a table in front of the crowd, with both legs crossed, holding his yoyo. Cliff gave a synopsis and chronology of the events. The end of the meeting was the creation of the Carnegie Mellon CERT (Computer Emergency Response Team). A very historic event.
Many agencies, companies, and countries followed suit, creating their own CERTs through the years to protect their respective domains. Hard to believe it was twenty-nine years ago.
Jim Christy is VP of Investigations and Digital Forensics at Cymmetria. Jim retired from the U.S. government in 2013, ending a career investigating computer crimes and running digital forensics labs that began in 1986 at the Air Force Office of Special Investigations.
Jim can be reached by email at email@example.com.
Connect with Jim on Twitter: @jimchristyusdfc