The Warnings? | Cyber War! | FRONTLINE

FRONTLINE




	Here are recent, and defining, wake-up calls covered in FRONTLINE's program, "Cyber War!" For many experts, these events underscore America's reliance on information technology systems and their vulnerabilities.

Eligible Receiver

Eligible Receiver is the code name of a 1997 internal exercise initiated by the Department of Defense. A "red team" of hackers from the National Security Agency (NSA) was organized to infiltrate the Pentagon systems. The red team was only allowed to use publicly available computer equipment and hacking software. Although many details about Eligible Receiver are still classified, it is known that the red team was able to infiltrate and take control of the Pacific command center computers, as well as power grids and 911 systems in nine major U.S. cities.

The case highlights the problem of identifying the ultimate user. Some tracking was done back to systems in Moscow, for example. But that, by no means, suggests that these were Russians doing this.

Moonlight Maze

Moonlight Maze refers to a highly classified incident in which U.S. officials accidentally discovered a pattern of probing of computer systems at the Pentagon, NASA, Energy Department, private universities, and research labs that had begun in March 1998 and had been going on for nearly two years. Highly placed sources told FRONTLINE that the invaders were systematically marauding through tens of thousands of files -- including maps of military installations, troop configurations and military hardware designs. The Defense Department traced the trail back to a mainframe computer in the former Soviet Union but the sponsor of the attacks is unknown and Russia denies any involvement. Moonlight Maze is still being actively investigated by U.S. intelligence.

Code Red

Code Red was a worm with multiple variants that first appeared in July 2001 and ultimately affected nearly 300,000 computers in the U.S. Exploiting a hole in Microsoft's IIS Web servers, it was time sensitive based on the date: From days 1-19 of the month the worm would propagate; from days 20-27 it would launch a denial of service attack against a particular site, and from day 27 through the end of the month the worm would "sleep," dormant in the computer. In Code Red's first variation, the affected computers were programmed to launch a denial of service attack against the White House Web site at a certain date and time. If the assault worked, the hundreds of thousands of pings would have overwhelmed the Internet in nanoseconds. Richard Clarke, the president's adviser for cyberspace security, worked with the nation's Internet providers to thwart the attack by blocking traffic to the White House site. Other Web sites were shut down, however, and replaced by a message that read "Hacked by Chinese."

To this day we don't know who was the writer of that particular virus. And it is a great example of where this was a known vulnerability for which the vendor had publicly provided a patch, for which many systems administrators and others in the industry had not applied the patch.

Mountain View

In the summer of 2001, the coordinator for the city of Mountain View, Calif.'s Web site noticed a suspicious pattern of intrusions. The FBI investigated and found similar "multiple casings of sites" in other cities throughout the U.S. The probes were seemingly emanating from the Middle East and South Asia, and the visitors were looking up information about the cities' utilities, government offices, and emergency systems. This information took on a new significance when U.S. intelligence officials examined computers seized from Al Qaeda operatives after the Sept. 11 attacks and discovered what appeared to be a broad pattern of surveillance of U.S. infrastructure.

Nimda

The Nimda worm ripped through the U.S. financial sector one week after the Sept. 11, 2001 terrorist attacks. Nimda, which is "admin" spelled backwards, was a mass-mailing worm that exploited vulnerabilities in Microsoft software. It was notable because of its sophistication. It could replicate itself several ways -- by infecting e-mail programs, copying itself onto computer servers, or afflicting users who downloaded infected Web pages. Nimda was also significant for its speed and potency -- it affected millions of computers and slowed the Internet. Officials do not believe it was related to the Sept. 11 attacks.

It proliferated across the world at a far greater rate than Code Red did. It rattled the Internet. It caused billions of dollars of damage. And we still don't know who proliferated that virus.

The worm could have been much more damaging than it was. It could have been attached to a very destructive payload. The fact that it wasn't leads me to think that it may have been a test to see what damage could have been done. The next time it might have a very destructive pay load.

Slammer

The Slammer worm, also known as the Sapphire worm, hit at 5:30 a.m. GMT on Jan. 25, 2003 -- Superbowl weekend. Exploiting a vulnerability in servers running Microsoft SQL Server 2000 software, Slammer was the fastest cyber attack in history. According to a team of researchers from the University of California at San Diego, Lawrence Berkeley National Labs, and Silicon Defense, the number of infections doubled every 8.5 seconds and Slammer did 90 percent of its damage in the first 10 minutes of its release. Among other things, the worm took down parts of the Internet in South Korea and Japan, disrupted phone service in Finland, and slowed airline reservation systems, credit card networks, and automatic teller machines in the U.S.

See a map of how quickly the Slammer worm spread.

home :introduction : interviews : experts' answers : faqs : vulnerabilities : warnings?
discussion : readings & links : maps : producer's chat
tapes & transcripts : press reaction : credits : privacy policy
FRONTLINE : wgbh : pbsi

published apr. 24, 2003

SUPPORT PROVIDED BY