Thinking Out Loud About: The MORRIS WORM

cybertoucan
8 min read · Jun 27, 2020


In the beginning there was nothing. Then came the Morris Worm and now we’ve got cybersecurity. Or…. just a really good story.

I’d like to think that it all began with one interesting, innocent question.

Have You Ever Wondered How Big The Internet Is?

The number of devices that connect to the internet is increasing every day, which means I could confidently quote numbers like 10 billion, or simply billions (for the sake of intellectual inaccuracy), without a second thought. The 2020 estimate is a staggering 50 billion devices, if you’re wondering.

Source: Aleksandrovičs, V., Filičevs, E., & Kampars, J. (2016). Internet of Things: Structure, Features and Management. Information Technology and Management Science, 19. doi:10.1515/itms-2016-0015.

But have you ever wondered how big the internet really is? Well, there once was a 22-year-old graduate student who did, and he decided to take matters into his own hands. The Morris Worm case is the story of how a supposed attempt to gauge the size of the internet went horribly wrong.

How Events Unfolded

November 2nd, 1988. Cornell student Robert Tappan Morris published the infamous Morris worm, designed to exploit poor security practices and vulnerabilities in the sendmail, fingerd and remote execute (rexec) programs available on Unix systems (specifically targeting the DEC-VAX and Sun-3 architectures), thereby unleashing havoc on the small community of internet-connected computers of ARPANET and subsequently making history.

To give you some context, the internet of the late 1980s was 0.00012% of the internet today, by size, with only around 60,000 computers connected to it. Security was theoretical, and threat-awareness was almost non-existent. In the United States, where the worm broke loose, most computer users of the day were government employees or university research scholars and students, with very few home users. Thankfully, the internet hadn’t been commercialized yet. However, the consequences of malware that went out of control were quickly realized. Lessons were learned and laws were formulated to protect against security threats.

To Infect, Or Not To Infect?

The Morris worm incident was essentially a large-scale virulent DoS attack, though it is unclear what Morris intended to gain from the whole affair (at least, to those who remain unconvinced by the whole “sizing up the internet” story). The rate at which the worm was infecting and taking down systems was something even he hadn’t anticipated. The famous flaw in its spreading mechanism caused the worm to spread so rapidly that, within 15 hours of its release, it had infected 6000 systems — estimated to be about 10% of the internet back then! The flaw (dubbed the “1-in-7” rule) is quite similar to a fork-bomb, where a system is rendered unusable simply by forking too many processes, thereby consuming all the memory and CPU time. The ‘1-in-7’ rule, loosely based on Rabin randomization, allows the worm to infect every seventh machine that appears to be already infected — in other words, it allows one in seven copies of the worm to run on a machine that already hosts one. Suffice it to say that this crippled the infected systems severely. Computer experts and security researchers could not exchange ideas and possible solutions to the problem because the worm took down internet-based communications as well. Ironically, when Morris first realized his mistake (rather, the mistake in his code), he contacted his friend at Harvard, who tried to post a bulletin describing a fix to kill and defend against the worm. Unfortunately, the post didn’t go through, as the worm had crashed the university gateway router by then.
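To make the arithmetic of that flaw concrete, here is an added toy model (written for this post, not code from the article or from the worm itself) that counts how many copies end up running on a single host under three reinfection policies: honouring the “already infected” answer, ignoring it one time in seven, and never checking at all. The 1/7 probability comes from the text; the attempt counts and trial counts are constructed.

```python
"""Toy model of the '1-in-7' reinfection rule (constructed example).

Each incoming intrusion against an already-compromised host asks it
"are you already infected?".  Under the 1-in-7 rule the worm ignores a
"yes" with probability 1/7 and installs another copy anyway, so copies
pile up and the host slows to a crawl, the fork-bomb-like effect the
article describes.  Only the arithmetic is modelled here.
"""
from fractions import Fraction
import random

REINFECT_PROB = Fraction(1, 7)  # the "1-in-7" rule from the article


def copies_after_attempts(attempts, policy, rng=None):
    """Copies running on one host after `attempts` successful intrusions.

    policy: 'never_reinfect'  - honour the "already infected" answer
            'one_in_seven'    - ignore that answer 1 time in 7 (the flaw)
            'always_reinfect' - no check at all
    """
    rng = rng or random.Random(0)  # seeded so the walk is repeatable
    copies = 0
    for _ in range(attempts):
        if copies == 0:
            copies = 1  # the first intrusion always installs a copy
        elif policy == 'always_reinfect':
            copies += 1
        elif policy == 'one_in_seven' and rng.random() < REINFECT_PROB:
            copies += 1
        # 'never_reinfect': the count stays at exactly one copy
    return copies


def expected_copies(attempts, p=REINFECT_PROB):
    """Analytic expectation under the flaw: 1 + (attempts - 1) * p."""
    if attempts <= 0:
        return Fraction(0)
    return 1 + (attempts - 1) * p


def simulated_mean(attempts, policy, trials=20000, seed=42):
    """Monte Carlo estimate of the mean copy count for one host."""
    rng = random.Random(seed)
    total = sum(copies_after_attempts(attempts, policy, rng)
                for _ in range(trials))
    return total / trials
```

With 50 intrusion attempts against one host, the strict policy leaves a single copy, the flawed one averages eight, and no check at all gives fifty; the worm’s damage came from the middle case being multiplied across thousands of hosts.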

November 5th, 1988. MIT and UC Berkeley finally solved the Morris worm problem and peace reigned again. Until the next attack, of course! Morris, on another note, was tried under the then recently enacted Computer Fraud and Abuse Act (1986) in the US Court of Appeals, and was subsequently found guilty in 1991 of “accessing a [protected] computer without authorization”. He was sentenced to 3 years of probation, 400 hours of community service and a fine of $10,050.

Malware Preys On More Than Just The Machine.

The first and most important revelation that the Morris worm brought was that the Internet isn’t some utopian community. Over the years, threat actors have only grown, both in number and variety, their motivations ranging from something as bleak as gauging the size of the internet to frightening, politically charged attacks against whole nations. Also, the number of internet users has gone from a few million to a few billion in just 25 years. We owe the Morris worm (and by extension, Robert Morris Jr. himself) a great deal for nudging the world awake; for urging everyone to make computer security a priority and to actively identify and acknowledge cyber-crime as a legal offense. It is as important to be protected by law as it is to be protected by firewalls and anti-malware software. It is as important to educate users in the matters of cybersecurity as it is to hold an individual or organization accountable for endangering users and their systems. We are grateful for online services and for the convenience and the boost in productivity they bring, but I also sincerely hope that we always remember to keep ourselves and our electronic better halves safe from the implicit risks associated even with simply connecting to the internet.

Which leads us to the next point.

The second most important revelation brought by the Morris worm incident is that the internet is only as secure as the devices connected to it. Malware such as worms and viruses do not pose a systemic risk. This implies that there is little to no difference between the risk faced by the internet and the risk faced by the billions of devices connected to it. If you think that the poorly configured spreading mechanism of the Morris worm was a bite, imagine what the consequences of a well-thought-out targeted attack would be. The chain is only as strong as its weakest link. Part of the Morris worm’s success — breaking the internet by breaking the devices that make up the internet — is attributed to poor password practices for trusted accounts on the victimized machines, which enabled it to brute-force its way to top-level privileges on those machines. It is disturbing to admit that similarly weak security practices are still prevalent today.

Despite all the security measures in place — hardware, software and law — the weakest link has been and will always be the individual computer and by extension, the user.

Malware is continuously evolving. Attack techniques are becoming more and more sophisticated. That seemingly innocuous SMS, email attachment, link, USB lying on your desk unattended, pop-up, call, free Wi-Fi perk at the coffee shop, etc. is an attack vector ready to be used against you. The threat landscape is always shifting. It is becoming increasingly clear that the best solution is to strengthen that weakest link in the chain — through education, awareness and constant vigilance!

Are We Living On Borrowed Time?

A DoS (Denial-of-Service) attack makes the services provided by a system, a group of systems or a network unavailable. If the Morris worm can be considered an experiment of sorts in understanding the fragility of the internet, how far have we come in acknowledging this, especially as the likes of WannaCry, Stuxnet, NotPetya, Crash Override and countless others continue to plague cyberspace? Despite the incessant efforts of security professionals to keep the internet and everything it interconnects up, running and relatively safe, history reminds us that there is always something new and dangerous lurking just below the surface. So, how far away are we from yet another rogue experiment (optimistically speaking) or targeted attack (realistically speaking) disrupting the everyday life of a city? Or a state? Or a nation?

Or the world…?

Discussing the impact of a cyber-attack on critical infrastructure and automation technology could be another blog post by itself, but IoT integration is gaining traction at an incredible rate, globally. Be it controversies that heighten political tension, like Crash Override causing the Ukrainian blackout of 2016, or the hard-to-believe argument against Net Neutrality that sent shock-waves across the world, these only serve to reinforce the fact that the internet of today is very, very powerful, and every day it grows bigger and becomes even more powerful. Though the internet is decentralized and is not controlled by any single authority, various entities will inevitably be driven to seek out ways to exploit it — for commercial or political gain, or simply for kicks when they’re bored. Even if we are not pointing fingers, I believe that any threat to the availability and procurement of the basic necessities (which must include connectivity over the internet because it’s 2020, honestly!) should be addressed carefully and urgently.

So, yes. I do feel like we’re living on borrowed time, sometimes.

Small Drops (can make or break the Mighty Ocean)

The internet is a global entity. Despite, or maybe because of, this, there are very few laws (if any) that apply to all internet users and activities across the world today. There are, however, regulations like the GDPR, now part of EU law, that aim to protect users’ privacy and data within and outside the EU. Industry-specific regulations like PCI-DSS and HIPAA, and compliance standards like ISO certification, which are popular (and often mandatory) today, have also significantly improved the way businesses and other organizations (including governments) practice security. But is it enough? If the internet is a highly distributed network, shouldn’t security be equally distributed as well?

At the time of writing this article, the COVID-19 pandemic has pulled the mat from under our feet. The ensuing chaos — chaos because of the sheer unpreparedness of people, businesses and governments alike, and the rigidity of systems in place — has taught everyone a good number of lessons and has enforced a new normal.

What’s interesting though (and a little unnerving), is that it took a pandemic — costing us in lives, health, jobs, money and time — for us to realize and acknowledge that our habits had become unsustainable; where doing what’s right and what’s logical is inconvenient because it doesn’t conform to a system built primarily on doing what’s comfortable.

Therefore, and unsurprisingly, it is easy to draw a parallel between a (pathogenic) virus outbreak and a security incident — with similarities in (a) general preparedness and awareness, (b) reaction, (c) adapting to certain forced changes and (d) the role of human error and individual responsibility. And after considerable deliberation, I’ve summarized my thoughts on the matter as follows.

It is important to:

  • protect yourself to protect the whole
  • stay well-informed so you aren’t misled (which, in turn, might lead to poor decisions)
  • remember that being cautious is rational but panicking is not
  • practice HYGIENE because it’s beyond important
  • learn to adjust and adapt because, yes, change is inevitable (sigh!)

It is absolutely crazy to:

  • pretend it’s safe outside just because you can’t see the threat
  • pretend you’re invincible (nobody is)

In conclusion, consider yourself warned.

P.S. Almost forgot to mention — don’t be the drop that breaks the ocean. Seriously, don’t.

P.P.S. Let’s not allow history to repeat itself. Let’s try harder at every turn.

Author’s Notes:

Thanks for reading!

If you’re interested in reading about the Morris Worm in detail, check out this paper!

The original article reporting the Morris Worm case, as published in the New York Times, can be found here.

The Morris worm story from the FBI archive can be found here.

Here is an interesting article by epidemiologist-turned-CTO Dr. Mike Lloyd: 4 Cybersecurity Lessons from the Pandemic

cybertoucan

eWPTX | eJPT | CEH | But mostly, just a toucan trying to board the “hack all things” express. And I love sharing as I learn!