Waiting for the attack

The federal government is gearing up for what could be one of the biggest cyberattacks in years.

Did you notice that flood of messages in your inbox Monday, purportedly from your network administrator? Over the weekend, Homeland Security Department officials and security experts wondered if you had seen the first salvo in what may be one of the biggest online attacks in years.

The messages contained a new computer worm known as Mimail. The worm thumbs through a computer's e-mail address book and then mails itself to those addresses. Mimail contains no malicious "payload," however, so it's more of a snake without venom. It's mainly a nuisance as it clogs up e-mail systems.

Nevertheless, officials thought Mimail might be the much-anticipated worm that exploits a now very well-known hole in several versions of the Microsoft operating system, which are used on hundreds of thousands of computers.

The Microsoft vulnerability affects a part of the operating system known as the remote procedure call, which deals with how computers exchange messages. It allows an attacker to gain control of a machine using a worm or other malicious code. Then, the attacker may delete files and programs or use the machine to bombard Web sites or Internet addresses with data, a so-called denial of service attack. Those attacks previously have slowed Internet traffic and knocked some commercial and government systems offline altogether.

Mimail began circulating in earnest on Friday. Homeland Security and Secret Service officials were so concerned they pulled their systems offline.

Homeland Security "expects that exploits [worms] are being developed for malicious use," the department said in a statement last Wednesday. But Homeland Security spokesman David Wray said Monday that no "worm code" yet has been reported.

That has hardly quelled the anxieties of security experts, who are calling on all users of the at-risk systems to batten down the hatches and apply a Microsoft security patch.

One security expert, Ken Dunham with iDEFENSE Inc. of Reston, Va., said he has learned from a credible source that more than 2,300 machines have been infected with a Trojan related to the vulnerability. An attacker is installing the Trojan program on the machines, so that he can use them to search for other vulnerable computers online. The attacker could be hunting for potential worm victims.

Dunham said it's difficult to tell when a worm might show up, adding that it may never be released if attackers feel there's too much attention from the authorities. The story of the would-be worm has attracted massive attention in security circles.

"Whenever you try to predict the outbreak of [worms and viruses], it's like predicting the weather," Dunham said. But Microsoft's vulnerability, coupled with reports of the Trojan, "makes the clouds very dark," he added. "We've got a thunderstorm rolling in with the Trojan, and we could certainly have a hurricane force with the worm outbreak."

The Legacy of Poindexter

Ending a stint in government that will go down in the annals of how not to behave as a federal manager, former National Security Advisor John Poindexter will step down from his current job as head of the Information Awareness Office for the Pentagon's research and development agency, a Defense Department official unceremoniously confirmed at a press conference last week. The Wall Street Journal first reported news of Poindexter's exit.

Poindexter has been under fire for his leadership on the Terrorism Information Awareness project (TIA), formerly known as Total Information Awareness. That project is researching ways to look for patterns in credit card purchases and other transactions that might indicate a terrorist plot in the works. It has been vilified by privacy advocates, and not a few journalists, as the real-life incarnation of George Orwell's Big Brother.

News last week that Poindexter's group also was managing an online futures market where people could bet on the likelihood of terrorist attacks was too much for his critics to bear. The undisputed king of bad public relations moves (Poindexter was convicted, and later exonerated, for lying to Congress during the Iran-Contra hearings) resigned only a few hours after newspapers broke word of the project.

In all the hubbub over the resignation, you might have missed the other piece of big news here: Namely, that the Terrorism Information Awareness Program may survive its controversial overseer.

The Senate version of the fiscal 2004 Defense Authorization Act contains a provision to halt TIA funding. The House version, however, has no such provision, and the White House has said publicly that it supports TIA's potential to thwart terrorist attacks. It wants the Senate provision stricken from the bill presented to the president. So, while Poindexter's terrorism betting market has been squashed, TIA still has a chance at life.

If TIA survives its battle on the Hill, it may lend credence to what many followers of the Poindexter story have suspected all along: Lawmakers and officials have less of a problem with a potentially invasive and illegal government spy machine than they do with the man who was running it.

It had appeared as though the two were inextricable. That may not turn out to be true. So, the question becomes, what's more explosive? Project or personality? That's the legacy Poindexter leaves behind for federal managers.