Creeper vs Reaper - The Original Computer Virus

Plus an NSFW cyber attack

Good morning. I just finished rewatching all of the Hobbit and Lord of the Rings movies, extended editions, of course. I lost track of how long it took (weeks), and I have zero regrets. I have so many more unanswered questions now, but we’ll save those for another time.

In the cyber world, this week we’re covering:

  • I bet you didn’t know this about the first computer virus

  • An NSFW cyber attack

  • Time to check for compromised accounts again

-Jason

Spotlight
The First Computer Virus is Not a Boomer

The story of the first computer virus is older than the Internet. No really. It dates back to 1971. Back in the 60s, some smart nerds at the US DoD’s Advanced Research Projects Agency began work on ARPANET (humble name, I know). It was the first packet-switched network, the basis for what we collectively refer to as the Internet today.

The first message on ARPANET was sent on October 29, 1969. It quickly blossomed into connecting university and government systems together to transfer information. It laid the foundation for building technologies that underpin how the Internet works today.

It only took two years for us to say, “This is why we can’t have nice things.” In 1971, Bob Thomas, a computer scientist at BBN Technologies, created the world’s first computer virus. Before we roast him, in his defense, he was building a proof-of-concept for self-replicating code.

Good ol’ Bob created the program to seek out specific systems on ARPANET and print the message “I’m the Creeper: catch me if you can.” The first version just moved from system to system. No harm, no foul. Not to be outdone, Ray Tomlinson created an enhanced version that copied itself from system to system, effectively creating the first computer worm.

The impact was minimal because it just printed a message. And there were only 28 systems connected to ARPANET at the time that could be infected. So, while harmless, our first computer virus is affectionately known as “Creeper.”

Not to despair, though, because the first anti-virus was not far behind. Because Ray Tomlinson was both a gentleman and a scholar, he had manners. Not wanting to leave the Creeper code lying around on the systems, he created Reaper, the first-ever AV. Its goal was to find the Creeper code on systems and remove it.

Those were simpler times in security.

HT to Craig Johnson, who first introduced me to this story earlier this week. He covers it in his blog post.

Deep Dive
An NSFW Cyber Attack

A few weeks back, some jerk decided to have some fun with me. They signed up one of my email addresses for many newsletters and websites for…well…how do we put this…let’s just say…certain types of adult toys with copious amounts (and yet also limited amounts) of leather.

This is a mostly harmless, though very annoying, tactic, but it’s the symptom of a larger issue emerging.

It starts with digital pain. What I experienced was usually saved for friends pranking each other or online tweeners having a laugh. But like a gateway drug, this type of activity quickly evolves.

A tactic that has long been in play with cyber criminals is something known as a registration email bomb attack. This is a straightforward technique where attackers automate the signup of hundreds to thousands of newsletters and websites. The intent here is not to frustrate but to hide.

In the background, the attacker typically has gained access to one of your online accounts. Usually, an e-commerce or financial account. They then conduct some type of fraud, like buying a bunch of things with a credit card saved to your account. While that is happening, the email registration bomb goes off. The goal is to hide the email receipt of their nefarious activity in a deluge of spam emails. This gives them more time to get away with the goods while you pick up the mess.
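
To make the hiding trick concrete, here is a defender-side sketch (an added example, not from the original newsletter): it finds the signup flood in an inbox and pulls out the account and order emails that landed during it. The subject patterns, thresholds and sample messages are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Subject heuristics are assumptions for this sketch; tune them to your own mail.
SIGNUP = re.compile(r"welcome|confirm your|subscri|verify your email|signing up", re.I)
ACCOUNT = re.compile(r"order|receipt|invoice|payment|purchase|password|payee|refund", re.I)

def find_flood(msgs, max_gap=timedelta(minutes=2), min_senders=25):
    """Return (start, end) of the first run of signup-style mail from at least
    min_senders distinct domains with no gap longer than max_gap, else None."""
    signups = sorted((t, s.split("@")[-1]) for t, s, subj in msgs if SIGNUP.search(subj))
    run = []
    for item in signups + [None]:  # the trailing None flushes the final run
        if item and (not run or item[0] - run[-1][0] <= max_gap):
            run.append(item)
            continue
        if len({domain for _, domain in run}) >= min_senders:
            return run[0][0], run[-1][0]
        run = [item] if item else []
    return None

def buried_mail(msgs, margin=timedelta(minutes=30)):
    """Account or transaction mail that arrived during (or just around) a flood."""
    flood = find_flood(msgs)
    if flood is None:
        return []
    lo, hi = flood[0] - margin, flood[1] + margin
    return sorted((t, s, subj) for t, s, subj in msgs
                  if lo <= t <= hi and ACCOUNT.search(subj) and not SIGNUP.search(subj))

def sample_inbox():
    """Constructed inbox: 40 signup mails in 13 minutes plus a few others."""
    t0 = datetime(2024, 1, 20, 9, 0)
    msgs = [(t0 + timedelta(seconds=20 * i), f"news@list{i}.example",
             "Welcome! Please confirm your subscription") for i in range(40)]
    msgs += [
        (t0 - timedelta(hours=2), "orders@shop.example", "Your receipt for order #1000"),
        (t0 + timedelta(minutes=4), "friend@mail.example", "Lunch on Friday?"),
        (t0 + timedelta(minutes=6), "orders@shop.example", "Your order #1001 has shipped"),
        (t0 + timedelta(minutes=9), "security@bank.example", "New payee added to your account"),
    ]
    return msgs

if __name__ == "__main__":
    for t, sender, subject in buried_mail(sample_inbox()):
        print(t.isoformat(), sender, subject)
```

If a flood like this hits your inbox, the two messages it surfaces are the ones to read first.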

These attacks then turn physical. Because cyber criminals love to up the pain (poor choice of words considering how this section started). Instead of just inflicting pain in the cyber world, hackers have found a disturbing way of translating cyber pain into physical pain with the help of an unlikely ally…the police.

More specifically, the SWAT team. Made popular with online gaming communities, swatting involves finding the home address of a victim and creating an emergency response scenario. This typically involves reporting a false violent crime at the victim’s home address.

The police rightly respond according to the threat. This can obviously be traumatic for the victim. Just ask Brian Krebs, who was one of the first journalists to be a victim of this crime.

This type of attack is increasing in frequency, with many judges and politicians getting caught up in the crossfire of angry online vigilantes since Christmas.

Preventing these types of attacks can be difficult. Especially considering all of the online breaches where address information is leaked.

The first line of defense is to limit the amount of information you provide online. Easier said than done, as you can’t control all of the data that is already out there.

If you are the victim of one of these (which I sincerely hope no one is), cooperate with the authorities and work to get to clarity as soon as possible.

Stay safe out there.

News
What Else is Happening?

🌨️ Midnight Blizzard, the same Russian-based hackers who hit SolarWinds, found a new victim…Microsoft. In November 2023, the hackers accessed Microsoft systems using a password spray attack. They used that access to read emails from Microsoft senior leaders and the security team. Quite humbly, they were interested in learning more about what Microsoft was saying about them.

👮 Conor Fitzpatrick, the admin of the BreachForums hacking forum, was sentenced to 20 years of supervised release. The hacking forum became a go-to place to post and sell stolen data.

🍎 Please stop downloading pirated software. It’s probably just malware. Jamf Threat Labs found malware in pirated applications for macOS that would allow for remote access to the system.

🔭 Time to check HaveIBeenPwned again. They just added 71 million email addresses tied to stolen account passwords with the Naz.API dataset, a collection of 1 billion credentials compiled for credential stuffing attacks.

If you enjoyed this, forward it to a fellow cyber nerd.

If you’re that fellow cyber nerd, subscribe here.

See you next week!
