City IT firms that employ consultants should conduct thorough
checks, experts warn. Bill Goodwin reports
Businesses were put on alert this week after it emerged that the
British IT contractor accused of causing $900,000 (£570,000) of
damage by hacking into US military systems had inside access to the
IT systems of major London firms.
Gary McKinnon, an unemployed systems administrator, faces
extradition to the US after prosecutors there named him as the man
who broke into the systems of Nasa and the Pentagon.
McKinnon, from Hornsey, North London, claims to have worked on a
series of short-term contracts in the IT departments of
organisations including City firm JP Morgan, solicitors Rowe &
Maw, and the Employment Service.
IT security experts said McKinnon's work could have given him ready
access to sensitive IT systems.
"They should be extremely worried and they will need to carry out a
thorough audit of their systems to make sure that there were no
bits of server software hanging around that could give remote
access to their machines," said Peter Sommer, IT security expert at
the London School of Economics.
According to employment details sent by the out-of-work 36-year-old
to prospective employers, McKinnon provided IT support services and
assisted in the roll-out of Windows 95 for law firm Rowe & Maw,
in 1998.
He also claims to have worked on a short-term project at JP Morgan
from Windows 3.11 to Windows NT and installing a Windows computer
system at the Employment Service.
Messages posted on the Internet by McKinnon in 1999 show that he
had a keen interest in password cracking and was offering advice on
network administration tools frequently used by hackers.
"It highlights the problem for all corporations that hire
contractors - they need to make sure they know a lot about them,"
said Sommer.
Bob Ayers, an IT security consultant, responsible for overseeing
penetration tests at the US Department of Defense in the 1990s,
said that any organisations that believed they had been hacked
should rebuild their systems. "You cannot just use a back-up copy
because you do not know whether he contaminated the back-up copy or
changed it or put a trojan in place," he said.
A spokeswomen for Rowe and Maw, now part of Mayer, Brown, Rowe
& Maw Gaedertz, said that the firm had extensive scanning
systems and was not worried about potential damage. "He worked as a
contractor for two weeks, filling in for our onsite engineer. He
was a contract engineer, fixing computer hardware and did not have
access to the main computer systems," she said.
Janet Eagland, director of IT reseller Alphagen, which hired
McKinnon in the mid-1990s, said that although he sometimes appeared
to be "on a different planet," he did his job well. He was fired
after he failed to turn up for work. "They will be wasting a lot of
time and money prosecuting a boy who should talk to a counsellor,"
she said.
Former colleagues of McKinnon said they were amazed that the
contractor was at the centre of such a high-profile hacking
case.
Most recently McKinnon claims to have worked as a penetration
tester for consultancy Interrorem, which provides security advice
to businesses, though this was denied by the firm this week.
The Employment Service and JP Morgan declined to comment.
Hacker's £570,000 trail across US
- Earle Naval Weapons Station, New Jersey
- US Army's Fort Myer, Virginia
- US Navy
- US Air Force
- Nasa
- US Department of Defense
- Pentagon
- Non-military systems at Tobin International in Texas;
University of Tennessee; Frontline Solutions in Pennsylvania;
Louisiana Technical College; Martin Township Library Illinois; and
Bethlehem public library in Pennsylvania.