The latest case of hacking demonstrates the need to have up-to-date
patches on every PC in your business. Bill Goodwin reports

Unemployed systems administrator Gary McKinnon is accused of
exploiting well-known security vulnerabilities in the Windows
operating system to gain access to sensitive computer systems at
Nasa, the Pentagon, and the US Department of Defense.
The 36-year-old from Hornsey, North London, faces a possible life
sentence if found guilty following accusations that he hacked into
more than 90 military computers and caused more than £570,000 worth
of damage to US government computers.
McKinnon is charged with exploiting readily available network
analysis software to identify computers that were missing crucial
security patches, during automatic scans of tens of thousands of US
military computers connected to the Internet.
The case demonstrates the difficulty that organisations with tens
of thousands of PC systems face in ensuring that every one of them
is kept up to date with the latest and most secure version of the
operating software.
"When you have an IT environment like the US Department of Defense,
where they have well over two million different computers, it's not
that difficult to find an unpatched machine," said security expert
Bob Ayres.
"Think of it this way. You have the job of ensuring every night
that every door in the City of London is locked. The burglar has
only got to find one unlocked door to get in. That's a very similar
analogy to information systems," said Ayres, who co-ordinated a
security testing project for the US military in the 1990s.
Once he had identified the vulnerable machines, McKinnon is alleged
to have downloaded files of user-names and used brute force
techniques to guess the passwords that would gain him deeper
access. He is alleged to have installed an off-the-shelf network
administration tool, Remotely Anywhere, giving him the ability to
remotely control machines from a PC in his home.
US prosecutors said that McKinnon's attacks had a profound impact
on the ability of the US naval weapons station at Earle, New
Jersey, which is responsible for replenishing supplies to the US
Atlantic fleet, just after the 11 September terror attacks. The
entire network of 300 computers was effectively shut down for a
week, with military and civilian staff unable to receive or send
external e-mails for another three weeks.
Security experts remain unimpressed, however, by McKinnon's
technical skills. Bart Vansevenant, director of security strategy
at security firm Ubizen, which provides IT security advice to
defence organisation Nato, said McKinnon was only slightly more
advanced than the teenage script kiddies, who download automatic
hacking programmes from the Net.
"This is something that an average hacker can do. This is not
someone of the black hat community. The only thing professional
about it was that he spent a lot of time on it," he said.
McKinnon's case is the first attempt by US authorities, which are
currently debating legislation that will increase the maximum
sentence for hacking to life imprisonment, to extradite a British
citizen for alleged hacking offences.
It follows the failure by UK authorities to secure prison sentences
for Londoners Richard Pryce and Mathew Bevan in the mid-1990s after
they were accused of hacking into US Air Force and Nasa sites.
Charges against Bevan were dropped and Pryce was fined £1,200.

From school to arrest for hacking

1977-1982: Highgate Wood School, London. Gained O-levels in
English, French and Maths
1991-1994: Student at University of North London
1994-1996: A variety of IT and non-IT-related jobs,
including working in a wine retailer
December 1996 - March 1997: Fired from a job overseeing the
hardware stockroom at IT reseller Alphagen, after failing to turn
up for work, but not before the firm gave him a PC to help him
learn IT skills at home
January 1998 - February 1998: Technical support and Windows
roll-out at JP Morgan
March 1998 - June 1998: Support and work on Windows upgrade
at Rowe & Maw Solicitors
June 1998 - December 1998: Manned the telephone helpdesk of
Internet service provider, Global Internet, answering support calls
from home users
November 1999 - October 2000: Systems administrator at
telecommunications firm, Corporate Business Technology. Claims to
have carried out security audits of internal computer and phone
systems and provided technical support
August 2001 - January 2002: McKinnon claims to have worked
as a penetration tester with IT consultancy Interrorem but the firm
said this week that it has not heard of him
January/February 2002: Nasa starts investigating hacking
attacks against its computer systems
19 March 2002: Arrested by the UK's National High-Tech Crime
Unit under the Computer Misuse Act and bailed until 8 August
September 2002: Released on UK police bail as US authorities
decide to begin extradition procedures
November 2002: US government attorneys call a high-profile
press conference to announce plans to extradite McKinnon.

Trail of hacking across 14 US states

Earle Naval Weapons Station, New Jersey: - a port services computer
used for monitoring battle readiness and for re-supplying US Navy
ships was hacked. From 18 June to 21 June 2001, unauthorised access
was gained to the machine and about 950 passwords were stolen.
Critical computer files were deleted and security compromised,
causing $290,431 in damage
US Army, Fort Myer, Virginia: - 1,300 user accounts were
deleted and critical systems files were destroyed in a computer
system used for commerce and communications. A file containing
user-names and encrypted passwords was downloaded. A further 52
computer systems in other US military establishments were
penetrated. Total damage $10,000 plus
US Navy: - administrator privileges were obtained, hacking
tools installed and system logs were deleted on 14 computers in
Groton, Connecticut and six at other US Navy sites including Pearl
Harbour
US Air Force: - a computer was infiltrated at Crystal City,
Virginia
Nasa: - access was gained to 16 Nasa systems in Houston,
Texas, and other states, used for commerce and communication
US Department of Defense: - two computers were penetrated at
Fort Meade, Maryland, the availability of data, systems information
was impaired
Pentagon: - two computers were penetrated at Arlington,
Virginia
Non-military systems: - computers were hacked belonging to
Tobin International in Texas, the University of Tennessee,
Frontline Solutions in Pennsylvania, Louisiana Technical College,
Martin Township Library, Illinois, and Bethlehem public library in
Pennsylvania.
Total estimated damage: $900,000