'Average hacker' skills shut down US defence systems

The latest case of hacking demonstrates the need to have up-to-date patches on every PC in your business. Bill Goodwin reports

Unemployed systems administrator Gary McKinnon is accused of exploiting well-known security vulnerabilities in the Windows operating system to gain access to sensitive computer systems at Nasa, the Pentagon, and the US Department of Defense.

The 36-year-old from Hornsey, North London, faces a possible life sentence if found guilty following accusations that he hacked into more than 90 military computers and caused more than £570,000 worth of damage to US government computers.

McKinnon is charged with exploiting readily-available network analysis software to identify computers that were missing crucial security patches, during automatic scans of tens of thousands of US military computers connected to the Internet.

The case demonstrates the difficulty that organisations with tens of thousands of PC systems face in ensuring that every one of them is kept up to date with the latest and most secure version of the operating software.

"When you have an IT environment like the US Department of Defense, where they have well over two million different computers, it's not that difficult to find an unpatched machine," said security expert Bob Ayres.

"Think of it this way. You have the job of ensuring every night that every door in the City of London is locked. The burglar has only got to find one unlocked door to get in. That's a very similar analogy to information systems," said Ayres, who co-ordinated a security testing project for the US military in the 1990s.

Once he had identified the vulnerable machines, McKinnon is alleged to have downloaded files of user-names and used brute force techniques to guess the passwords that would gain him deeper access. He is alleged to have installed an off-the-shelf network administration tool, Remotely Anywhere, giving him the ability to remotely control machines from a PC in his home.

US prosecutors said that McKinnon's attacks had a profound impact on the ability of the US naval weapons station at Earle, New Jersey, which is responsible for replenishing supplies to the US Atlantic fleet, just after the 11 September terror attacks. The entire network of 300 computers was effectively shut down for a week, with military and civilian staff unable to receive or send external e-mails for another three weeks.

Security experts remain unimpressed, however, by McKinnon's technical skills. Bart Vansevenanp, director of security strategy at security firm Ubizen, which provides IT security advice to defence organisation Nato, said McKinnon was only slightly more advanced than the teenage script kiddies, who download automatic hacking programmes from the Net.

"This is something that an average hacker can do. This is not someone of the black hat community. The only thing professional about it was that he spent a lot of time on it," he said.

McKinnon's case is the first attempt by US authorities, which are currently debating legislation that will increase the maximum sentence for hacking to life imprisonment, to extradite a British citizen for alleged hacking offences.

It follows the failure by UK authorities to secure prison sentences for Londoners Richard Pryce and Mathew Bevan in the mid-1990s after they were accused of hacking into US Air Force and Nasa sites. Charges against Bevan were dropped and Pryce was fined £1,200.

From school to arrest for hacking
: Highgate Wood School, London. Gained O-levels in English, French and Maths
1991-1994: Student at University of North London
1994-1996: A variety of IT and non-IT-related jobs, including working in a wine retailer
December 1996 - March 1997: Fired from a job overseeing the hardware stockroom at IT reseller Alphagen, after failing to turn up for work, but not before the firm gave him a PC to help him learn IT skills at home
January 1998 - February 1998: Technical support and Windows roll-out at JP Morgan
March 1998 - June 1998: Support and work on Windows upgrade at Rowe & Maw Solicitors
June 1998 - December 1998: Manned the telephone helpdesk of Internet service provider, Global Internet, answering support calls from home users
November 1999 - October 2000: Systems administrator at telecommunications firm, Corporate Business Technology. Claims to have carried out security audits of internal computer and phone systems and provided technical support
August 2001 - January 2002: McKinnon claims to have worked as a penetration tester with IT consultancy Interrorem but the firm said this week that it has not heard of him
January/February 2002: Nasa starts investigating hacking attacks against its computer systems
19 March 2002: Arrested by the UK's National High-Tech Crime Unit under the Computer Misuse Act and bailed until 8 August
September 2002: Released on UK police bail as US authorities decide to begin extradition procedures
November 2002: US government attorneys call a high-profile press conference to announce plans to extradite McKinnon.

Trail of hacking across 14 US states
Earle Naval Weapons Station, New Jersey - a port services computer used for monitoring the battle readiness and for re-supplying US Navy ships was hacked. From 18 June to 21 June 2001, unauthorised access was gained to the machine and about 950 passwords were stolen. Critical computer files were deleted and security compromised, causing $290,431 in damage

US Army Fort Myer Virginia: - 1,300 user accounts were deleted and critical systems files were destroyed in a computer system used for commerce and communications. A file containing user-names and encrypted passwords was downloaded. A further 52 computer systems in other US military establishments were penetrated. Total damage $10,000 plus

US Navy: - administrator privileges were obtained, hacking tools installed and system logs were deleted on 14 computers in Groton, Connecticut and six at other US Navy sites including Pearl Harbour

US Air Force: - a computer was infiltrated at Crystal City, Virginia

Nasa: - access was gained to 16 Nasa systems in Houston, Texas and other states, used for commerce and communication

US Department of Defense: - two computers were penetrated at Fort Meade, Maryland, the availability of data, systems information was impaired

Pentagon: - two computers were penetrated at Arlington, Virginia

Non-military systems: - computers were hacked belonging to Tobin International in Texas, the University of Tennessee, Frontline Solutions in Pennsylvania, Louisiana Technical College, Martin Township Library Illinois, and Bethlehem public library in Pennsylvania.

Total estimated damage: $900,000