Pentagon hacker worked for City IT departments

City IT firms that employ consultants should conduct thorough checks, experts warn. Bill Goodwin reports

City IT firms that employ consultants should conduct thorough checks, experts warn. Bill Goodwin reports

Businesses were put on alert this week after it emerged that the British IT contractor accused of causing $900,000 (£570,000) of damage by hacking into US military systems had inside access to the IT systems of major London firms.

Gary McKinnon, an unemployed systems administrator, faces extradition to the US after prosecutors there named him as the man who broke into the systems of Nasa and the Pentagon.

McKinnon, from Hornsey, North London, claims to have worked on a series of short-term contracts in the IT departments of organisations including City firm JP Morgan, solicitors Rowe & Maw, and the Employment Service.

IT security experts said McKinnon's work could have given him ready access to sensitive IT systems.

"They should be extremely worried and they will need to carry out a thorough audit of their systems to make sure that there were no bits of server software hanging around that could give remote access to their machines," said Peter Sommer, IT security expert at the London School of Economics.

According to employment details sent by the out-of-work 36-year-old to prospective employers, McKinnon provided IT support services and assisted in the roll-out of Windows 95 for law firm Rowe & Maw, in 1998.

He also claims to have worked on a short-term project at JP Morgan from Windows 3.11 to Windows NT and installing a Windows computer system at the Employment Service.

Messages posted on the Internet by McKinnon in 1999 show that he had a keen interest in password cracking and was offering advice on network administration tools frequently used by hackers.

"It highlights the problem for all corporations that hire contractors - they need to make sure they know a lot about them," said Sommer.

Bob Ayers, an IT security consultant, responsible for overseeing penetration tests at the US Department of Defense in the 1990s, said that any organisations that believed they had been hacked should rebuild their systems. "You cannot just use a back-up copy because you do not know whether he contaminated the back-up copy or changed it or put a trojan in place," he said.

A spokeswomen for Rowe and Maw, now part of Mayer, Brown, Rowe & Maw Gaedertz, said that the firm had extensive scanning systems and was not worried about potential damage. "He worked as a contractor for two weeks, filling in for our onsite engineer. He was a contract engineer, fixing computer hardware and did not have access to the main computer systems," she said.

Janet Eagland, director of IT reseller Alphagen, which hired McKinnon in the mid-1990s, said that although he sometimes appeared to be "on a different planet," he did his job well. He was fired after he failed to turn up for work. "They will be wasting a lot of time and money prosecuting a boy who should talk to a counsellor," she said.

Former colleagues of McKinnon said they were amazed that the contractor was at the centre of such a high-profile hacking case.

Most recently McKinnon claims to have worked as a penetration tester for consultancy Interrorem, which provides security advice to businesses, though this was denied by the firm this week.

The Employment Service and JP Morgan declined to comment.

Hacker's £570,000 trail across US
  • Earle Naval Weapons Station, New Jersey

  • US Army's Fort Myer, Virginia

  • US Navy

  • US Air Force

  • Nasa

  • US Department of Defense

  • Pentagon

  • Non-military systems at Tobin International in Texas; University of Tennessee; Frontline Solutions in Pennsylvania; Louisiana Technical College; Martin Township Library Illinois; and Bethlehem public library in Pennsylvania.

Read more on IT risk management