Hacking US military systems was child's play, says Gary McKinnon

Gary McKinnon, who is currently fighting extradition to the US, describes how hacking US military systems was child's play, and offers his top tips on protecting your network from hacking attacks.

Self-confessed hacker Gary McKinnon goes to the House of Lords on Monday to fight against extradition to the US.

By his side will be human rights watchdog Liberty and David Pannick, a specialist public and human rights QC who has argued many times before the Lords.

Opposing him will be the Crown Prosecution Service, acting for the US government. British taxpayers will pay both the CPS's costs and much of McKinnon's. The total so far is estimated to be close to £900,000.

The law lords will decide whether US prosecutors unfairly tried to coerce McKinnon into a plea bargain. If they judge that the officials' actions were an abuse of the extradition process, McKinnon will not be extradited, says McKinnon's attorney, Karen Todner.

US prosecutors accuse McKinnon of hacking into nearly 100 federal computer systems and causing damage worth £350,000 to systems and data files.

McKinnon admits to gaining access to various US government computer systems, but denies causing any damage or disruption on the scale claimed.

The former National Hi-Tech Crime Unit arrested McKinnon in 2002, three years after he began looking for evidence of extra-terrestrial beings and technologies on US computers.

McKinnon was obsessed with finding evidence that the US government was hiding alien technology that would provide free energy. Had he found it, he "was going to blow it to the world's press", he said.

It was child's play to get into US military systems, McKinnon said. Many were running NetBIOS over TCP/IP with blank or default passwords, which allowed him to access administrator privileges.

He admitted writing scripts to harvest passwords, and to using password crackers to get into more protected systems.

Gaining secret access was clearly seductive. McKinnon speaks of "megalomaniacal" feelings when he was deep inside systems. But he was not alone, he said. By querying who else was connected and investigating IP addresses, he found Chinese, European and other nationals visiting the same computer systems. "At first I thought they might be offsite contract workers, but that was not the case," he said.

Once he was inside a network, especially a military network, McKinnon found that other computer systems considered him a trusted user. This was how he was able to get into the Pentagon's network. "It was really by accident," he says.

The most secret system McKinnon said that he hacked was China Lake, a facility that develops airborne weapons for the US Navy and Marine Corps.

He found little evidence of other-world natives or technology, except for a spreadsheet that listed "non-terrestrial officers, ships' names and goods movements", and a picture of what he said was a UFO with a perfectly smooth surface.

Would he do it again? "Never. I would go through legitimate channels such as the Freedom of Information Act," he says.

The former systems administrator supported himself by driving a forklift truck as he waited for the legal process to run its course. The work dried up as employers grew unhappy with the attention the media focused on him. He now lives on benefits.

McKinnon says National Hi-Tech Crime Unit officers told him then that a British court would probably give him six months' community service, which he was prepared to accept. If extradited and convicted, he faces 60 or more years in a US jail.

Hacker Gary McKinnon's top tips on how to protect your network

Gary McKinnon, who is fighting extradition to the US to face hacking charges, offers CIOs and network administrators a few words of advice on network protection.

The advice is based on his own experiences of unauthorised access to US federal, defence and space systems.

1. Make sure your PCs run only in business hours, i.e. 9 to 5.

2. Do not have blank or default passwords for local administrator privileges.

3. If you set up a password on a PC for a local administrator, make sure each PC has a different password for that administrator.

4. Do not put unprotected files on the network that describe what each machine on the network does.

5. Do not use NetBIOS over TCP/IP.

6. Do not run Windows.
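
An administrator could check an inventory export against tips 1, 2, 3 and 5 along the following lines. This is an added example, not part of the original article or McKinnon's advice; the record layout, the audit key, the weak-password list and the sample hosts are all constructed assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

AUDIT_KEY = b"constructed-audit-key"        # placeholder; keep the real key out of the inventory
WEAK_PASSWORDS = ("", "password", "admin")  # assumed blank/default candidates; extend as needed
NETBIOS_PORTS = {137, 138, 139}             # NBT name (udp), datagram (udp), session (tcp)

def fingerprint(password: str) -> str:
    """Keyed fingerprint so the inventory never stores the password itself."""
    return hmac.new(AUDIT_KEY, password.encode(), hashlib.sha256).hexdigest()

# Constructed inventory: one record per PC, as a provisioning tool might export it.
# "ports" are listening ports (protocol ignored for brevity); "hours" is the power schedule.
INVENTORY = [
    {"host": "pc-01", "admin_fp": fingerprint(""), "ports": {135, 139, 445}, "hours": (0, 24)},
    {"host": "pc-02", "admin_fp": fingerprint("Tr4ctor-Lime-88"), "ports": {445}, "hours": (9, 17)},
    {"host": "pc-03", "admin_fp": fingerprint("Tr4ctor-Lime-88"), "ports": {137, 445}, "hours": (9, 17)},
    {"host": "pc-04", "admin_fp": fingerprint("Quiet-Harbor-31"), "ports": set(), "hours": (8, 18)},
]

def audit(inventory):
    """Return {host: list of findings} for tips 1, 2, 3 and 5."""
    weak = {fingerprint(p) for p in WEAK_PASSWORDS}
    by_fp = defaultdict(list)               # fingerprint -> hosts using that password
    for rec in inventory:
        by_fp[rec["admin_fp"]].append(rec["host"])
    findings = {}
    for rec in inventory:
        issues = []
        start, end = rec["hours"]
        if start < 9 or end > 17:
            issues.append("tip1: powered on outside 9 to 5")
        if rec["admin_fp"] in weak:
            issues.append("tip2: blank or default local administrator password")
        elif len(by_fp[rec["admin_fp"]]) > 1:
            others = [h for h in by_fp[rec["admin_fp"]] if h != rec["host"]]
            issues.append("tip3: local administrator password shared with " + ", ".join(others))
        if rec["ports"] & NETBIOS_PORTS:
            issues.append("tip5: NetBIOS over TCP/IP port open")
        findings[rec["host"]] = issues
    return findings

if __name__ == "__main__":
    for host, issues in audit(INVENTORY).items():
        print(host, "OK" if not issues else "; ".join(issues))
```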


Photo: Copyright Ian Grant 2008
