The British House of Lords has decided to extradite Gary McKinnon, a British citizen who hacked his way into several U.S. military, defense and NASA computers, to the United States to stand trial. McKinnon has been fighting extradition since the discovery in 2002 that he was the one who broke into the U.S. government’s most sensitive networks — reportedly from a friend’s aunt’s house — between 2001 and 2002. He allegedly caused US$900,000 in damages to computers located in 14 states.
What is remarkable about McKinnon’s case is that he managed this feat with little high-level hacker expertise — and that his quest was not for military secrets or sensitive design plans, but for secret documents that would reveal the existence of alien life. In interviews with news media, McKinnon claims his search was successful, uncovering photographs of alien spacecraft and the names and ranks of “non-terrestrial officers.”
The U.S. government does not place much weight on McKinnon’s odd motives. McKinnon reportedly left a note on an Army computer criticizing U.S. foreign policy as government-sponsored terrorism.
In the indictment against him, the U.S. government accuses McKinnon of handicapping it in the aftermath of September 11.
“The entire network of 300 computers at NWS Earle, located in Colts Neck, N.J., was effectively shut down for an entire week. … [F]or another three weeks afterward, military personnel and government civilian employees at NWSE were only able to send and receive internal e-mail. It was only approximately a month after McKinnon’s last intrusion into the network that NWS Earle was able to automatically route Naval message traffic and access the Internet,” according to the indictment.
In fighting extradition, McKinnon maintained that a trial in the U.S. could subject him to terrorist sentencing guidelines. With the House of Lords rejecting that argument, he has just one other option: appealing to the European Court of Human Rights.
That McKinnon was able to access secure government information using basic hacking software is not all that remarkable, said Matt Shanahan, SVP of marketing and strategy for AdmitOne Security.
“In most cases, when people hack into a system — the vast majority of the time — they are able to get in because reasonable controls were not in place,” he told TechNewsWorld. “In the case of McKinnon, there were a number of devices the systems administrator had not set.”
A highly fragmented systems administration environment, together with the fact that a lot of controls are manual, usually results in some vulnerability, Shanahan said.
“People usually forget to set something, or they are using a virtual machine that might not have been set up correctly and then copies the same mistake 100 times,” he explained. “McKinnon was able to find, and then take advantage of, these vulnerabilities.”
The answer is reducing fragmentation as much as possible, Shanahan suggested, and automating the process instead of relying on individuals to make necessary adjustments.
No doubt, a red-faced U.S. administration has patched the vulnerabilities that McKinnon was able to exploit.
What is worrisome is that high-level professional hackers still have ways to access these systems if they want to, said Bill Johnson, CEO of TDI.
“We have become a big proponent of securing the computer baseboard manager controller, or BMC,” he told TechNewsWorld.
The BMC is network-accessible once a hacker can get past the firewall, and it allows command and control of the main motherboard, he said.
“Even systems in NASA would be vulnerable to this method of attack,” noted Johnson.