You've been hacked

Cybercrime is a real and growing problem. As the internet grows, so does the number of people ready and able to exploit its vulnerabilities.

"With my method, I would start off from a very weak server - logistics or something. And then I would exploit what they call the trust relationship," says Gary McKinnon, a 42-year-old British computer systems administrator, more famously known as the hacker accused by the US of perpetrating the biggest military computer hack of all time.

"Other military systems trust you if you're already coming from another military IP address, and that's how you sort of leverage your access and go up the ladder. If you wanted to infiltrate the Pentagon directly, you probably couldn't do it. But, because I went in a roundabout manner throughout the military systems, the Pentagon trusted me. That was their weakness."

McKinnon is at his London residence and I'm interviewing him over the phone. Email or any other form of Internet-based communication is strictly off the cards since he is not allowed any Internet access at all as part of his bail conditions. Ever since he was caught in November 2002 by the National High Tech Crime Unit (later absorbed by the Serious Organised Crime Agency), McKinnon has been fighting extradition to the US, where he could face up to 70 years in prison.

At the time of writing, he was getting ready to appeal to the House of Lords starting on 16 June. "If I were to win the case, I think I'm correct in saying that the Americans can't appeal further than that. So that would be party time," he says.

If he is not successful, he will face extradition to the US within four weeks of the hearing, unless he decides to lodge a final appeal with the European Court of Human Rights.

As in any other legal case, there are two sides to the story. According to the American prosecutors seeking to try McKinnon on 20 different charges, he stole computer files, accessed sensitive information that might have been useful to an enemy, intentionally damaged a computer and interfered with maritime navigation equipment in New Jersey. He also rendered the US military district of Washington inoperable - they claim - which took $700,000 to repair.

Then there's Gary's take on why he's being chased: "America is passing a lot of cyber terrorism laws at the moment and, in a way, they need a so-called poster boy to prove that it really is possible [to threaten homeland security via cyber attacks]. All I'm guilty of is unauthorised access and, for that, in this country I'd get a year in prison - or perhaps not even that, maybe six months' community service."

Black or white?

If you are to believe Gary's account of events, in the five years or so during which he infiltrated the multiple military and NASA networks he acted as what in hacking circles is known as a 'white hat hacker'. That implies he never meant to delete, modify or steal any of the files he accessed; just to look at them.

He insists he was never politically motivated. Instead, he was trying to find evidence to prove whether there was any substance to a number of conspiracy theories involving alleged UFO cover-ups and the intentional suppression of free energy technology.

"I know a lot of people laugh at the UFO scenario, but there are a lot of very serious men and women, many of them in the military. There's one group [called the Disclosure Project] that has 400 expert witnesses who say they do have this technology, which has been reverse-engineered from captured or shot-down extraterrestrial craft," says McKinnon.

"I did find one picture and some documents in a place [Building Eight of NASA's Johnson Space Center] where an ex-NASA scientist with secret clearance had previously said these things existed. I think I did get very close, and that's probably the main reason [why they want to bring him to justice].

"There was an investigative journalist who went to America and interviewed the top brass in the military, and they said the only damage I did was to [hurt] military egos by exposing how easy it was to get in there and how weak their security was."

But was it really that easy to hack into the military networks of the world's biggest superpower? McKinnon swears it was: "I mean, these systems could have had firewalls," he says. "I was not at all clever; I was very lazy: I just searched for blank passwords by running large-scale phishing [attacks].

"Also, there are federal guidelines in protecting military systems, and none of these systems came up to scratch. So, really, this is a case of [network] administrators who are guilty of negligence."

Regardless of McKinnon's culpability (which will have to be eventually determined by the relevant judicial authorities), it is undeniable that, as the Internet reaches deeper and deeper into every corner of every nation, every public or private organisation and even every household, valuable information is increasingly falling into the wrong hands.

According to David DeWalt, CEO of McAfee, speaking at the InformationWeek 500 conference in Tucson, Arizona last September, cybercrime has become a $105bn business that is now bigger than the value of the illegal drugs trade worldwide.

In denial

The corporate sector is the one that currently stands to lose the most from information security breaches. For years, companies of all sizes have been building up entire business models in which their always-on IT infrastructure has been left to play a vital role in channelling sales and managing both back-office and supply chain operations.

The scope of threats these companies face every day includes anything from sophisticated cyber espionage operations to denial of service (DoS) attacks, phishing scams, stolen intellectual property, stolen personal data and website defacements.

A successful DoS attack (the shutting down of a targeted network resource by intentionally flooding it with incoming messages) costs an affected organisation on average $97,000. Companies that rely heavily on their websites to generate income (such as airlines or online betting companies) are usual targets of DoS attacks perpetrated by organised crime groups which will then try to obtain money by extortion.

A report published in April by the British-North American Committee warns that chief executive officers are underestimating the seriousness of the threat that cybercrime is posing to their businesses.

"Few CEOs or managing directors are prepared to lead their companies against these dangers," says the paper. "Too often, CEOs and directors fail to understand the level of potential risk and liability, and cede responsibility for dealing with cyber attacks to their IT department. Instead, [they] should know enough to at least ask the right questions of their chief information officer (CIO)."

This might sound reasonable, but - given the direction in which the information security industry is moving - it might also be wishful thinking.

Bruce Schneier, a renowned security expert and the founder and chief technology officer of BT Counterpane, is convinced that the arsenal of security products and services that organisations need to protect the integrity of their data is getting way too complex for the CIOs (let alone the CEOs) to understand.

"You could go to a security vendor and ask what they do, get a five-minute spiel and still not know. We are effectively seeing the emergence of security products and services that are now 'unsellable' because the buyer isn't sophisticated enough," Schneier says.

The 'increasing complexity problem' isn't, of course, confined to the phase when security products have to be purchased. Then there's the whole business of running them effectively and, here, too, companies are finding it difficult to keep up.

This is leading an ever growing number of enterprises to outsource their information security processes. Large telecom operators, Internet service providers and systems integrators have recently been buying a raft of security firms in an effort to obtain the required expertise to service this new demand.

It was that vision that prompted BT to buy Counterpane, IBM to acquire Internet Security Systems, EMC to snap up RSA (all of these in 2006) and Verizon to buy Cybertrust in 2007. Rumours have it that Symantec, the vendor of the Norton antivirus programme, is next up, with Hewlett-Packard expected to make an offer.

This isn't the captain speaking

In the aftermath of the September 11 terrorist attacks, industry observers, politicians and newspapers began to voice fears about the prospect of extremists taking advantage of the ubiquity and anonymity of the Net to terrorise civilians.

Mayhem would ensue - most of these stories and alarming warnings argued - if terrorists could somehow gain virtual control of nuclear power stations, dams or sensitive military systems.

But the fact remains that no single act of cyber terrorism has yet been carried out.

"There's no such thing as cyber terrorism," says Schneier. "It's silly. It's a media invention - a good media invention, but it's not a real threat."

One of the main reasons many security experts agree with this view is that the truly critical IT-controlled systems (those that could actually cost people's lives if they were to fall into the hands of cyber terrorists) aren't accessible via a public communications infrastructure such as the Internet.

In the US, the computers and networks attached to nuclear weapons, air traffic control systems or organisations such as the FBI are all 'air-gapped', meaning there's no physical link between them and any other type of equipment.

That's not to say a passenger plane couldn't one day be brought down by a terrorist using a laptop and an Internet connection as their only weapons. In fact, if it wasn't for the US Federal Aviation Administration, the new 787 Dreamliner jet that Boeing has almost finished developing could have been launched with just such a vulnerability.

A routine FAA inspection into the plane's design revealed earlier this year that the computer network designed to give passengers in-flight Internet access and that of the aircraft's control, navigation and communication systems were not air-gapped - potentially leaving the door open for a skilful passenger-hacker to have a go at piloting.

When this news was reported in the UK technology website, an anonymous reader posted an intriguing comment. He insinuated that the physical link between the plane's navigational and public Internet networks wasn't really a security blunder but the result of a secret instruction that the FBI had given Boeing, so that "the feds could take control of the plane from the ground if it were hijacked".

It's a shame that the FBI network is air-gapped. It would have given Gary another chance to prove how much of a conspiracy theory there was in all this… that is, of course, if he's allowed the "party time" he's so desperately wishing for.
