Tuesday, April 03, 2007

British Nasa Hacker Loses Extradition Fight

Taken from The Telegraph, UK, 03/04/2007
By staff and agencies

A British computer hacker accused of committing one of the largest ever cyber-attacks on the US government has lost his High Court challenge to avoid extradition to America.



Gary McKinnon, a 41-year-old former computer systems administrator known online as "Solo", had challenged a decision by John Reid to send him to the US to face trial for illegally accessing military and NASA computer systems.

A judge ruled last May that McKinnon, indicted in New Jersey and northern Virginia, should face trial in the United States and Mr Reid signed off on the request.

McKinnon, who was arrested in 2002, is accused of hacking into around 100 US government computers between February 2001 and March 2002, causing around $700,000 (£354,400) damage.

One attack, which occurred immediately after Sept 11 targeted the Earle Naval Weapons Station in New Jersey and shut down its computer system for a week.


McKinnon was caught after some of the software used in the attacks was traced back to his girlfriend's e-mail account.

The Briton had claimed he could face prosecution under US anti-terror laws and told a British court he accessed systems because he was looking for evidence that America was concealing the existence of UFOs.

But Judge Nicholas Evans said at an earlier court hearing that McKinnon had left notes on computer systems criticizing American foreign policy.

"US foreign policy is akin to government-sponsored terrorism," Judge Evans quoted one such note as saying.

Lord Justice Maurice Kay and Justice Goldring, at the High Court, said McKinnon had no grounds to appeal his extradition, but also expressed their disquiet at an alleged American threat to deny him the right to serve out part of his sentence in Britain.

McKinnon's refusal to plead guilty in the United States had earned him the ire of the American authorities, who were preparing to prosecute him as cyber-terrorist and bar him from serving out part of his sentence in Britain, his lawyers said in a statement.

"His punishment could not be more severe," the statement said. "It amounts to a life sentence in a foreign country."

McKinnon is applying to have his case heard in the House of Lords, Britain's highest court of appeal.

--------------------------------------------------------------------------

So how did he do it? The Guardian (April 3, 2007) explained everything...

With national security a primary concern after September 11, you would assume puncturing the protective layers around military computers would be of Herculean difficulty. So how did Gary McKinnon become a "master hacker"? Very easily, it turns out.

From a house in north London, Mr McKinnon - a self-confessed "bumbling computer nerd" - spent hours laboriously testing different ways of accessing US computers in his quest, he claims, to prove that UFOs exist.

After discovering the addresses of some computers at the fringes of the military system - in departments such as logistics and support - he found it easy to break in. With a management tool usually used by IT staff, Mr McKinnon was then able to work his way into networks at Nasa and the Pentagon.

The biggest loopholes had been created by users who failed to follow basic security measures - such as changing their password from the default "password".

With such glaring errors leaving the backdoor wide open to intruders, Mr McKinnon said it was a simple task to control computers remotely, from the other side of the world.

Deliberately working at times when American staff would be asleep, he would hop on to more secure systems that were impenetrable to outsiders but wide open to "trusted" users.

By time he was caught, Mr McKinnon was even leaving messages on the desktops of the computers he had hacked into.

He has admitted his efforts were more like those of the Keystone Cops than a masterful thriller. "It got a bit silly," he told the Guardian last year. "I suppose it means I'm not a secretive, sophisticated, checking-myself-every-step-of-the-way type of hacker."

No comments: