Security threats Toolkit

NASA hacker is no Neo

Tags:
Hacking

Leader ZDNet.co.uk

Published: 10 Jun 2005 14:30 BST

The news this week that the 'World's biggest hacker of military networks' may be extradited to the US where he faces up to 70 years in prison is a great story, if you’re a journalist, work in the IT security industry or the US government. For everyone else, including the protagonist, it’s a divisive, misleading, pile of spin.

An unemployed UFO obsessive from North London may really be public enemy number one. Gary McKinnon, 39, may even be in league with al-Qaeda and anyone else you can think of. Or it could be the silly season starting early, with the American establishment happy to spin stories that the UK media is happy to pass on.

This pleases the IT security industry. If NASA, the US Department of Defense, and even the shadowy spooks at the National Security Agency can be hacked then what hope has the average enterprise got? Best buy things - lots and lots of things. How else to explain the British Airports Authority (BAA) decision to invest £23m in 'Shield', a programme to combat the threat of cyber-terrorism, when nobody has ever seen a cyber-terrorist? McKinnon, you're hired.

McKinnon's plight is also a great excuse for the US authorities. By building him up into the Matrix's Neo made real, they are able to sidestep the rather embarrassing fact that an unemployed bloke from Wood Green was able to breach what should be the toughest IT security systems in the world.

The facts, as they are known so far, do not support the idea that McKinnon was a professional or even particularly expert. For one, he failed to conceal his IP address or use any false identities to cover his tracks. McKinnon also apparently used a very common port scanner that is widely available on the Internet. There is even the posibility that McKinnon accessed the military systems by checking whether any users had used the word 'password' as their log-in.

The real story here is how US authorities allowed a hacker with rudimentary tools to crack their systems. If he could do that, then the real experts must be wreaking havoc. Seen any havoc recently? Odd, that.

As a report from analyst Gartner this week claims, most security threats are over-hyped; the real problem lies with IT systems not being installed correctly: "Two out of three successful external attacks are due to mis-configured systems", the group claims. "The problems were mainly to do with people and processes rather than IT. The IT industry is trying to sell its products hard, but it’s not where the issue is at."

If McKinnon is found guilty he deserves to be punished but it should be punishment proportional to the crime. Hopefully, justice will be served in this case and he will be allowed to have his case heard in the UK where hopefully headlines such as 'World's biggest hacker' or 'Biggest military computer hack of all time' will eventually be superseded by 'NASA launches investigation into security blunder' or even 'NASA Chief Security Officer Resigns'.