Slashdot Mirror


US Busts Military Network Hacker

yorgasor writes "KATU has an article announcing that the case of a mysterious hacker who has broken into roughly 100 military networks has been solved. The hacker is a British citizen and authorities were considering extradition for the case. Although no networks containing classified information were compromised, they do consider the hacker to be a professional rather than recreational due to the large number of networks he hacked."

34 of 415 comments

  1. 100 penetrations later... by Anonymous Coward · · Score: 3, Insightful

    Wow! It took 'em 100 or more tries to notice something was not quite right?

    They probably had to bait and switch to catch him...

    1. Re:100 penetrations later... by machine+of+god · · Score: 3, Insightful

      More likely they're trying to screw him. Like he got into a box connected to a couple of networks so they count each one against him.

  2. That guy kicked the military's a$$ by dirvish · · Score: 5, Insightful

    I know the military is a big target and all but 1 GUY, 100 NETWORKS? Those military network security folks must be pretty lame. Seems like they could have tracked him down a lot sooner if they knew what they were doing.

    1. Re:That guy kicked the military's a$$ by jared9900 · · Score: 3, Insightful

      Also, you should consider that they don't mention how long he'd been attacking the networks. He could've done it slowly over a longer period of time. Many of the break-ins may've only been connected to him after they noticed a pattern somewhere down the line.

    2. Re:That guy kicked the military's a$$ by zmooc · · Score: 4, Insightful

      NAT cripples TCP/IP-functionality and was only invented to work around the lack of IP-addresses. It is not meant as a security-measurement and does not really add much security over a decent firewall. There's nothing wrong with this approach though it happens to be less safe when there is no decent firewall (which should be there).

      --
      0x or or snor perron?!
    3. Re:That guy kicked the military's a$$ by slamb · · Score: 3, Insightful
      NAT cripples TCP/IP-functionality and was only invented to work around the lack of IP-addresses. It is not meant as a security-measurement and does not really add much security over a decent firewall.

      True, but as a practical matter, I'd say that NAT has improved security in general. NAT requires a connection-tracking firewall to work. So it means many people have them who wouldn't otherwise. And it enforces a specific good practice in setting up the firewall: no incoming connections to any of the internal hosts unless you explicitly configure them. Nothing people couldn't get otherwise, but something they probably wouldn't get otherwise.

      There is one thing it adds over a properly-configured firewall: hiding information about how many computers you have, which one opened a connection, etc. You might or might not consider that information sensitive.

  3. Why must we persist in... by BrokenHalo · · Score: 1, Insightful

    calling crackers hackers?

    1. Re:Why must we persist in... by Capsaicin · · Score: 2, Insightful
      Why must we persist in calling crackers hackers?

      Give it up. This one has been lost, just like split infinitives or Latin plurals. Why must we persist in calling fora forums?

      Guess you just have to accept that the word 'hacker' now has more than one meaning, it happens to words sometimes. One of them is a synonym of 'cracker,' the other(s) is(are) something quite else.

      --
      Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
  4. 100 Sites? by dubious9 · · Score: 5, Insightful

    He must have been pretty damn good to evade capture and continue to crack 100 sites. Makes me wonder how they caught him. If you are a professional and can break into 100 US military sites, what's to stop you? I figure if you are good enough to crack 10 or twenty without messing up, they are probably not going to catch you.

    Anybody have any good stories of catching elusive hackers, or insights into how they might have got him?

    --
    Why, o why must the sky fall when I've learned to fly?
    1. Re:100 Sites? by Minna+Kirai · · Score: 5, Insightful

      Yeah, and that shows he wasn't a professional, but someone out for fun. A professional cracker would've gotten his data, got out, and collected his paycheck.

      Same with the snipers- the police can hardly claim to have beaten them. (the number of bodies they left behind made it a phyrric victory at best). A professional assassin would've killed his target, got out, and collected his paycheck.

      So far we can barely defend ourselves from recreation "hackers" and gunmen. If some real terrorist group starts funding some, it will be much much worse.

    2. Re:100 Sites? by kiwimate · · Score: 3, Insightful

      A professional assassin would've killed his target, got out, and collected his paycheck.

      Yes and no. Mostly yes -- a professional assassin is typically hired to kill a specific target. A true mercenary does the job purely for financial gain, not for ideological purposes, and so the motivation to escape is obviously high.

      But what if your aim is to instill fear? Suicide bombers don't care about getting out; they want to take as many with them as possible. Similarly, I wouldn't be surprised if we discover the motivation for the snipers was to instill as much fear as possible in the American population. To that end, it was a big success -- no apparent link between the targets, which meant anyone could be next, and they just kept on going day after day with no-one having a clue who they were.

      So, the lesson is that, while professional is usually taken to mean that one gets paid for the task, that's not the only definition. It can refer to someone who performs a task to high standards and with a certain degree of expertise (look it up on Merriam-Webster).

      (Oh, and it's Pyrrhic, not phyrric. Even without the correct spelling, it still refers to Pyrrhus, so you should at least capitalize it as a proper noun. Classical education ain't what it were.)

    3. Re:100 Sites? by 2short · · Score: 2, Insightful

      "If I leave my doors unlocked and the key in the car my insurance won't pay out, it's called negligence"
      But if I take your car, it's still called Grand Theft.

      "If they could have stopped the hacker after a few hacks (or attempts) but didn't because they wanted to watch the attacks then that's aiding and abetting"
      No, it's not. Buying him a better computer would be aiding and abetting. Telling him he should try to hack you a bunch more times would be entrapment. Watching and taking notes, even though you could stop him, is neither.

  5. Is it just me... by alargeduck · · Score: 4, Insightful
    Or is this really dirty:

    Once, the FBI tricked two Russian computer experts, Vasily Gorshkov and Alexey Ivanov, into traveling to the United States so they could be arrested rather than extradited. The Russians were indicted in April 2001 on charges they hacked into dozens of U.S. banks and e-commerce sites, and then demanding money for not publicizing the break-ins.

    FBI agents, posing as potential customers from a mock company called Invita Computer Security, lured the Russians to Seattle and asked the pair for a hacking demonstration, then arrested them. Gorshkov was sentenced to three years in prison; Ivanov has pleaded guilty but hasn't been sentenced.

    Why not just extradite them? The US has an extradition treaty with Russia I'm sure. Now I'm not saying that arresting them was "wrong", but why resort to deceptive law enforcement tactics like this?

    1. Re:Is it just me... by totallygeek · · Score: 3, Insightful
      Why not just extradite them? The US has an extradition treaty with Russia I'm sure. Now I'm not saying that arresting them was "wrong", but why resort to deceptive law enforcement tactics like this?


      Stings like this are done all the time within our own country. Creating a "new" crime that has a well-documented beginning and arrest becomes a more solid conviction. Proof of activity across the Internet by multiple people at undocumented times leads to reasonable doubt in the minds of jurors.

  6. Punish those responsible... by Minna+Kirai · · Score: 5, Insightful

    Throw some military sysadmins to a court-martial for dereliction of duty!

    Ok, don't be that harsh on them. Scare 'em a little, then let them go with a warning. But national western militaries cannot continue to run their networks like this. It's dangerously irresponsible.

    For a national military to assume they can use police arrests (force of arms) to secure their networks is folly. Armed force only works against attacks that are perpetrated from inside your range of military dominance. For the US that's a big area, but there's still many places where they can neither call in a SWAT team, nor direct an unmanned plane to assassinate the target.

    If this fellow had been a professional (earning money from these hacks), then he'd be living in a secret compound provided by his employers in Iraq/Korea/China. True, the internet bandwidth isn't that great there, but a good hacker doesn't need it. He can just compromise some broadband PCs in the US or UK (possibly with the help of an agent on scene- a retailer who sells trojaned machines for instance) and use that to leapfrog to the real targets.

    (If this guy was any good, we'll find out that this British suspect was just a patsy)

    One big argument against more stringent computer-crime laws in the US is that they permit businesses and the military to postpone installing real network security. Why bother defending yourself, if the FBI just busts the punks for you?

    This sets us up for disaster in 20 years, when the economy really needs the internet to survive day-to-day, and China has caught up to our 2005-era connectivity levels. If President Bush the 3rd angers China and they set 200 top computer professionals at making mischief, the damage could be real.

    ("Vaccinate now! Free Heckenkamp")

    1. Re:Punish those responsible... by Klaruz · · Score: 5, Insightful

      Court martial military sysadmins? No way. It's not their fault.

      Hear me out here. The people running these systems (from my ex-air force perspective) are between kids out of high school (Airmen) and 20-somethings that have been doing military computer stuff since high school (NCOs). All they know is what the military trained them to do. Guess who decides what to train them in? NCOs and Officers. That's for the military people. There are civilians too, usually retired military. They all have to abide by policies set out by the DOD which are sometimes short-sighted and not very well thought out. They also leave very little room to implement new ideas and take care of important problems right away.

      The best and the brightest who can actually secure a system don't go into the military. When they do, they're ignored because they're 'young' and have no 'experience'. I fell in the latter category. There's nothing like the feeling of fixing somebody else's screw up (usually a contractor) and 30 minutes later be taking out the trash or doing some other degrading duty. Needless to say I got out and now make a lot more money with a lot less hassle, have a boss who listens to me (mostly), and can actually advance in the company and my career without having to wait X number of years and take a test on things that have nothing to do with my job.

      Anyway, without going off topic. You can't blame these guys, most of them don't have a clue, those with a clue have their hands tied by stupid policies.

      If you want to blame somebody, blame the high ranking Officers, they make the policies and the training programs that made this happen. Of course, that would never happen, some poor Airmen or overworked NCO will get railroaded.

      Oh well, I'm free and clear now. At least I got a jump start on life and some free college out of the deal.

    2. Re:Punish those responsible... by lommer · · Score: 4, Insightful

      "(If this guy was any good, we'll find out that this British suspect was just a patsy)"

      No actually, if this guy is any good we won't find out that this Brit is just a facade...

    3. Re:Punish those responsible... by WaKall · · Score: 2, Insightful

      >>(If this guy was any good, we'll find out that this British suspect was just a patsy)

      Actually, if he was VERY good, that would be true but you wouldn't find it out.

  7. Watch to see their target... by Goonie · · Score: 5, Insightful

    The article was vague. Maybe he made a mistake and gave the investigators something that identified him. Equally likely, maybe the infosec guys decided the payoff for letting him continue hacking for a while (firm up the evidence for a conviction, be able to convict him for more serious offences, and most importantly figure out what his motives and techniques were) was more important than having him arrested immediately.

    --

    Any sufficiently advanced technology is indistinguishable from a rigged demo
    --Andy Finkel (J. Klass?)
  8. Re:This is not 'hacking' by teamhasnoi · · Score: 4, Insightful
    If the guy is from Britain, he is considered a hacker. If he were from Iran, he would be considered a terrorist.

    They should just scrap the term hacker and call him a terrorist, because that's what breaking into the US military is, terrorism.

    Would breaking into British Military also be terrorism? How about Iraq?

    There is a difference between breaking into a company's network out of curiosity and breaking into a military network. At worst, it could be considered an act of war from the country where the hacker originated against the country that was hacked. This would be bad for Britain as they are totally dependent on America for support and are controlled by America's military policy.

    Britain is dependent on the US? Tony Blair certainly is Bush's Yes Man, but I wouldn't go so far as to say that they are dependent on us, or controlled by our policy.

    100 successful hacks is quite impressive, and it's good to see that America's war on terrorism is paying off and this man was caught before he could have caused serious damage to the western world.

    Yes. The war on terrorism is paying off, just like the war on drugs. We prevented this guy from breaking into *every* military network, just like we've taught kids to 'Just Say No' and quelled the importation of millions of dollars of coke and dope.

    Thank you Geoilrge Bush, and God Bless Amerika!

    Yes, I know, IHBT,IHL,HAND - I just wanted to practice my italics and paragraph tags.

  9. At least quote it right! by Scaebor · · Score: 2, Insightful

    "All your base are belong to us". Please, when posting shitty jokes, at least post them correctly.

    --
    "Hey brother Christian with your high and mighty errand / your actions speak so loud I can't hear a word you're saying"
  10. "professional" by g4dget · · Score: 5, Insightful
    they do consider the hacker to be a professional rather than recreational due to the large number of networks he hacked.

    Sleeping with a lot of men/women makes someone a slut; it requires getting paid for it to be considered a professional.

    1. Re:"professional" by infiniti99 · · Score: 3, Insightful

      Not necessarily. I visited Merriam-Webster to check on this, and "receiving financial return" is just one of the many definitions of a professional.

      I believe there was a related debate on a recent Slashdot poll involving programming, where two of the options were "Professional" and "Open Source". This was a poor choice of words, since the two are not mutually exclusive.

  11. Re:This is not 'hacking' by Twirlip+of+the+Mists · · Score: 5, Insightful

    They should just scrap the term hacker and call him a terrorist, because that's what breaking into the US military is, terrorism.

    The term "terrorist" has certainly been overused in the past year or so, but what many people don't realize is that it actually has a strict legal definition. (Well, actually several strict legal definitions, depending on the jurisdiction you're paying attention to at the time.)

    Way back in 1937, the League of Nations defined terrorism as, "All criminal acts directed against a State and intended or calculated to create a state of terror in the minds of particular persons or a group of persons or the general public." So under that definition, an act is terrorism only if it's specifically intended to create a state of terror. September 11, yes. This guy, no.

    In 1999, the UN defined terrorism this way: "Reiterates that criminal acts intended or calculated to provoke a state of terror in the general public, a group of persons or particular persons for political purposes are in any circumstance unjustifiable, whatever the considerations of a political, philosophical, ideological, racial, ethnic, religious or other nature that may be invoked to justify them." So here too we have the idea that the act must be specifically intended to invoke a feeling of terror. So by that definition, too, this incident is not terrorism.

    The USDOD defines terrorism to be, "The calculated use of violence or the threat of violence to inculcate fear; intended to coerce or to intimidate governments or societies in the pursuit of goals that are generally political, religious, or ideological." Once again we have the idea that the act must be calculated to cause fear. If an act merely incidentally causes fear or terror, it's not strictly terrorism.

    Since 9/11, laws have sprung up in several US jurisdictions making it a crime to plan, enact, or carry out any act designed to produce a fear response in the population. In fact, the DC sniper suspects are being indicted in Maryland under just such a law. But all of these also have the same basic thread: that the act must have been done with the specific and deliberate intent of causing fear.

    So no, what this loser did isn't technically terrorism.

    At worst, it could be considered an act of war from the country where the hacker originated against the country that was hacked.

    Not really. In order to make the leap from crime to act of war, there has to be an element of direct or indirect state sponsorship. An individual acting on his own to carry out a criminal act-- even a horrible or devastating one-- in another country does not automatically constitute an act of war. But if another government sponsors the act, that's a different story. The basic idea here is that war is a state of armed conflict between nations, not between groups or individuals. Rhetorical shorthand aside, the United States could never be in a state of war against al Qaeda, or against Osama bin Laden personally. The concept of war can't be applied to those sorts of conflicts in any meaningful way.

    --

    I write in my journal
  12. Re:Extradition by Anonymous Coward · · Score: 1, Insightful

    hmm the US isn't great for its human rights record in the courts.

  13. Re:Kinda OT by ceejayoz · · Score: 5, Insightful

    You can hardly compare the electronic voting systems to military servers. The military servers are connected to the public internet - the best way of securing a computer is to smash its network card into itty bitty pieces.

    The voting machines, on the other hand, aren't connected to the internet - they save the votes onto removable cards (compactflash cards, IIRC) that get taken (under guard) to a location where they're all downloaded and the results determined.

    They're two completely different problems.

  14. Re:Flamebait?!? by Anonymous Coward · · Score: 1, Insightful

    You'd have been fine if you left it at the first paragraph. The second exhibited an underlying bigotry. If you'd been writing about an African American or a Jew, you would have been accused of racism.

    BTW, you could claim that the British did successfully invade the US. Although Canada wasn't very Canadian then. They burnt down D.C., leaving the White House.

    Finally, I think you'll find that the US also has some dependency on the UK. Politically as they give them international legitimacy, a bridge between them and the less gung-ho Europeans, and they still have a lot of ties, influence and experience around the world, although that diminishes with each passing year. Also, strategically: they have bases in Cyprus (not many minutes flying time from Israel), which are good listening and staging points for the Gulf, as well as Diego Garcia, which I believe the US leases. And of course, they're also closer by several hours, which is why the US asked to have their B2's relocated to a base in the UK.

  15. Re:This is not 'hacking' by Anonymous Coward · · Score: 1, Insightful

    Something like a threat to bomb Iraq? Before you go apeshit, think: the US comes in, bombs, leaves and then the civilian population has to live another 11 years in poverty before the next wave. So, civilians DO get hurt in the process, albeit not directly.

  16. Read more closely by Anonymous Coward · · Score: 2, Insightful

    ...who broke into roughly 100 unclassified...

    Did you folk all miss this phrase? Focus on the word 'unclassified.' This retard probably hax0red a bunch of .mil web sites designed to attract Army recruits or something.

  17. Extradition? by panurge · · Score: 4, Insightful
    We all know that the US govt. will not sign up to the International Criminal Court, yet tries to extend US jurisdiction outside its borders. But this is ridiculous. If the actions took place in the EU, on what basis could there be extradition to the US? Extradition is in respect of a crime committed in the country requesting the extradition.

    Basically what he did was sit at a keyboard typing and looking at a screen in, presumably, the UK. At what point was the crime committed? When he hit the return key, or when he viewed the resulting data? I would suggest that is the case, and any prosecution should take place in the UK - there is plenty of existing legislation.
    I am sure that someone will start bleating on about the theft of CPU cycles, or whatever. But this is extremely abstract. If the sites were non-secure, then presumably they had public access. If we are going to pass laws that people can only view websites as the designer intended, it may suit the kind of Government idiots that once threatened someone with prosecution for telling them they had an open SQL port with anonymous login on a military server, but is hardly going to promote good design (or be enforceable).

    This is exactly the kind of case that makes the notion of a World Court reasonable. But I can just imagine his lawyers going to the EU Courts to argue that (a) the US is refusing to allow its citizens to be subject to the ICC, thus demonstrating that US law is not even-handed, (b) in the present climate of hysteria he could in any case not get a fair trial, (c) that US law is in conflict with EU human rights legislation.

    It seems to me we have more to fear from the kind of idiots that go in for the kneejerk "This guy looked at a Govt. site! He is a terrorist!" reaction. The word for them is Stalinists, and the last thing we want is for the delightful security and political policies of the former Soviet Union to gain a foothold in the Republican Party.

    --
    Panurge has posted for the last time. Thanks for the positive moderations.
  18. Of course he didn't get to any classified info by LazLong · · Score: 3, Insightful

    Classified networks are air-gapped from unclassified networks, which the Internet is by definition.

    I love it when some U.S. gov't computer getting hacked makes headlines....The most sensitive info a hacker could ever get would be HR type info.

  19. Echelon by Martin+S. · · Score: 4, Insightful

    So let me see if I have this right.

    The US Military want to prosecute somebody for doing something they've been doing for years?

  20. Re:This is not 'hacking' by moz25 · · Score: 2, Insightful

    He's evil, he's fascist, he kills his own people, his own countrymen... He lives in luxury, while his own public starves.

    You do realize that this of course also applies to the fundamentalistic theocracy of Saudi Arabia? The country where medieval style punishment is still 'ok', women are not allowed to drive, homosexuals simply do not exist, the increasingly larger poorer segment of the population barely has enough food to live off, while the filthy rich 'princes' live in luxury in their palaces.

    The difference between a friend (Saudi Arabia) and a foe (Iraq) doesn't appear to lie in the extent to which their leadership is despicable, it's about the extent to which they are willing to play along. Saddam wasn't any more of a 'swell guy' when his regime was considered friendly to the western countries...

    And yeah, oil makes everything all the more relevant

    Moz.

  21. Re:Kinda OT by Chriscypher · · Score: 2, Insightful

    Actually, during the last election on 11/5, I recall a news blurb extolling the virtues of electronic voting in Florida. The poll worker brought a touchscreen tablet *out to a car in the parking lot* so that an elderly voter could place her vote. I noticed a floppy wire that looked eerily like an antenna hanging off the side of the box, which immediately said to me "wireless network". So, if wireless networking is in fact being used, I'd say their "secure" voting LANs will get cracked by the next general election, if they haven't been already.

    To be above suspicion, elections require voting methods that are difficult to forge and ballots that can be confirmed after the fact (re-count). Electronic voting places all points of failure in an unexaminable variable in the system software. If done well, compromise of this system would be difficult if not impossible to detect, and there will be nothing to manually re-count: game over.

    How do you *prove* the election was not rigged? Elections must have the appearance of impossibility of being rigged. It is very hard to forge 400,000 ballots with filled in dots (a la standardized tests; they can be both electronically and manually tallied).

    The new voting machines in Florida are an excellent example of technology being more unreliable than simpler/cheaper/proven methods.

    --
    "You have liberated me from thought."