US Busts Military Network Hacker

yorgasor writes " KATU has an article announcing the case of a mysterious hacker who has broken into roughly 100 military networks has been solved. The hacker is a British citizen and authorities were considering extradition for the case. Although no networks containing classified information were compromised, they do consider the hacker to be a professional rather than recreational due to the large number of networks he hacked."

That guy kicked the military's a$$

[dirvish]

I know the military is a big target and all but 1 GUY, 100 NETWORKS? Those military network security folks must be pretty lame. Seems like the could have tracked him down a lot sooner if they knew what they were doing.

100 Sites?

[dubious9]

He must have been pretty damn good to evade capture and continue to crack 100 sites. Makes me wonder home they caught him. If you are a professional and can break into 100 US military sites, what's to stop you? I figure if you are good enough to crack 10 or twenty without messing up, they are probably not going to catch you.

Anybody have any good stories of catching elusive hackers, or insights into how they might have got him?

Re:100 Sites?

[Minna+Kirai]

Yeah, and that shows he wasn't a professional, but someone out for fun. A professional cracker would've gotten his data, got out, and collected his paycheck.

Same with the snipers- the police can hardly claim to have beaten them. (the number of bodies they left behind made it a phyrric victory at best). A professional assasin would've killed his target, got out, and collected his paycheck.

So far we can barely defend ourselves from recreation "hackers" and gunmen. If some real terrorist group starts funding some, it will be much much worse.

Punish those responsible...

[Minna+Kirai]

Throw some military sysadmins to a court-martial for dereliction of duty!

Ok, don't be that harsh on them. Scare em a little, then let the go with a warning. But national western militaries cannot continue to run their networks like this. It's dangerously irresponsible.

For a national military to assume they can use police arrests (force of arms) to secure their networks is folly. Armed force only works against attacks that are perpetrated from inside your range of military dominance. For the US that's a big area, but there's still many places where they can neither call in a SWAT team, nor direct an unmanned plane to assasinate the target.

If this fellow had been a professional (earning money from these hacks), then he'd be living in a secret compound provided by his employers in Iraq/Korea/China. True, the internet bandwidth isn't that great there, but a good hacker doesn't need it. He can just compromise some broadband PCs in the US or UK (possibly with the help of an agent on scene- a retailer who sells trojaned machines for instance) and use that to leapfrog to the real targets.

(If this guy was any good, we'll find out that this British suspect was just a patsy)

One big argument against more stringent computer-crime laws in the US is that they permit businesses and the military to postpone installing real network security. Why bother defending yourself, if the FBI just busts the punks for you?

This sets us up for disaster in 20 years, when the economy really needs the internet to survive day-to-day, and China has caught up to our 2005-era connectivity levels. If President Bush the 3rd angers China and they set 200 top computer professionals at making mischief, the damage could be real.

("Vaccinate now! Free Heckenkamp")

Re:Punish those responsible...

[Klaruz]

Court martial military sysadmins? No way. It's not their fault.

Hear me out here. The people running these systems (from my ex-air force perspective) are between kids out of high school (Airmen) and 20-sometings that have been doing military computer stuff since high school (NCOs). All they know is what the military trained them to do. Guess who decides what to train them in? NCOs and Officers. That's for the military people. There are civilians too, usually retired military. They all have to abide by policies set out by the DOD which are something short sited and not very well thought out. They also leave very little room to impliment no ideas and take care of important problems right away.

The best and the brightest who can actually secure a system don't go into the military. When they do, they're ignored because they're 'young' and have no 'experience'. I fell in the later catagory. There's nothing like the feeling of fixing somebody else's screw up (usually a contractor) and 30 minutes later be taking out the trash or doing some other degrading duty. Needless to say I got out and now make alot more money with alot less hassle, have a boss who listens to me (mostly), and can actually advance in the company and my career without having to wait X number of years and take a test on things that have nothing to do with my job.

Anyway, without going off topic. You can't blame these guys, most of them don't have a clue, those with a clue have their hands tied by stupid policies.

If you want to blame somebody, blame the high ranking Officers, they make the policies and the training programs that made this happen. Of course, that would never happen, some poor Airmen or overworked NCO will get railroaded.

Oh well, I'm free and clear now. At least I got a jump start on life and some free college out of the deal.

Watch to see their target...

[Goonie]

The article was vague. Maybe he made a mistake and gave the investigators something that identified him. Equally likely, maybe the infosec guys decided the payoff for letting him continue hacking for a while (firm up the evidence for a conviction, be able to convict him for more serious offences, and most importantly figure out what his motives and techniques were) was more important than having him arrested immediately.

"professional"

[g4dget]

they do consider the hacker to be a professional rather than recreational due to the large number of networks he hacked.

Sleeping with a lot of men/women makes someone a slut; it requires getting paid for it to be considered a professional.

Re:This is not 'hacking'

[Twirlip+of+the+Mists]

They should just scrap the term hacker and call him a terrorist, because thats what breaking into the US millitary is, terrorism.

The term "terrorist" has certainly been overused in the past year or so, but what many people don't realize is that it actually has a strict legal definition. (Well, actually several strict legal definitions, depending on the jurisdiction you're paying attention to at the time.)

Way back in 1937, the League of Nations defined terrorism as, "All criminal acts directed against a State and intended or calculated to create a state of terror in the minds of particular persons or a group of persons or the general public." So under that definition, an act is terrorism only if it's specifically intended to create a state of terror. September 11, yes. This guy, no.

In 1999, the UN defined terrorism this way: "Reiterates that criminal acts intended or calculated to provoke a state of terror in the general public, a group of persons or particular persons for political purposes are in any circumstance unjustifiable, whatever the considerations of a political, philosophical, ideological, racial, ethnic, religious or other nature that may be invoked to justify them." So here to we have the idea that the act must be specifically intended to invoke a feeling of terror. So by that definition, too, this incident is not terrorism.

The USDOD defines terrorism to be, "The calculated use of violence or the threat of violence to inculcate fear; intended to coerce or to intimidate governments or societies in the pursuit of goals that are generally political, religious, or ideological." Once again we have the idea that the act must be calculated to cause fear. If an act merely incidentally causes fear or terror, it's not strictly terrorism.

Since 9/11, laws have sprung up in several US jurisdictions making it a crime to plan, enact, or carry out any act designed to produce a fear response in the population. In fact, the DC sniper suspects are being indicted in Maryland under just such a law. But all of these also have the same basic thread: that the act must have been done with the specific and deliberate intent of causing fear.

So no, what this loser did isn't technically terrorism.

At worst, it could be considered an act of war from the country where the hacker originated against the country that was hacked.

Not really. In order to make the leap from crime to act of war, there has to be an element of direct or indirect state sponsorship. An individual acting on his own to carry out a criminal act-- even a horrible or devastating one-- in another country does not automatically constitute an act of war. But if another government sponsors the act, that's a different story. The basic idea here is that war is a state of armed conflict between nations, not between groups or individuals. Rhetorical shorthand aside, the United States could never be in a state of war against al Qaeda, or against Osama bin Laden personally. The concept of war can't be applied to those sorts of conflicts in any meaningful way.

Re:Kinda OT

[ceejayoz]

You can hardly compare the electronic voting systems to military servers. The military servers are connected to the public internet - the best way of securing a computer is to smash its network card into itty bitty pieces.

The voting machines, on the other hand, aren't connected to the internet - they save the votes onto removable cards (compactflash cards, IIRC) that get taken (under guard) to a location where they're all downloaded and the results determined.

They're two completely different problems.