Slashdot Mirror


US Busts Military Network Hacker

yorgasor writes "KATU has an article announcing that the case of a mysterious hacker who has broken into roughly 100 military networks has been solved. The hacker is a British citizen and authorities were considering extradition for the case. Although no networks containing classified information were compromised, they do consider the hacker to be a professional rather than recreational due to the large number of networks he hacked."

24 of 415 comments

  1. zerg by Lord+Omlette · · Score: 5, Funny

    Huh? Something must have been left out of the blurb. If I wank 100 times a day to porn, does that mean I'm a professional wanker?

    --
    [o]_O
    1. Re:zerg by pyrote · · Score: 5, Funny

      and you said it was the keyboard that gave you Carpal Tunnel.

      --
      THE WORLD IS GOING TO END!!!! eventually.
  2. That guy kicked the military's a$$ by dirvish · · Score: 5, Insightful

    I know the military is a big target and all but 1 GUY, 100 NETWORKS? Those military network security folks must be pretty lame. Seems like they could have tracked him down a lot sooner if they knew what they were doing.

  3. Professional Hacker? by ejunek · · Score: 5, Funny

    Does that come with a 401k plan and a good dental plan? It still probably has a better retirement plan than Enron :P

    1. Re:Professional Hacker? by mr_z_beeblebrox · · Score: 5, Funny

      > Does that come with a 401k plan and a good dental plan? It still probably has a better retirement plan than Enron :P

      Best 401K around, you invest all the 'half cents' that are left over from other transactions.

  4. 100 Sites? by dubious9 · · Score: 5, Insightful

    He must have been pretty damn good to evade capture and continue to crack 100 sites. Makes me wonder how they caught him. If you are a professional and can break into 100 US military sites, what's to stop you? I figure if you are good enough to crack 10 or twenty without messing up, they are probably not going to catch you.

    Anybody have any good stories of catching elusive hackers, or insights into how they might have got him?

    --
    Why, o why must the sky fall when I've learned to fly?
    1. Re:100 Sites? by Minna+Kirai · · Score: 5, Insightful

      Yeah, and that shows he wasn't a professional, but someone out for fun. A professional cracker would've gotten his data, got out, and collected his paycheck.

      Same with the snipers- the police can hardly claim to have beaten them. (the number of bodies they left behind made it a Pyrrhic victory at best). A professional assassin would've killed his target, got out, and collected his paycheck.

      So far we can barely defend ourselves from recreational "hackers" and gunmen. If some real terrorist group starts funding some, it will be much much worse.

    2. Re:100 Sites? by Anonymous Coward · · Score: 5, Informative

      > Anybody have any good stories of catching elusive hackers, or insights into how they might have got him?

      The Cuckoo's Egg by Clifford Stoll is an engaging story of a grad student assigned to track down a 75 cent discrepancy in computing resources. He eventually uncovers a ring of crackers working out of Germany for the KGB.

      Read a review.

    3. Re:100 Sites? by ArmedGeek · · Score: 5, Interesting
      This is the problem with the criminal mentality (unfortunately it sometimes affects us geeks as well). I have worked in law-enforcement in the past and there is something that people who break the law really should understand.
      Just because they haven't come for you, doesn't mean they don't know.
      Generally, law enforcement (usually with organized crime or the white-collar variety) will track a suspect for a while, gathering evidence. You'd be amazed at the truckload of intelligence data amassed during a large narcotics investigation. (I never worked computer crimes).

      The point is, why bust the guy after the first "penetration" so he gets probation? If you feel he's a threat, then you wait, let him continue to add to the charges, then pop him and put him away for a long stretch. They probably "had him" long before they busted him.

      note: anyone cracking US government networks, either has an agenda or is incredibly self-destructive.

      --
      Work is punishment for failing to procrastinate effectively.
  5. This fits here.. by RebelTycoon · · Score: 5, Funny

    All your bases are belong to us...

  6. Punish those responsible... by Minna+Kirai · · Score: 5, Insightful

    Throw some military sysadmins to a court-martial for dereliction of duty!

    Ok, don't be that harsh on them. Scare em a little, then let them go with a warning. But national western militaries cannot continue to run their networks like this. It's dangerously irresponsible.

    For a national military to assume they can use police arrests (force of arms) to secure their networks is folly. Armed force only works against attacks that are perpetrated from inside your range of military dominance. For the US that's a big area, but there's still many places where they can neither call in a SWAT team, nor direct an unmanned plane to assassinate the target.

    If this fellow had been a professional (earning money from these hacks), then he'd be living in a secret compound provided by his employers in Iraq/Korea/China. True, the internet bandwidth isn't that great there, but a good hacker doesn't need it. He can just compromise some broadband PCs in the US or UK (possibly with the help of an agent on scene- a retailer who sells trojaned machines for instance) and use that to leapfrog to the real targets.

    (If this guy was any good, we'll find out that this British suspect was just a patsy)

    One big argument against more stringent computer-crime laws in the US is that they permit businesses and the military to postpone installing real network security. Why bother defending yourself, if the FBI just busts the punks for you?

    This sets us up for disaster in 20 years, when the economy really needs the internet to survive day-to-day, and China has caught up to our 2005-era connectivity levels. If President Bush the 3rd angers China and they set 200 top computer professionals at making mischief, the damage could be real.

    ("Vaccinate now! Free Heckenkamp")

    1. Re:Punish those responsible... by Klaruz · · Score: 5, Insightful

      Court martial military sysadmins? No way. It's not their fault.

      Hear me out here. The people running these systems (from my ex-air force perspective) are between kids out of high school (Airmen) and 20-somethings that have been doing military computer stuff since high school (NCOs). All they know is what the military trained them to do. Guess who decides what to train them in? NCOs and Officers. That's for the military people. There are civilians too, usually retired military. They all have to abide by policies set out by the DOD which are something short-sighted and not very well thought out. They also leave very little room to implement new ideas and take care of important problems right away.

      The best and the brightest who can actually secure a system don't go into the military. When they do, they're ignored because they're 'young' and have no 'experience'. I fell in the latter category. There's nothing like the feeling of fixing somebody else's screw up (usually a contractor) and 30 minutes later be taking out the trash or doing some other degrading duty. Needless to say I got out and now make a lot more money with a lot less hassle, have a boss who listens to me (mostly), and can actually advance in the company and my career without having to wait X number of years and take a test on things that have nothing to do with my job.

      Anyway, without going off topic. You can't blame these guys, most of them don't have a clue, those with a clue have their hands tied by stupid policies.

      If you want to blame somebody, blame the high ranking Officers, they make the policies and the training programs that made this happen. Of course, that would never happen, some poor Airmen or overworked NCO will get railroaded.

      Oh well, I'm free and clear now. At least I got a jump start on life and some free college out of the deal.

  7. Kinda OT by teamhasnoi · · Score: 5, Interesting
    When someone can bust into ONE HUNDRED MILITARY SITES and only get caught on the 101st, it makes me really doubt the 'security' of our electronic voting systems which are:

    Closed Source
    Admin'd by a Private Business
    Secured by Microsoft
    Run by volunteers at each polling place.

    Kinda makes you wonder if you really did/will vote, eh?

    If this guy does get extradited to the US, I bet he'll be working for someone in a five-sided building real soon.

    1. Re:Kinda OT by wadetemp · · Score: 5, Funny

      Damn. You're right. I knew I shouldn't have given my ballot to that bearded guy carrying the 80s-era Soviet anti-tank missile launcher.

    2. Re:Kinda OT by ceejayoz · · Score: 5, Insightful

      You can hardly compare the electronic voting systems to military servers. The military servers are connected to the public internet - the best way of securing a computer is to smash its network card into itty bitty pieces.

      The voting machines, on the other hand, aren't connected to the internet - they save the votes onto removable cards (compactflash cards, IIRC) that get taken (under guard) to a location where they're all downloaded and the results determined.

      They're two completely different problems.

  8. Watch to see their target... by Goonie · · Score: 5, Insightful

    The article was vague. Maybe he made a mistake and gave the investigators something that identified him. Equally likely, maybe the infosec guys decided the payoff for letting him continue hacking for a while (firm up the evidence for a conviction, be able to convict him for more serious offences, and most importantly figure out what his motives and techniques were) was more important than having him arrested immediately.

    --

    Any sufficiently advanced technology is indistinguishable from a rigged demo
    --Andy Finkel (J. Klass?)
  9. Re:This is not 'hacking' by lpontiac · · Score: 5, Informative
    > that's what breaking into the US military is, terrorism

    No, it isn't. Terrorism is the use of violence and/or threats to frighten a civilian population, to coerce or punish them.

  10. Re:This is not 'hacking' by njchick · · Score: 5, Funny

    So, a guy from Iran who breaks into just one military computer is a recreational terrorist, right?

  11. hmmm. by _ph1ux_ · · Score: 5, Interesting

    military cyber-guards.

    I was watching this discovery channel documentary and there was this military type, jar-head cyber guard guy. He was standing there talking about how they monitor all the traffic on their networks, and keep a close eye out for any signatures of attack.

    He was stressing how secret they keep all their information about their networks - that they don't let anyone know even their IP sets assigned to different networks, and that this information could help an attacker find out the machines they would need to attack.

    The whole time he was talking about this - he was standing in front of a bunch of monitors, and the ones to the left of him were scrolling some sort of log and it was showing IPs to hostname mappings and some traceroutes as well. They were all in the really low IPs - and their hostnames were all .mil and *all* of it was easily readable by the viewer....

    and I do not think it was something that was done on purpose and made to look like an accident. Not by the way these people were acting.

    especially since they avoided filming any of the screens that people were working on.

    So I am not too surprised.

  12. "professional" by g4dget · · Score: 5, Insightful
    > they do consider the hacker to be a professional rather than recreational due to the large number of networks he hacked.

    Sleeping with a lot of men/women makes someone a slut; it requires getting paid for it to be considered a professional.

  13. Re:This is not 'hacking' by Twirlip+of+the+Mists · · Score: 5, Insightful

    > They should just scrap the term hacker and call him a terrorist, because that's what breaking into the US military is, terrorism.

    The term "terrorist" has certainly been overused in the past year or so, but what many people don't realize is that it actually has a strict legal definition. (Well, actually several strict legal definitions, depending on the jurisdiction you're paying attention to at the time.)

    Way back in 1937, the League of Nations defined terrorism as, "All criminal acts directed against a State and intended or calculated to create a state of terror in the minds of particular persons or a group of persons or the general public." So under that definition, an act is terrorism only if it's specifically intended to create a state of terror. September 11, yes. This guy, no.

    In 1999, the UN defined terrorism this way: "Reiterates that criminal acts intended or calculated to provoke a state of terror in the general public, a group of persons or particular persons for political purposes are in any circumstance unjustifiable, whatever the considerations of a political, philosophical, ideological, racial, ethnic, religious or other nature that may be invoked to justify them." So here too we have the idea that the act must be specifically intended to invoke a feeling of terror. So by that definition, too, this incident is not terrorism.

    The USDOD defines terrorism to be, "The calculated use of violence or the threat of violence to inculcate fear; intended to coerce or to intimidate governments or societies in the pursuit of goals that are generally political, religious, or ideological." Once again we have the idea that the act must be calculated to cause fear. If an act merely incidentally causes fear or terror, it's not strictly terrorism.

    Since 9/11, laws have sprung up in several US jurisdictions making it a crime to plan, enact, or carry out any act designed to produce a fear response in the population. In fact, the DC sniper suspects are being indicted in Maryland under just such a law. But all of these also have the same basic thread: that the act must have been done with the specific and deliberate intent of causing fear.

    So no, what this loser did isn't technically terrorism.

    > At worst, it could be considered an act of war from the country where the hacker originated against the country that was hacked.

    Not really. In order to make the leap from crime to act of war, there has to be an element of direct or indirect state sponsorship. An individual acting on his own to carry out a criminal act-- even a horrible or devastating one-- in another country does not automatically constitute an act of war. But if another government sponsors the act, that's a different story. The basic idea here is that war is a state of armed conflict between nations, not between groups or individuals. Rhetorical shorthand aside, the United States could never be in a state of war against al Qaeda, or against Osama bin Laden personally. The concept of war can't be applied to those sorts of conflicts in any meaningful way.

    --

    I write in my journal
  14. If you do it a lot, you're a "professional" by Jeremiah+Blatz · · Score: 5, Funny

    Hrm, "they do consider the hacker to be a professional rather than recreational due to the large number of networks he hacked."

    Wow, I guess I'm a professional /. reader? This is so cool! I thought I was unemployed, but no, here I am, practicing my profession *right now!* Rawk!

  15. Re:This is not 'hacking' by Anonymous Coward · · Score: 5, Interesting

    > They should just scrap the term hacker and call him a terrorist, because that's what breaking into the US military is, terrorism.

    No, it is not. Terrorism is the use of terror tactics against a civilian population (which presumably isn't able to defend itself). Attacking military targets is perfectly legitimate acts of guerilla warfare, and the perpetrators of such are entitled to be treated as prisoners of war, and not this "enemy combatant" category that Bush invented.

    So:
    * attacking that supertanker the other month - terrorism.
    * ramming the Cole - legit.
    * blowing up the WTC - terrorism.
    * blowing up the Pentagon - legit.
    * shooting off-duty US marines in Yemen - legit.
    * hacking military bases - legit act of war, or civil crime. Definitely not terrorism.
    * dropping a 2000 pound bomb on a wedding party - a regrettable accident.

    Essentially, any act against a government office or military base would be a legitimate act of war.

  16. Re:British Hacker ... by Anonymous Coward · · Score: 5, Funny

    Over 100 before he was caught out. That's better than the entire England cricket team...