Free Republic

Dot-Mil Hacker's Download Mistake
Wired ^ | Nov. 15, 2002 | Brian McWilliams

Posted on 11/15/2002 5:56:50 AM PST by stainlessbanner

Edited on 06/29/2004 7:09:31 PM PDT by Jim Robinson.

Gary McKinnon, the Briton indicted this week for hacking into scores of U.S. military computers, left behind few clues on the compromised systems of his victims. But download log files from a Wisconsin software firm may have led investigators straight to his London door.


(Excerpt) Read more at wired.com ...


TOPICS: Crime/Corruption; Culture/Society; Front Page News
KEYWORDS: hacker; mil

1 posted on 11/15/2002 5:56:50 AM PST by stainlessbanner

To: rdb3
ping!
2 posted on 11/15/2002 5:57:30 AM PST by stainlessbanner

To: stainlessbanner
Hacked from across the big pond. I wish the writer of the piece had included more info, like what he was using (although I have my own ideas on that).

Do you know what the military systems are running?

No mercy.
Coming soon: Tha SYNDICATE.
101 things that the Mozilla browser can do that Internet Explorer cannot.

3 posted on 11/15/2002 6:02:47 AM PST by rdb3

To: rdb3; Bush2000
Looks like it's for Windoze:

A powerful remote access solution for Windows XP/2000/NT and Windows 98/ME http://www.remotelyanywhere.com/.

Obligatory bump to linux-hater Bush2000.

4 posted on 11/15/2002 6:08:00 AM PST by coloradan

To: stainlessbanner
Szopinski said McKinnon likely obtained a "crack" or illegal license key to unlock copies of RemotelyAnywhere and place them on numerous computers.

Note to self: make sure that software used to break into other machines is properly licensed and paid for.

5 posted on 11/15/2002 6:22:13 AM PST by general_re

To: coloradan
A powerful remote access solution for Windows

It sure was for this hacker!

6 posted on 11/15/2002 6:23:34 AM PST by stainlessbanner

From Slashdot newsgroups:
"...the reason this guy didn't get into any classified information is because the military doesn't store classified information on the NIPRNet, that is, Unclassified but sensitive Internet Protocol Router Network. This NIPRNet is the Internet that DARPA originally developed and that everyone here uses today. Classified information is transmitted only along a SIPRNet, or Secret Internet Protocol Router Network, which is not actually connected to the public Internet.

Releasing or altering classified information would almost certainly require physical access to one of the computers that's already linked to the military SIPRNet. If the rest of the computers across the military are protected in similar fashion to the ones where I work--behind a foot-thick wall of steel with armed guards stationed at the entrances--I feel pretty good about the security of our classified information networks."


7 posted on 11/15/2002 6:27:16 AM PST by stainlessbanner

To: rdb3
Sounds like the sys admins at the target site left some screen doors open. I'm a recovering computer luddite, and even I know that there are programs that can monitor installed programs and control their network activity. I run ZoneAlarm on my Win 98 machine at home. I know it just improves my illusion of security, but it did alert me to the fact that my ISP was regularly sending me PCAnywhere pings. It also tells me that it controls network access of installed programs although I don't fully believe that. The fact that I am aware of these things tells me that security was pretty lax at the targets.

As an aside, I wish I had skipped reading most of what I've read about Linux. After weenying around for about a year, I finally bought Redhat Linux. What a snap it's been to install and use.

8 posted on 11/15/2002 6:31:15 AM PST by Jack of all Trades

To: Jack of all Trades
Sounds like the sys admins at the target site left some screen doors open.

It was probably an unpatched version of IIS. Remember the CodeRed worm? All you would have to do is look at your own webserver log to get a list of servers that had been compromised. After that, it would have been a trivial exercise.

Or, you could have modified a copy of the worm to target a specific IP address range. Your probes would have been lost among all the other unwitting participants.

I run ZoneAlarm on my Win 98 machine at home. I know it just improves my illusion of security, but it did alert me to the fact that my ISP was regularly sending me PCAnywhere pings.

Are you using dialup or cablemodem/DSL? If it is the latter, invest about $80 in a dedicated firewall/router from someone like Linksys. I have Win2K, WinXP and Linux systems, but all of them are behind a firewall.

9 posted on 11/15/2002 7:50:58 AM PST by justlurking

To: justlurking
Thanks for the suggestions. That's just what I did. It was Worldcom that was pinging me. It was quite frustrating to get them to stop. I've since switched to cable. My trusty Linksys router sits between me and the outside world. Reviewing the access logs has helped me keep track of things since the switch.
10 posted on 11/15/2002 8:06:11 AM PST by Jack of all Trades

To: stainlessbanner
correct.
11 posted on 11/15/2002 9:23:29 AM PST by sauropod

To: Jack of all Trades
It was Worldcom that was pinging me. It was quite frustrating to get them to stop.

Was it actually a WorldCom server? If so, it could have been one of two things: One of their own systems had PC Anywhere and was misconfigured. Or, they had actually written something to search for unsecured PC Anywhere ports so they could warn/notify their subscribers.

The other possibility was that it wasn't Worldcom at all: it was just another subscriber. Unless they have their DNS servers configured so that reverse lookup tells you something useful, it's hard to tell.

12 posted on 11/15/2002 9:27:57 AM PST by justlurking

To: justlurking
They told me they had one or more computers at an office near me running PCanywhere, and that they were misconfigured.
13 posted on 11/15/2002 9:33:42 AM PST by Jack of all Trades

To: Jack of all Trades
They told me they had one or more computers at an office near me running PCanywhere, and that they were misconfigured.

Wow, that means they probably also had a security hole the size of a Mack truck. If I remember right, the default configuration of PC Anywhere was either completely open or any security was easily cracked.

14 posted on 11/15/2002 10:30:13 AM PST by justlurking

Comment #15 Removed by Moderator
