A Blast from the Past – Gary and the Egg
There would seem to be a suggested lack of understanding as to how the sources of Cyber Crime flourish. This is linked to a suggested lack of appreciation of what should be considered 'adequate' levels of Corporate Responsibility for securing the operational enterprise and other associated deployments, which may be causing a rift in the mission to deploy appropriate physical, procedural and, above all, logical defences.
Here I would focus on the actions of Mr Gary McKinnon, who is accused of attacking and hacking into a number of US Government systems. First of all, and to clarify the observation, what was done here was illegal and reckless. However, in this case, there was also an element of arrogance, seeking out notoriety for the actions, as the attacker left commentary, supplying some form of Cyber Digital Footprint and making detection a little easier. So, as most sound-minded, reasonable people would agree, based on the presented facts and the collected artifacts, an offence would seem to have been committed by McKinnon.
To consider the position of Corporate and Government Responsibility, one should ask the question: just how secure were the attacked systems and servers? First of all, given they were pointing at, and accessible from, the Internet, in pure risk terms these were in the higher-end risk category. Secondly, given the reachable systems were, as we are led to believe, hosting ‘Official’ information, one would expect the associated risk to have been elevated. On this basis, would it not be a valid expectation that the Administrators of such systems would have applied the necessary steps to secure these devices from hackers and any other casual opportunist? Above all, should it not be a valid expectation that International Governments are patching and securing their assets against ease of compromise and attack? One would hope so. As perverse and unpalatable as it may seem, whilst McKinnon did wrong, some good came out of his actions.
Now, based on that controversial opinion, let us consider the alternatives. First of all, should we accept that international governments and intelligence agencies are actively engaged in seeking out vulnerable targets on the Internet? Based on the Titan Rain attacks, in which Chinese hackers targeted UK and US government agencies, one could argue yes! Secondly, should we anticipate that the Internet will subject them to regular and sustained attacks from hackers and cybercriminals? Again, based on current press coverage and statistics provided by reputable organisations, the answer would seem to be yes. So it may be concluded that the overall risk for any web-facing assets, let alone government systems, would be high.
Going back to the miscreant activities of Mr McKinnon, when compared to, say, a government-sponsored or cybercriminal attack, in his case there was an addition to his own modus operandi that included leaving comments and remarks alluding to the model of RTFM! It is here where McKinnon’s practices differ from those of the professional government-sponsored attacker or cybercriminal. In their case they would just seek out access to exposed resources, then read, copy, and/or change them where they are afforded the appropriate levels of system privilege. Unlike McKinnon, they would slip away leaving only a minimal footprint of activities, if any at all.
Some years ago, based on a real-life example of international spying and cybercriminal activities, Cliff Stoll wrote The Cuckoo's Egg, which documented attacks against government systems and outlined the methodologies that were used. Here one is left wondering, has anything been learned after all this time?
As a final observation, one may enquire: were the systems discovered by McKinnon a one-off, chance find, with all others being subject to appropriate levels of security, including up-to-date patch and fix? Or do other such insecure systems exist, which could have been compromised by hackers or, for that matter, are still being compromised with more covert practices? The real conclusion may be this: if corporate and government responsibilities are lacking, which manifests in insecure systems being deployed into operational areas, does this not also amount to a culpable offence?