A British man who allegedly hacked into US military and Nasa computer networks has been arrested, say Scotland Yard.
Gary McKinnon, 39, of Wood Green, north London, faces extradition proceedings over claims he hacked into 53 military and Nasa computers in 2001 and 2002.
The US government believe tracking and correcting the alleged problems has cost around $1m (£570,000).
He is accused of then deleting around 1,300 user accounts.
The indictment alleged Mr McKinnon also “deleted critical system files” on the computer, copied a file containing usernames and encrypted passwords for the computer, in addition to installing tools to gain unauthorised access to other computers.
At the time of the indictment, Paul McNulty, the US Attorney for the Eastern District of Virginia, said: “Mr McKinnon is charged with the biggest military computer hack of all time.”
Biggest? Really? So a rootkit and rm /etc/shadow is bigger than the one about a guy from East Germany breaking into MITRE and other places and trying to sell secrets to the Russians during the Cold War is significantly smaller?
Or is this a matter of the US Army lawyers cranking up the numbers to aid the case?
That’s one of the perennial problems with hacking cases – just like ROI of security itself, the monetary cost of an intrusion is meaningless to measure. It can be as small or as large a you want to make it. Do you add-in the salary time of systems administrators who are repairing the damage? The salary time whilst they restore from backups? The cost of consultants? The cost (and this is often the big one) of service downtime whilst you find out where the mice have gotten-into, what they have nibbled and upon what they have widdled?
I have an intuitive feeling for how you should measure the cost of an intrusion, though I am sure many will argue with me, and being as I am writing this at 0659am my summary here is far from likely to be cogent.
My short, assumption-laden version is:
The systems administrators would be employed by you anyway, playing Quake, rebooting windows boxes and feeding and watering the mailserver, so you can’t add their salary as part of the costs of a hacker intrusion.
You also can’t add the costs of chasing-down the hacker yourself, because (a) that’s not your job and (b) it’s a cost which your own incompetence can inflate; after all, when you are burgled your insurance claim won’t include the cost of police time (hey – there’s an idea, Police Time Chargeback, that’s a new one, someone should suggest it to Charles Clarke).
Likewise you can’t add the costs of retreiving virgin data from secure storage, or other logistical stuff that is at your own discretion; it was your choice to do it that way, and it would be the same disaster-recovery overhead if a datacentre got soaked by burst air-conditioning drainage.
Measurable costs which I would permit:
- Cost of Service Outage.
- Cost of Security Auditors to check that you’re good to go before return to service.
- That’s all. By and large I think that’s all which constitutes the actual cost of an intrusion, regardless of what actuaries might say.
…and no, you can’t bill the hacker for the cost of learning about security and re-architecting your system. You should have learned beforehand.
Ooh – maybe the US Army do have a sense of restraint:
A loss of over $5,000 (£2,725) to the Army stemmed from the alleged damage, according to the indictment.
…which is a far more reasonable cost figure than their other statement. Oh. Aha. So that’s what they are trying to pull, is it?
IT COST US ONE MILLION DOLLARS TO TRACK HIM DOWN. IT IS THE BIGGEST MILITARY COMPUTER HACK OF ALL TIME. Please ignore the fact that it only cost us 5000 bucks and give us a conviction so we can pay our lawyers and have someone to hang out to dry and so we don’t get asked too many embarrassing questions.