News & Current Affairs

August 28, 2008

Hacker loses extradition appeal

Gary McKinnon could face a long prison sentence

A Briton accused of hacking into secret military computers has lost his appeal against extradition to the US.

Glasgow-born Gary McKinnon was said to be “distraught” after losing the appeal to the European Court of Human Rights. He faces extradition within two weeks.

The unemployed man could face life in jail if convicted of accessing 97 US military and Nasa computers.

The 42-year-old admitted breaking into the computers from his London home but said he sought information on UFOs.

Mr McKinnon asked the European Court of Human Rights in Strasbourg to delay his extradition pending a full appeal to the court, but his application was refused.

He claimed the extradition would breach his human rights.

‘Absolutely devastated’

His solicitor Karen Todner said this had been her client’s “last chance” and appealed to Home Secretary Jacqui Smith to intervene.

“He is absolutely devastated by the decision,” she said. “He and his family are distraught.

“They are completely beside themselves. He is terrified by the prospect of going to America.”

She added Mr McKinnon had recently been diagnosed with Asperger syndrome and would ask for the case to be tried in this country.

“The offences for which our client’s extradition is sought were committed on British soil and we maintain that any prosecution ought to be carried out by the appropriate British authorities,” she added.

“Our client now faces the prospect of prosecution and imprisonment thousands of miles away from his family in a country in which he has never set foot.”

Mr McKinnon, from Wood Green, north London, was arrested in 2002 but never charged in the UK.

He first lost his case at the High Court in 2006 before taking it to the highest court in the UK, the House of Lords.

Computer nerd

The US government claims he committed a malicious crime – the biggest military computer hack ever.

The authorities have warned that without his co-operation and a guilty plea the case could be treated as terrorism and he could face a long jail sentence.

The former systems analyst is accused of hacking into the computers with the intention of intimidating the US government.

The US government alleges that between February 2001 and March 2002, he hacked into dozens of US Army, Navy, Air Force, and Department of Defense computers, as well as 16 Nasa computers.

Prosecutors say he altered and deleted files at a naval air station not long after the 11 September attacks in 2001, rendering critical systems inoperable.

However, Mr McKinnon has said his motives were harmless and innocent. He denies any attempts at sabotage.

He said he wanted to find evidence of UFOs he thought was being held by the US authorities, and to expose what he believed was a cover-up.

August 7, 2008

Net address bug worse than feared

Courtesy BBC

Attackers could use the loophole to redirect web users to fake sites

A recently found flaw in the internet’s addressing system is worse than first feared, says the man who found it.

Dan Kaminsky made his comments when speaking publicly for the first time about his discovery at the Black Hat conference in Las Vegas.

He said fixes for the flaw in the net’s Domain Name System (DNS) had focused on web browsers but it could be abused by hackers in many other ways.

“Every network is at risk,” he said. “That’s what this flaw has shown.”

The DNS acts as the internet’s address book and helps computers translate the website names people prefer (such as bbc.co.uk) into the numbers computers use (212.58.224.131).

Mr Kaminsky discovered a way for malicious hackers to hijack DNS and re-direct people to fake pages even if they typed in the correct address for a website.

In his talk Mr Kaminsky detailed 15 other ways for the flaw to be exploited.

Via the flaw, hi-tech criminals or pranksters could target FTP services, mail servers, spam filters, Telnet and the Secure Socket Layer (SSL) that helps to make web-based transactions more secure.

“There are a ton of different paths that lead to doom,” he said.

‘Hype’

But the DNS threat was played down by net giant VeriSign which issues many of the security certificates used in SSL. It told BBC News its system was “not vulnerable”.

The Silicon Valley company looks after two of the net’s 13 DNS root servers. It also controls the computers that contain the master list of domain name suffixes such as .com and .net.

Ken Silva, CTO VeriSign

“If there is a silver lining in all of this, it’s that users will become more aware and more conscious of who they do business with.”

Ken Silva, chief technology officer at Verisign, said: “We have anticipated these flaws in DNS for many years and we have basically engineered around them.”

He believed there had been “some hype” around how the DNS flaw will affect consumers. He added that while it was an interesting way to exploit DNS on weak servers, there were other ways to misdirect people that remained.

Mr Silva said he was concerned that people would read too much into the doom and gloom headlines that have surrounded the discovery of the DNS flaw.

“It’s been overplayed in a sense. I think it has served to confuse the consumer into believing there is somehow now a way to misdirect them to a wrong site.

“The fact of the matter is that there have been many ways like phishing attacks to misdirect them for a long time and this is just yet another of those ways that will be surgically exploited.”

Security gap

Mr Kaminsky kept news of the flaw out of the public domain for months after its discovery to give companies time to patch servers.

Mr Kaminsky said that 75% of Fortune 500 companies have fixed the problem while around 15% have done nothing.

Major vendors like Microsoft, Cisco, Sun Microsystems and others have issued patches to close the security hole.

“The industry has rallied like we’ve never seen the industry rally before,” said Mr Kaminsky.

Computer users need to be educated to surf the superhighway more safely

DNS attacks are not new but Mr Kaminsky is credited with discovering a way to link some widely known weaknesses in the system so that the attack now takes seconds instead of days or hours.

“Quite frankly, all the pieces of this have been staring us in the face for decades,” said Paul Vixie, president of the Internet Systems Consortium, a non-profit that makes the software run by many of the world’s DNS servers.

Mr Silva at VeriSign said even though patches have been put in place, this doesn’t mean users can sit back and relax.

“The biggest gap in security rests between the keyboard and the back of the chair,” he said.

“The look and feel of a website is not what a consumer should trust. They should trust the security behind that website and do simple things like use more secure passwords and change their password regularly.”

Mr Silva said education is fundamental in making the net a safer place.

“We have been trained since we were young to lock the door to our house, our car. We take these sensible security measures in the environment we are functioning in.

“Yet when it comes to computer safety we forget to look both ways before crossing the internet highway.”
