Gary McKinnon, the Briton indicted this week for hacking into scores of U.S. military computers, left behind few clues on the compromised systems of his victims. But download log files from a Wisconsin software firm may have led investigators straight to his London door.

In an apparent effort to avoid detection, McKinnon, 36, installed copies of a commercial remote-access utility called RemotelyAnywhere on Navy and other military systems he allegedly hacked last year.

The unusual strategy almost worked. Unlike underground "backdoor" utilities like NetBus or Back Orifice, the popular RemotelyAnywhere program doesn't trigger antivirus software. For nearly a year, McKinnon was able to control a vast network of defense computers without detection, authorities said.

But McKinnon's choice of RemotelyAnywhere ultimately may have been his undoing.

Using a personal computer connected to an ISP in England, McKinnon downloaded a trial copy of RemotelyAnywhere in March 2001 from a server maintained by Binary Research, the Milwaukee-based distributor of RemotelyAnywhere. To obtain a special code to unlock the demonstration software, McKinnon also provided his girlfriend's e-mail address, Binary officials said.

The Internet protocol address left in Binary's server log files from McKinnon's download, along with the e-mail address, gave investigators two "very critical" pieces of evidence, said Binary vice president Jim Szopinski.

"Not only were his fingerprints on military computers, they were on ours as well," said Szopinski, who also noted in an affidavit that the version of RemotelyAnywhere McKinnon downloaded matched the one installed on the hacked military systems.

This week McKinnon, an unemployed system administrator, was indicted in federal courts in Virginia and New Jersey on eight counts of computer crimes.

New Jersey Assistant U.S. Attorney Scott Christie said he was unable to comment on the evidence that led investigators to McKinnon, citing grand-jury restrictions.

Szopinski said McKinnon likely obtained a "crack" or illegal license key to unlock copies of RemotelyAnywhere and place them on numerous computers. Once installed on a Windows system, RemotelyAnywhere allows remote users to access files and control a computer through a Web browser.

Although investigators said the indicted hacker used the nickname "Solo" when online, according to Christie there was "no evidence" to show that he was the same hacker who took credit for defacing several high-profile sites in the late 1990s, including an Air Force site.

Chris McNab, a security analyst who uses the online handle "So1o" and is currently technical director for Matta Security, a London-based consulting firm, said in a telephone interview that he was not aware someone else was using his nickname until McKinnon's indictment.

"This guy is able to use whatever alias he wants. But the fun and games I used to have under that handle was almost four years ago," said McNab.

Authorities are seeking the extradition of McKinnon, who is not currently in police custody, Christie said. McKinnon faces on each count a maximum sentence of 10 years in prison and a $250,000 fine.

Szopinski said U.K. authorities told him that McKinnon did not appear to be linked to terrorists. Instead, investigators characterized the hacker as "a conspiracy theorist" who "seemed to think that the government was controlling all sorts of things," Szopinski said.

The link for this article located at WiredNews is no longer available.