What Security Teams Can Learn From McKinnon

The case still teaches basic lessons about passwords, access control, monitoring, and the danger of exposed systems.


Introduction

The McKinnon case is still useful for cybersecurity teams because it shows how damaging an intrusion can become when basic controls are missing: weak or blank passwords, poorly governed remote access, limited monitoring, and exposed legacy systems. Gary McKinnon’s stated motive was a search for UFO-related material, but the operational lesson is more ordinary and more durable. US prosecutors alleged that, between 2001 and 2002, he accessed and damaged dozens of US military and NASA computers; UK court records later described the use of remote-administration software and concealment tools after access had been gained. [Department of Justice]

For security teams, the case is not mainly a story about unusual hacking skill. It is a reminder that attackers often succeed by finding neglected systems, permissive accounts and administrative tools that behave exactly as designed. The practical lesson is that “basic” security controls are not low priority. They are the layer that stops curiosity, opportunism or ideology from becoming a serious incident.

Why the McKinnon case remains a security lesson

McKinnon became famous because of the UFO motive he described in interviews, but the cybersecurity value of the case lies in the gap between the sensitivity of the target environment and the apparent simplicity of some of the access paths. The US Department of Justice said the affected systems included computers belonging to the Army, Navy, Air Force, Department of Defense and NASA, as well as private businesses. [Department of Justice]

That matters because high-value environments are often assumed to be protected by high-end technology. The McKinnon case shows why that assumption is unsafe. A sensitive system can still be exposed by ordinary administrative mistakes: default credentials, poorly segmented networks, remote tools left reachable, and logs that are either not watched or not protected well enough.

The case also illustrates a common cultural failure. Organisations may treat weak password hygiene or forgotten machines as housekeeping issues, while attackers treat them as entry points. McKinnon’s own public accounts and later commentary repeatedly point to weak or blank administrator passwords as part of the access story; even where such accounts are retrospective and partly self-reported, they align with a broader lesson now formalised in modern guidance: default passwords and weak administrative credentials are not minor defects. [Schneier on Security; Tarr Daniel]

Weak password hygiene: the obvious failure that still matters

The clearest security lesson is that passwords are infrastructure. If administrator passwords are blank, shared, default, predictable or reused across large deployments, a single mistake can become a fleet-wide exposure.

One account attributed to McKinnon describes a network image being deployed with a blank administrator password, leaving thousands of machines with the same weakness. That specific claim is difficult to independently verify from public technical evidence, but it is a credible example of the class of failure the case is remembered for: copying an insecure configuration at scale. [Tarr Daniel]

Modern guidance has moved in the same direction. CISA’s secure-by-design guidance explicitly tells technology manufacturers to eliminate default passwords, because default credentials continue to be implicated in attacks. NCSC password guidance similarly frames password policy as a system-owner responsibility, not just a user-behaviour problem. [CISA]

For implementation, the McKinnon lesson is not simply “make passwords stronger”. It is more precise:

  • Remove default and blank credentials before deployment. A system should not enter production with a known, shared or empty administrator password.
  • Protect privileged accounts differently from ordinary accounts. Administrative access should require stronger controls, such as multi-factor authentication, device checks, restricted locations and session logging.
  • Avoid cloning insecure images. Golden images, templates and automated builds should be security-tested before they are reused across an estate.
  • Use technical controls, not hope. Block common passwords, rate-limit guessing, monitor failed logins and remove stale accounts.

This is where the case remains current. The technology has changed since 2001, but the failure mode has not. A cloud tenant, remote desktop gateway, VPN appliance or software-as-a-service admin console can reproduce the same pattern if deployment speed outruns credential governance.
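The “cloned insecure image” and “blank administrator password” failures above can be caught before deployment by auditing the password fields of every privileged account across a fleet. The following is an added example, not code from the article or any cited source; the host names and shadow-format lines are constructed sample data, and the check assumes Linux /etc/shadow formatting.

```python
"""Audit privileged-account password fields across several hosts.

Added example (not from the article). It looks for the two failure
classes the article describes: a blank password field, and the same
salted hash copied to many machines, which is what an insecure golden
image produces. Host names and shadow lines are constructed samples.
"""
from collections import defaultdict

# Constructed sample: shadow-format lines for privileged accounts, per host.
# Format: name:password:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = {
    "ws-001": [
        "root:$6$abc123$h4sh0ne:19000:0:99999:7:::",
        "localadmin::19000:0:99999:7:::",               # blank password field
    ],
    "ws-002": [
        "root:$6$abc123$h4sh0ne:19000:0:99999:7:::",    # same salt+hash: cloned
        "localadmin::19000:0:99999:7:::",
    ],
    "ws-003": [
        "root:$6$zz9$differentHash:19200:0:99999:7:::",
        "localadmin:!:19000:0:99999:7:::",              # locked: acceptable
        "backup:*:19000:0:99999:7:::",                  # no password login: acceptable
    ],
}


def parse_shadow(lines):
    """Yield (account, password_field) from shadow-format lines."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        yield fields[0], fields[1]


def audit_shadow(host_lines, min_hosts=2):
    """Return sorted findings: blank password fields and hashes shared across hosts.

    A salted hash that is byte-identical on several hosts means the file was
    copied, not that two administrators chose the same password; hosts that
    reuse a password with different salts are NOT detected by this check.
    """
    findings = []
    hash_hosts = defaultdict(set)  # (account, hash) -> hosts where it appears
    for host, lines in host_lines.items():
        for account, pw in parse_shadow(lines):
            if pw == "":
                findings.append(("blank_password", host, account))
            elif pw.startswith(("!", "*")):
                continue  # locked or password login disabled: fine
            else:
                hash_hosts[(account, pw)].add(host)
    for (account, _pw), hosts in hash_hosts.items():
        if len(hosts) >= min_hosts:
            findings.append(("shared_hash", ",".join(sorted(hosts)), account))
    return sorted(findings)


if __name__ == "__main__":
    for kind, where, account in audit_shadow(SAMPLE_SHADOW):
        print(f"{kind:15} {account:12} {where}")
```

Run the same check against images and templates before they are cloned, since a finding on the golden image becomes a finding on every machine built from it.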


Access control: remote administration needs ownership

UK Law Lords’ records described McKinnon as installing “Remotely Anywhere”, remote-access and administrative software that allegedly allowed access and alteration of data while masquerading as a Windows operating system process. That detail is one of the most important technical lessons in the case: remote administration tools are dual-use. They are legitimate when authorised, inventoried and monitored; they are dangerous when unmanaged. [UK Parliament]

This is not an outdated concern. CISA’s guide to securing remote access software treats remote administration and remote monitoring tools as a specific risk area because they can provide broad access into an organisation. CISA has also warned about malicious use of remote monitoring and management tools, including the need to audit which tools are present and authorised. [CISA]

The practical lesson is that security teams should govern remote access as a privileged service, not as a convenience feature. That means knowing which tools are installed, who can use them, what they can reach, and how their sessions are recorded.

A good control set would include:

  • an approved list of remote-access tools; [cisa.gov]
  • alerts for newly installed or unauthorised remote-control software;
  • multi-factor authentication for remote administration;
  • network segmentation so one compromised workstation cannot become a bridge into sensitive systems;
  • time-limited privileged access rather than permanent administrator rights;
  • central logging of remote sessions and administrative actions.

The McKinnon case is a useful warning because the alleged post-access behaviour was not exotic. Installing remote tools, returning later, moving between machines and hiding activity are familiar intrusion patterns. The defence is not only better perimeter security; it is better control over what happens after an account or machine is compromised.

Monitoring and intrusion response: detection must be usable during the incident

Another lesson from the case is that organisations need monitoring that can answer practical questions quickly: Which account was used? Which systems were touched? What software was installed? What files were changed? Did the intruder move laterally? Which logs can still be trusted?

The DOJ alleged that McKinnon accessed and damaged many systems over roughly a year, while court and media accounts described disruption, copied credentials and deleted or altered material. [Department of Justice] The exact disputed details of loss and damage belong to the legal history, but the operational point is simpler: long-running intrusion claims expose the weakness of reactive security. Finding out after the fact is much worse than spotting abnormal access early.

NCSC guidance says logging and monitoring help identify patterns of activity and indicators of compromise, and that logs help establish the source and extent of compromise during incidents. Its “10 Steps” logging guidance adds several practical requirements that map directly onto the McKinnon lessons: logs should be available for analysis, retained long enough, centralised where useful, checked to ensure they are still being captured, and protected from tampering. [National Cyber Security Centre]

That last point is especially important. If an intruder can alter local logs, uninstall monitoring agents or blend remote software into normal administration, the organisation loses its timeline. The response team then has to rebuild events from fragments rather than act from reliable evidence.

The practical response model is:

  1. Detect abnormal authentication. Watch for logins at unusual times, from unusual locations, to unusual systems, especially with administrator accounts.
  2. Detect administrative tooling. Alert when remote-control software appears where it is not expected.
  3. Preserve evidence. Forward logs to a protected central system so a compromised endpoint cannot erase the whole record.
  4. Contain before investigating endlessly. Disable suspect accounts, isolate affected machines and revoke persistent remote access.
  5. Recover with configuration fixes. Do not simply clean machines; remove the credential, access-control and monitoring weaknesses that allowed the incident.

The McKinnon case therefore supports a practical shift from “we have logs” to “we can use logs under pressure”.
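Steps 1 and 2 of the response model, together with the “alerts for newly installed or unauthorised remote-control software” control from the access-control section, can be expressed as a small triage routine over centrally collected events. This is an added example, not code from the article or any cited guidance; the JSON event format, business hours, approved-tool list and sample events are all constructed assumptions.

```python
"""Triage constructed authentication and software-install events.

Added example (not from the article). It implements two checks the
article lists: abnormal privileged logons (off-hours, or from a source
not previously seen for that account) and remote-control software that
is not on the approved list, then correlates both per host. The event
format, hours, tool names and sample events are assumptions.
"""
import json
from datetime import datetime

BUSINESS_HOURS = range(8, 19)                    # 08:00-18:59 local (assumed)
PRIVILEGED = {"admin"}                           # constructed privileged accounts
APPROVED_REMOTE_TOOLS = {"CorpRemoteAssist"}     # constructed approved list
# Tools recognised as remote-control software; "Remotely Anywhere" is the
# product named in the court record quoted in the article.
KNOWN_REMOTE_TOOLS = APPROVED_REMOTE_TOOLS | {"Remotely Anywhere", "ThirdPartyRemoteCtl"}

# Constructed JSON-lines sample; the first admin logon seeds the source baseline.
SAMPLE_EVENTS = """\
{"ts":"2024-03-04T10:15:00","type":"logon","user":"admin","host":"srv-01","src":"10.0.1.20"}
{"ts":"2024-03-04T23:40:00","type":"logon","user":"admin","host":"srv-01","src":"10.0.1.20"}
{"ts":"2024-03-05T11:02:00","type":"logon","user":"admin","host":"srv-07","src":"203.0.113.9"}
{"ts":"2024-03-05T11:05:00","type":"install","host":"srv-07","product":"Remotely Anywhere"}
{"ts":"2024-03-05T14:00:00","type":"install","host":"srv-02","product":"CorpRemoteAssist"}
{"ts":"2024-03-05T14:30:00","type":"logon","user":"jsmith","host":"ws-10","src":"10.0.2.5"}
"""


def triage(event_lines, baseline_sources=None):
    """Return (rule, host, detail) alerts in event order.

    baseline_sources maps account -> known-good source addresses; when it is
    absent, the first source seen for an account is learned as the baseline.
    """
    seen = {k: set(v) for k, v in (baseline_sources or {}).items()}
    alerts = []
    for line in event_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "logon" and ev["user"] in PRIVILEGED:
            sources = seen.setdefault(ev["user"], set())
            if ev["src"] not in sources:
                if sources:  # an empty set means no baseline yet: learn, don't alert
                    alerts.append(("admin_new_source", ev["host"], ev["src"]))
                sources.add(ev["src"])
            if ts.hour not in BUSINESS_HOURS:
                alerts.append(("admin_off_hours", ev["host"], ev["ts"]))
        elif ev["type"] == "install":
            product = ev["product"]
            if product in KNOWN_REMOTE_TOOLS and product not in APPROVED_REMOTE_TOOLS:
                alerts.append(("unapproved_remote_tool", ev["host"], product))
    return alerts


def escalate(alerts):
    """Hosts showing both a privileged-logon anomaly and an unapproved remote tool."""
    anomalous = {h for r, h, _ in alerts if r.startswith("admin_")}
    tooling = {h for r, h, _ in alerts if r == "unapproved_remote_tool"}
    return sorted(anomalous & tooling)


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for rule, host, detail in found:
        print(f"{rule:24} {host:8} {detail}")
    print("contain first:", escalate(found))
```

The correlation in escalate() is the point of step 4: a host where an unusual administrator logon is followed by an unapproved remote tool is the one to isolate first, and because the events come from the central store rather than the endpoint, a wiped local log does not remove them.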


Legacy-system risk: old systems become soft targets when no one owns them

The case belongs to the early-2000s internet, but that does not make it obsolete. Many organisations still run old operating systems, unmanaged servers, unsupported applications and forgotten administrative interfaces. The label “legacy” should not mean “accepted risk with no owner”.

Legacy risk is not only about age. It is about systems that no longer fit the organisation’s current security model. A machine may be hard to patch because it supports a specialist application. A remote tool may be kept because a vendor needs support access. A shared administrator account may survive because no one wants to break an old process. Each exception may appear reasonable in isolation; together they create the kind of environment in which basic intrusion techniques work.

NCSC New Zealand’s critical controls summary describes asset lifecycle management as a way to keep an environment accurate and up to date, including monitoring when systems become legacy: unsupported by a vendor or no longer maintained by the organisation. [NCSC NZ] That framing is useful for the McKinnon case because it turns “old machines” into a management problem with owners, dates and decisions.

For security teams, the implementation lesson is to maintain a living inventory that records:

  • whether each system is supported and patched;
  • which accounts have administrative rights;
  • whether remote access is enabled;
  • whether the system is internet-facing or reachable from sensitive networks;
  • whether logs are collected centrally;
  • what business process prevents replacement or hardening.

Where a legacy system cannot be retired quickly, compensating controls matter. These include isolating it on a restricted network, removing direct internet exposure, using jump hosts for administration, disabling unused services, enforcing stronger authentication at the access layer, and increasing monitoring around the system.

The deeper lesson: basic controls must be treated as mission-critical

The McKinnon case is sometimes remembered through the more colourful UFO narrative, but its cybersecurity lesson is deliberately unglamorous. A motivated outsider did not need to defeat a perfect security architecture; the public record describes alleged access across sensitive systems, use of remote administration software, and disruption serious enough to trigger a major criminal and extradition case. [Department of Justice]

That is why the case still works as a training example. It connects security basics to real consequences. Weak passwords are not merely audit findings. Poorly governed remote access is not merely untidy asset management. Missing logs are not merely an inconvenience for compliance. Legacy systems are not merely technical debt. In the wrong combination, they become an intrusion path.

The strongest practical takeaway is to treat the following as one decision cluster, not separate projects:

  • identity and privileged access management; [nist.gov]
  • secure configuration of deployed systems;
  • remote-access governance; [publications.parliament.uk]
  • centralised logging and monitoring; [ncsc.gov.uk]
  • incident response playbooks;
  • legacy-system ownership and retirement planning.

Handled separately, each can be postponed. Handled together, they form the basic security fabric that would have made the McKinnon-style path harder to start, harder to sustain and easier to detect.


Endnotes

  1. Source: justice.gov
    Title: London, England Hacker Indicted Under Computer Fraud...
    Link: https://www.justice.gov/archive/criminal/cybercrime/press-releases/2002/mckinnonIndict.htm

  2. Source: publications.parliament.uk
    Title: McKinnon v Government of the United States of America (30 Jul 2008)
    Link: https://publications.parliament.uk/pa/ld200708/ldjudgmt/jd080730/mckinn-1.htm

  3. Source: schneier.com
    Title: Schneier on Security: Gary McKinnon (published 4 August 2008)
    Link: https://www.schneier.com/blog/archives/2008/08/garuy_mckinnon.html

  4. Source: cisa.gov
    Link: https://www.cisa.gov/sites/default/files/2023-10/SecureByDesign_1025_508c.pdf

  5. Source: cisa.gov
    Title: Guide to Securing Remote Access Software
    Link: https://www.cisa.gov/sites/default/files/2023-06/Guide%20to%20Securing%20Remote%20Access%20Software_clean%20Final_508c.pdf

  6. Source: cisa.gov
    Link: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a

  7. Source: ncsc.govt.nz
    Title: NCSC NZ Critical Controls
    Link: https://www.ncsc.govt.nz/protect-your-organisation/summary/

  8. Source: justice.gov
    Link: https://www.justice.gov/archive/usao/nj/Press/files/pdffiles/Older/edva_mckinnon_[indictment

  9. Source: justice.gov
    Link: https://www.justice.gov/opa/page/file/1318666/dl?inline=

  10. Source: justice.gov
    Title: elec sur manual
    Link: https://www.justice.gov/sites/default/files/criminal/legacy/2014/10/29/elec-sur-manual.pdf

  11. Source: justice.gov
    Title: 02.14.23. Protests Supreme Court Residences Part 1
    Link: https://www.justice.gov/d9/2023-02/02.14.23.%20–%20Protests%20Supreme%20Court%20Residences%20–%20Part%201.pdf

  12. Source: publications.parliament.uk
    Link: https://publications.parliament.uk/pa/ld201011/ldhansrd/lhan130.pdf

  13. Source: publications.parliament.uk
    Link: https://publications.parliament.uk/pa/ld201011/ldhansrd/text/110323-0001.htm

  14. Source: publications.parliament.uk
    Link: https://publications.parliament.uk/pa/cm201011/cmhansrd/chan42.pdf

  15. Source: publications.parliament.uk
    Link: https://publications.parliament.uk/pa/cm201011/cmhansrd/chan36.pdf

  16. Source: publications.parliament.uk
    Link: https://publications.parliament.uk/pa/cm200809/cmhansrd/chan106.pdf

  17. Source: publications.parliament.uk
    Link: https://publications.parliament.uk/pa/cm200910/cmhansrd/chan17.pdf

  18. Source: publications.parliament.uk
    Link: https://publications.parliament.uk/pa/ld201213/ldhansrd/lhan21.pdf

  19. Source: publications.parliament.uk
    Title: UK Parliamentary Debates
    Link: https://publications.parliament.uk/pa/cm201011/cmhansrd/chan187.pdf

  20. Source: publications.parliament.uk
    Link: https://publications.parliament.uk/pa/ld199697/ldhansrd/pdvn/lds06/text/61010-0015.htm

  21. Source: cisa.gov
    Title: Principles and Approaches for Security by Design and Default
    Link: https://www.cisa.gov/sites/default/files/2023-06/principles_approaches_for_security-by-design-default_508c.pdf

  22. Source: cisa.gov
    Link: https://www.cisa.gov/resources-tools/resources/secure-demand-guide

  23. Source: cisa.gov
    Link: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-326a

  24. Source: cisa.gov
    Title: Best Practices for Event Logging and Threat Detection
    Link: https://www.cisa.gov/resources-tools/resources/best-practices-event-logging-and-threat-detection

  25. Source: cisa.gov
    Title: Guide to Securing Remote Access Software
    Link: https://www.cisa.gov/resources-tools/resources/guide-securing-remote-access-software

  26. Source: cisa.gov
    Link: https://www.cisa.gov/resources-tools/services/logging-made-easy

  27. Source: ncsc.nl
    Link: https://www.ncsc.nl/en/producten-en-diensten/security-advisories

  28. Source: media.defense.gov
    Title: Joint Guide: Secure by Demand, Priority Considerations for OT Owners and Operators
    Link: https://media.defense.gov/2025/Jan/13/2003626906/-1/-1/0/JOINT-GUIDE-SECURE-BY-DEMAND-PRIORITY-CONSIDERATIONS-OT-OWNERS-OPERATORS.PDF

  29. Source: malicious.life
    Link: https://malicious.life/episode/us_vs_gary_mckinnon/

  30. Source: time.com
    Title: Hack Attack 2
    Link: https://time.com/archive/6943962/hack-attack-2/

  31. Source: tarrdaniel.com
    Title: UFO - Ufology - The Gary McKinnon Case
    Link: https://www.tarrdaniel.com/documents/Ufology/gary_mckinnon_case.html

  32. Source: ncsc.gov.uk
    Link: https://www.ncsc.gov.uk/collection/passwords

  33. Source: ncsc.gov.uk
    Title: Logging and protective monitoring
    Link: https://www.ncsc.gov.uk/collection/device-security-guidance/managing-deployed-devices/logging-and-protective-monitoring

  34. Source: ncsc.gov.uk
    Title: Logging and monitoring
    Link: https://www.ncsc.gov.uk/collection/10-steps/logging-and-monitoring

  35. Source: ncsc.gov.uk
    Title: Updating your approach
    Link: https://www.ncsc.gov.uk/collection/passwords/updating-your-approach

  36. Source: Wikipedia
    Title: Gary McKinnon
    Link: https://en.wikipedia.org/wiki/Gary_McKinnon

  37. Source: security-guidance.service.justice.gov.uk
    Title: Passwords
    Link: https://security-guidance.service.justice.gov.uk/passwords/

  38. Source: cyber.gov.au
    Link: https://www.cyber.gov.au/sites/default/files/2024-08/best-practices-for-event-logging-and-threat-detection.pdf

  39. Source: cs.cornell.edu
    Link: https://www.cs.cornell.edu/~shmat/courses/cs5438/passwords.pdf

  40. Source: assets.publishing.service.gov.uk
    Link: https://assets.publishing.service.gov.uk/media/5a806bb9e5274a2e87db9b6a/Password_guidance_-_simplifying_your_approach.pdf

  41. Source: npsa.gov.uk
    Title: Cyber security risks: users
    Link: https://www.npsa.gov.uk/cyber-security-risks-users

Additional References

  1. Source: youtube.com
    Title: The Biggest Computer Hacks in History
    Link: http://www.youtube.com/watch?v=yY3Hq-qiQdA

  2. Source: nist.gov
    Link: https://www.nist.gov/identity-and-access-management

  3. Source: enzoic.com
    Link: https://www.enzoic.com/blog/nist-password-requirements/

  4. Source: wired.com
    Link: https://www.wired.com/2002/11/brit-accused-of-hacking-pentagon

  5. Source: infini-tech.co.uk
    Link: https://infini-tech.co.uk/resources/password-security-guide

  6. Source: linkedin.com
    Link: https://www.linkedin.com/pulse/cisa-fbi-updates-product-security-bad-practices-7r8ae

  7. Source: secportal.io
    Link: https://secportal.io/frameworks/cisa-secure-by-design

  8. Source: instagram.com
    Link: https://www.instagram.com/reel/DTveyiaANbn/

  9. Source: reddit.com
    Link: https://www.reddit.com/r/UFOs/comments/t0imdw/hi_im_gary_mckinnon_i_was_in_the_news_for_a/

  10. Source: reddit.com
    Link: https://www.reddit.com/r/hacking/comments/1etqs6b/how_gary_mckinnon_did_what_he_did/
