Remote Access Tools Are Not Harmless by Default
Remote access software is useful for support, but the McKinnon allegations show why unmanaged admin tools can become persistence mechanisms.
Introduction
One of the clearest cybersecurity lessons associated with the Gary McKinnon case is that the most dangerous software on a network is not always malware. Legitimate remote administration tools can become powerful persistence mechanisms once an intruder has already obtained access. In the allegations against McKinnon, the critical issue was not merely the initial compromise of systems but the subsequent installation and use of remote-access software that allowed repeated entry, administration and movement across networks. The case illustrates a broader security principle that remains relevant today: approved tools can become security liabilities when organisations do not control where they are installed, who uses them, and how their activity is monitored. [Department of Justice]
Why Legitimate Admin Software Becomes Dangerous When Unmanaged
Remote administration software exists for sensible reasons. IT teams use it to troubleshoot systems, manage servers, support remote staff and perform maintenance without travelling to a machine physically. The same features that make these products valuable to administrators, however, also make them attractive to intruders.
Once installed, a remote administration package can provide:
- Persistent access without repeatedly exploiting the original weakness.
- Full control over files, services and system settings.
- Remote execution of administrative actions.
- A familiar interface that may blend into normal IT activity.
- The ability to reconnect from anywhere with an internet connection.
The risk is not necessarily the software itself. The risk emerges when deployment is uncontrolled, poorly logged or invisible to security teams. An attacker who acquires administrator privileges and then installs a legitimate remote-management product can effectively convert a one-time intrusion into a continuing presence on the network. This is why modern security frameworks increasingly monitor the use of remote-management and remote-monitoring tools alongside traditional malware detection. [Department of Justice]
A recurring lesson from real-world incidents is that organisations often focus heavily on preventing entry while paying less attention to what happens after entry. Remote administration tools occupy that post-compromise stage. They are frequently part of the transition from initial access to long-term control.
What the RemotelyAnywhere Allegation Illustrates
Court records and US indictments relating to McKinnon repeatedly referenced a commercial remote administration product called RemotelyAnywhere. Prosecutors alleged that after obtaining administrative access to systems, he installed the software on compromised machines and used it to return to those systems remotely. According to the indictment, the software enabled remote control and administrative access over the internet. [Department of Justice]
The significance of the allegation is not the particular product. Many legitimate products offer similar capabilities. The important lesson is the sequence:
- Administrative credentials were allegedly obtained.
- Remote administration software was installed. [UK Parliament]
- The software enabled ongoing access without repeating the original compromise.
- Additional actions could then be performed through that persistent foothold. [Department of Justice]
A UK House of Lords judgment summarising the allegations stated that unauthorised remote-access software was installed after access had been gained and that it enabled continued access and modification of data on affected systems. The judgment further noted allegations that additional tools were then installed to facilitate further compromises and conceal activity. [UK Parliament]
This distinction matters because many discussions of the McKinnon case focus on passwords, scanning or the UFO-related motive. From an implementation perspective, the remote administration component may be the more enduring lesson. Weak credentials may have opened a door, but persistent remote-control software allegedly allowed repeated use of that opening over time. [Department of Justice]
Why Commercial Tools Can Be Effective Persistence Mechanisms
Security teams often expect malicious software to look unusual. Commercial administration products challenge that assumption because they are designed to appear legitimate.
Several characteristics make them particularly effective after an intrusion:
- Familiar network traffic: Connections may resemble ordinary administration activity.
- Legitimate functionality: The software’s intended purpose is remote control.
- Operational reliability: Commercial products are often stable and feature-rich.
- Lower suspicion: Administrators may recognise the product name and assume it was installed for a valid reason.
Contemporary commentary on the McKinnon allegations noted that choosing a legitimate remote-access product could help avoid immediate attention because the software had ordinary business uses and was not inherently malicious. [Cybereason]
The broader lesson is that defenders cannot classify software simply as “good” or “bad”. Context, authorisation and monitoring are what determine whether a remote administration tool is performing a legitimate support function or enabling unauthorised access.
How Approved-Tool Lists and Session Logging Reduce Abuse
The most practical lesson from this aspect of the McKinnon case is governance rather than technology.
Approved-Tool Inventories
Organisations should know exactly which remote-access products are authorised and where they are installed.
An approved-tool programme helps answer basic but important questions:
- Which remote administration products are permitted?
- On which systems may they run?
- Which users may operate them?
- Are they configured according to policy?
When a remote-access product appears outside those approved boundaries, security teams have a strong signal that further investigation is needed.
Without such inventories, defenders face a difficult problem: distinguishing authorised remote management from unauthorised persistence.
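The questions above reduce to a policy lookup: for every remote-administration product found on a host, is the product approved at all, is it approved on that host, and was it installed by an account allowed to operate it? The following Python script is an added example written for this article, not code from the page's sources or from any product. The product names, hostnames and account names are constructed sample data, and a real programme would load the policy from its configuration database rather than a literal.

```python
"""Approved-tool inventory check (added example, not from the article).

Compares a constructed software inventory against an approved-tool policy and
reports remote-administration products that fall outside that policy.
"""
from dataclasses import dataclass

# Policy: which remote-admin products are permitted, on which hosts, by whom.
# Constructed sample policy; "AdminRemoteSuite" is a hypothetical product name.
APPROVED_TOOLS = {
    "AdminRemoteSuite": {
        "hosts": {"srv-app-01", "srv-app-02"},
        "operators": {"it-helpdesk", "svc-ops"},
    },
}

# Product names the organisation treats as the "remote administration" category,
# approved or not (constructed list; an organisation would maintain its own).
REMOTE_ADMIN_CATEGORY = {"AdminRemoteSuite", "QuickRemote", "RemotelyAnywhere"}


@dataclass(frozen=True)
class InstallRecord:
    host: str
    product: str
    installed_by: str


def check_installs(records, approved=APPROVED_TOOLS, category=REMOTE_ADMIN_CATEGORY):
    """Return (record, reason) tuples for remote-admin installs outside policy."""
    findings = []
    for rec in records:
        if rec.product not in category:
            continue  # not a remote-admin product; out of scope for this check
        policy = approved.get(rec.product)
        if policy is None:
            findings.append((rec, "product not on approved-tool list"))
        elif rec.host not in policy["hosts"]:
            findings.append((rec, "approved product on a host not authorised for it"))
        elif rec.installed_by not in policy["operators"]:
            findings.append((rec, "installed by an account not authorised to operate it"))
    return findings


# Constructed sample inventory, as an endpoint agent or CMDB export might provide
SAMPLE_INVENTORY = [
    InstallRecord("srv-app-01", "AdminRemoteSuite", "it-helpdesk"),    # within policy
    InstallRecord("srv-app-01", "OfficeSuite", "it-helpdesk"),         # out of scope
    InstallRecord("srv-db-01", "AdminRemoteSuite", "it-helpdesk"),     # wrong host
    InstallRecord("srv-app-02", "AdminRemoteSuite", "jdoe"),           # wrong operator
    InstallRecord("wks-port-07", "RemotelyAnywhere", "administrator"), # not approved
]

if __name__ == "__main__":
    for rec, reason in check_installs(SAMPLE_INVENTORY):
        print(f"{rec.host}: {rec.product} installed by {rec.installed_by} -> {reason}")
```

Only the three records that break the policy are reported; the approved install and the unrelated office package produce nothing. The ordering of the checks matters: an unknown product is reported before host or operator rules are consulted, so an entirely unapproved package is never masked by a coincidentally "allowed" host.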
Session Recording and Audit Trails
Remote administration activity should generate records that can be reviewed later.
Effective controls typically include:
- Authentication logs.
- Session start and end times.
- Command and administrative action records.
- Alerts for new installations of remote-management software.
- Retention of logs in locations that ordinary administrators cannot easily alter.
The McKinnon allegations included claims that logs were deleted or altered after access was obtained. Whether viewed as a legal allegation or as a security lesson, the claim highlights why organisations should protect audit records separately from the systems being administered. If an attacker controls the host machine, locally stored evidence may not remain trustworthy. [Department of Justice; UK Parliament]
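One concrete way to make forwarded audit records resistant to the kind of deletion described above is to chain them: each record stored on the collector commits to the hash of the record before it, so removing or altering any record on the collector's copy breaks the chain at that point. The script below is an added example for this article, not code from any of the cited sources or from a specific logging product; the hashing scheme is a minimal illustration, and the session events it chains are constructed sample data.

```python
"""Hash-chained audit trail (added example, not from the article).

Each forwarded record carries a SHA-256 over the previous record's hash plus a
canonical encoding of its own event, so deletion or alteration of any record is
detectable when the chain is verified. Constructed sample events.
"""
import hashlib
import json

GENESIS = "0" * 64  # anchor for the first record


def record_hash(prev_hash, event):
    """Hash of the previous record's hash concatenated with the canonical event."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append(chain, event):
    """Append an event to the chain (a list of {'event': ..., 'hash': ...})."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"event": dict(event), "hash": record_hash(prev, event)})
    return chain


def verify(chain):
    """Return (True, None) if the chain is intact, else (False, first_bad_index)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["hash"] != record_hash(prev, rec["event"]):
            return False, i
        prev = rec["hash"]
    return True, None


# Constructed sample session events as they would be forwarded to a collector
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T02:10:00Z", "host": "srv-app-01", "user": "administrator",
     "action": "remote-admin session start", "src": "203.0.113.45"},
    {"ts": "2024-05-01T02:11:30Z", "host": "srv-app-01", "user": "administrator",
     "action": "install", "detail": "remote administration package"},
    {"ts": "2024-05-01T02:14:00Z", "host": "srv-app-01", "user": "administrator",
     "action": "clear local security log"},
    {"ts": "2024-05-01T02:15:00Z", "host": "srv-app-01", "user": "administrator",
     "action": "remote-admin session end"},
]


def build_chain(events=SAMPLE_EVENTS):
    """Build a fresh chain from a list of events."""
    chain = []
    for ev in events:
        append(chain, ev)
    return chain


def tamper_delete(chain, index):
    """Simulate removal of one forwarded record from a copy of the chain."""
    return chain[:index] + chain[index + 1:]


if __name__ == "__main__":
    chain = build_chain()
    print("intact:", verify(chain))
    print("after deleting record 2:", verify(tamper_delete(chain, 2)))
```

The chain only helps if the collector is outside the intruder's control: an attacker who can rewrite the collector's copy can simply rebuild the chain. That is precisely why the section recommends retaining logs where ordinary administrators of the managed host cannot alter them.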
Detecting the Unexpected
Many organisations now monitor for remote-management software as a distinct category of activity.
Useful indicators include:
- New installations of remote administration packages.
- Remote-control services appearing on systems that do not normally use them.
- Connections originating from unusual locations.
- Administrative sessions outside expected maintenance windows.
- Sudden growth in remote-management activity across multiple hosts.
These controls are effective because they focus on behaviour rather than specific malware signatures.
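The indicators in this section can be expressed directly as rules over a session log. The script below is an added example for this article, not code from the page's sources or from a particular monitoring product. It assumes a simple line format (ISO timestamp, host, event type, key=value fields), a known administrator subnet, a set of hosts that are normally managed remotely, a UTC maintenance window and a spread threshold; all of these, and the log lines themselves, are constructed for the example.

```python
"""Behavioural indicators for remote-administration activity (added example,
not from the article). Raises the indicators the section lists: new installs,
remote-control services on hosts that do not normally use them, sessions from
unusual sources, sessions outside the maintenance window, and sudden spread
across many hosts. Log format, subnets, hostnames and thresholds are assumed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumed environment facts (constructed)
KNOWN_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/16")]
HOSTS_NORMALLY_MANAGED_REMOTELY = {"srv-app-01", "srv-app-02"}
MAINTENANCE_WINDOW = (18, 22)  # UTC hours [start, end) when admin sessions are expected
SPREAD_THRESHOLD = 3           # distinct hosts with remote-admin activity in one day

# Assumed log format: "<iso-ts> <host> <event> key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+)(?P<kv>( \w+=\S+)*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    return {"ts": datetime.fromisoformat(m.group("ts").replace("Z", "+00:00")),
            "host": m.group("host"), "event": m.group("event"), **fields}


def analyse(lines):
    """Return a list of (host, indicator) findings from raw log lines."""
    findings = []
    hosts_with_activity = defaultdict(set)  # day -> hosts with remote-admin events
    for rec in filter(None, map(parse_line, lines)):
        host, event = rec["host"], rec["event"]
        if event == "remote_admin_install":
            findings.append((host, "new remote administration package installed"))
        if event == "remote_admin_service_start" and host not in HOSTS_NORMALLY_MANAGED_REMOTELY:
            findings.append((host, "remote-control service on a host that does not normally use one"))
        if event == "remote_admin_session_start":
            src = ipaddress.ip_address(rec.get("src", "0.0.0.0"))
            if not any(src in net for net in KNOWN_ADMIN_NETS):
                findings.append((host, f"session from unusual source {src}"))
            hour = rec["ts"].hour
            if not (MAINTENANCE_WINDOW[0] <= hour < MAINTENANCE_WINDOW[1]):
                findings.append((host, f"session outside maintenance window at {hour:02d}:00"))
        if event.startswith("remote_admin_"):
            hosts_with_activity[rec["ts"].date()].add(host)
    for day, hosts in hosts_with_activity.items():
        if len(hosts) >= SPREAD_THRESHOLD:
            findings.append(("*", f"remote-admin activity on {len(hosts)} hosts on {day}"))
    return findings


# Constructed sample log lines: one routine session, then an off-hours sequence
SAMPLE_LOG = [
    "2024-05-01T19:05:00Z srv-app-01 remote_admin_session_start user=it-helpdesk src=10.20.4.17",
    "2024-05-01T19:40:00Z srv-app-01 remote_admin_session_end user=it-helpdesk",
    "2024-05-02T02:10:00Z srv-db-01 remote_admin_install user=administrator",
    "2024-05-02T02:11:00Z srv-db-01 remote_admin_service_start",
    "2024-05-02T02:12:00Z srv-db-01 remote_admin_session_start user=administrator src=203.0.113.45",
    "2024-05-02T02:30:00Z wks-port-07 remote_admin_install user=administrator",
    "2024-05-02T02:45:00Z srv-app-02 remote_admin_session_start user=administrator src=203.0.113.45",
]

if __name__ == "__main__":
    for host, indicator in analyse(SAMPLE_LOG):
        print(f"{host}: {indicator}")
```

The routine evening session on srv-app-01 from the administrator subnet raises nothing, while the second day's sequence trips every rule, including the spread rule once three distinct hosts show remote-admin events. None of the rules depends on a product name or signature; they depend only on where, when and by whom remote administration appears, which is what makes them robust to an intruder choosing a legitimate tool.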
The Enduring Lesson for Modern Defenders
The remote administration element of the McKinnon case remains relevant because it demonstrates a simple but often overlooked reality: after an attacker gains access, they frequently prefer to use existing administrative capabilities rather than exotic hacking techniques. Prosecutors alleged that remote-control software became a mechanism for maintaining access, moving through networks and carrying out subsequent actions. [Department of Justice]
For modern organisations, the lesson is straightforward. Remote administration software should be treated as privileged infrastructure. Every installation should be authorised, every session should be attributable to a specific user, and every significant action should be logged. Remote access tools are indispensable for support and operations, but the McKinnon allegations illustrate why they are not harmless by default. When unmanaged, the same software that helps administrators maintain systems can also help intruders remain inside them. [Department of Justice; UK Parliament]
Further Reading
Books and field guides related to Remote Access Tools Are Not Harmless by Default. Use these as the next step if you want deeper reading beyond the article.
- Security Engineering. Explains trust, access management and secure administration practices.
- The Practice of Network Security Monitoring. Directly relevant to monitoring remote administration activity and misuse.
- Blue Team Handbook: Incident Response Edition. Covers detection and investigation of suspicious administrative activity.
Endnotes
- Source: publications.parliament.uk
  Title: Mckinnon V Government of The United States of America (House of Lords judgment)
  Link: https://publications.parliament.uk/pa/ld200708/ldjudgmt/jd080730/mckinn-1.htm
  Snippet: "Having gained access to those accounts he installed u..."
  Published: 30 Jul 2008
- Source: justice.gov
  Title: Department of Justice Indictment
  Link: https://www.justice.gov/archive/usao/nj/Press/files/pdffiles/Older/edva_mckinnon_indictment.pdf
  Snippet: "RemotelyAnywhere is a software program that provides a remote access and remote adminis..."
  Published: January 24, 2012
- Source: justice.gov
  Title: London, England Hacker Indicted Under Computer Fraud...
  Link: https://www.justice.gov/archive/criminal/cybercrime/press-releases/2002/mckinnonIndict.htm
  Snippet: "McKinnon installed a remote administration tool, a number of..."
- Source: cybereason.com
  Title: Malicious Life Podcast: The U.S. vs. Gary McKinnon
  Link: https://www.cybereason.com/blog/malicious-life-podcast-the-u.s-vs.-gary-mckinnon
  Snippet: "Choosing to use RemotelyAnywhere as a means of access was a sneaky move, because it's a software tool not only used by h..."
- Source: malicious.life
  Title: The US vs. Gary McKinnon
  Link: https://malicious.life/episode/us_vs_gary_mckinnon/
  Snippet: "Gary McKinnon, a British hacker with Asperger's, broke into NASA & US Army networks - to find evidence of UFO cov..."
- Source: media.defense.gov
  Title: McKinnon_comphacker (U.S. Department of Justice, United States Attorney, Eastern...)
  Link: https://media.defense.gov/2002/Nov/12/2001711901/-1/-1/1/McKinnon_comphacker.pdf
  Snippet: "Once he was able to access the computers, McK..."
  Published: 12 Nov 2002
- Source: schneier.com
  Title: Gary McKinnon - Schneier on Security
  Link: https://www.schneier.com/blog/archives/2008/08/garuy_mckinnon.html
  Snippet: "The interview I saw with McKinnon implied that he just hit systems with the default..."
  Published: August 4, 2008
- Source: Wikipedia
  Title: Gary McKinnon
  Link: https://en.wikipedia.org/wiki/Gary_McKinnon
  Snippet: "Gary McKinnon (born February 1966) is a Scottish systems administrator and hacker who was accused by a US prosecutor in 2..."
Additional References
- Source: vlex.co.uk
  Title: McKinnon v United States of America
  Link: https://vlex.co.uk/vid/mckinnon-v-united-states-793612009
  Snippet: "Having gained access to those administrative accounts, he installed unauthorised remote access and adm..."
- Source: pinsentmasons.com
  Title: 'Pentagon hacker' McKinnon fights extradition
  Link: https://www.pinsentmasons.com/out-law/news/pentagon-hacker-mckinnon-fights-extradition
  Snippet: "McKinnon is accused of scanning networks for vulnerabilities and extracting ad..."
  Published: 28 Jul 2005
- Source: verticalvertical.com
  Title: Hacking the Pentagon in search of UFO's
  Link: https://verticalvertical.com/hacking-the-pentagon-in-search-of-ufos
  Snippet: "In November 2002, Gary McKinnon was indicted by a federal grand jury in the Eastern District of Vi..."
- Source: en.wikisource.org
  Title: US v Gary McKinnon Indictment
  Link: https://en.wikisource.org/wiki/US_v_Gary_McKinnon_Indictment
  Snippet: "RemotelyAnywhere is a software program that provides a remote access and remote administration pa..."
  Published: 27 Feb 2021
- Source: futureintelligence.co.uk
  Title: Gary McKinnon was unlucky: He's not even a very good hacker
  Link: https://www.futureintelligence.co.uk/2012/10/18/gary-mckinnon-was-unlucky-hes-not-even-a-good-hacker/
  Snippet: "The penetration testing company, working with Surrey Police, quickly found that a backdoor..."
  Published: 18 Oct 2012
- Source: reddit.com
  Title: Hi, I'm Gary McKinnon, I was in the news for a decade after getting...
  Link: https://www.reddit.com/r/UFOs/comments/t0imdw/hi_im_gary_mckinnon_i_was_in_the_news_for_a/
  Snippet: "I was arrested in March 2002 for 'hacking' into various .gov/.mil net..."
  Published: February 24, 2022
- Source: theguardian.com
  Title: Hacker 'left note on US army computer'
  Link: https://www.theguardian.com/technology/2005/jul/27/hacking.internetcrime
  Snippet: "Mr McKinnon, 39, faces extradition to the US over claims he accessed dozens..."
  Published: 27 Jul 2005
- Source: csoonline.com
  Title: Hacker Fights U.S. Extradition - CSO Online
  Link: https://www.csoonline.com/article/520766/data-protection-u-k-hacker-fights-u-s-extradition.html
  Snippet: "Gary McKinnon of London is accused of deleting data and illegally accessing inf..."
  Published: Feb 13, 2007
- Source: youtube.com
  Title: The Man Who Hacked the U.S. Government
  Link: https://www.youtube.com/watch?v=ND0zQX1rGdg
  Snippet: "No Malware. No Alerts. Just Breach. | Living Off the Land Attacks..."
- Source: theguardian.com
  Title: 'Biggest hacker' fights extradition
  Link: https://www.theguardian.com/technology/2005/jun/09/hacking.internetcrime
  Snippet: "US prosecutors have alleged that Gary McKinnon, 39, from Wood Green, north Lond..."
  Published: 9 Jun 2005