by Jack Davis
Part Ten
47 | Setting the Trap
NYFO, 10/07-09/09, 0615 hours
By the day Alvaro was set to leave New York, everything was ready. Unshaven and haggard, Swann and Greere triumphantly stumbled into the gym holding a disc looking for Morley at 0615 hours. Later, Morley would learn the two had not gone home since being given the assignment. Working nonstop, they had just finished the testing when they handed him the disc.
“Sorry to interrupt your workout, but we figured you’d want this as soon as we finished,” said Swann.
Morley, sitting on the weight bench, took the disc. “Do I want my prints on this?” He laughed.
Swann smiled malevolently. “We’ve got a cast of your prints on file anyway, so it don’t matter. We can frame you with or without your knowledge.”
“Yeah, it’s sort of an insurance policy,” said Greere.
Morley could only smile. “Okay, what’s this do?”
“Exactly what you asked for,” replied Greere with somewhat of a what’d-you-expect expression.
Swann dove into the details. “There are two programs along with instructions. One is labeled, MicrosoftVisla.exe, L for lurker, the other is labeled MicrosoftExet.exe. The first program is actually two programs. Once it’s installed, the .exe program would bury itself within level three of the bios, making it almost impossible to detect. The second program would be installed as a harmless .doc,” Swann stopped and clarified, “a document file…”
“I know what a .doc file is,” said Morley in a jokingly defensive manner.
“Yeah, we’re never sure how much you retain after you do protection assignments,” shot Swann before continuing. “The .doc program will seek out the appropriate subdirectory, the one with the most documents. To help avoid detection, the program is designed to conduct a check of the dates when most of the other files were created and choose a date approximately in the middle. That way it won’t be the last or first file created when the folder is opened again. It won’t stand out if someone was only looking for recent files.”
Morley nodded approvingly, acknowledging the stealth of his agents’ program.
“At preset times, the program in bios would contact the document file and change it from a .doc file to a .exe,” Swann paused, smiled and then explained what .exe meant, “or executable file,” Morley squinted and shook his head as Swann continued, “and prompt it to start running. Once the program had completed its instructions, its last command would be to convert itself back into a .doc file. It would stay in that state until the bios program woke it up again. In this way, even if the bios file were discovered and destroyed, we’d only have to reinstall it again somewhere else on the machine, because the .doc file would still be there.”
After ten more minutes of describing the intricacies of the program, Morley could tell the two men were proud of their accomplishment. Then they moved to the second program.
“As for the beacon,” Swann admitted, “we can’t take credit. It’s OTS, the cow shelf that is.”
“You’ve analyzed it, tested it, and are comfortable there isn’t anything in it that’s gonna be a problem?”
“Yeah,” said Greere. “It’s harmless, super intricate, but harmless.”
As the adrenalin of their initial enthusiasm gave way, Morley could see how tired the two were.
“You two need some sleep. Go hit the rack for a couple hours before we try and install these,” he hesitated, looking for the proper word, “programs?”
“Yeah, let’s call ’em programs,” agreed Greere with an unconvincing smile.
As his two agents trudged toward the door, Morley couldn’t resist, “Guys, the office does have a shower.”
Alvaro and Maria Leave New York (10/07/09, 0700 hours)
Alvaro, Maria, along with agents Posada and Pencala, were scheduled to travel back to the Bahamas on a 1000 hours flight. From there they would catch a connecting flight back to Mexico. Pencala had recommended the itinerary in case there was anyone watching Alvaro’s comings and goings back in Mexico. She pointed out that Alvaro should not be returning through the US. To avoid any hiccups in transit they decided to have the two agents travel with them through to Mexico City. There, the agents would meet RAIC Loral, stay the night, and fly back to New York the next morning.
The whole group, including Dunn and his daughter, met at the Field Office at 0700 hours where Alvaro and Maria were briefed again. Alvaro knew the plan backwards and forwards. He obviously had the most to lose if there was a flaw and had gone over it in minute detail.
As the team got up to go their separate ways, Morley shook Alvaro’s hand. Through Posada he reiterated they would do everything they could to keep him and Maria safe. Alvaro thanked him. As he did Maria moved around her husband. She kissed Morley on the cheek while saying something in Spanish. He blushed as she hurried past her husband out the door. Alvaro shrugged and nodded.
“She said Alvaro is a good man,” Posada translated. “Thank you for helping him and her children; we will be in her prayers.”
If anyone needs divine intervention, it’s your husband, thought Morley.
After the departure of Lopez, Morley sat in his office watching a thunderstorm beat against the canyons of concrete and steel. He liked the storms. They cleaned his city…at least temporarily. The water cleaned the soot from the air and dirt from the streets. He liked the sound of rainfall; it was soothing and helped him think.
He used the solitude of the office to spend time running through the case. He looked at it from all angles and tried to foresee the results of his next moves. How would MichaelTAA react? If he knew that, he could be ready for him. Morley needed to know more about his adversary.
Dr. Ronald Peyton; Profile (10/07/09, 1200 hours)
There were few people in the Service Morley enjoyed talking to, or respected, as much as ATSAIC Ron Peyton. Actually, it was Dr. Peyton, but the majority of the people Peyton worked with didn’t know it. He was a Renaissance man in the truest sense of the word. By thirty-three, the inner-city kid from Philadelphia had a PhD, two masters, and three black belts.
Morley had met Peyton while they were on the President’s Detail. The two became quick friends and martial arts sparring partners. They had kept in touch through follow-up assignments; Morley in NYFO, Peyton in the Behavioral Science Section of the Intelligence Division. Now Morley needed his friend’s keen analytical mind to provide insight into his prey.
The first few minutes of the call were spent catching up on family matters and USSS rumors before Morley got to the point. “So, were you able to develop anything from the files I sent?”
“A little, not too much I’m afraid. I’ll go with what I know for certain, then what I believe. I’ll forward you my notes after.”
“Thanks.”
“Your suspect is over forty. He uses classical top-down coding, which hasn’t been taught since the eighties. He would have been taught to do it that way; he couldn’t have learned this himself, not at this level. We can reasonably assume your subject has a college degree. Figuring he was taking college programming courses in the eighties, he’s probably in his mid-to-late forties. Add to that the fact he puts two spaces after a period instead of one, and you can guarantee he’s over forty.
“Looking at the code, my guess…”
“Define ‘guess’,” said Morley.
“Sorry, by ‘guess’ I would say seventy percent probability. Looking at the code and based on all the folks we’ve arrested and interviewed, my guess is this guy is—and don’t take this personally—more regimented than you!”
“So, you’re saying he’s perfectly normal?”
“Noooot really. I see this guy as an individual who is not comfortable in social settings or around people. He prefers to do his work alone. He has his whole life tremendously organized and structured. Lifestyle and clothing could be significantly out of date. His house will be meticulous, with things labeled, lined up, and categorized based upon some criteria.” Peyton paused, knowing how orderly Morley was from their time on The Detail together. “That kind of freakish behavior. Makes me wonder how he’s able to function in society on a day-to-day basis.”
Anticipating where his friend was headed, Morley decided to put in a preemptive strike. “I’m not sure I can arrest this guy. We may have been separated at birth. Besides the hacking, if we had more people like this, society would be so much better off.”
“Yeah, you may have to recuse yourself from this case.”
“I may ask to represent the guy. It would be like defending myself.” Then, as if presenting a summation, “He’s not bad, he’s just misunderstood. We can channel his power for good and not evil. Ladies and gentlemen of the jury, I ask you, can a man with a label maker really be a criminal?”
Peyton laughed. “In terms of hackers, I think this guy’s somewhat stereotypical. Loner, socially inept, etc., etc., I can’t tell you if he is married or not. If he is, it’s to someone who is completely dominating, the alpha-female of the household, or someone that he completely dominates. Like someone from the Philippines or a mail-order bride from some other country, who doesn’t speak much English. Someone he can dominate without having to worry. He’ll do whatever he can to keep her from being independent. Probably no children. Children are messy, disorganized, and disrupt routines. If he’s in charge, there are no children.”
“Wow, you’re really goin’ out on a limb on that one. ‘He’s either married or he’s not.’ You goin’ into weather forecasting next? That certainly narrows down my suspect pool.”
“For someone askin’ for help you sure have an attitude. If you don’t want to hear what I have to say, then I’ll just go back to watching CSPAN and let you try and catch this guy yourself.”
Morley chuckled, “Okay, let’s get back to your little, subject profile guess-fest, shall we?”
Peyton moved on. “Based on the language used in the text and a few other factors, I’m confident your suspect is a native English speaker. Statistically, and from what was written, I believe your suspect is a white male, probably from the Northeast or Midwest. Definitely not from the South, but he could be from the West; I just don’t think so. If you get more text let me know and I should be able to nail the region down for you. Keep in mind that’s where he’s originally from, not necessarily where he lives today. I don’t have enough to make a determination on that yet.”
“Any thoughts on how to catch this guy?”
“A few. If you can narrow down the number of suspects, I would see where they went to school. In the eighties, there weren’t many colleges with computer programming curriculums. You might use that as a differentiation factor if you have a reasonable suspect pool.
“I would also say you should be looking for this guy’s tools on some of the hacked database cases. I would start by looking at cases that have similar content to the one in Delaware—credit cards and/or PII.”
“Yeah, we’ve looked for the name MichaelTAA in the databases,” said Morley, “but I’m not sure if the guys have checked for the tools he used. I’ll have them start doing some backtracking and look into the PII cases.”
“If I was you, I’d have your team look at some large porn sites.” Before Morley could say it, Peyton did, “I know they’re doing that already, but tell them there might be more there than the pictures—look for the tools. The only other time anyone has ever seen this guy’s name before is what, ten years ago on some porn site in Virginia? The way I figure it, if he’s like all other males, he likes porn. If he has the option of paying for it or getting it for free by using his tools, he’ll use his tools. If he has the smarts to hack into a pharmaceutical giant, hacking into a mom-and-pop porn site is nothing. In all likelihood he’s lurking there just picking up free porn. Since he might not be ‘stealing’ anything he might not be thinking anyone will really care. So, he might not be bringing his ‘A game.’ He’s probably saving that for his high-risk hacks, the ones where he feels he has to be careful. For this kind of stuff, he might not be as cautious if he doesn’t think the potential repercussions are as high. Why use a sledgehammer to kill a gnat?”
“Makes sense,” said Morley. “He knows no one is going to go after him criminally for hacking into the sites just to get free porn. At worst, they’ll block him, and he’ll have to go to another site. I’ll have my folks start looking into that.”
“You could also narrow the field by seeing what type of site he hacked into in Virginia. It’ll show what he liked to watch back then; it might not have changed. I think it was a ‘mature’ site or something like that. It would narrow your search a little.”
“Sounds reasonable. Anything else?”
“Not at this point. I’ll go over the files again and I’m having a colleague look at ’em also. If she comes up with anything different, I’ll let you know.”
“Thanks, buddy. I appreciate this.”
“You kiddin’ me? This is the fun stuff! I’d love to do a lot more profiles and a lot less nut interviews. I’ll talk to you.”
“Take care. Be safe.”
Peyton’s profile was a mix of science and art. It was based as much on facts as possible. But then, by its very nature, it had assumptions that Peyton used to draw conclusions. He was one of the best at the second part. He could take various disparate pieces of an information puzzle and put them together to make a logical whole. He spliced his knowledge of criminals and human nature to develop conclusions that others either overlooked or simply couldn’t deduce.
The profile Peyton created would later be found to be unbelievably accurate. It was of great help to the investigators, and would be used to identify the right individual. But unbeknownst to everyone at the time, it started out with one of its major underlying assumptions being wrong.
It was the same assumption that had plagued the case since the first bodies had been found years earlier. It was the same assumption that allowed the case to claim twenty-two more victims in nine other states. It was the assumption that allowed all the various law enforcement agencies that had identified a computer intrusion to divorce that aspect of the case from the brutal slayings.
It was the assumption that computer hackers are not killers. All of the investigators who had even found the hacking tools, which was a small subset up to this point, had made the leap of faith to two separate and distinct crimes based upon that initial assumption. None of the excellent police minds could conceive that the same individual responsible for the network intrusions could also be their sadistic killer. They had all been wrong, just as the Secret Service agents who were now looking at the hacking were wrong.
New Version of the Virginia Hacking Program (10/07/09, 1600 hours)
Shortly after the call, Morley had the team together to get a quick update on the case.
Greere started, “After showering,” he stared at Morley with fake disdain, “Doc and I did an analysis of the image from Leesburg PD. We did a side-by-side comparison to the code found on Alvaro’s machine. They’re not exactly the same program, but close enough.”
“It’s like the Virginia code is an older version of the same program. The author appears to have updated it over the past eight years,” said Swann.
“We’re reasonably sure both were written by the same individual,” added Greere.
“How sure is reasonably sure?” Morley asked.
“It’s the same guy, boss,” said Swann, and then he answered Morley’s infamous briefing question even before it was asked. “Yes, we could explain it in simple enough terms to make a grand jury understand.”
That was all Morley needed to hear; he was satisfied.
The only other significant aspect of the case to change that day was based upon another wrong assumption. After Murray heard the nic MichaelTAA, and associated it with the porn sites, he said, “Well I guess we know what TAA stands for.” When only Kruzerski nodded, Murray sheepishly clarified, “Tits and ass.” The others hadn’t given it much thought, but it did make sense. With that, the team took a detour off the path of identifying the killer.
48 | All Enemies, Foreign and Domestic
NYFO, 10/07-13/09, 0918 hours
The first of Morley’s positive responses from his foreign counterparts came in the form of a call from Inspector Talbot of the Royal Canadian Mounted Police. Morley, in the middle of his conversation with Peyton, had to let the call go to voicemail.
“PJ, how’s it goin’? Things are good up here in Ottawa, we’re just getting the first taste of winter.
“Regarding your MichaelTAA nic, yes, we have one case where that’s come up. I’ll send you the file, but the short story is, in 2002, the Nova Scotia National Bank noticed one of their credit card holding company’s databases had been hacked.
“The RCMP was only called after the bank hadn’t been able to keep the hack out of the news.
“We didn’t solve the case, but analysis of the exploit identified MichaelTAA as the author of the hacking tools. Our traceback resolved to an account at the University of Oklahoma; from there the trail went cold.
“I’ll send the file. If you need anything, or find this shithead, you know where to reach me.
“Stay warm.”
Morley would later learn from the case file that the stolen credit card numbers had been used throughout the United States, Canada, the Caribbean, and some even in Mexico. There was little additional information of investigative value, but all was added to the USSS case file and a copy of the code and images of the hard drives were requested.
The Brits, with whom Morley didn’t have a personal relationship yet, sent a more formal response via encrypted email. The file indicated they had uncovered two cases involving the nic MichaelTAA. The first was a Royal Bank of Scotland hack in 2003, and the second was a 2008 Westminster Bank of London network intrusion. Both had led to over a hundred thousand credit card numbers being compromised, but no one had been developed as a suspect. In both cases, the hacking tools had been authored by someone using the name MichaelTAA.