White-Hot Hack
Page 8
It wasn’t quite the same as being there, but it was still a contribution, and surely that counted for something.
She’d hired a housekeeper, a nice woman named Renee who would come a few days a week to clean, do the laundry, and buy the groceries on the list Kate left for her. Cooking was the one thing she had no desire to give up, and at the end of each day she looked forward to pouring a glass of wine, rolling up her sleeves, and making dinner. She was currently working her way through a series of Thai recipes, which pleased Ian immensely.
He had insisted on accompanying her on all of her previous social engineering assignments, but lately he’d needed to spend more time with the task force, so she’d convinced him she could start going on assignments alone. He’d reluctantly agreed. She thought it might actually be easier without him watching her because she wouldn’t have to pretend they didn’t know each other. Besides, having an audience to her potential failure, even if that audience was her husband, made her slightly nervous.
Her phone pinged with an incoming text as she was pulling into the parking lot fifteen minutes before her appointment.
Ian: I might have forgotten the new housekeeper was starting today.
Kate: Oh God. How naked were you?
Ian: Everything was just swinging in the breeze when I walked into the kitchen.
Kate: Now she’ll be with us forever.
Ian: My naked body does have that effect on women.
Kate: It’s why I’m with you.
Ian: I thought you were with me because of my hair?
Kate: Your hair is just a bonus.
Ian: Are you in the parking lot?
Kate: Just arrived. I’m sitting in the car until it’s time to go in.
Ian: Don’t be nervous. You can always retreat and try again if it doesn’t feel right.
Kate: Okay. Wish me luck!
Ian: You’ll do great. Go get ’em, sweetness.
It had taken Kate over a week to complete the pretexting for this particular assignment. She’d started by identifying her target—Garrett Linder, the VP of marketing. Then Ian hacked the DMV to determine the make, model, and license plate number of his car. For several days in a row, when Garrett pulled out of his work parking lot, Kate followed him. She knew an amazing number of things about him by then: phone number, personal e-mail address, college major and GPA, social media accounts and passwords, hobbies, and his favorite genre of music. He was divorced but in a new relationship, and he liked to stop at a small upscale bar every night on the way home where he appeared to know the bartender personally. He never stayed for more than two drinks.
One night soon after, she was sitting at the bar when Garrett came in. Pretending to be engrossed in her phone, she let her hair fall across her face and never looked directly at him as she sipped the glass of wine she’d been nursing for the past forty-five minutes. She was close enough to his stool that she heard him order a gin and tonic and watched as the bartender reached for the Hendrick’s.
The next night, Kate and Ian waited in the parking lot until she saw Garrett walk through the front door of the bar. Ten minutes later, she went inside and sat down at the bar, leaving an empty stool between them. She was wearing her wedding ring because Ian wanted there to be no doubt about her marital status or for her to inadvertently send the wrong signal. “Gin and tonic,” she said when the bartender asked for her order. “Hendrick’s, please.”
Garrett glanced over at her and raised his glass. “A fellow gin connoisseur.”
She smiled at him. “If you’re not going to drink Hendrick’s, why bother?” The bartender set the drink down in front of her and she took a sip. “After the day I’ve had, I deserve it.”
“Tough one?”
She took a long drink and sighed. “Mostly frustrating.”
“What do you do?”
“I was an account executive, but my employer implemented some budget cuts and laid off almost the entire department. Now I’m temping as a receptionist until I can find another position.”
“I’m in marketing too.” He dug out a business card and slid it across the bar to her.
She pretended to read the words because she already knew what they said. Then she turned to him and smiled. “I really wanted to apply for a job there, but I didn’t see any openings on the website.”
“We do a lot of promoting from within, but we still hire from the outside.”
“Do you think—” She stopped speaking suddenly as if she were embarrassed by the request she’d been about to make.
“What is it?”
“I was just wondering if I could drop off a résumé. I know I’d have to go through the proper channels and fill out an application, but it would be great to have a professional contact.”
“Sure. No problem. Just check in at the front desk and tell the receptionist you’re there to see me. I play squash from one to two on Tuesdays and Thursdays, but otherwise I should be there. If not, my assistant Sheila will be.”
“Thank you. That would be great. I really appreciate it.”
“Sure. No problem.”
She nursed her gin and tonic while he conversed with the bartender and waited patiently until he finished his drink and left.
“All set?” Ian asked when she got back in the car and they drove away.
“Yep.”
“Any roadblocks?”
“None. I’ll be paying a visit to the company on Tuesday between one and two.”
“When he’s not there.”
“Exactly. But his assistant Sheila will be.”
“Nicely done.”
“It was actually very pleasant. He’s a nice guy, easy to talk to. Do you know what the worst part was?”
“What?”
“I discovered I really hate gin.”
Kate watched the minutes tick by on the dashboard clock. At exactly 1:50, she walked into the building and approached the reception desk. There were public restrooms in the lobby—a separate one for men and women—but to Kate’s relief they looked as if they could only accommodate one person at a time, and both doors were closed. Just beyond the reception desk to the right was a long hallway. She spotted the conference rooms Ian had noticed when he’d visited the company to obtain the CIO’s signature on the audit agreement. Next to them, a drinking fountain separated a set of larger employee restrooms.
“Good morning,” she said, careful not to sound too chipper. “Garrett Linder asked me to drop off my résumé.”
The receptionist dialed a number, and when no one answered, she hung up the phone. “I’m sorry. Mr. Linder is not answering his phone.”
“Oh, right. He mentioned he plays squash on Tuesdays and Thursdays and if he wasn’t here I could walk it back to Sheila.”
“I’m sorry, but that area is restricted and I’d need his approval to issue a visitor badge.” The receptionist smiled and extended her hand as if she was happy to accept the résumé. “I can hold on to it and make sure he gets it.”
“That’s very kind of you, but I really wanted to give him the résumé personally. He was so nice to agree to take a look at it.” Kate glanced at her watch. “I’m sure he won’t be long.”
She swallowed hard and covered her mouth with her hand. She’d applied foundation that was two shades lighter than she normally wore, and she’d skipped the blush entirely. The result had been a paler-than-normal complexion. She’d come up with the idea on her own, and if it worked, she’d be sure to use it again.
“Are you okay?” the receptionist asked.
Kate leaned in, lowering her voice a little. “Morning sickness. The name’s a bit of a misnomer because I seem to have it all day long. It’s especially bad today, but I was in the area and really wanted to cross this off my list.”
“I know exactly how you feel. I had it something awful with my daughter.” She looked at Kate sympathetically and motioned to a row of chairs. “You can wait over there if you’d like. Hopefully he’ll be back soon.”
K
ate waited five minutes and approached the desk again. “I think I’m going to be sick, and someone is already using the lobby restroom,” she whispered urgently. “Do you have a garbage can?” There were tears in her eyes, and she hoped her expression conveyed her mortification at something so embarrassing happening in such a public place.
The receptionist looked at Kate in horror and pointed toward the conference rooms over her shoulder. “There’s another set of restrooms back there. I’ll buzz you in.”
Kate took off and right when her hips hit the low metal turnstile, she heard a buzzing sound and it swung open. Running, she ducked into the bathroom, and as soon as the door closed, she smiled and nonchalantly walked over to a stall and locked herself inside. From her bag, she pulled a USB drive, pen, and notebook and placed everything on the floor. On the first page of the notebook she’d jotted a to-do list. The first two items were mundane, scheduling meetings and replying to e-mails. The last item was starred and said in all caps: RUN REPORT FOR TED BROWN, which was the name of the CEO. She left another USB drive and notebook with a similar to-do list but a different name on the counter next to the last sink. When she left the bathroom, she ducked into one of the conference rooms and left a third set of materials on the table.
On her way out, she kept her head down as if she were too embarrassed to make eye contact with the receptionist and walked out the door.
It was over an hour’s drive home, and her phone rang when she was almost there. “Yes, lover,” she said.
“Hello, sweetness. I’m calling to congratulate you on a job well done. You know how happy it makes me to have control of a client’s network.”
“All of them?”
“Two out of three. I expect the third will soon follow. The bathroom drives were used first. They always are.”
“I can’t believe people will stick an unmarked USB drive they found in a bathroom, one of them on the floor next to a toilet, into their work computers.”
“Unbelievable, isn’t it?”
“And gross.”
When she got home, she walked into Ian’s office and leaned down to give him a kiss.
“Do you feel okay?” he asked.
She threw herself down on the couch and sighed as if she felt terrible. “I’m in the throes of a wicked bout of morning sickness.”
An affectionate smile appeared on his face. “Are you trying to tell me something?”
She could not love him more.
“Your reaction is the sweetest thing I have ever seen and my heart just melted, but unless we’ve recently had a birth control failure I’m not yet aware of, this baby is only the pretend kind. I used foundation to make myself look pale so the receptionist would think I wasn’t feeling well. I dropped the VP’s and his assistant’s name so she’d buy that I had a legitimate reason to be there. But then I worried she might not let me walk it back to Sheila, which is exactly what happened. Plan B involved forcing her to buzz me back by telling her I had morning sickness and making it seem like I was about to throw up all over the lobby.”
“Man, you’re good.”
“That ruse is definitely going in my arsenal. I have a feeling there will be a high rate of success with it.”
“Are you up for a team assignment?”
She’d never considered the possibility of the two of them partnering on a social engineering job and could not think of anything more entertaining than working with her husband.
“I just brought on a new client, and I have to tell you, Katie, his smug arrogance is bugging me a little bit.”
She laughed. “He must really be arrogant if it bothers you.”
“The last two firms he hired were unsuccessful in their penetration attempts. I got the feeling he gave me the business solely for the satisfaction of making us number three.”
“Oh, it is on, Ian.”
“That’s what I thought, sweetness. I’ll have the pretexting done by the end of the weekend. We’ll start on Monday.”
CHAPTER THIRTEEN
“Those are some sweet khakis,” Kate said.
“Aren’t they?” Ian turned in a circle to give her the full view. “Help Desk Todd wears them every day.”
“I bet he’s a real lady-killer.” Ian was also wearing a light blue short-sleeve polo, which he’d told her mirrored the uniform worn by the majority of the male employees who were not part of upper management. His hair had been tamed into some semblance of order, which wasn’t easy considering it hadn’t been cut in a while.
He took a step back and assessed her appearance. At his directive, Kate had dressed in neutral colors and had chosen a cream-colored cardigan sweater and a pair of pants in a muted tan. Their wedding rings would remain at home because Ian had found they encouraged people to ask questions that they might not want to answer. He’d told Kate that the fewer things people could ask her about¸ the better her chances were of avoiding a lie that might quickly spiral out of control.
“The clothes are perfect. I just wish we could do something about your face.”
She’d applied minimal makeup, and the only thing she’d done to her hair was blow it dry. “What’s wrong with my face?” she asked, looking genuinely concerned.
“A good social engineer blends into the scenery, but you—Jeannine from Legal—are way too beautiful. You’ll stand out, and they’ll remember you.” He studied her. “Can you pull your hair back?”
Kate slipped an elastic from around her wrist and scraped her hair into a ponytail with her fingers. Ian slid a pair of black-rimmed Wayfarer-style glasses with nonprescription lenses onto her face and sighed. “I was trying to make you less attractive. It has backfired spectacularly because now you look even hotter.”
“Does someone have a naughty librarian fantasy?”
“Come to bed tonight looking like this and you’ll find out.”
“I’ll even bring a book.”
He removed the glasses and took Kate’s hair down, tucking it behind her ears. “Better,” he said. “But still stunning.”
“Flatterer.”
“Here’s your lanyard.” Kate slipped the cord over her head and scrutinized the badge attached to it. It looked official, but it was a dummy and incapable of buzzing her through any of the company’s doors. What they were about to attempt was the riskiest type of social engineering because it required them to infiltrate a company and impersonate its employees. Ian had told her that wearing the lanyards around their necks in plain sight instead of clipped to their shirts would go a long way toward deflecting suspicion. They might not be able to use their badges, but it would look like they could.
“I did some digging, and the reason no security firm has been successful in penetrating this company has less to do with its current security practices and more to do with the fact that the IT manager knows about the audits and likes to leak the news about them so his direct reports will be more vigilant.”
“Isn’t that counterproductive to discovering their security weaknesses?” Kate asked.
“Yes, but it makes him look like he’s running a tighter ship than he is.”
Kate looked nervous. “So we’re going into this with giant targets on our backs?”
“We would if we were starting the pentesting three weeks from now, which is what the CIO and I agreed on. But I found out last week that he and the CEO will be away at off-site meetings for the next three days, which is why we have to start today.”
“The rules just don’t apply to you, do they?”
He looked at her as if the answer to that question was obvious and shrugged. “We both know how bad I am at following them.”
“Won’t the CIO be furious when he finds out what we did?”
“Not after I show him all the ways we were able to penetrate the company. I’m going to drive home the point that black hat hackers aren’t going to agree ahead of time to only attack on a particular date. They can strike at any time.”
“So the IT manager would rather cheat than let a sec
urity firm discover legitimate ways to help his company become more secure. Isn’t that a giant waste of money?”
“Yes. And after the CIO tried unsuccessfully to get rid of me by saying they were already secure and didn’t need an audit, he admitted their budget wouldn’t allow for another one, which is why I told him we’d do it for free.”
“Why would we do that?”
“Because we don’t need his money, but we do need his referral. Several of his contemporaries at other companies have already turned me down. I don’t like that.”
Kate shook her head sympathetically. “Of course you don’t.”
“I was able to overcome his objections by pointing out how much sense it made to take advantage of a service that would cost him nothing, and if we’re successful—which we will be—then he’ll really be motivated to sing our praises. I used to do this occasionally when I was building my company the first time around. Works like a charm.”
“We need to penetrate the hell out of this company, don’t we?”
“We’ve got three days to get way up in there, sweetness. As deep as we can go.”
Kate picked up her purse. “Then let’s do it.”
They drove separately. Though it was unlikely, Ian didn’t want to risk someone seeing them getting out of the same car and putting two and two together later.
Kate called him when she arrived. “I’m here.”
“I saw you pull in. I’m parked a few rows over. I’ll text you when it’s your turn. Do it just like we planned.”
“I’m ready.”
She stayed in her car and watched as Ian walked across the parking lot palming two cups of coffee in one hand and a large white box in the other, the strap of his laptop bag over his shoulder. When he didn’t return, she assumed he’d successfully entered the building, and he confirmed it a moment later.
Ian: Hurry inside before this coffee gets cold. We can drink it with our donuts.
Kate: There are donuts?
Ian: I bought them when I stopped for the coffee. If I’m going to use the box trick, it might as well have something good inside it. I got you a chocolate one.