Breaking and Entering
Page 30
“Send stats,” Alien typed to the members of her call center.
“9 reached, 6 wins,” wrote Cheryl.
“6 reached, 3 wins,” Gus wrote.
“5 reached, 4 wins,” wrote Luke.
So: twenty calls total. And thirteen openings to the law firm’s supposedly privileged inner communications.
“We’re done,” typed Alien. “Great batting average, Luke.”
Cheers sounded in the next room. High-fives. Alien heard knocking and opened her office to greet a delivery guy from the sandwich shop around the corner. TSC was treating. It was another way to make the interns feel appreciated—and keep them on task.
As Alien carried the sandwiches in to her employees, “You’re the Best Around” started playing in their office.
“Good job today,” she said. “Next time, Luke, you’re going to run the prep.”
Alien was becoming a small business owner with big responsibilities—a lot like her parents, even if information security was a very different enterprise from selling restaurant supplies or preparing tax returns. When Luke graduated in May 2010, she hired him full-time at the same starting salary she’d received at Los Alamos and issued him a company credit card of the kind Elite Defense never provided her. Alien moved the TSC file server offsite, to a secure colocation facility, and brought in new desks for Gus and Cheryl. A part-time office manager came on to keep the books, handle payroll, and arrange health insurance, duties she had previously split with Cheryl.
Each new commitment was a trade-off: greater capability and more to worry about. And Alien was still feeling her way as the boss of young and spirited people for whom this was their first real work experience, and in an unconventional field that deliberately encouraged them to think outside the box. A particular challenge was drafting the company’s first human resources policy guidelines.
“No icing in the office,” read one of the provisions. “No vacuuming another employee’s lap” was another.
And a third: “‘You’re the Best Around’ may be played a maximum of three times per person, per day.”
In late July, Alien flew the team with her to Vegas and DEF CON, where their ToneDef contest and a related presentation had both made the program. Earlier in the month, the holding company that owned the Riviera had declared bankruptcy, citing diminished guest visits, yet DEF CON attendees again filled the hotel to capacity—and beyond.
“We’re out of rooms,” a harried front-desk clerk told Alien when she tried to check in after Luke, Gus, and Cheryl.
“But I reserved a year ago,” said Alien.
The clerk conferred with her manager. “We can offer you a suite,” he said.
It doesn’t get better than this.
To avoid being hacked by other conference-goers, Alien had told everyone to leave their laptops and smartphones at home and got them “burner phones”—cheap, easily disposable flip phones. In addition, she and Luke carried frequency-hopping spread-spectrum walkie-talkies. “Take the rental car and go with Gus to Whole Foods,” Alien radioed him upon examining the suite’s kitchenette. “Get enough milk, cereal, sandwich stuff, snacks, and drinks for everyone for the weekend. Plus chips and dip.” The entire supermarket bill would be less than one group meal at the hotel.
Afterward, all three employees were to roam the conference, handing out newly printed stickers—“TSC” emblazoned in silver letters above a globe on which was a Charlie’s Angels–style female silhouette, “the ToneDef temptress”—advertising their contest and talk.
“Put these on and pass them out wherever you go,” Alien instructed.
She had come a long way since her first DEF CON visit. Who would have guessed, two years after sleeping in a bathtub, she would have her own suite, with her own staff, thinking of ways to expand the range of her own company?
The four of them gathered that night in the suite to coordinate their plans for the rest of the evening. By now, Alien had changed into black high heels, fishnet stockings, and a puffy black-and-white feathered Cruella de Vil dress with an oversized collar and cuffs. Luke and Gus wore jeans and dark dress shirts, Cheryl a mid-thigh little black dress.
“Have fun and keep an eye on one another,” said Alien. For the first time, it occurred to her that she had taken three young people from small-town Colorado to Sin City.
“Stay safe. If you go off on your own, please call or text someone to say where you are and where you’re going,” Alien continued. “And”—the words that followed could have been uttered by her own mother—“if you have any problems at any time, call me right away.”
Four big pentests awaited the week they got back from Vegas. All required tight turnaround times. At Elite, Alien had used Adderall and Ambien to power through one emergency after another. Now the last of her pills was gone. She wanted to get pregnant, so she hadn’t renewed the prescriptions. She’d even cut down on drinking tea, lest caffeine affect conception. Her employees had to step up.
Alien supervised the interns closely, writing an Nmap script they could feed lists of Internet addresses to scan by client, checking for thousands of potential holes. With this and other custom scripts, she helped Cheryl penetrate a well-advertised insurer’s internal Web server, and Gus avoid the intrusion detection system guarding a Pentagon-funded academic research network. So far, so good.
She looked at the clock. “Don’t forget—you have that social engineering gig soon.”
“Already on it,” Luke said. “We’re meeting in fifteen minutes.”
The contract was for a “spearphishing” test, or customized phishing attack targeting specific high-value employees—in this case, a Northeast power company’s president and vice president. Alien observed as Luke held his prep session, coaching Gus and Cheryl to work separately but simultaneously, trying scenarios similar to what she had practiced in person at Castle Bank headquarters. Then it was go time.
On one side of the interns’ office, Gus called the vice president’s executive assistant, posing as a member of the IT staff. “I’m seeing a lot of bandwidth usage on your computer,” he said. “Is this business usage?” Gus asked imperiously.
“It should be,” the assistant replied. Her voice sounded shaky, though, Alien overheard. The specter of having been caught doing something wrong—exchanging personal messages, shopping online, idly browsing the Web—scared everyone.
“Hmm.” Gus pretended to ponder the situation. “Maybe you have a virus. Let’s see. Can you go to this IT page and download a virus scanner?”
As Gus offered directions to a fake IT website they’d set up, Cheryl, on the other side of the room, was tying up the power company’s real IT help line. Her ploy was pretending to be the executive assistant to the president. “He forgot his password,” she said in a panicked voice. “It needs to be reset right away because he’s in a meeting and he needs it to present.”
Alien watched as Cheryl waited. “My favorite color?” Cheryl said into the phone, repeating IT’s security question to her. On her laptop, Cheryl flicked to the actual executive assistant’s Facebook page, having located it in her preparatory reconnaissance. Social media was a boon to social engineering. First, it was a new, often more informal way to reach people than phone and email. Second, your targets tracked and tagged themselves.
In this case, the executive assistant’s profile showed a plump mid-fifties woman in a purple dress, backgrounded by a field of violets.
“Purple,” Cheryl answered confidently.
She gave Luke a discreet thumbs-up. “Okay . . . ‘Smith3’?” Cheryl asked IT. “With a capital ‘S’ and a ‘3’ at the end? Got it! Thank you!”
Gus and Cheryl hung up at the same time. Alien shook her head, smiling. A hacker could exploit the power company president’s account immediately, stealing files or sending orders under his name. The executive assistant’s account was perfect for a long con, intercepting messages and installing malicious software for months or even years to come.
“G
reat job!” Luke told the interns. “Time to debrief.”
Alien moved to Luke’s desk when he did. Onscreen was the Medusa password-guessing tool, probing a remote access server for one of Southern California’s largest banks.
“ACCOUNT FOUND,” it said. “User: test Password: fuckyou.”
“Classy,” Luke said. They both laughed. Everyone thought hackers were the immature and irresponsible ones, but “fuckyou” and other expletives were incredibly common user passwords, no matter how eminent or prestigious the entity.
“Check the privileges,” said Alien.
Luke logged in. “Root,” he said incredulously.
The insurer. The military research network. The power company. The bank. Millions of people trusted billions of dollars—and their lives and livelihoods—to these institutions. But when it came to computer security, a trained adversary could pwn almost anyone.
Luke entered a directory full of image files. He typed a quick command to open the first ten.
The monitor filled with loan documents and copies of scanned checks.
Alien, acting as a representative of Antidote, prepared to call her contact in California within the next half hour. Every minute that they knew other hackers could get in and they weren’t fixing the problem was a minute the bank could be bleeding both dollars and its clients’ vital data. The possible consequences ranged from embarrassment to ruin.
“Take enough screenshots to illustrate what you accomplished,” she said. “Black out the account numbers and any PII”—personally identifiable information, specific to a single person. “Do it again and document everything. Fast.”
Luke nodded, already moving confidently back through the system. He’d have done the same without her standing next to him, Alien realized. It was a good feeling. A year ago, the guy had been hacking his college professor’s desktop. Now he had the skills to save a bank.
Alien thought as she saw Luke work. He’d come so far. But he could still go further.
“What?” Luke asked, seeing her scrutinize his sneakers, jeans, and untucked shirt.
“Do you have a suit?” Alien asked.
Alien introduced Luke to Bill Rogers. “Call him once a week,” she told Luke. “I’ll handle the other two times.” Together, they talked up TSC taking on challenging and generously compensated on-site gigs for Antidote, on par with any Elite Defense engagement.
In late September, a steakhouse chain with franchises in forty states contracted with Antidote for a security assessment of their Miami headquarters. The next day, Antidote subcontracted with TSC.
DEF CON aside, it was Luke’s first trip outside Colorado.
Alien did all she could to prepare him. “When you get there, introduce yourself and review the schedule and goals for the week,” she told him. “Set clear, conservative, and realistic expectations. And remember: encrypt everything, back it up to the TSC file server at night, and physically remove and store your laptop hard drive in the hotel safe if you leave it behind when you go out to dinner.”
Her parting gift was a mini-screwdriver set to keep with him, a useful good luck charm.
Luke left on an afternoon flight. The following morning, Alien pictured her former intern waking up at his hotel, dressing in his new suit (jet black, black button-down shirt, and bright pink tie), and driving a rental car to the restaurant chain’s corporate offices.
Pride and happy anticipation swept Alien as she drove to work herself. Luke was a smooth talker. People liked him. And by now his technical moves had been practiced time and time again. She knew he’d do great.
All the same, it was impossible to tell him everything. Alien remembered every detail of stepping out of the car with Richard on that first Castle job, and how nothing could have prepared her for the rush of what would follow.
Alien parked. She climbed the stairs to the fifth floor, greeting Gus and Cheryl, who were already vying for Luke’s desk. Alien had barely sat down before she received a text.
Luke.
“r00t dance!” he wrote.
She picked up the phone and called him. “Forty-five minutes,” Alien checked the time. “Nice. How’d you do it?”
“Oh, so easy,” he said. “The default port scans didn’t come up with anything, but the full SYN scans showed open telnet on a weird port. It was the Aloha POS”—the restaurant chain’s point-of-sale system. “I looked up the default admin password, and boom—I was in.”
Luke uploaded photos and screenshots, and then went to work seeing what else he could do on the network. Gus and Cheryl started working on the report by examining what Luke was sending.
“Check this out!” they called to Alien.
Alien looked. The first photo Luke had taken showed a bland beige-walled basement. Down the hall, though, was the bright-red entrance to a full-scale exact replica of every restaurant in the steakhouse chain, installed in corporate headquarters for training and testing purposes. And the photos continued inside.
Each COWBOY CROSSING sign, set of elk antlers, and other décor was the same as in a real restaurant. So was the kitchen, bathroom, employee break room, and every piece of furniture and silverware. And so was the computer network and point-of-sale system.
Luke had pwned both, his notes showed, from a red-cushioned booth.
“Wow,” said Alien quietly. A malevolent hacker emulating Luke from the same seat at any restaurant in the chain could grab the credit card information of every customer.
Antidote sent Luke on other road assignments—one week to one of Washington, D.C.’s most visited museums, the next to a prominent Silicon Valley venture capital fund. “r00t dance!” he texted Alien again, both times within the first hour.
From a public conference room at the museum, he’d plugged into their network, sniffed traffic, and set himself up with administrator credentials. Now, as his screenshots showed and “r00t dance!” proclaimed, he could grab email messages, log every keystroke anyone typed, and access—or destroy—all their files, from payroll records to secret auction notes.
The VC fund was even easier pickings: the usual port scan, combined with a password cracker, gave up confidential records on the financial standing of hundreds of tech companies.
With Luke out of the office, Gus and Cheryl joined forces, pentesting a popular Web hosting service that provided domain name registration and online server space for individual and organizational websites. “Hey—I think I found a directory traversal issue,” one of the interns reported their second day on the project. By default, the hosting service made only the Web pages of each site accessible to a browser. But if you figured out where other files were stored on the server, you could access any document, no login necessary.
Alien watched as Cheryl bypassed the authentication process for one of the hosted sites, an online pharmaceutical service. Gus scanned their records, finding dozens of familiar names. “Oh my God,” he said. “These are all professional athletes.”
Alien knelt beside him, studying the list. She wasn’t a sports fan, but these people were so famous even she knew who they were. In seconds, TSC could search who had a cold and who had herpes, who was playing on a sprained ankle and who was weaning himself from painkillers. Sports fans would find this intel fascinating, and sports gamblers would find it highly profitable.
“Write it up,” said Alien. “No screenshots.”
She walked back to her office to call the client. Alien had stopped being surprised by how easy it was to hack everyone. But rather than exult in TSC’s success, she found it disturbing. She and her team were cracking open important organizations on a daily basis. Almost every time, what they found was a mess: vulnerable systems and leadership unable to tell where their computers were or who was on them even as they ceded ever more control to technology. And the people who relied on those organizations had no idea. Take the professional athletes. Because the ultimate client was the Web hosting provider, it would get an immediate report of its hole. But the online pharmacy would
never know it had been breached. And neither would the pharmacy’s clients—the athletes and others.
Each case was like discovering that all the homes in an entire city had been built on rotten foundations, Alien thought. And the larger dilemma presented by the world’s dependence on the Internet was that there was no safer place to go.
Alien rubbed her stomach protectively. She and Elliot weren’t telling anyone yet, but she was twelve weeks pregnant.
15 / /
Phoning Home
Alien scowled, searching the racks of the pastel-walled maternity shop in the Parkmont mall for business clothes she could wear to work. She liked to dress professionally, and these would be important in any face-to-face meetings and presentations, as with her lawyer, or at a security conference like SCAN. It was January 2011, and she was well into her second trimester. All they had here were jeans with big black stretchy fabric in place of buttons at the waist, and dresses that looked like pink tents.
Alien gave up on the maternity shop, purchasing nothing but a navy blue baby sling, and then crossed the mall to a regular women’s clothing store, where she bought a business-y black skirt three sizes larger than usual. Back in her office, she ordered a nursing pump and Pack ’n Play portable crib online.
What would happen when the baby cried, though? And who was going to pull in work or deal with clients while she was nursing?
She walked next door, where Luke, Gus, and Cheryl sat typing. Alien cleared her throat and waited for all three to look up. “We have to get the business to the point where you can run day-to-day operations without me,” she said.
Luke was the first to respond. “Don’t worry about it,” he assured her. He turned to Gus and Cheryl. “We’re ready, right, guys?” They nodded in agreement.
Alien waited to exhale until she had walked out again.
Before the end of January, Alien rented yet another new space in the building, an office area for herself at the far end of the hall with a view to the east of snow-topped mountains. Its crucial feature was a small adjoining room where her baby could sleep and she would be able to nurse or pump milk in relative privacy.