“Of course they have TLS. I have to spoof that. So, I show you. I get certificate from Trustnode. Not direct, but someone I know, he buys one, then gives to an Israeli friend, who gives to another Israeli friend, who gives to me.”
The screen image changed to a screenshot for the certificate authority’s Verisign certificate.
“Nice,” said Morris.
“Now Kohler makes his reservation. He types in all his information, credit card, everything else, thinking this is TLS-protected, but he doesn’t know it’s me. I show you.”
Shimansky brought up more screenshots that showed the capture of Kohler’s basic data, name, address, credit card number, security code.
“So you went phishing, without phishing.”
“You got it, Mr. Birkman. I have all his information. And also, because I own the proxy server, I know the IP address that Herr Kohler is coming from. He shouldn’t be using his company computer to make his personal ski reservations, but, you know, he is like most people, so he does.”
“Got it,” said Morris.
“I even ask Kohler for a password for the charter flight reservation. Because I know maybe he uses the same password multiple times. People shouldn’t, but they do.”
“People are stupid,” said Morris, with a wink that was barely visible behind his oversized glasses. He had already decided to hire the Israeli kid, but he wanted to see the rest of his demo.
“Yes, this is a useful and true fact, Mr. Birkman. So now I have his password, too. His bank is small, so it doesn’t use two-factor authentication, but only static passwords for remote access. And it has stupid employees, who use the same password everywhere. So what do I do now? I go to the Bank Gstaad site and pretend that I am him.”
Shimansky typed some more, and the monitor displayed the Bank Gstaad employee’s screen, in real time. The Israeli typed in the username and password he had stolen from Kohler, and he was in the system, seeing a display of the bank’s proprietary information.
“I am lucky. I see what the bank vice president sees. Here, I show you, these are the numbered accounts that Herr Kohler manages.”
A series of numbers came up on the screen, followed by some large amounts in Swiss francs. All were over ten million; some were over one hundred million.
“But there is a problem,” said the Israeli in a sly voice. “I know the numbers, but I do not know who they belong to. How do I fix that?”
“You tell me,” said Morris.
“Easy. The URL of the bank’s public website is gstaadbank.com.ch. Here it is.”
Shimansky typed in the firm’s Web address and the monitor displayed the client-friendly interface of its website, with the white of the Alps and the blue sky as a background behind the basic information.
“So the bank’s customers come to this site all the time, to check their accounts. They shouldn’t do it, I know, but they do. Okay, so I use a cache version of the real Gstaad site to build a proxy that looks just the same, exactly the same, except that the URL of mine is one letter off. So the address of my dummy site is gstasdbank.com.ch. Here is what it looks like.”
He typed in gstasdbank.com.ch, one mistyped letter, an s instead of an a, an easy mistake to make, and sure enough, up came a site that looked identical to the one before. Like the real site, it asked clients to register the usernames and passwords to get information about their accounts.
“God bless ‘fat fingers,’” said Morris.
“Yes, and I can tell you, Mr. Birkman, that rich people’s fingers are pretty fat. So when they go to the Gstaad site, sometimes they mean to hit that second a but they miss it and hit the s that is next to it. And so they are at my site, and not the bank’s. Here, like I show you.”
On the monitors was a screenshot of a customer’s completed sign-in, with username and password typed to access the site.
“When they go to look at their money, the site crashes, what a pain this is, so maybe they go back again, but this time, they hit the right letters, the a and not the s, and they are back at Bank Gstaad for real, but it’s okay for me, because I have their username and password, and also, I have their IP address.”
The Israeli displayed the IP address information for the Bank Gstaad customer he had most recently hacked.
“So if I do a little detective work on this IP address, I can see that it belongs to Mr. Alireza Najafi-pur, who does his commercial banking through Dubai . . .”
Shimansky typed some commands, and the screen displayed the IP address of a Dubai branch of a global commercial bank.
“. . . but who really lives in Tehran.’’
The Israeli typed again, and now the screen displayed the image of a simple commercial website written mostly in Farsi, but an English-language address visible in the upper left-hand corner that showed the firm in question was a food-distributing company based at 3 Dr. Bahonar Street, off Bahonar Square, in the Niavaran district of Tehran.
“So now I know something, eh?” said Shimansky.
“Yes, you do,” agreed Morris.
“But you see, this is really only the beginning of how I can make mischief. Because I can inject SQL into the system of the bank and the accounts of the users, too. And then I really begin to know some things.”
A few more clicks on the keyboard, and Shimansky showed the rudiments of an attack using Structured Query Language that is injected into a database and then can read, write, delete or modify data stored there.
“So this is what I do,” said the Israeli. “And you just watched me do it, so you know this is no bullshit. If your clients need, what, protection against this, okay, I am ready.”
“Roger that,” said Morris. “We’d like to offer you a fellowship. No bullshit.”
“So now I ask again, how much, please.”
“That depends. Our research fellowships begin at a hundred fifty thousand dollars annually. With bonuses, that can go higher. This is for exclusive work. No freelancing.”
“I can make this much at a bank. No way. I stay unemployed, I make more money.”
“Maybe, but you have visa problems.”
“You solve them?”
“Of course. Our institute has many friends here in the UK.”
“Okay, very nice, but a hundred fifty thousand still is not enough. Sorry.”
“Let me ask you a question that might affect how much we can offer you. Did you ever work for Unit 8200 when you were in the Israeli army?”
“What are you? An Israeli spy?”
“Maybe,” said Morris. “But answer my question. Were you in 8200? Did you do any cyber-work when you were in the army?”
“Sure. Of course I did. What you think they would do with someone like me? Turn me into a paratrooper? I have trouble taking a walk on the beach in Tel Aviv with my shirt off, too many people laugh at me.”
“I won’t ask you what you did for 8200, but I take it you know your way around classified cyber.”
“Who’s asking? China?”
“No, me. Hubert Birkman.”
“Yeah, sure. I know my way around lots of things.”
Morris wrote a number down on a piece of paper and passed it to Dr. Li, who had been silent throughout the interview. The Chinese man pursed his lips.
“Could you excuse us for a minute?” said Morris, motioning for Dr. Li to join him in the hall. The Israeli resumed fidgeting.
Morris returned thirty seconds later, with the Chinese man who was his nominal boss.
“Dr. Li has authorized me to make an unusual offer to you. We are prepared to pay two hundred fifty thousand as an annual research stipend, plus full use of the computer lab here, plus bonuses for any unusual penetration work, such as zero-day exploits, to reflect the value they would have in the marketplace. Plus we will take care of your visa problem, and find you housing here in the Cambridge area. How does that sound?”
“Pretty fucking great, actually.”
The Israeli was finally smiling, dropping his cynical ex-junkie hacke
r pose as he contemplated all that money and, for once, a hassle-free lifestyle.
“We need you to start work right away, and we want to focus you on large banks; very large banks. Are you cool with that?”
“Why not?” he said, trying to sound unimpressed.
“Okay,” said Morris, shaking Shimansky’s hand. “We have a deal. You ready to sign the contract and nondisclosure agreement?”
“Whatever,” said the Israeli.
Morris pushed a four-page agreement across the desk. It was marked with the letterhead One World, which was one of the cover names Morris was using for his project. Dr. Li got up and left the room.
“Initial each page at the bottom and sign the last page where the red sticker is,” said Morris coolly.
Shimansky began reading the document.
“Don’t try,” said Morris. “It’s all legal bullshit. You won’t understand it, believe me, and I don’t have time. Just initial and sign.”
The Israeli shrugged. He signed as instructed and pushed the paper back to Morris.
The young American’s face and posture changed. The slouch was gone, and so was his lackadaisical manner.
“Welcome to my world, Mr. Shimansky. This is a legally binding document in the United Kingdom and everywhere else that has a legal system. It says that if there are any disputes, they will be arbitrated by a mediator of our choosing. It also includes a nondisclosure agreement that holds you responsible, with unlimited liability for damages, if any warranties are breached. If you say or do anything we feel violates this contract, we can take you to court.”
“What kind of agreement is that?” asked Shimansky.
“My kind, your kind, it doesn’t matter, because you just signed it.”
The Israeli glowered at Morris. He didn’t like to be manipulated so crassly.
“So I can leave,” he said.
“Try it,” said Morris. “Be my guest.”
Shimansky rose and opened the door of the interview room. An armed guard was standing in the hallway. The Israeli tried to pass but the guard pushed him back into the room and down into the chair he had just vacated.
“We’re going to be friends, honest,” said Morris. “You’ll like the work. But don’t try that again.”
“What is the work?” asked the Israeli. “And please, Mr. Birkman, no more bullshit about your clients.”
Morris smiled. He took off his wig, which was itchy, revealing his short brush of hair.
“I’m glad you asked that, Yoav. How would you like to hack a bank with me and some of my pals: the biggest goddamn bank in the world? How would you like to take money out of one account and put it into another? How would you like to make debtors become solvent at the push of an ‘enter’ key? Does that appeal to your sense of mischief? Nu?”
The Israeli cocked his head. What hacker wouldn’t want a challenge like that? It was like asking a bank robber if he wanted to take down Fort Knox.
“You pay me, like you said, and I’m in.”
“Attaboy. I knew I would like you. So let me explain a few things about what we have in mind.”
Morris laid out his scheme. Even Yoav Shimansky, a man who made it a point never to show his emotions, could not help but be impressed.
23
CAMBRIDGE, ENGLAND
James Morris had vanished. He wasn’t answering his phones and he was ignoring all electronic messages. His location was concealed from his CIA colleagues, and even from the staff who worked for him in the joint NSA cover office in Denver. He had given his contact information in East Anglia to only one person. So Morris knew that it could only be that very particular friend who left an unsigned letter for him with the receptionist downstairs at the Fudan–East Anglia Research Centre. The note read: Meet me at 5:00 at The Silver Locket. The handwriting was distinctive, small letters, sharply formed, branching like spindly roots.
When Morris received the note, it was nearly four-thirty. He told Dr. Li to delay the last interview; he needed to take a walk and would be back as soon as he could. It was dusk when Morris set out, and in the low light the fields were plush green and the furrows and hedgerows a deep velvet. He walked quickly toward the pub on the outskirts of the little town. Morris passed the memorial to Rupert Brooke, the World War I poet who had made the village modestly famous. Morris didn’t care about poetry. The only poems he could remember liking had been generated by an AI program he’d created when he was at Stanford: You typed in the theme, say love, and the names of the characters, the setting and a metric scheme, and out came a poem.
Morris went into the Silver Locket and asked the barman for a pint of lager. It took a few moments before his eyes adjusted to the light. Then he saw Ramona Kyle, sitting at a table in the corner. She was drinking a glass of fruit juice. Morris sat down beside her. She was wearing a wool sweater with a crew neck, the kind that teenage boys wear in prep school. Her red curls were tied in a tight ponytail. She closed her eyes and formed a kiss with her lips, without touching him. He smiled.
“Hey, you,” he said. “What’s up?”
“I was in England seeing some people, and I got worried about you. I thought you might be lonely.”
“Me? No way. I hate people. I like being alone.”
Kyle smiled. She looked to the other tables. The pub was beginning to fill with people coming in after work.
“That’s my man,” she murmured. She put a finger to her lips for quiet.
“Seriously,” he whispered, “why did you come? I’m okay. Nobody knows I’m here. I want to keep it that way.”
“The truth?”
“Always.”
“I was afraid you might be getting cold feet. I wanted to check your temperature.”
“I’m chill. I’m recruiting my last engineers now. This is going to be the hack of the century. Don’t be nervous about me, K. I’m all in.”
“Good. You have to move soon. The heat is on the Independent again after that story. Eventually it will be on you.”
Morris’s face lost what little color it had. He licked his lips, which had suddenly gone dry. He leaned toward her and spoke in her ear.
“Did you plant that?”
“Don’t ask,” she said. “That’s our deal.”
He took his beer and drained the glass.
“I don’t care anymore. Let’s blow it all up.”
“Shhh!” she said, her finger to her lips again. “You need to be careful, Jimmy.”
“I am. That’s why I’m here. You’re the one who broke security.”
“There’s someone I want you to meet,” she said, very quietly now. “That’s the other reason I came.”
“I’m not meeting people now.”
“He’s over there.” She looked across the lounge to a muscular young man in a blue blazer and a purple and white college scarf. Morris followed her eyes. The other man looked like a Cambridge undergraduate, almost. He nodded. He’d seen Ramona before, in a desolate park in Maryland.
“His name is Roger. At least that’s his work name. When I get up, he’s going to come over here and introduce himself.”
“What if I don’t want to meet him? I told you, I don’t like people.”
“Not an option. But you’ll appreciate him. He can help.”
Ramona Kyle finished the last of her fruit juice and donned a raincoat over her sweater. She leaned toward Morris.
“I am so proud of you,” she said. “Most people do nothing. You’re doing everything.”
She walked away. The front of the bar was full now; she disappeared into a knot of people before she reached the door.
The young man in the scarf came over and sat down next to Morris, where Ramona had been. Someone watching them would have guessed it was a gay pickup. He was carrying a paperback book on “Scala,” a new high-level programming language.
“How are you doing, man?” he began. There was a slight accent in his voice. Morris couldn’t place it, but it was east of Germany. “I’m Roger. Can I buy
you a beer?”
“I have to go,” said Morris. “I have an appointment.”
“No problem, man.” He put his hand on Morris’s knee. Morris was startled, but he didn’t move.
“When you get up to go, take the book with you.”
“I have plenty to read,” said Morris.
“Take the book,” whispered the man. “It has some information that will be helpful for you. It also has the time and place of our next meeting.”
Roger stared into Morris’s eyes. He was a powerful person, handsome, but more than that. He had an operative’s way of subtly establishing rapport and control at once,
Morris removed the man’s hand from his leg and stood up. “I’ll think about it,” he said. He turned and walked toward the door. Under his arm was the Scala book.
Dr. Li was waiting just inside the door when Morris returned to the office. He was looking at his watch. It was after six. The five-thirty appointment had already arrived, with annoying punctuality. Morris muttered an apology. He went upstairs and locked Roger’s book in his safe. He wanted to lock himself away, too, but it was too late for that. The time for deliberating or holding back had passed, he wasn’t sure when, but the opportunity to withdraw was gone. Now he had to execute.
The last appointment was a Chinese research student named Bo Guafeng. Dr. Li had found him through a friend who was a fellow of Girton College, where Bo was a research student. Dr. Li learned that he was from Wuhan in the interior, which probably meant that he wasn’t from a rich family and needed money. He was proficient in computer science, and he had something of a reputation as a hacker. Within the Chinese student community, he was known as a rebel who wore his hair long and dressed in a leather jacket.
Can be controlled, wrote Dr. Li on the margin of the young man’s résumé.
Morris nodded. He was trying to pay attention, but he was distracted.
Young Mr. Bo was wearing a black gabardine suit with his hair trussed in a ponytail. From the moment he shook Morris’s hand, it was obvious that he was trying hard to appear to be a diligent student, as opposed to his natural demeanor of mildly antisocial rebellion. That was precisely the wrong strategy to adopt for a meeting with Morris, but there was no way for the Chinese student to know that, and enough bits of maladapted behavior showed through to make him a believable hacker.
The Director: A Novel Page 21