Book Read Free

Guilty Minds

Page 19

by Joseph Finder


  We’d considered creating a false identity, but backstopping it—largely, seeding the Internet with enough plausible appearances—was time-consuming, and we didn’t have the time. Whereas a billionaire like Simon Troy, seldom photographed and never interviewed, seemed relatively easy to impersonate. Mandy Seeger provided me with a download of what little information on him existed, and I studied it, hard. Dorothy then called the law firm from a spoofed Tulsa phone number to arrange this last-minute meeting.

  “Well, Mr. Norcross was happy to clear some time in his schedule to meet with you.”

  We didn’t talk again as she led me along a corridor to a corner office. A rotund man with a red face and silver hair bounded from behind his desk, his hand extended.

  “A great pleasure to meet you, Mr. Troy. I’m Ash Norcross.”

  I gave him a limp, diffident shake, took note of the keycard clipped to his belt.

  “Can we get you a cup of tea? I understand you don’t drink coffee.”

  “Nothing for me, thanks.”

  “Thanks, Val,” Ashton Norcross said, dismissing his admin. To me he said, “I understand you got my name—”

  “I don’t have a lot of time,” I said languidly. “I have to get back to Capitol Hill. A few senators I need to see.”

  “Well, then, let’s get right to it.” He half-bowed and indicated a seating area with two brocade sofas. I sat, and then he sat across from me. I set down my briefcase to my left, close to him, a few feet away from his keycard. Close enough, I hoped.

  “As you may or may not know, I tend to stay out of politics,” I said. “In any public way, I mean. You won’t find my name on any FEC databases, or at least not in a long while. But I’ve come to believe our republic is under assault.”

  “And so it is, Mr. Troy. And so it is. No argument here. In fact, we at Norcross—”

  “But as you may know, I don’t like to see my name in the paper.”

  “Absolutely.”

  “I stay as low profile as possible.”

  “Understood. You’ve come to the right place.”

  “Now, I’ve had a bad experience with one of our local law firms in Tulsa. Turned out that their security was lax. I want to know what precautions you take.”

  “Well, our security is state-of-the-art.”

  “If I were to become a client, where would you be storing the files you’d keep on me?”

  “Oh, data security is paramount here, Mr. Troy. All digital client files are kept on a partitioned, air-gapped, encrypted server.”

  “What about paper files?”

  “Kept in a separately locked, highly secured strong room.”

  “I’d like to see that.”

  “Certainly. In fact—”

  Someone knocked on Norcross’s open door. I turned. A trim guy around sixty with a thick thatch of gray hair stood there with a stupid grin on his face.

  Ash Norcross waved him in. “Oh, Jeff, come on in, let me introduce you to Simon Troy. Simon, this is Jeff Winik, one of our partners and a fellow Stanford grad.”

  Winik strode toward me, gave me a firm handshake, and said, “You were Stanford ’79, right?”

  I nodded.

  “I was Stanford ’80!”

  “Oh yeah?” I said, smiling blandly as my stomach plummeted.

  He went on: “Where’d you live freshman year?”

  I regarded him for a few seconds. He wasn’t challenging me, trying to determine whether I was really Simon Troy. He was genuinely attempting to bond.

  It was not credible that “Simon Troy” would have forgotten where he lived freshman year in college. Several long seconds went by while I frantically grappled for an answer. A bead of sweat trickled down the back of my neck into my shirt collar.

  Finally I said, “Larkin.” The name suddenly popped into my head after the hours I’d spent cramming, poring over the Simon Troy dossier that Mandy had assembled for me.

  “Oh yeah? I was in Branner!”

  “Well, nice to meet you,” I said, but Winik was not done with me.

  “But then I got a bad lottery number,” he went on, “and I ended up in the trailer park.”

  “Huh,” I said. I had no idea what he was talking about. Trailer park?

  “Ever used to hang out at the O?” he said.

  The O? What was that, a bar? The freshman union? I took a flyer and said, “I sort of kept to myself. I didn’t really hang out.” An all-purpose answer, but it seemed to satisfy him.

  “Well, Mr. Troy doesn’t have much time,” Norcross said, blessedly cutting the conversation short. “He wants to see the strong room.”

  52

  About an hour later I was back at the hotel. The dining table was covered with electronic equipment—cables and wires and little black boxes and white plastic cards and such. I set down the briefcase I’d brought into Norcross and McKenna.

  “How’d it go?” Dorothy asked.

  I shrugged. “Fine.”

  “No problem?”

  “No problem.”

  “You get the briefcase close enough to a keycard?”

  “I think so.”

  “Let’s see what you got.”

  —

  The day before, Mandy had made her own undercover visit to the same law firm.

  She’d entered the building where the firm was located with the morning rush, tailgating on someone who was entering. She took the elevator to the fourth floor and briefly stood outside the firm’s glass doors and took pictures with her smartphone, as subtly as she could, of the little black box mounted on the wall next to the glass doors.

  Then she went right in to the firm’s offices and told the receptionist that she lived just down the street and was looking for temp work, and asked what agency they used to hire their temps. She spun a story about having a young child at home and needing to find work in the neighborhood. The receptionist gave her the name of an employment agency but apologized that there was nothing available at the time, so far as she knew. Mandy thanked her, and that was that.

  Now Dorothy examined the photos on Mandy’s phone.

  “Okay,” she said, “this is good. They’re using an HID system like just about everyone else uses. Almost certainly a low frequency 125 kilohertz system. Like eighty percent of the keycard users in the world.”

  “Why is this good?” I asked. When it comes to technology, I long ago stopped worrying about sounding stupid. I ask, and Dorothy explains. This kind of technology is her forte. She enjoys being smarter than me, and I don’t mind it a bit.

  “Because a couple years ago there was an interesting talk at Black Hat USA about how to defeat it.”

  “How involved is this? You think we should bring in Merlin?”

  Merlin’s real name was Walter McGeorge, an old army buddy who’d been a commo sergeant on my Special Forces team and later became a TSCM specialist, an expert in technical surveillance. He lived in the area, in Maryland. When I lived in DC I used to bring him in frequently to help me on jobs.

  “You don’t need Merlin for this,” she said. “I promise. I can set it all up for you myself. Plug-and-play. Easy.” She tapped at her laptop. “Here we go.” She turned her laptop’s display toward me. It was an eBay page with a lot of listings, pictures of what looked like square boxes.

  I recognized them. They were proximity readers, also known as badge readers. They’ve become ubiquitous in the corporate world. They’re the little black boxes mounted next to office doors at which you wave your plastic keycard to gain entry. You also see bigger versions of prox readers at the entrances and exits to parking garages. They allow drivers who have the right keycard to pass right through.

  “I know what a prox reader is,” I said, “but I don’t see how that gets us in.”

  “Okay. I buy one of these long-range RFID readers and d
o a trivial amount of futzing around to weaponize it. Stick in a PCB, a circuit board, and twelve double-A batteries. Like that. This thing can read a badge from three feet away, normally. So pay a visit to Norcross and McKenna, and you bring it in, in a backpack or briefcase, and just make sure to be within three feet of someone who’s got a badge around her neck or on his belt.”

  “Then what?”

  “You don’t need to know how it works. It’ll read any Wiegand protocol card that gets close enough. It captures the data on the keycard. When you get back here, I download the data and write it to a blank keycard, and that’s all she wrote. We’ve cloned the key to their front door.”

  “Hold on,” I said. “Those things beep when they read a card. Am I going to be beeping audibly whenever I get near someone’s keycard?”

  She smiled. “You do think ahead. Good question, and thanks for mentioning it.”

  I shrugged. “Just another accidental flash of brilliance.”

  “I’ll toggle a dipswitch in the thing to turn off the beep sound. Anything else?”

  “Foolproof?”

  “Well, idiot-proof. You should be okay.”

  She placed an order through eBay with a company in South Carolina and one in Eagle Mountain, Utah, and requested overnight shipping, and the next day several large boxes arrived at the hotel, and we were in business.

  53

  Now, Dorothy took the briefcase, unzipped it, and pulled out the badge reader. It was about a foot square by an inch thick. It was a long-range 125 kilohertz MaxiProx proximity card reader manufactured by the HID Corporation, the Texas-based company that makes most of the keycards and readers used in corporations around the world.

  She turned the thumbscrew on top of the box and removed the front cover. She popped out the micro SD card and stuck it in her laptop.

  She blinked a few times. Then she smiled. “You captured four separate cards.”

  “The receptionist, the partner—Ashton Norcross—and probably a couple of employees I was next to in the elevator on my way out,” I said.

  She nodded. “I don’t know if there are levels of access, but Norcross is a partner, and he’ll no doubt have the highest level. We’ll clone his.”

  Dorothy and I went through everything I’d observed on my visit to the firm—the placement of the CCTV cameras, which areas appeared to be separately locked, and what kind of security protected the vault, which they called a strong room. “The vault is locked separately with a Kaba Simplex mechanical push-button lock,” I said.

  “Know anything about them?”

  “Come on. This is why I want Merlin now. It’s at least a two-man job.”

  She shrugged. “Okay. Now here’s an extremely cool piece of hardware called a Rubber Ducky.” She handed me something that looked like a thumb drive.

  “A Rubber Ducky.”

  “Correct. I know it sounds silly, but it’s dead serious. You plug this into the USB port of any of their computers and it goes to work.”

  “I’m going to need you to come along and help me deal with this thing.”

  “That’s the beauty part, Nick. It’s fire-and-forget.”

  “What happens when I plug it in and some antivirus program comes up? Which is likely.”

  “Someone’s been paying attention in class. But that’s not going to happen. This is configured to be an HID, a human interface device, like a mouse or a keyboard. The computer will detect that it’s an HID and trust it.”

  “Okay. So I plug it in—then what?”

  “It immediately injects code at a thousand characters a minute. It creates a shell on the network, and pretty soon it’ll give us root-level access. It runs something called Metasploit that looks for weaknesses in the software. It creates a username and password. And then . . . I’ll be able to get onto the Norcross and McKenna server from here.”

  I picked it up, toyed with it, and put it down. “If you’re right, this really is cool. Just plug-and-play, huh?”

  “Well, I’ve got to do a bunch of programming on it this afternoon to deploy the payload. But it will be.”

  —

  Merlin—I never called him Walter—was short, maybe five feet seven, and lean. His physical type was surprisingly common in the Special Forces. He had a black buzz cut with some gray starting to move in, a pushed-back porcine nose, and a thin black mustache. The vertical lines carved into his forehead between his eyes made him look angry.

  He had no family, as far as I knew, and one singular devotion: sport fishing. He lived in Dunkirk and kept a boat in the Harbour Cove Marina, in Deale, and was always out on the water. I reached him onshore, though, and told him about the job. It was a simple black-bag job of the sort he and I had worked several times before. I offered him a couple thousand bucks, double if we encountered any surprises, and he quickly agreed. His TSCM business was slow, and evenings he was never busy.

  In the afternoon I did a bunch of errands, picking up everything we could possibly need. We rendezvoused at a dive bar in a strip mall in Leesburg around midnight. He’d chosen it because it had a separately ventilated smoking section, which was permitted because of some loophole in Virginia law. Neither one of us had anything alcoholic to drink; wanting to keep sharp for the job, we both had Cokes. We sat at a booth. He smoked continuously.

  I showed him the Halloween masks I’d picked up from a costume store, transparent masks, one of a young man, one of an old man. They both transformed our appearances, made us unrecognizable. Merlin insisted on wearing the young mask. In the bar’s restroom we changed into the navy polo shirts with the Compuservice logo on the left. I had toolboxes for each of us to carry in.

  This was the part of a black-bag job that always jazzed me: the preparations, thinking of every eventuality, everything that might go sideways. The high-wire tension. Assembling equipment, making lists, making sure that if we were caught, we’d have a way out.

  But you can’t ensure everything. Things go wrong.

  Shit happens.

  54

  It was a few minutes after two o’clock in the morning. The parking lot was dark and almost empty. A cold wind whipped our faces. The only lights on in the building, as far as I could see, were in the lobby, where a lone security guard sat at a counter and probably was browsing aimlessly on the Internet.

  The front door to the building was unlocked. We passed the guard, and I said, “Good evening, or is it good morning?”

  The guard smiled and gave us a sort of salute. We were confident, we knew where we were going, and we looked like we belonged. He probably assumed we were computer nerds coming to solve some middle-of-the-night crisis. We headed for the elevators. That was the limit of building security. Easy.

  We got off the elevator on the fourth floor. The hall was dimly lit. We quickly came upon the entrance to Norcross and McKenna. The glass doors were dark. Apparently no one was inside. That had been a worry of mine: Lawyers often work very long hours. At midnight I wouldn’t have been surprised to find someone toiling there, a lone beleaguered partner, even several associates. At two in the morning, there was less chance of encountering someone.

  I pulled our masks out of my toolkit and handed the young man one to Merlin. I put on the old man mask. I’d noticed earlier that there was a CCTV camera just inside the glass doors, pointed at the entrance. From now on we were being photographed. Our ball caps and masks made it impossible for the cameras to record our likenesses.

  I waved my cloned keycard up to the card reader, a little black box mounted to the wall next to the glass doors. I bit my lip.

  The little light switched from red to green and it beeped. I pushed the door and it came right open.

  Until that moment, when something relaxed inside me, I hadn’t been aware of how clenched with anxiety I’d been.

  There was low-level emergency lighting here in the office, just like in the
hallway, so although it was dim, there was just enough light to make our way. I knew where I was going.

  I led Merlin through twisting corridors to the strong room. The door appeared to be wooden, mahogany, like all the other doors in the firm, but I knew that it was actually a sandwich of wood over several inches of high-grade steel. This was not a room you could slip into through the air-conditioning ducts and the ceiling tiles. There was no dropped ceiling. The wall, floor, and ceiling were reinforced concrete, Norcross had told me proudly, eight inches thick. Not only was the room fireproof, but it was protected against intrusion.

  Merlin knocked on the door a few times and chuckled at its dead sound. He glanced at the steel lever attached to the Simplex lock, a vertical row of five steel buttons. He nodded and ran his fingers down the buttons. It was a familiar lock, the sort of thing you see inside all sorts of businesses, including jewelry stores and watch shops and casinos. FedEx uses them to secure their drop boxes.

  “You start working on this,” I told him. “I’ll head over to Norcross’s office.”

  “Don’t go anywhere,” Merlin said. “This shouldn’t take more than a few seconds.”

  He unlatched his toolbox and pulled out a small cloth bag. From the bag he drew an oblong block of metal about two inches by three inches. “Watch,” he said. He placed the shiny metal block on the side of the Simplex lock. Then he grabbed the lever and tried to turn it. Nothing happened.

  “Shit,” he said. “They fixed it.”

  “What are you doing?”

  “This is a rare-earth magnet. Neodymium. A couple of years ago some security expert figured out that if you put one of these next to the Simplex lock, it messes with the combination chamber and unlocks it right away.”

  “Doesn’t look like it’s doing anything.”

  “Yeah. They must have upgraded to one that uses a non-ferrous metal inside. Oh, crap. That would have been too easy, wouldn’t it?”

  “Now what?”

 

‹ Prev