An Inconsequential Murder
The Forensics people were still working on the vehicle when he had left the reservoir shore. They would surely turn up some valuable evidence, but now he didn’t need any of it to understand what had happened there.
When Lombardo had arrived on the scene he had walked around until he had found the spot where it was most likely that they had put Victor into the water. It was a curved depression in the reservoir’s edge that was about 20 meters from the car. The trees and tall reeds that grew along the shore would have hidden Victor and his torturers from the view of anyone strolling or fishing around the dam itself or from anyone driving along the road that ran along the edge of the reservoir.
Lombardo had walked along the edge of the depression and looked into the shallow water, which was transparent under the afternoon sun. He had seen the remnants of charcoal, some bones, and trash people had thrown in the water after broiling meat perhaps for a picnic. Nearby he had found signs of a campfire and empty beer bottles. Yes, his instincts told him, this was the place where they had killed Victor.
Some Sunday, in the late afternoon, perhaps after a picnic, or some warm summer night when someone had spent a night fishing from the spot, charcoal ash from a fire had been dumped or swept into the edge of the reservoir where it had lain, waiting for the young man’s head to be dunked into the muddy water, waiting for it to be aspirated as bits of charcoal and flakes of ashes into the lungs of the unlucky Victor.
There, in that lonely stretch of road, called La Cortina because it passed by the cement “curtain” that was the dam, they had dragged him out of their car and beat him; then, when he had lost consciousness, they had put his head into the water. The cold water had revived him; but, startled, he had opened his mouth to breathe, perhaps to scream, and he had sucked both dirty water and the small wad of paper down into his trachea.
The darkness probably hid from his abductors his desperate eyes and spasms of choking. When they guessed what was happening to him, they might have tried to help him, but not knowing about the paper, their efforts to revive him had been futile; they were unable to prevent his death.
“These damned gringos were not only incompetent bastards,” Lombardo said to himself, “they had badly misjudged Victor.” They thought that with a bit of roughening up he would crack, but he had resisted to the point where the blows had become violent enough to make him lose consciousness.
Lombardo had seen this before in Viet Nam—the interrogators, frustrated at the resistance of a prisoner, becoming extremely violent and the punishment reaching a point so severe that it had nothing to do with gaining information or intelligence anymore. It was just an outpouring of frustration, hatred, and rage that turned the interrogator into something inhuman whose only purpose now was to tear the victim apart.
These “methods of coercion” had always been like that. Whether in Mexico in the sixties, in Argentina in the seventies, in Chile, in China, in every country where there has been a repressive regime. The last resort of such a regime has always been indiscriminate violence. It is the human condition: despise the “other” so he has less value as a human being. Call him or her a terrorist, a communist, an enemy of the people, a subversive, a capitalist pig—anything to justify the illegal incarceration, the torture, the wanton murders. There’s not much difference between the Turks who killed Armenians, the guards in Auschwitz, the Argentinean secret police, Pinochet’s interrogators, or that woman in Abu Ghraib. Now we have a brand-new reason for wholesale slaughter: the billions of dollars to be made from illegal drugs. We have learned nothing in the last 100 years.
The damned politicians who let loose these beasts on the population or their own country or, indeed, on the world, always justified the unjustifiable by claiming that they were saving democracy, the party, the country, the something or other. They claimed to be heroes fighting the monster—until someone held up a mirror and they saw in the reflection that the only monster was them. Now the ambition and lust for power of the politicians is being matched by the ambition and lust for power of the Cartel chiefs. As usual, the population is caught in between, ground to a pulp by the struggle. “We’re really in fucking trouble now,” said Lombardo.
As the police car left the highway and joined the traffic in the city, Lombardo called David López:
“David? This is Captain Lombardo. I left you a message earlier about coming to see you. Yes, I am on my way to the University. (pause). Well, I am sorry if you are busy but this is very important. We are on Garza Sada Avenue, just about to enter Lázaro Cárdenas so it will take us about half an hour to get there. Please wait for me, ok?”
As the police car sped into the overpass that led to Lázaro Cárdenas Avenue, Lombardo reread the notes he had made with Lupe about what the encryption keys might be guarding. It was obvious that the information was not Victor’s alone; he had been working for the Dean, at least the paper the widow had given Lombardo pointed to that. But, what could the Dean have that the three foreigners wanted? What was so important to them that they killed Victor for it?
After he had a look at the contents of the information, he would have to have a serious talk with the Dean, but he must get to the information first before the Dean or someone else destroyed it.
Lombardo had the feeling that David might be working for someone other than the University, too. He might have been the one that alerted Victor’s abductors that the information was being encrypted. If that was true, the bastard was probably aware that his snitching had been responsible for Victor’s death. But that was irrelevant now. Going after David was a waste of time. Lombardo needed his help to understand what Victor had been doing on the last day of his life and to find out what was inside the files or documents Victor had encrypted.
Once he reached the University Computer Center, he barged into the waiting room, grabbed a visitor’s card from the startled receptionist, and went straight to where David was.
David blinked, surprised at seeing Lombardo bursting into his office. Without a word, Lombardo put the keys on the desk then he sat down and said, “I know that these are the keys that Victor used to encrypt and decrypt some files. I know those files are somewhere in the labyrinth of computers in this Center, and I also know that there must be logs somewhere that could tell us what Victor was doing that last night. What I want from you is, one, to get the damned logs and tell me what he was doing, and two, to find the files, decrypt them and tell me what’s inside.”
David started to complain that if there were such files or information they were the private property of the University and that he did not have the authorization to show them to anyone without the proper permission from the Center’s director.
“Look, David,” Lombardo said in a quiet voice that in spite of its low volume still carried a lot of threat, “I have no time for this bullshit. You either give me what I want or I will drag you down to the police car that is waiting for me and take you to the Public Ministry building and jail you for obstructing an investigation and then find you suspicious of five or ten more things; it would take your lawyers five years to prove you are innocent of any of the charges. But I promise you that you would spend every minute of that time behind bars. So, you tell me how we’re going to proceed here.”
“OK, OK, what do you want to see?”
“Do you know where the files are—the ones he was working on that night?”
“Not exactly, but I have an idea. Let’s start with the logs as you suggested.”
As Lupe had explained, logs record a lot of things—events, as computer people call them. The amount of events recorded is huge in an organization the size of the University which has so many computers online. The log entries themselves are almost unintelligible to anyone outside of the systems management profession. Agents (little programs on the lookout for what’s going on in the computers and networks of an organization) send out brief, abbreviated reports related to specific events. These little reports are recorded into a file, which becomes a log of events. Each agent has a specific task: one watches file activity, another watches user activity, and so on.
There are a lot of different logs indeed, and many of them have to do with security. These are the first that David started to read, but they were so complicated that he called someone whose job is specifically to manage the logs.
When the logs manager showed up, he said that the problem would be to ascertain the time slot we wanted and the kind of activity in which we were interested.
Lombardo gave him the date and the time: “I’m interested in what Victor Delgado was doing between 10 p.m. and 1:30 in the morning the day he was murdered.”
Lombardo knew from the surveillance recordings that Victor had left an hour and a half after midnight; and the amount of those strange cigarettes told him that the killers had waited for him at least a couple of hours. Someone, perhaps David, had told them he was working late; or perhaps they had been watching him for some time and knew he would be working until the early morning hours. In any case, Victor had had a good reason for not going home at the usual time, skipping his dinner, and working until past midnight. Lombardo wanted to know what was so urgent that it had kept him there working so feverishly.
The engineer that managed the logs was so small and frail that he seemed more a child than a young man. His hair grew so far down his brow that it covered the top half of his glasses; he had to constantly brush it aside. He sniffed and constantly flicked his hair away from his eyes as he explained that log files are a problem because there are many sources. Not only did they get information from agents, but also from system programs, and even computer hardware, which generates log entries with different types of information in varying formats.
“So, to start looking for what you want,” said the waif-like kid, “we’ll look first at the authentication logs.” Authentication servers, he explained, log the time and location of the person logging into a system or network. Programs that are in charge of looking out for intrusions and unauthorized entry keep a close watch on logins and record the activity of every user.
After a moment of peering at his screen and scrolling through what seemed like gibberish, the log manager stared at something and said, “It seems that Victor was logging into and out of several machines; yes, he seems to have done this constantly, as if he was.…”
He turned to a laptop that he had set up next to David’s computer. “Let me look at something else,” he said.
After a moment, he said to David, “It seems as though he was chasing after someone who was telneting into your machines. See how his login appears every time after this one? He logs in just a minute or two after this other guy.”
“Telneting?” asked Lombardo. “Do you mean someone was logging into University computers from a remote machine? Someone from outside the University?”
“Yup,” said the little guy.
David rolled his chair over to have a closer look at the screen. “But that’s impossible! Those ports are supposed to be closed.”
“Well, somebody enabled them,” said the little guy. “Let me see something else.” He clicked and clacked on his keyboard and then said, “And then, he quarantined a computer.”
David seemed astounded that all of this had been going on. Either he really was surprised or he was a good actor.
Lombardo asked, “What do you mean by quarantined?”
The little guy explained: “There are programs that check computers to see if they can be trusted, that is, that they haven’t been compromised, before they are allowed to communicate with other computers in the network. If there is a doubt about their reliability or security, they are quarantined; that is, they are not allowed to join the network.”
The little engineer further explained that such computers are put into a “VLAN”—a virtual network. Since the programs or servers that do this job log everything they do, including the checks they performed and the reasons they quarantined a machine, the log manager showed us that the machine had been separated from the network because it was considered compromised by intruders.
“But, how come we never got any alerts about all this?” asked the astonished David.
“It’s very simple,” said the log manager, “Victor lowered the priority of those messages so they would not issue alerts. It looks like he had been fighting off intruders that were invading the system and had finally thwarted them by isolating a machine they were trying to penetrate.”
“OK, so can we go look at that machine and see what’s in it?” asked Lombardo.
“Let’s find out first which one it is,” said David.
Another series of log entries scrolled on the screen:
[**] [1:1407:9] SNMP trap udp [**] [Description: Attempted unauthorized login] [Priority: 0] 03/06-8:14:09.082119 112.147.1.167:1052 -> 110.30.156.27:143 UDP TTL:118 TOS:0x0 ID:150947 IpLen:50 DgmLen:47
11:14:07 PM,"Trigger ""Block Windows File Sharing"" blocked (112.147.1.54, netbios-ssn(139)).","Rule ""Block Windows File Sharing""blocked (112.147.1.54, netbios-ssn(139)). Inbound TCP connection. Local address,service is (UNIMTY(102.30.128.27),netbios-ssn(139)). Remote address,service is (112.147.1.54,39922). Process name is ""System""."
3/3/2006 9:04:04 AM,Firewall configuration updated: 398 rules.,Firewall configuration changed: 254 rules.
11:33:50 PM,Definition File Download,UNIMTY,userk,Definition downloader 3/4/2006 11:33:52 PM,AntiVirus Startup,UNIMTY,userk,System 3/3/2006 3:56:46 PM,AntiVirus Shutdown,UNIMTY,userk,System
240203071234,16,3,7,UNIMTY,userk,,,,,,,16777216,”Virus definitions are corrupted.”,0,,0,,,,,0,,,,,,,,,,SAVPROD,{ xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx },End User,(IP)-192.147.1.121,,GROUP,0:0:0:0:0:0,9.0.0.338,,,,,,,,,,,,,,,
DSO Exploit: Data source object exploit (Registry change, nothing done) HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1004!=W=3
“Man, look at all the stuff that was going on!” said the log manager.
David moaned and said, “We’d better have a look at the audit records.”
David explained that there would be a lot of security information in the audit logs. If someone was trying to gain access to the computers and had failed to login several times, it would show up there. Also, if rules, regulations, or policies had been violated or sidestepped, the audit information would tell us.
What amazed David and the log manager was the amount of activity of account creation and account deletions, changes to privileges in the accounts and then changes denied. It had been a battle between someone trying to gain access and giving himself or herself privileges to do very much what he or she pleased, and Victor trying to deny the intruder access. Then a “strange” security log entry appears on the auditing system.
Event Type: Success Audit Event Source: Security Event Category: (1) Event ID: 517 Date: xx/xx/xxxx Time: 1:16:40 AM User: SYSADMIN AUTHORITY\SYSTEM Computer: UNIMTY-2 Description: Cleared Audit Log Primary User Name: SYSADMIN Primary Domain: UNIMTY AUTHORITY Primary Logon ID: (0x0,0x4F9) Client User Name: SYSADM-0909 Client Domain: UNIMTY Client Logon ID: (0x0,0x22ACC)
Victor had quarantined the server; then, he did something very unusual for a Systems Manager—he cleared the Audit Log.
According to this trail of electronic evidence, Victor had spent part of the night following an intruder; he then quarantined the computer the intruder had tried to penetrate. He must have been confident that he had expelled the intruder and that it wouldn’t be back because after midnight he had worked on the quarantined computer and his login had remained there for an hour. After he was done, he cleared the audit files so that no trace would remain of what he had done, and since he had lowered the priorities of the security system no one would be alerted as to what had happened. Before he left, he brought system alerts back up to normal security levels.
But, if we had seen the battle, or the signs of the battle that were left here and there, the intruder too must have realized it had been defeated and that whatever it had been after was now inaccessible.
“So, if I understand this correctly,” said Lombardo summing up, “someone came into your system to try to get something. Victor fought them off, denied them whatever it was they wanted, and then hid it in a quarantined computer. But, whatever it was he hid, and whoever it was he fought off, he did not want anyone here in the Center to know.”
“That about sums it up,” said the little log manager.
“And since they could not get it that way,” said David, “they came and got him.”
“That too sums it up,” Lombardo said.
There followed a deep silence after which Lombardo said, “Let’s have a look at what he hid in the quarantined system.”