Mayflower was hardly alone in confronting a potential data breach. In late May, the U.S. Department of Veterans Affairs reported that a contractor’s laptop and unencrypted hard drive had been stolen. On it, too, were names, birthdays, and Social Security numbers, as well as disability ratings. The scale of the information at risk was breathtaking: 26.5 million veterans, their spouses, and active-duty military personnel were affected. There were similar revelations from ChoicePoint, a commercial data broker; LexisNexis, the research database giant; Equifax, the nationwide credit bureau; Bank of America; and the U.S. Department of Energy. With this information, criminals could get a bank loan, credit card, or driver’s license, obtain medical care or prescription drugs, or even buy a house, all in a victim’s name.
“Something happened at work,” said Alien. “I can’t tell you exactly what. But something went missing and we can’t find it. And I don’t think they’re going to tell anybody.”
Keenan moved his hands in a gentle circle on her back. He virtually never spoke but was happy to listen. Confiding in him was a way to think things through for herself.
Alien stared up at the night sky. The moon and stars peeked through streaky white clouds.
“It just seems wrong,” she said. “To not tell anybody. How can I take this job seriously if we don’t tell people what happened?”
Her job at the hospital had always required compromises Alien didn’t like. When the exchange was having to get up early, sit at a desk in a cubicle, and deal with bureaucracy in return for an increasing opportunity to do meaningful work in a new and exciting field, she accepted it.
With this case, the balance changed. Now she felt shut out from and maybe even betrayed by the decision making of the people in power above her—and in her specific area of interest, expertise, and (she had thought) authority.
“Am I just a human checkbox?” Alien asked Keenan. “It feels like I’m here so that the executives can say, ‘Yes, someone’s job is to try to protect you.’ They don’t really mean it. They just want to check off a box.”
Six hours later, Alien climbed off Pepper, passed through the turnstile, and up the elevator into Beigeworld. She didn’t want to quit her job. But to continue at the hospital, something had to change, something within her control.
How about herself? In recognition of everything Alien was doing and how much more she wanted to accomplish, Grant had suggested she take some kind of class.
While Chris complained and Harry kibitzed, Alien began an online search. “S•C•A•N,” said four large stenciled letters across the top of the website she loaded. Below was the promise: “Secure Computing and Networking.”
Alien scrolled down. Information security was growing into a multibillion-dollar industry. SCAN was the new field’s foremost training institute. Though headquartered outside Washington, D.C., it advertised regular workshops in locations across the continent and around the world—this week Miami, next week New York, and so on through Houston and San Francisco, London and Paris, Sydney and Singapore, Dublin and Dubai. The instructors were top people who took these gigs for some extra cash and to develop new clients from the companies that sent them students.
“Fundamentals of Information Security,” “Advanced Information Security,” “Defending Windows,” “Defending Linux/UNIX,” “Incident Handling and the Hacker Mindset”—Alien halted, curious, and clicked on the last of these class listings.
“The bad guys have to find one opening to succeed. Security has to find all of them,” the course overview stated. “Learn EVERYONE who is attacking you, how, and how to stop them in this fast-paced, hands-on workshop designed for incident response team leaders.”
Alien read on another twenty minutes and then clicked the button marked “Registration.” She focused on a six-day session in July in Toronto. She had also heard of the instructor, Bruce Rich, and his company, Elite Defense. The tuition was three thousand dollars.
Alien took a deep breath, stood up, and walked into Grant’s office.
The question was out of her mouth almost the moment she saw him: “What’s our funding for professional development?”
// Part III:
Agents and Jedis
09 / /
Capture the Flag
Toronto. July 2006.
Alien carefully tucked a black button-down shirt into black slacks. She laced up low-rise leather boots, looped the lanyard with the laminated SCAN badge over her head, picked up her laptop case and a travel thermos of hot Earl Grey tea, and headed for the hotel elevator. At five minutes to nine this Sunday morning, she entered the conference room where she would spend most of the next six days.
The front wall of the room was covered with a screen, before which was a table holding a projector. Facing the screen were three rows of chairs positioned behind tables meant to serve as desks, underneath which were floor outlets. At the rear of the room was one more table that held a carafe of coffee, pitchers of water, and two piles of spiral-bound coursepacks, ten to a pile.
Alien assessed the nineteen other badge wearers—her classmates—milling about the room. Most were in their mid-thirties or older and wore jeans and a T-shirt. All were guys.
The extreme gender imbalance didn’t surprise Alien. By now she was accustomed to it. InfoSec combined two male-dominated industries: technology and security. The whole field originated in hacker groups, on the one hand, and the defense industry, on the other, both of which were boys’ clubs at heart. And even at MIT, where women were a much larger minority, she had often been the only woman in a particular class.
People introduced themselves awkwardly. Alien stepped smiling into a cluster of four. “Hi. I’m Elizabeth.” She extended her hand to each guy in counterclockwise order, reading the name tags as she shook with them. “And you’re Doug? Dan? John? James?” She took half a step back and asked, “Where are you all coming from?”
“Google,” the first guy answered.
“Apple,” said the second.
The elder of the last two answered curtly for both of them: “We work in government.”
The Google guy chortled. “You know what that means, don’t you?” he told Alien as these two excused themselves to grab coffee.
Alien guessed. “NSA?” she said.
“Right,” the Apple guy answered. “‘No Such Agency.’”
Alien chose a seat in the middle of the first row and booted up her laptop. Thirty seconds later, a sudden hush fell upon the room. She looked up to see the instructor enter.
Maybe thirty-five years old, he led with his beard. Bright red and bushy, the size and shape of a saddlebag, his facial hair extended from his gauged earlobes to the third button of a green, red, and blue tartan plaid shirt only partly tucked into loose-fitting corduroy pants. Narrow patches above his chin and below his nose were shaved, as if clearing a landing area for his lips, which he formed into a broad, jovial expression that matched his twinkling eyes and Santa-worthy potbelly. He introduced himself—“Bruce Rich”—to the class.
“Welcome,” he said in a booming voice. “You’re here because you’re incident handlers. I’m here”—he raised a woolly eyebrow archly—“to turn you into defenders.”
Alien tensed in anticipation. She was tempted to peek back again quickly to see what the other students made of this mission statement. But she’d read everything she could on Bruce before taking the class and didn’t want to miss a word he had to say.
In the 1980s and 1990s, almost everyone who broke into and explored computer systems was a hobbyist, hacking out of curiosity, for fun or fame, even at the risk of arrest. Government leaders promised comprehensive action to improve security, but failed to deliver, even as the threat became too big to ignore.
Now corporations from Microsoft and Cisco on down had begun hiring hackers of their own to help defend themselves against other hackers. What had been a hobby was quickly professionalizing and splitting into separate, if overlapping, camps. There were black hat hackers, who
hacked with malicious or criminal intent, for power or profit; white hat hackers, who hacked to test, evaluate, and ultimately improve computer security; and gray hat hackers, who moved between both worlds.
Bruce and his colleagues at Elite Defense were white hat rock stars: high-priced, rapidly deployed independent global operatives for major businesses, corporations, and government agencies interested in testing their systems against potential attack.
“All of you are charged with defending your assets and responding to break-ins,” he told the class. “But to achieve real security, you also need to understand your adversaries.” Bruce quoted Sun Tzu: “‘To secure ourselves against defeat lies in our own hands, but the opportunity of defeating the enemy is provided by the enemy himself.’
“If you know how hackers think, and the tools and techniques they use, you can beat them,” he continued. “Or”—Bruce shrugged and threw his arms wide—“at least you can stop them from beating you.”
The class, including Alien, chuckled keenly. Bruce himself, though, shifted to a more solemn expression after a moment’s pause.
“Today is going to be hard,” he said in a low, serious tone. “Tomorrow is going to be harder. And the next day is going to be harder than both of them combined. I’m here to push you every moment and to bring you to the edge of the cliff. There’s a better view there. There’s better ventilation. And”—another shrug, eyes sweeping the room slowly, making momentary eye contact with each student—“I will occasionally jettison one or two of you.”
Everyone chuckled again, but more nervously.
Alien was hooked. Bruce was so mesmerizing a speaker he could have read UNIX online manual pages aloud and held her rapt.
“This week,” Bruce went on, “you’re all going to get your hands dirty. If you can go back to work afterward and get promoted, that’s great. But even more awesome is if I can put that hacker pathway in your brain.”
He powered on the projector. “And here is your final warning,” he announced.
With everyone else, Alien leaned forward.
Bruce slipped his own laptop from its case and lifted the machine in the air. “This is my kingdom, my court, my shield, and my sword,” he said. “Whether you like it or not, your computer is probably the same for you.”
Another pause. “If you have any sensitive data on it, you’d better remove that now.”
For the rest of the morning and afternoon, Bruce paced back and forth as he spoke. He never seemed to tire, but when he let them go, all the students were exhausted.
“Rest up” were his parting words. “Tomorrow the perspective flips.”
The formal part of the instruction was over for the day, but more remained. That evening, both instructor and class re-gathered to unwind in a bar called Postman’s Pub, a ten-minute walk from the hotel.
Ostensibly they were there to enjoy a drink or two in a casual atmosphere. In fact, though, Bruce was holding forth, with students listening spellbound.
Bruce had discovered hacking the way many kids did—in middle school and high school, he said, when he and his friends decided they needed to reverse-engineer the copy protection measures on computer games. From there, for fun, he moved on to dissecting computer worms and viruses. Soon he was present at the birth of the full disclosure movement, when security researchers like him fought to publicize new vulnerabilities.
“Back in the day,” Bruce told Alien and her classmates, meaning just four or five years ago, “everyone was after us.” The computer giants whose product flaws they exposed said the technical findings revealed proprietary business matters, and threatened to sue them. For their part, the FBI and other government agencies claimed the information abetted criminals and terrorists. Some fellow hackers attacked the most prominent white hats as glory hounds intent on giving away hard-won secrets and ruining the fun of hacking for everyone else.
“I remember my first SCAN class,” Bruce continued. The instructor was a SCAN co-founder. “I was too intimidated to say anything all week. Then we ended up talking in the parking lot.” He chuckled. “It turned out that we’d actually been on the same white hat IRC”—Internet Relay Chat—“channel for years.”
“Then what did you do?” said Alien.
“We decided to start Elite Defense,” Bruce said.
He stood to get a drink. Alien followed. A few feet away from the bar, however, she found her path blocked by a fellow student who had risen suddenly, trying to make it look as natural as possible, as if he just wanted to order another pitcher for his table.
“Amazing class today,” he said a little too emphatically to Bruce, who nodded.
“So . . . ,” the guy offered as an awkward segue. “What kind of firewalls do you think are better?” he said at last. “Cisco or Juniper?”
“Both are like condoms,” Bruce said. “If they don’t break, I don’t care.”
“It’s where you place them that counts,” Alien jumped in.
When Bruce laughed, so did the other student.
“That’s what I always say,” the student added as a follow-up. With nothing more to offer, he went on to fetch his pitcher, leaving Alien alone with Bruce.
“Do you get to travel a lot?” she asked.
“All the time,” Bruce said. “I’m just back from Kyoto. I found this amazing hot spring in the woods and soaked for hours with the locals.”
“Wow. What did you talk about?” said Alien.
“It’s a long story. What are you having to drink?” he asked.
“Sapphire and tonic,” said Alien.
Bruce signaled to the bartender. “Another Steam Whistle Pilsner for me,” he said, “and we’ll have a Bombay Sapphire and tonic for the lady.”
The next four days of class were, as promised, even more grueling than the first. Step by step, incident handlers were taught how to transform themselves into hackers.
Monday, Bruce led the class through attacker footprinting—gaining information about a target; scanning—probing the target’s network to identify hosts, ports, and services on it; and enumerating—extracting information on usernames, machine names, and settings. To get them into the frame of mind he wanted, he called them “samurai.”
Tuesday and Wednesday, they practiced accessing and exploiting—everything from cracking passwords and capturing traffic to hiding files and remotely running applications.
Thursday centered on maintaining access and covering tracks despite the target’s best efforts at detection. Take complete command and you rooted the computer and pwned—pronounced poned, a play on “owned”—your victim. At the moment of triumph, some guys in the class celebrated with whoops and trash talk.
Alien typed on in silence. What was there to be proud of? Bruce had told them exactly what to do. Following his instructions didn’t make you a hacking genius any more than transcribing Paradise Lost word for word made you a poet.
Friday night she walked beside Bruce and chatted him up on the way to the bar, as she had every evening since Monday.
Halfway there, Bruce pointed up at the sky. “Look,” he said. “Jupiter.”
Alien searched until her eyes found the pale cream-colored dot, 450 million miles away, amidst a sea of stars. “There’s a little perspective,” she said.
They watched in silence until clouds obscured the distant planet.
“Do you believe in God?” Alien asked.
“Do you?” said Bruce.
Alien shrugged. “The universe is so old and so big that someone, somewhere must have rooted it,” she said.
The next day, as she and the other students returned to the classroom after lunch, Alien saw Bruce had been busy. A wheeled cart now shared space in the front of the room. On top of it were six computers. As Bruce turned on the projector, he ordered, “Lights off!” and someone in the back row jumped up to hit the switches.
Backlit by the reflection off the screen, Bruce became a bearded phantasm. “So it begins!” he cackled happily. “Capture the flag!�
��
Bruce had set up each of the six computers to simulate a different server used in most networked office environments: file storage, printing, communications, applications, databases, and domain management (translating machines’ names to Internet addresses and vice versa, for example). Each server had a special file, or “flag,” at the root of its system. Together, the flags could be combined like puzzle pieces to reveal a secret message.
To get the flags, though, you had to hack into each computer.
“Remember: don’t try this at home,” Bruce mock-warned them. As they knew, the tools and techniques they were using would be illegal on any machines they didn’t own.
Bruce quickly divided the class into five teams, each with four members. Alien didn’t know her teammates very well and so relied on their facial hair to distinguish among them. One was clean shaven, another had a carefully cultivated stubble, the third a soul patch. They let her choose their team name: Ziggy Stardust, after the David Bowie album. Their rivals, meanwhile, were the Road Warriors, Alpha Force, Hack Attack, and Pissed Officers. The lineup for the last was the guys from Google and Apple, and the two suspected NSA-ers.
The captain of the first team to finish got a signed copy of Security by Ferris, an InfoSec textbook by Bruce’s Elite Defense co-founder, Jules Ferris—a legendary pentester, or penetration tester, a professional white hat hacker hired by companies to probe their own systems for security holes.
“Five, four, three, two, one—go,” Bruce commanded, and twenty laptops flipped open.
For the first twenty minutes, Stubble insisted that he lead Ziggy Stardust. Alien deferred to him. After all, he seemed confident, and the last time she had really measured her technical abilities against other people was at MIT. But then he stumbled trying to type commands. Mr. Clean Shaven took over for ten minutes but missed obvious hacking openings. The teammate with the soul patch, meanwhile, seemed more interested in his cell phone than in the competition. Alpha Force and the Pissed Officers took early leads.
Breaking and Entering Page 17
