Breaking and Entering
Page 22
“I’m there,” she reported, as a prompt—“Password:”—appeared onscreen.
“Lowercase a-b-c-1-2-3,” Jason said.
Alien, shaking her head in disbelief at such a common password, typed as instructed.
“$,” the terminal returned a moment later, showing a standard UNIX command line.
“It worked,” Alien said. Exactly like in the capture-the-flag contest. Only this wasn’t one of Bruce’s simulations. It was a real airline’s reservation system, for actual passengers in actual planes.
“Okay,” Jason said. “Type ‘su -l.’”
Alien did so, shaking her head again. That Elite had found and cracked the test user account was bad enough. Pivoting from there via the su command to “superuser” status would be a much more dramatic accomplishment. Normal users could see and modify only their own files and programs. The superuser, or root, had full access to everything.
“Ready,” Alien told Jason when she saw the new prompt for a password.
“Capital A. One. Lowercase r-p-l-a-n-e,” he said.
Now she groaned. As if password crackers didn’t try basic letter variations.
Alien entered the characters, one by one, and hit Return.
“#,” the command line said now—the sign that she had, indeed, become superuser.
“Oh my God,” Alien whispered, to herself as much as to Jason. “I’ve got root on a fucking airline network.” And it was so easy.
“What now?” she asked.
“Knock yourself out,” Jason said. “Look around, see where you can go. Take screenshots. We’ll talk later and then put it in the report. Bye.”
Alien didn’t say anything but just sat there as Jason disconnected the call from his end.
She looked around the café. Just another morning in Somerville. People were reading, doing crossword puzzles, typing, and chatting as they sipped their drinks and nibbled on scones. There were Picasso prints on the walls and notices for Iyengar yoga classes, piano lessons, and improv comedy on the bulletin board.
And soon, with maybe a few more hours of exploration, Alien could change or cancel the tickets of any or all of the airline’s customers, and reschedule any of a thousand flights, wrecking travelers’ itineraries and throwing airports everywhere into chaos.
And so could anyone else, anywhere in the world, with Internet access and the skills at her command.
Alien ran ifconfig, netstat, and other diagnostic commands in the system, just to get the lay of the land. Yup. She could do just about anything she wanted.
Her heart was beating as it had when she had made her way inside Castle. Alien didn’t trust her own fingers.
Log out, she told herself. Don’t risk hitting the wrong key.
She hurriedly took several screenshots and exited the reservation system.
That night, following an Ambien, Alien dreamed she was boarding an airplane. She buckled up and put on an eye mask as the safety presentation started. Soon they were in the air. Alien slipped headphones over her ears, plugged in her iPod, and scrolled to select a playlist. Brian Eno, Music for Airports. She could vaguely hear the pilot’s announcement: “Ladies and gentlemen, we’re at cruising altitude.”
A piercing rattle followed. Flickering lights. A sudden stomach-lurching drop.
Alien threw off her eye mask and looked out the window. The wings were on fire.
She bolted up in bed beside Tanner.
Alien rubbed her eyes. It’s just a dream, she told herself.
She reached for the bottle of Ambien. Alien washed a fresh pill down her throat with water and waited for the pull back toward unconsciousness.
The plane crash dream recurred several times a week for several weeks. Alien had trouble shaking the fatigue and disorientation from bad sleep, so she relied more on Adderall for energy and focus. She sped through work impressively, but couldn’t turn her mind off afterward. So more Ambien. And more Adderall. And a lot more assignments for Elite.
At the end of April 2007, the Jedis sent Alien on the first major forensics job of her own. The client, code-named “Cheeseburger” and headquartered in Seattle, was one of the country’s largest fast-food restaurant chains. One of its computer systems had been compromised. She was to assess how, and how badly.
Alien proudly affixed her bent spoon pin to the jacket of a fitted suit. As she entered Cheeseburger’s bright and airy lobby, decorated with framed quadruple-life-sized images of every one of the chain’s diet-busting menu items, she pulled her equipment behind her in a rolling suitcase.
The Cheeseburger contact, an Asian American man in his late twenties named Dexter, led her to their data center three stories underground. “We noticed the first file transfers yesterday,” he said. “I don’t know if it’s a virus, or we’ve been hacked, or both.”
“And the target was your credit card processing system?”
Dexter nodded. “Yep, we’re concerned about PCI”—payment card industry—“compliance.”
“Makes sense,” said Alien. Cheeseburger franchises served hundreds of thousands of customers a day, and more than half of them used credit and debit cards. If the cashiers couldn’t take plastic, the places might as well not open.
Dexter showed her to the machines in question. Alien sat down and started unpacking hard drives and cables from her equipment suitcase. “We’ll get the analysis started as soon as I finish the data acquisition,” she said.
Dexter thanked her and shook her hand. As he was leaving, he turned and asked, “Anything I can bring you?” He smiled. “The company test kitchen is right upstairs.”
Fueled by waffle fries and test-kitchen-only “bacon” veggie burgers, Alien worked three straight sixteen-hour days. While the enormous amount of data was being copied, she met with Dexter to discuss larger issues that might have caused the vulnerability. For example, she’d discovered that Cheeseburger had missed several security updates, or patches, on almost every machine.
“Where do you think you need more resources for patch management?” she asked him. “Is the issue with your funding for equipment, or funding for staff?”
“We have the equipment,” he said. “But we don’t have the staff to keep everything up to date.”
Alien opened a new Moleskine notebook. “I’ll highlight that in the report as one of my recommendations.”
Dexter, who had been consistently tense and somber, seemed to brighten and loosen up.
“That would be fantastic,” he said.
Alien got home and worked all weekend on the Cheeseburger report. As soon as she submitted it, the Jedis sent her to three more consulting engagements in quick succession. With all the travel, the only house chore she could perform was Fireberry’s weekly group grocery shopping. Since she was on the road so much, when she woke each morning Alien had to remind herself what city she was in. But at last she was a real Agent.
In early June, Bruce asked her to work side by side with him on a big new case. An emergency: a breach in the computer systems of a southeastern state government.
He told her they needed to get there right away, to book the first flight available, regardless of cost.
After a quick search, Alien had her flight picked. It left in three hours. The ticket cost $1,200. In order to pay, she typed in her credit card number.
CARD DECLINED, her screen shouted at her.
Alien sighed, but there was no time to waste. She found her purse on the floor, returned to the ticket purchase page, and gave her backup credit card information.
Ten seconds of hope. Then the site crushed it. CARD DECLINED, it repeated.
Tanner messaged her. “Do you want to get dinner before poker night?” he asked.
Shit. She’d said she’d be there tonight. “I have to go out of town,” Alien typed.
“Again?” Tanner wrote. “Already?”
“Sorry!” Alien told him. The sound of gunshots echoed downstairs, succeeded almost immediately by happy hoots. Friends and housemates in the s
econd-floor lounge watching Bonnie and Clyde.
Alien pawed through her desk drawer for her old khaki-colored traveler’s money belt. She unzipped the pouch and extracted her backup backup credit card, holding it to the light of her screen.
Alien typed in the numbers, expiration date, and security code.
She waited. More gunshots sounded.
TRANSACTION COMPLETED, the website said at last.
Alien grabbed her suitcase and then SSH’d back into her Elite Defense account. “Dear Jedis,” she emailed the founders:
I find I am fronting the company $800–$4,000 before reimbursement. Often these expenses are large and on very short notice. For example, my last plane flight was $1,000, hotel was $1,400, and car rental was $700. Would it be possible for me to have a company credit card to use?
Alien packed in fifteen minutes. Afterward, she checked her work email. One reply to the credit card request.
“No,” Richard had written. “Agents don’t get company credit cards.”
State and local governments were prime hacker targets. First, they frequently used outdated hardware and software, with weak security settings, and thus were easy to footprint and scan without detection. Second, they held vast quantities of sensitive information. Various agencies stored the names, addresses, birth dates, and Social Security numbers of public employees and vendors, welfare and worker’s comp recipients, children in foster care, and members of the National Guard, for example. Identity theft rings could have a field day with such data. There was so much to choose from, they could even develop specialties, selecting certain kinds of victims. Using the Social Security number of a child, for instance, was an increasingly common way to establish a fraudulent line of credit, because the minor might not have any other financial dealings for years.
The state’s department of information technology was in a two-story redbrick building eight blocks from the capitol. Bruce explained the situation. “Five weeks ago,” he began, “IT changed firewalls”—the part of a computer network restricting outside access. As a rule, firewalls were configured to block everyone. Then you added each trusted point of contact, one by one. “During the shift,” Bruce said, “the ‘Deny All’ rule was accidentally removed.” Now the entire Internet could walk through the gate.
Elite Defense was hired to learn who got in—and what got out—in the month before the problem was discovered.
Jedi and Agent worked together for five days, meticulously examining the firewall, performing vulnerability scans, and checking event logs. Every day, Bruce taught Alien—and then entrusted her with managing—more of the operational details and logistics.
“With limited time and a large network like this, you want to make sure your scans aren’t getting hung up,” he said. “First, ping the systems you’re scanning”—that is, send a timed request for contact—“and find the average roundtrip time of a packet.”
In Nmap, Bruce explained, there were options to set the minimum and maximum times the program waited to get results. “Don’t just accept the default. When you have the average, you can set reasonable numbers, but you’re not going to wait around forever.”
He offered an analogy. “It’s like mapping a cave,” Bruce said. “What do you use? Probably echolocation. The sound waves go out and they bounce back to you.” In surveying an unknown network, you started by sending packets. “They go out, and they bounce back to you. You’re waiting for that system to respond.”
Alien felt privileged to have the tutorial. Bruce was as great as a one-on-one mentor as he had been in the classroom.
Once they knocked off for the day, well into the evening, Bruce dedicated himself to researching and choosing which upscale restaurant they’d eat at, a new one every night. Although there were only two of them, he ordered half the menu so that they could sample as much as possible. He didn’t know the meaning of downtime.
“We’ve been on-site all day,” said Alien the second evening. “We have to be up early tomorrow morning.”
“C’mon. Work hard, play hard,” Bruce said.
As the sun set on their final day, Alien watched the dying light out a second-story conference room window with physical longing, wishing she could feel its heat on her body for even a few seconds, rather than endlessly recycled air conditioning. She turned back, though, as Bruce cleared his throat. “Ms. Tessman will bring you up to date,” he said.
Alien nodded, first to Bruce and then to the state’s chief information officer—a poised middle-aged woman—and the four men who made up her IT leadership team. The government employees prepared for the worst.
“We found evidence that the systems were penetrated over a period of three weeks by attackers who spoke four different languages,” said Alien. “The intruders appeared to come from addresses in Vietnam, Egypt, Thailand, Turkey, and Estonia. We know this based on logs that happened to remain on certain host systems. However, because the firewall was open and not logging, there is not enough evidence to determine what, if any, data they may have transferred.”
The CIO pursed her lips. Her staffers slumped. Bruce nodded encouragingly, however, signaling Alien to continue. As the natural light from outside diminished, fluorescent bulbs overhead gave everyone’s face a sickly pallor.
“There was no central server collecting or retaining logs,” Alien went on. “So, for the Windows systems, at least, we have no way of telling when anyone logged in, when they logged out, where they were coming from, or what they did on the systems. Because local system logs were retained only for thirty days, we don’t know precisely how or when this all began. We worked with Steve”—she gestured to one of the IT staffers—“to see if we could recover logs from backups of the systems. Unfortunately, after attempting a test restore, the backups do not appear to be working.”
Steve looked at his shoes. The CIO frowned.
Alien wrapped up. “We also examined several Linux servers,” she said. “These did have logs stored on them, and we were able to confirm that they were accessed by unauthorized users. In one system, we found Social Security numbers, health information, and other records. So it is likely that many state residents have had their information compromised. I’ve shared the important log files with your team, and all of the details will be in our report.”
She stopped. No one said anything for a moment. Alien glanced out the window again. It was totally dark. The glass reflected her own gaze back like a mirror.
“Excellent work,” said Bruce, sweeping in. “Ms. Tessman is a very thorough investigator,” he told the others. “Do have any questions?”
The CIO spoke. “The governor is being considered for an ambassadorship,” she said. “Discretion is very important.”
Alien didn’t wait for Bruce. “I recommend consulting with your legal counsel and your PR team,” she said. “Legal will make the decision on who needs to be notified. We’ll have the full forensic report ready for you in two weeks, and you’ll have the opportunity to review the draft and let us know if you need any changes. It’s been a pleasure working with you.”
The IT managers filed out. Bruce excused himself to take a phone call, leaving Alien alone with the CIO. While Alien packed up, the woman asked her, “Have you been enjoying your visit?”
“Oh, yes,” Alien replied politely as she zipped up her laptop case. “It’s been lovely.”
“Any interest in staying?”
Alien looked up.
“If you want a job with us, we’d love to have you,” the CIO said.
Alien considered it. Warm weather year round. The power to help ordinary people. Weekends to herself. But go back to sitting in a cubicle?
No way.
Bruce reentered the room.
“Thank you very much, but I’m happy where I am,” said Alien. “Perhaps Elite Defense can consult with you on proactive measures, and I can visit you again soon.”
In mid-June, Alien and Tanner broke up. Her work schedule wasn’t the only problem, but it was a big
one. Any personal cost seemed a fair exchange, however, when Bruce called again.
“The Pentagon booked us to do a security briefing July ninth,” he said. “Interested?”
“Really?” Alien’s voice rose in excitement.
Bruce chuckled. “I’ll take that as a yes. And one more thing.” His voice turned serious. “You have to get great evals,” he warned her. “Over nine”—on a zero-to-ten scale—“or you won’t get a gig like this again.
“And before that,” Bruce went on, without waiting for a reply, “we want you to do a wireless network assessment for an outfit outside Los Angeles, code name ‘Neptune.’ They’re a big defense contractor. It’ll be a good warm-up for DoD culture.”
Tuesday, July 3, Alien flew to LAX, rented a car, and drove south. Neptune’s head of IT, Rafael, was, like Alien, from New Jersey. “Would you like me to give you a tour?” he asked after they shook hands in the company’s carpeted lobby and reception area.
They walked down a flight of stairs from reception to a guard station, and then through a door to the Neptune manufacturing plant, a white-painted, almost windowless concrete box the length and width of a football field, with tall, shiny metal exhaust towers like a cruise liner.
Inside, Alien passed men and women wearing thick protective gloves and goggles. They worked with industrial-sized lathes, drills, saws, and other equipment, which produced impressive sparks en route to tall stacks of shaped metal. Behind the stacks, other employees, using much smaller tools, including lasers, performed careful detail work. A third set of employees tracked everything produced with low-beeping handheld barcode scanners, with most of the remaining floor space taken up by a gigantic tub of water.
“What’s that for?” asked Alien.
“Testing,” Rafael said. “Almost everything we make has to work underwater.”