Breaking and Entering

by Jeremy N. Smith


  “We have to turn the report in right away,” she told Luke, Gus, and Cheryl each time they completed a project.

  At first, they didn’t understand. “The client doesn’t care if it’s another week.”

  “The client doesn’t care about your paycheck.”

  In June, six weeks after the birth, Adrienne started day care. Alien developed a drop-off and pickup routine, and playdates at the park and public library. She joined a monthly book group with other mothers. One connection led to another, and soon two Parkmont police officers had asked Alien and her team to consult on recovering deleted cell phone texts and photos for a cyberstalking investigation.

  With TSC’s tools and talents, meeting the technical challenge would be easy enough. Yet hosting the cops in her office—surrounded by her books and (hidden) breast pump, business papers and (air-freshened) burrito funk—Alien felt exposed. And the more local work she had the opportunity to take on, the more often the issue would come up.

  In July, Alien rented and furnished the fifth and last office available on the fifth floor, in the middle of the hall, as a conference room to receive current and potential clients. The same month, she advertised for a new intern and hired Milo, a self-taught computer programmer in his mid-twenties, with neat black-framed glasses and sandy-colored hair. His initiation was running ToneDef 2, TSC’s second annual hacking challenge at DEF CON.

  Whether the conference room or contest led to anything else, Alien was back to the broadest form of social engineering: Look successful to be successful.

  For a while, Alien held back her own salary and lived off her credit cards, like many small-business owners, considering it another investment she would someday pay down. Although he didn’t know it, Luke was taking home more than she was. Alien couldn’t share this information with him, not because it would embarrass her, but because she needed everyone to have faith in the future of the company.

  One day in mid-September, she spent the morning editing project reports. Alien checked her email afterward and saw a new message to the general TSC address.

  The sender was an IT network manager at one of the largest companies in the Rockies—Treeline Bank. He had taken a SCAN class taught by Elliot at which he had picked up a TSC folder.

  “Enclosed is a request for proposal for Treeline Bank’s annual security testing,” Alien read.

  Alien took a deep breath. It all had to start somewhere, and this could be it. The first real chance to do business on their own, independent of Antidote. If they got the job, and Treeline liked them, a big bank was the ideal reference for other clients. But she’d need to convince them that TSC was the right hire.

  In her proposal, Alien provided a quote for a remote pentest, an on-site pentest, and a social engineering assessment. She landed the contract. The entire TSC team conducted the work in October and November. They were successful enough that the bank signed an agreement for a year of quarterly assessments. The first-quarter phishing test, in late February 2012, went off perfectly. The second phishing test started on a clear seventy-degree morning in mid-June.

  Sitting forward in her chair with her fingers never leaving the keyboard or her eyes the screen, Alien jumped back and forth between the command line and her simultaneous online chat with Luke, Gus, and Cheryl in their offices:

  opening firewall port 80

  confirmed firewall port 80 open

  confirming external access successful

  opening firewall port 25

  sending test email

  please confirm and click when you receive

  received

  received

  two clicks recorded

  two form submissions recorded, username MrMan and thisisatest

  confirmed

  confirmed

  target list loaded

  launching emails in 30 seconds

  Alien checked her watch, her heartbeat increasing steadily as the second hand ticked forward. Fifteen seconds. Ten. Five. Now.

  As the countdown ended, Alien hit Return to start her phishing script. “Emails launched,” she typed. She watched a separate terminal window that showed the mail server logs. It scrolled automatically as hundreds of emails were sent.

  And then, suddenly, it stopped.

  Alien hit Enter. Nothing. She opened a new terminal and SSH’d into the server again. No luck.

  Chat, command line, warm and hot phish logs, Web browser—everything onscreen that used the Internet had frozen.

  Alien felt a sudden jolt of alarm throughout her body. The worst thing was that she had no idea of the status of the phishing attempt, so there was no clear way to fix it.

  Had the emails been sent? If so, only some of them, or all? If some, which ones? How many undeliverable and how many out-of-office messages had they gotten? Were employees reading now? Were they clicking? How long until the first person filled out and submitted a poll? How long until a dozen did?

  She rushed out of the office and into the hall. Luke joined her a few seconds later, followed closely by Gus and Cheryl. Everyone clutched their printed call scripts.

  “What’s going on?” they asked.

  Luke threw open the door of the Playlab. Milo had been set to work inside, trying to organize stray chargers, cables, circuit boards, memory boards, processing chips, CD drives, power strips, and keyboards into sealed plastic tubs. At some point, however, the cleanup efforts had taken him into the network closet, where he was standing now.

  In Milo’s left hand was a mini-Maglite. In his right was a thick black cord.

  “What?” he said drily.

  “You broke the Internet!” Luke yelled.

  Replugging and restarting didn’t work. They tried again—and again. Nothing changed.

  Treeline was a fifty-thousand-dollar contract. The test this time covered almost five hundred employees. Equally important, two smaller banks, a local law firm, and a community health clinic had all hired TSC on the strength of their work for Treeline.

  The life of her company flashed before Alien’s eyes.

  “Grab your stuff and get in the car! Everybody in the car!” she shouted.

  Everyone but Milo swooped up phones and laptops. They stampeded down all five flights of stairs, nearly flattening a blue-suited attorney carrying a cup of coffee.

  At the parking lot, Alien hopped in the driver’s seat of the dark green Subaru Outback with which she’d finally replaced her Volvo. Luke joined her in front. Gus and Cheryl shared the rear, shoveling aside Duplos and a yellow plush giraffe. A black car seat encrusted with Cheerios held in place by dried apple juice forced them close to one side.

  Alien peeled out. Less than five minutes later, she screeched to a halt at the end of her street. Alien jumped out of the car, ran up the flagstone walk, and threw open her front door.

  “Go! Go! Go!” she yelled, along with the Wi-Fi password.

  The hackers spread out—Alien to the master bedroom, Luke to the square oak kitchen table, Cheryl to the red velour living room couch, and Gus to Adrienne’s bedroom, strewn with stuffed animals, board books, boxes of fresh diapers and containers of baby wipes, and a crib on whose railing was mounted a musical mobile.

  Alien’s hands shook as she logged in. “Remember to block caller ID!” she shouted. “We can do this!”

  We have to.

  Alien loaded the phishing spreadsheet and logs from the server and started handing out assignments.

  “Hi,” she heard a moment later. “This is Luke in IT . . .” “Hi. This is Cheryl in IT . . .” “Hi. This is Gus in IT . . .”

  Half an hour later—less than forty minutes after the botched launch—they reached their thirty-call target. “Done!” Alien typed, her entire body still trembling.

  In the few minutes TSC had burned in the emergency relocation to Alien’s house, hundreds of Treeline employees had “self-alerted,” warning others throughout the company that the online poll was a scam.

  But not everyone. Gus pwned a commercial loan officer. He’d done this under circumstances as difficult as they were absurd: sitting on the floor, his shoulders and head up against the slats of Adrienne’s crib. And in the dark, since in his rush he hadn’t been able to find the light switch. “w00t!” he sent over IRC.

  The win was enough to keep Treeline committed to further testing. But rather than congratulate themselves, Alien and her team thought about how they could have pwned the bank harder—and that they’d only barely escaped disaster.

  The TSC Internet outage was a far louder and more urgent wakeup call than the buggy phishing site. “What happened?” Alien again asked everyone. “How do we do better?”

  It was clear that they needed procedural changes for improved communications and workflow, as well as a more robust infrastructure, with a backup power supply and multiple network connections. Either way, the company had outgrown its jerry-built arrangement of offices. A new space was required to ensure the effectiveness of the security services TSC was selling. And to set a stage where it could continue to expand in the future.

  The following week, Alien drove to a new five-story glass-and-steel building one block east of the Parkmont mall. A made-up blonde with a stylish bob—her Realtor—was waiting for her. The woman carried a black leather attaché case with which she beckoned Alien inside.

  “It’s very modern,” the Realtor said. “They don’t use keys, they have cards.” She demonstrated by swiping her own card by an RFID reader, which beeped to allow access.

  Alien affected a calm and appraising expression. Inside, however, her heart swelled with each new security feature. A bank, the embodiment of safety and stability, anchored the street level. Taking the elevator required a special fob. When they reached the L-shaped space available to rent—ten rooms along two interior hallways and occupying 2,500 square feet—a small lobby and solid wooden door separated it from any other offices.

  Alien entered first, expecting traffic noises, cross-chatter from elsewhere in the building, or the whir and rumble of various vents and pipes, as in her current offices. Instead, the loudest sound was her own heels swishing on fresh pale gray carpeting almost identical to the floor covering in her father’s accounting firm.

  Light streamed in from tall glass windows. An airy break room with round tables offered a central space for people to gather. There was central HVAC with programmable thermostats and a full kitchen with a built-in microwave and pod coffeemaker.

  As the Realtor chatted about “great signage” and “ample parking,” Alien was already picturing who and what would go where.

  Luke would get a corner office and she’d get a middle one, so she could keep an eye on everything. Gus, Cheryl, and Milo could all have their own work areas, with more room for future interns, a salesperson, a full-time office manager, a bookkeeper, and a safe. They’d build out a conference room (that phrase alone—build out—felt delicious to contemplate), along with a new, improved Playlab and a dedicated forensics lab. But what to do with the open space by the front door, just big enough for a single desk?

  “And here’s your receptionist area,” the Realtor said, reaching it.

  Alien nodded. Her receptionist. How about that?

  This was a long way from the Fireberry spare bedroom. Her primary identity wasn’t hacker, or pentester, or even “senior security consultant” anymore. It was business owner and manager. And her business needed someone to welcome visitors and answer the phones.

  Alien scrimped and saved to staff up. With the receptionist and other new hires, TSC grew to nine employees. Four were older than Alien. Unlike her former interns, now all full-time, they had conventional job experience and expectations. Having to help them cover as many as thirty open projects a week pushed Alien to her limits. Then came the slow season, when she never knew how she was going to pay the bills beyond a two-week window. In early 2013, Alien went to the bank and took out TSC’s first line of credit. And she negotiated TSC’s last major subcontract with Antidote, for client 0666.

  At first the deal seemed a dream come true: 0666 was a vast retail chain that needed remote and on-site penetration tests, mobile and Web app assessments, and a security review of its credit card processing systems. Each was an interesting assignment worth eighty to ninety thousand dollars. Taken together, it was enough work to occupy and fund the company for months.

  That was the upside. The downside was that Alien soon discovered Antidote had handed off the gig only because the client was so difficult. The company’s technology was severely out of date, and it was strapped for the cash it needed to deal with this and several other priorities. Its management didn’t have the resources to improve its security more than the absolute minimum necessary to comply with state and federal regulations. On top of that, 0666 was very disorganized, which resulted in its imposing odd conditions on TSC. The client required that all testing take place after hours—which meant any consultants on the job had to work seven p.m. to four a.m.

  In April 2013, Alien escaped the office just long enough to host Adrienne’s second birthday party. A battery-powered blower filled the air with soap bubbles as a dozen happy children and their parents gathered in her grassy backyard. Alien herself felt terrible, however. Her head hurt. Her limbs ached. Her clothes irritated her skin. She was nauseous and completely drained.

  Could stress do this? Her team was begging her to refuse any further work with 0666. Yet monthly payroll and overhead were more than fifty thousand dollars, no matter how many or how few their paying clients. The overwhelming pressure to bring in new business, preferably long-term contracts, never stopped. She kept thinking that if she just continued growing the company, eventually she’d be able to step back.

  With her skills, Alien could rob a bank and run away to Vietnam, or anywhere else with good weather and loose extradition laws. And if she was ever short on cash, she could always go phishing. All she needed was an Internet connection and a phone.

  But Alien never even imagined going rogue. She was thirty-two years old, and building lasting relationships. Her friends and neighbors were here. Her lawyer. Her banker. Her local clients. And, of course, her family and her employees. After four and a half years, Parkmont wasn’t just her base of operations anymore but her home.

  Alien watched her daughter, dressed in a pink jumper and purple hair bow, tear through the wrapping paper of her presents.

  “Say ‘thank you,’” Alien told her.

  “Cake!” Adrienne responded.

  “Cake! Cake! Cake!” the kids all clapped and screamed together. But Alien heard and saw them only in a haze, and took what seemed like hours to find and light the necessary candles and then carry out the birthday cake, though she’d had everything set up since morning.

  Weeks later, still feeling sick, Alien finally visited her doctor.

  “I’m exhausted,” she said. “Maybe I’m going through early menopause?”

  The doctor examined her carefully and ran a few quick tests.

  “It’s not menopause,” she said. “You’re pregnant again.”

  It was clear to Alien how naïve she had been during her first pregnancy when she thought a larger staff would mean less work. Now, with triple the team and a second kid on the way, she needed a full-time director of operations. Life had thrown her into another curve, and it was time to hit the accelerator again.

  Alien hired a tech-savvy Denverite in her mid-forties, Susannah, who was seeking a change of scene after twenty years in government, where she had overseen a staff of thirty. Susannah, not Alien, would lead the team, assigning technical work and managing projects. As her welcome to the role, Alien gave Susannah a small statue of a bulldog draped in the British flag, modeled after the equivalent prop in the James Bond movie Skyfall.

  “You’re the new M,” said Alien, referring to Bond’s boss, fictional head of MI6, dishing out assignments to her agents.

  Alien knew the new hierarchy was working when she stopped a young man at the office door one day that summer.

  “Can I help you?” Alien interrogated him.

  The stranger stammered nervously, surprised. “I’m the new intern,” he said.

  Susannah hastened over to intervene. “He was just hired,” she explained. “It’s his first day.”

  “Ah,” said Alien, shaking hands. “I’m Elizabeth. Welcome.”

  As she walked to her office, Alien passed Gus, Cheryl, and two new pentesters gathered around the break room table discussing their latest work with client 0666.

  “Who’s on-site now?” asked Alien.

  “Milo,” Gus answered. “He cracked their wireless network from a café inside one of their stores, and then wormed his way into the company’s central systems.”

  “He got root on the badge-printing system,” said Cheryl. “He could add his name and photograph to the badge system and give himself access to any building. Any room. You name it.”

  One of the new pentesters piped up, “We found this internal database that had the entire shopping history of every single customer.”

  “Every customer?” asked Alien. She shopped at 0666. Everybody did.

  Gus hemmed. Cheryl tittered.

  “What?” said Alien.

  “We found you!” Cheryl said. “The earliest entry was from nineteen ninety-three”—ancient history to the twenty-four-year-old.

  “Congratulations.” Alien opened the fridge and grabbed a water bottle. She pictured the entire break room papered with her life story as told through 0666 receipts, from her first bra to Adrienne’s crib. The feeling was akin to crossing the Fifth East ledge naked.

  That was fifteen years ago, though. It was in the dark. And François’s towel theft aside, being naked had been her choice.

  The Internet was much, much worse, exposing everyone in far profounder ways that were beyond anyone’s control.

 
