Breaking and Entering
Page 33
In mid-September, Treeline Bank called TSC on behalf of one of its customers, a construction company based in Salt Lake City. A day earlier, the company’s payroll manager had clicked on a phishing email link that infected his Web browser with a “man-in-the-middle” attack, allowing hackers to see everything he typed and even replace his familiar Treeline online banking page with an exact replica asking for additional credentials. Only a second layer of security, requiring special executive approval for large wire transfers, had stopped the firm from losing almost sixty thousand dollars to an offshore account.
Could TSC investigate and find out what happened and how to fix it?
Susannah sent Luke on-site to image any affected computers and interview staff. When he returned, Milo took over, using the equipment in the forensics lab to inspect everything carefully. The payroll manager had clicked on nineteen links in as many different phishing emails, he discovered.
Alien volunteered to help finish the job. Business operations aside, having to come up with original material every year for ToneDef, TSC’s DEF CON contest, gave her an extra reason to keep up with new hacking developments.
“I’ll do the malware analysis,” she said.
To understand how the malware worked, Alien set it up in a “sandbox,” or cordoned-off virtual machine environment, on a computer in the Playlab. This gave her the digital equivalent of a high-level biosafety lab, where the software could be safely stored, inspected, and dissected. Alien started by viewing the page source for the emailed link that led to the man-in-the-middle attack. It was neatly written by sophisticated programmers.
These bad guys are good.
Of late, the best black hats had emulated successful Silicon Valley entrepreneurs, licensing the use of their work through cloud-based commercial software suites called “exploit kits.” To begin a mass attack, you didn’t have to know how to write a computer program—or even have your own computer. You just logged in from anywhere, chose the kind of hacks you wanted, and paid by the day, month, or year. Some black hat services accepted payment by deducting a percentage of the take.
Alien infected the virtual machine, and then came back forty-eight hours later to check what the digital thieves had been doing.
The software began by configuring itself to run at startup. Then it phoned home once every twenty minutes, seeking updates or further instructions from one of a series of modern command-and-control servers around the world.
“What do you want me to do?” the program asked, in essence.
And the criminals at the other end of the connection could order whatever they wanted.
“It’s impressive,” she told Susannah afterward. “And more than a little frightening.” Not just in itself but for what it portended. This wasn’t a solo hit-and-run operator. It was the work of a group of professional hackers, just like TSC.
As she had gone from novice to student, student to practitioner, practitioner to teacher, and managed to manager, all as a white hat hacker, black hat hackers across the globe had followed a parallel path, organizing their operations, establishing reputations, and finding clients. And bringing in money to their communities.
Alien had never realized it, and she had never wished for it, but one could even say she had needed the black hats to keep growing and getting new opportunities herself.
“How many employees do you think they have?” Alien asked.
“I don’t know,” Susannah said. “But their sales team is definitely bigger than ours.”
Alien laughed. From Susannah’s desk, she picked up the little bulldog statue she had given her. “I wonder if they have an M . . . ,” Alien said. “Maybe somewhere, on the other side of the world, there’s an evil Susannah.”
Susannah raised an eyebrow wryly. “Well, then there would have to be an evil Elizabeth, too.”
Tuesday mornings, Alien took off work to spend extra time with Adrienne. Ten a.m., the day before Christmas, the two of them moved through the aisles at the supermarket with Adrienne in the kiddie seat of the shopping cart. Alien was eight months pregnant, dressed in stretchy jeans and a loose black sweater, while Adrienne, now two and a half years old, wore her favorite princess pajamas and sky-blue faux-fur booties.
Leaving the produce section, they passed a stand with the Denver Post, USA Today, and the Parkmont Messenger. Each paper featured a photo or illustration of a computer screen on its front page. And every other headline seemed to be about information security.
In May, former NSA contractor Edward Snowden had fled the country with hundreds of thousands of files documenting secret government surveillance programs around the world. Then, this past week, 70 million Americans learned they’d had their credit cards and personal information compromised by shopping at Target—all because an employee of a heating and cooling subcontractor in Pennsylvania had clicked on a phishing email link, letting his or her computer be captured and used to reach the rest of the company network, then Target’s network, and then its point-of-sale machines nationwide.
Overnight, ordinary people realized they were being tracked and targeted. New revelations came daily—not necessarily because hacking had increased, but because the media were finally on the lookout for it.
Alien turned in to the snack aisle. A moment later, she felt her cell phone vibrate in her pocket. It was her main contact at Treeline Bank, one of their senior vice presidents.
“Our cash management representatives really need some cybersecurity training,” he said. “They’re the ones who have the relationships with our corporate clients. And they’re the ones who get a call if there’s a suspicious wire transfer. Can you come in and give a presentation?”
Spend an hour showing you exactly how TSC can protect your biggest clients?
“Absolutely,” said Alien. “We can make videos of the malware in action from one of your recent customer cases. That’ll drive the point home.”
Her phone beeped—incoming call—before she was even off the line. Susannah.
“We just got a new client,” she said when Alien picked up. “Never seen a request like this before, but I told them we could handle it.”
“Okay,” said Alien. She looked down at Adrienne, trying to raise herself out of her seat to snag a box of graham crackers from the nearby shelf. “I’ll be in this afternoon,” Alien closed out the call. “Let’s figure out a battle plan.”
She lifted up Adrienne and rested the toddler against her left shoulder. Alien was in a good mood, and excited about both new projects.
“Crackers?” Adrienne pleaded.
“No,” Alien said. “Hackers.”
Adrienne looked at her quizzically.
Alien smiled. “And crackers,” she said, grasping the box her daughter wanted with her free right hand and placing it in the cart before returning Adrienne to her seat. “When we get home,” she added.
Adrienne clapped enthusiastically as Alien leaned over to kiss her on the head.
Epilogue / /
Fast Forward
In the years that followed, TSC expanded to employ more than two dozen people. Today, her staff, not Alien, perform most of the company’s pentests, forensics investigations, and incident response work, under the direction of the chief operating officer, Susannah. Alien, meanwhile, leads TSC and focuses on community and training events.
It’s a growth field. In 2014, not long after the birth of her son, Isaac, the company moved again, to larger offices in downtown Parkmont.
One year later, Alien bought the building.
I slid an orange laminated card across Alien’s kitchen table. When she recognized what it was, she smiled.
Months had passed since she’d agreed to share her story with me. In the interim, I’d crisscrossed the country, with and without her, interviewing other members of the diverse hacker and information security communities—American and international, activist and academic, government and corporate, legal and illegal. Now I had my own souvenirs from Las Vegas nightclubs and
Los Alamos research labs, the bar scene by NSA headquarters and the tunnels, tombs, ledges, and domes of MIT. My favorite item, however, had been a loaner.
Soon after we got back from traveling to DEF CON together, Alien had let me borrow her old MIT hacking card. That was what I had just returned to her. One side listed eleven different “Methods of Entry” to be used, in order, in trying to access any physical location. The other side contained a code of conduct to follow in pursuing these methods. The card itself was bent from late-night use opening locked doors almost twenty years earlier.
It was a guide, a belief system, and a tool—all in one.
Along with the many twists and turns, the successes and dead ends, the risks and rewards, important continuities ran through Alien’s path from freshman hacker into unknown or forbidden physical spaces at MIT to InfoSec expert and entrepreneur. These went beyond her intelligence, ingenuity, and energy to her attraction to situations, problems, and challenges that most of the rest of us would rather avoid or ignore.
“Where’s cybersecurity going next?” I asked.
“Have you heard of the Internet of Things?” she said.
I nodded. The term included networked security cameras, spy drones, and missile launchers, but also “smart” watches, pacemakers, baby monitors, and slow cookers.
By 2020, Alien told me, “there are going to be an estimated thirty billion connected devices with really no security management, ready to do a hacker’s bidding.” Imagine ransomware in self-driving cars, she elaborated. Bot armies of “enslaved” fitness trackers, covertly “mining” cryptocurrency. Remote-control voting machines.
“That’s off the top of my head,” Alien said. “And it’s just the beginning.”
I got a sinking feeling in the pit of my stomach. After researching and writing this book, I now locked my phone and logged off my computer when I wasn’t using them. I set up hard drive and email encryption, and a VPN, or virtual private network, for my phone, laptop, and other devices, so I could access public wireless networks more securely. I used multi-factor authentication and a program that generated and managed strong unique passwords for all my online accounts. I updated system software regularly, to keep security patches up to date. And I deleted suspicious email attachments and double-checked Web links to defend myself against phishing attacks.
Anyone could do this quickly and easily, following instructions online. Everyone should.
But Alien’s quick summary of technology’s growth and dynamism made it clear that there was no such thing as absolute security in this world, or any definitive and final fixes. Black hats would keep striking where and when they could, in ways that were impossible even for her to predict. That made white hats like Alien all the more essential. They were the best defense we had.
Her phone rang. It had done so repeatedly during our conversation. Now I more fully understood why she still did so much work after midnight. This was the only time when calls wouldn’t interrupt her.
I closed my notebook and stood up to go. I could just let myself out while she spoke with whoever was on the line, but Alien raised an index finger to signal that I should hold on.
“Uh-huh, uh-huh . . . ,” she said into the phone. “Sure . . . We can do that . . . Yes . . . Of course . . . No problem . . . I’ll call you back in fifteen minutes.” Alien hung up and looked at me.
“Sorry,” she said. “It never stops.”
Alien picked up the worn MIT hacking card and looked it over fondly as she walked me to the door. “You can teach hacking processes, but people either have the personality or they don’t,” she told me.
“You mean it’s impossible to become a hacker?” I asked.
“The only thing you can become,” Alien said, “is yourself.”
While one of her recurring fantasies was to live a normal, boring life, for her that would be the hardest hack of all.
Acknowledgments / /
Thank you to Alien for trusting me to tell a story worthy of her extraordinary experiences. I could not have written this book without her encouragement and assistance, and that of her friends and colleagues from the past two decades. In the midst of very busy lives, they welcomed me into their circles, recounting—and often reenacting—many of their most significant adventures. For that generosity of time, effort, and spirit, I am deeply grateful.
I also interviewed dozens of experts to understand the past, present, and future of hacking, among them phone phreaks and lock pickers, bank officers and corporate executives, NSA veterans and academic researchers. To state the obvious, not all of my sources agree ideologically with one another. Probably no two of them would agree on a single definition of hacking. But all of them are almost entirely self-educated in the field. They all have hair-raising stories to tell. And they’re all deeply concerned about the many ways our modern ingenuity—and ingenuousness—is spurring our vulnerability.
The more everyone knows about how hacking really works, and who hackers really are, they believe, the better we may all be protected.
As well as online and technical references, I relied on How to Get Around MIT, Nightwork by T. F. Peterson, and The Journal of the Institute for Hacks, TomFoolery, & Pranks at MIT by Brian M. Leibowitz in my research. Hackers by Steven Levy, and The New Hacker’s Dictionary, compiled by Eric S. Raymond, have entertained and intrigued me since I was a teenager. Special technical support shout-outs to Al Barrentine, Amy Butler, Jamie Butler, Denis Foo Kune, Laura Mullane, Deviant Ollam, Skylar Rampersaud, and Chris White.
I cannot express enough praise for my team at Tessler Literary Agency and Houghton Mifflin Harcourt. My agent, Michelle Tessler, is every writer’s dream advocate: strong, smart, sympathetic, and far-seeing. Our partnership makes my entire professional life possible. My editor, Eamon Dolan, is both mentor and mensch. He taught me to show and tell, demonstrated a hacker-like acuity and focus in finding and fixing narrative holes, and kept me on deadline while never wavering in his kindness, good spirits, and poise. Collaborating with Michelle, Eamon, Liz Anderson, David Eber, Amanda Heller, Rosemary McGuinness, Heather Tamarkin, Michelle Triant, and Joe Veltre is unfailingly inspiring work.
My family and friends are my greatest gifts. Aaron Shulman and Haley McMullan told me to pursue this project before anyone else, and offered crucial advice and camaraderie throughout the drafting process. My father, Carl, and my wife, Crissie, were my most stalwart supporters, and voices of clarity and wisdom whenever I was stuck or overwhelmed. My mother, Jane, sister, Lucia, and daughter, Rasa, are models of love, compassion, intelligence, and good humor. Others who lifted—and sometimes carried—me during this project include Felicity Aulino, Tod Bachman, Latham Boyle, Glenda Bradshaw, Matt Butkus, Amanda Dawsey, Holly Deluca, Zach Deluca, Josh Engelman, Roe Erin, Patrick Fagan, Abie Flaxman, Emily Freeman, Fred Haefele, Bob Hlynosky, Kristin King-Ries, Katie Koga, Max Lieblich, Tamara Love, Elina Mer, Sam Mills, Kevin Moore, Mary Jane Nealon, Manu Samuela, Josh Schanker, Kisha Schlegel, Rob Schlegel, Sharma Shields, Soren Spies, Mark Sundeen, Igor Teper, Aaron Thomas, Hank Trotter, Jason Wiener, Danette Wollersheim, and Ping Xu. Thank you all.
About the Author
Jeremy N. Smith has written for the New York Times, the Atlantic, and Discover, among other outlets, and he and his work have been featured by CNN, NPR News, and Wired. A graduate of Harvard College and the University of Montana, Smith is the author of Growing a Garden City and Epic Measures. He lives in Montana.
Learn more at wjeremynsmith.com
Connect with HMH on Social Media
Follow us for book news, reviews, author updates, exclusive content, giveaways, and more.
lter: grayscale(100%); -ms-filter: grayscale(100%); filter: grayscale(100%); " class="sharethis-inline-share-buttons">share