Armchair Safari (A Cybercrime Technothriller)

Home > Other > Armchair Safari (A Cybercrime Technothriller) > Page 11
Armchair Safari (A Cybercrime Technothriller) Page 11

by Jonathan Paul Isaacs


  Then her mom didn’t wake up one day, and in short order Lucy was on her own. And she found that Billy was no longer content with petty crimes to fuel the gas and the coke and the booze. He needed more cash, and that escalated into a bank robbery attempt and a shootout with the cops in the parking lot, and then Billy was gone too. And Lucy was smart enough—and coincidentally on the day in question, sober enough—to realize that sooner or later she was going to be on the same path with the same conclusion.

  So she begged Billy’s cousin to help her, and after a lot of pleading and crying on her part he got her a job doing inventory at a friend’s business, San Diego Computer Sales & Service. To her surprise, working and accomplishing the mundane things that helped a business run turned out to be actually pretty rewarding. She went back and got her GED. She saved her money instead of blowing it on liquor. By that time she was taking apart computers when they came in for repair, learning how they were built and how software made them work. She enrolled in community college and took some programming courses. She started hanging out with a different crowd—the geeks, the nerds, the guys that were ugly and quirky and awkward but at the same time brilliant and insightful and that would challenge her to know more than she did. She learned about hacking, how to make software do things that the authors didn’t want it to do. How to get information that wasn’t hers. And she learned about how to steal money. The path was seductive and she had almost gone down it, save for one event that had her step back from the precipice. And that’s when things started clicking for her. Not around hacking, but from keeping others from doing it. There was money to be made there, too. Honest money.

  So, over the course of ten years, Lucy Sonheim had managed to make quite a little name for herself in the technology world. Interest in cyber-security took off along with the Internet and there was a real need to make sure businesses worked securely and efficiently. Lucy went to work at UC San Diego—then to an internet startup where she met Roger, whom she followed to Netertainment. And now she was in her dream job: leading I/T operations for a company that had a genuine chance to make it big. Real big.

  This is what you asked for.

  Lucy smoothed the front of her black skirt in the mirror. She always dressed nice now, working hard to cultivate the image of a high-powered businesswoman rather than a random piece of trailer-trash shit leading an accidental life. But no matter what she did, she still had the tattoos on her arms to remind her of where she came from.

  She opened the door and walked back onto the main floor where the lighting was turned down for the night. Her office was one of the executive offices that ran around the rim. It was nothing palatial. But it had a window, and in Netertainment’s corporate pecking order, that was as good as the office real estate got.

  She noticed the lights on in one of the other offices down the hall. That was odd. It had been dark when she went into the restroom. Lucy walked closer and saw Derek docking his laptop at his desk.

  “What are you doing here?” Lucy asked from the doorway, hands on her hips.

  Derek looked up in surprise. “Oh. Hello.”

  Lucy stared at him, waiting.

  “Sorry.” His eyes flitted across her body. “I guess I didn’t realize I was violating your space.”

  Lucy shifted on her feet, suddenly feeling defensive. She didn’t like Derek. She recognized his type: an ‘expert’ who had come in to save their company from the mistakes it was making. An I-know-better-than-you-do attitude coupled with an expectation that he was going to make a pile of money in stock options, even though he would have less to do with Netertainment’s success than she did, or Roger, or Manmeet, or Dave, or anyone else. He represented the type of person she despised.

  She had had to climb up from nothing. Why shouldn’t he begin at the same starting line?

  Lucy strode over to the credenza behind Derek and sat down on the edge. She felt like there would be a more level field without a desk between them. “I like to work late. It’s easier to get things done without distractions. What’s your excuse?”

  Derek glanced over at his laptop. “I couldn’t connect to the network from home. Got tired of fighting it.”

  “We have a lot of security set up here. You’ll also find that any personal device you want to use here has to have my security agent installed on it if you want network access.”

  “Oh. That sounds extreme.”

  “Is it?” Lucy said flatly.

  Their new CFO just stared at her. Studying her.

  Lucy had never really spent any time in Derek’s office before. She noticed two framed photographs on the credenza next to her. One of them was of a bunch of soldiers posing in the desert. The other showed a young toddler wearing a red polo shirt. Lucy picked up the picture of the kid and saw more than a passing resemblance to Derek.

  “Must be kind of inconvenient for your family for you to come in so late, huh?”

  Derek leaned back in his chair. He seemed aware that he was being challenged but didn’t seem to mind. “That’s my son, Robby. He’s still up in Boston. I’m down here by myself right now.”

  “Married?”

  “No, he’s only six.”

  “Not your—I meant, I assume your son is up in Boston with your wife?”

  A slight hesitation. “Yes.”

  Lucy wondered what that meant. “You don’t have a Boston accent.”

  “I grew up in Virginia. Where are you from?”

  “California. How did you get to Boston then?”

  Derek paused for a moment. A small smile curled up the corner of his lip. “I-95.”

  “You can stop that.”

  “Yeah, sorry.” Derek chuckled to himself. His eyes narrowed as he tilted his head. “You sure are inquisitive.”

  Lucy put the picture frame down and looked at Derek’s smug little smile. “Jim tells me that on your first day here, you thought I was one of the receptionists.”

  “You were sitting at the receptionist desk.”

  Lucy waved her hand in a dismissive gesture. “I was reimaging the receptionist’s computer. The stupid girl had downloaded some sort of malware from a website pretending to have the latest celebrity news, so I took the PC off the network and wiped it clean.”

  “Those movie stars do tend to get dirty.”

  Lucy wasn’t amused. “You should know that this company has an awful lot of people getting on and off the system every day,” she snapped. “A lot of money changes hands between our players. The crooks don’t announce themselves—you have to watch for the signs. So I’ve learned to be inquisitive. That applies to people I work with, too.”

  Especially when they’re not friends, Lucy thought to herself.

  Derek seemed to accept that explanation. “All right, then, I’m happy to share. I graduated from the University of Virginia. Then I worked for a little consulting company right out of school for a few years. I left and went to Deloitte, which is a bigger firm—”

  “I know who Deloitte is.” What, did he think she was stupid?

  Derek blinked. “Of course you do. I was just going to say that while I was with them, I worked with a lot of software companies.”

  “Then what?” Lucy jabbed impatiently. She wasn’t looking for the resume game.

  Derek looked puzzled from all the staccato questions and stared at her for a moment. He took a long breath. “Then, 9-11 happened.”

  “What?”

  “We got attacked,” Derek said. “You know, jumbo jets flying into Manhattan skyscrapers? I didn’t like that too much. I thought I ought to do something about it. So I joined the Marines.”

  “You joined the Marines because of 9-11? Seriously?”

  “Yes.”

  He sat silently for a few moments. “Anyway, long story short, when I got out I went to Harvard Business School, which took me to Boston. I joined up with Deloitte again in their software strategy practice—a lot of helping businesses nail down their operating plans. Jim was a HBS alum too, and he an
d I had crossed paths a couple times at that point. I ended up working with him on his last business. Not that that turned out great, of course, but that was an economy problem. Jim thought I might be able to help out here. So there you go.”

  Lucy wondered what sort of man it was that left behind a career she could only dream about, to join the Marines and run around in the desert. It sounded pretty foolish to her.

  “So your son, your family... still in Boston?”

  “Yes. We’re working on the move. I’m looking forward to not having to live out of a corporate apartment.”

  Lucy spotted a piece of lint on her skirt and swept at it. It didn’t seem to want to let go, so she pinched at it until she got it and flicked it onto the floor.

  “Your tattoos are beautiful,” Derek said.

  She glanced up at him. He was staring at her, not in an unfriendly way, with that tiny smile on his lips again. Lucy suddenly felt very self-conscious about her arms. There was a strong fantasy element to the artwork. The dragons of alcohol, the fallen knight for Billy. The Grim Reaper for her mother’s death. Sometimes she wondered why she had added the princess in the tower.

  Lucy felt herself blushing and shook off the thought. “Thanks.”

  “I understand you have a big security background?”

  “You could say that,” Lucy said, glad to shift the conversation off her. “Like you, Jim brought me in. We already get lots of unwanted attention based on the nature of our business, and we’re still just a startup. It will get worse as we grow.”

  “Tell me about it.”

  “I’ll spare you the details of how information security is changing,” Lucy said with a raised eyebrow. “Suffice it to say that the old ideas of setting up perimeter security to keep out hackers and malware is pretty obsolete.”

  “Why is that?” Derek asked. He shifted in his chair as if he were genuinely interested.

  “You’ve been around our developers, haven’t you? Every single one of them has, like, five devices they use during the course of the day. They put them all on our network and fold work around their lifestyle. There’s no telling how much crap is floating around our system. Twitter, Facebook, downloaded DVDs on BitTorrent... you name it.”

  “That sounds like the Wild, Wild West,” Derek said. “Why do you allow it?”

  Was that an attack on her? “Because if we didn’t, no developers would work here. It’s the ticket to entry now. You’ve seen our game environment—we need the talent that is required to produce it.”

  Derek nodded. “Fair enough. How do you still protect the company, then?”

  “It starts with monitoring in our data center. Malware can morph quickly in an environment like ours, so the key is to have monitoring and pattern recognition using the largest, most real-time reference base possible.”

  “Is that data center here?”

  “No, we contract one down in San Antonio.”

  “Wouldn’t it be more secure if it were here?”

  Lucy shook her head. “We get a better economy of scale by having our servers with a company whose core business is hosting. Better costs, better support, better security. The one we use leverages a security services company called SecureNet. They have a lot of ex-NSA types who work there—spooky guys who really know their stuff. Even then, security is relative. It’s not a matter of if you get hacked. You will. In fact, I’m sure we are, right now. It’s a matter of detecting and containing on an ongoing basis.”

  “Interesting,” Derek said. “So, what sorts of threats worry you the most, then? Given the nature of how all this is set up?”

  She thought for a moment. “Identity theft. It’s probably the easiest way for a hacker to get a payoff.”

  “Tell me more.”

  “Do you know what spoofing is?”

  “No.”

  “Someone emails you and pretends to be a legitimate agent of some website that you use—eBay, for example. They send an official looking form that says something like, ‘There’s a problem with your account, follow this link, log in, and answer some questions.’ If the idiot who got the email follows the link, they think it’s taking them to eBay. But it’s not. It takes them to a false copy where they input their user name and password, and go through some bogus Q&A routine. Then the hacker takes that information, logs into the real website later, and steals that user’s credit card or bank numbers.”

  Derek had his finger across his lips, thinking.

  “This sort of thing goes on all the time, everywhere,” Lucy continued. “We can’t stop it. But we can educate our users on it—how they might be swindled, how not be goaded into thinking that any sort of email like what I described ever comes from us, because we don’t do that. Knowledge is really the best weapon.”

  “So,” Derek said, “a thief sends out an email to one of our gamers, pretending to be us so they can grab account information. I can see how that would be a problem. I use the same password for everything. If someone ever gets it, they’ll own me.”

  Lucy felt like she was talking to a second grader, given the appreciation Derek seemed to have for protecting himself. She decided to push him.

  “Let’s talk about you, then, Mister CFO,” she said, leaning forward. “Someone like you probably gets spear-phished.”

  “Huh?”

  Lucy narrowed her eyes. “Imagine if you got an email from Jim—only it wasn’t from Jim. It looked like it was, and it looked like it came from his email address, and it’s written in perfect English talking about how he wanted to share some story in the news about our company, and there’s a pdf attached to it. But it’s not from Jim. It’s from a Rocketmail account that’s spoofed his name. And it’s not a pdf. The file name says something-dot-pdf and then there are a hundred spaces before you see that the actual file type is a dot-exe extension. And you can’t tell because those spaces push the filename’s extension out of the text box and even the icon has been changed so that it looks like a pdf. So you open it. That file installs a small back door like Poison Ivy or Gh0st RAT that calls home from our network. Do you know why hackers set it up that way? Because firewalls are good at keeping stuff on the outside from communicating in, but not vice versa. So our hacker exploits that weakness. And then you’re screwed. They go to work, spying, stealing, or killing us from the inside, like a cancer. And it would all be at your hand.”

  She had his attention. Derek looked uncomfortable.

  “You, Derek Callahan, CFO, could single-handedly wipe us out. Think about that.”

  “So once they get in... what do hackers go for? How do you stop them?”

  “Identity theft is usually about stealing financial information,” Lucy explained. “How do I get at your cash? There’s a tale that’s famous around security circles about a hacker from the Netherlands a few years back. He broke into a bunch of online sites—an events ticketing website, a computer game distribution site, some others—and stole tens of thousands of credit card numbers. He somehow managed to burn through thirteen million euros playing online poker before the Dutch police caught him. Can you believe that? That’s almost twenty million dollars.”

  Derek scrunched up his forehead. “I’d say he’s a pretty bad poker player.”

  The dry wit was starting to get to her. Lucy almost smiled but quickly squelched it. “I’m not surprised he wasn’t good at poker, because he certainly couldn’t stay under the radar about his exploits. That was how the cops caught him—he was bragging online about it. But before he got busted he bought tons of electronics, flat screen TVs, notebook computers, stuff like that. That cost real money, in addition to his gambling losses.”

  Derek had folded his arms across his chest and was thinking hard. “Lucy... how does a hacker accomplish all that from my account? I mean, I’m the CFO, and I certainly don’t have the ability to access one of our gamer’s credit cards.”

  “They don’t need your user access to be you,” Lucy explained. “They just needed you to get into the network.”


  It was clear Derek didn’t quite get it, so Lucy let out a sigh and continued. “A hacker uses his new back door to start scanning everything, Derek. Maybe they use a sniffer program to monitor passwords, emails, files, and whatnot passing through misconfigured routers or firewalls. It is not terribly hard to grab data in transit and reverse engineer the user credentials. Eventually they find an account with the right I/T access that they use to set up their own ghost account with the highest possible privileges. Then they can open a command shell and do anything that I could do—display network connections, list running processes, show other accounts with administrator privileges, anything. They can go find interesting files such as lists of credit card numbers, archive it, and transmit it out in the middle of the night.

  “All it really takes is finding just one node on the network not current on its security. You get in, establish yourself, and then steal what you want or cause any damage that suits you.”

  Derek rubbed his chin, deep in thought. Lucy thought he looked impressed. As well he should be. She had one of the most important jobs at the company, one that included being the primary defender of all their hard-won intellectual property and clientele. It was not something she would let someone else screw up. And that was what worried her the most when someone less than two months into the job was making strategic decisions that could seriously impact their operations.

  “I guess I should change my password,” he said smugly.

  Sigh.

  Maybe he was still trying to be playful, Lucy thought, but that’s just not where her head was at.

  “You know,” Lucy said, switching topics, “I don’t like this idea you have about us taking ownership of our players’ money. We have a nice, clean system that leverages what our offshore bank is very good at, and they assume all the risk if something goes wrong. We should keep it that way.”

 

‹ Prev