They set up an alarm to notify them when the selected user was establishing his jump server connection, then resumed mapping more of the intranet systems and users. They created organizational charts, along with a thorough map of the network. This included the names and roles of users, names of servers and software installed on them, and the systems to which the users had access. They would submit this evidence with their report as proof they’d successfully penetrated the core of the trading engines and reinforce the picture of the damage they could have caused if they’d been genuine hackers.
During this phase they determined that the UTP system was running Linux and was locked down with “whitelisting,” a security policy that allowed only software digitally signed with a special key that only specific users had access to. They would have to place their own software on the system in the secure zone, and for this it had to be signed so it would appear to be authentic. To this end, they monitored the e-mail of several users until they spotted a programmer who was about to submit an update package to the UTP system. They immediately planted their software, along with configuration information that caused it to connect out to their software on the jump server once it was deployed to the UTP system through him. In this way, it was taken as part of the legitimate package and was digitally signed by the NYSE Euronext signature along with the update and then installed on the UTP system.
Now they just needed their user to connect so that they could plant their software that would act as a bridge from the UTP system to the compromised Dynamo Payments software via the jump server. Only then would they be able to reach into the UTP system and remotely control the software they had just planted there, giving them unfettered access to the most important financial trading engine in the world. This would complete the entry they’d already begun.
The hours passed as they waited anxiously for the last piece in the puzzle to fall into place. They continued their mapping effort and documentation until their alarm alerted them that their primary user was connecting to the jump server.
“We’re up,” Jeff announced while not taking his eyes from the screen. Frank rushed to stand behind him, and they monitored the programmer’s progress, then rode in with him without difficulty. They took no time at that moment for celebration, only exchanging a quick glance of elation. The minor crack they’d created was now an open door.
Once inside, they established their own connection, placing their software on the jump server, which connected it to the UTP system, completing the link and establishing remote control from their own system. Before exiting, they set up their second backdoor on the other side of the jump server, one that meant they could bypass this process in the future.
“That went smoothly,” Frank said.
“I told you we were good.”
12
THE UNION JACK
CEDAR STREET
NEW YORK CITY
6:32 P.M.
Richard Iyers scanned the crowded bar and eyed a young woman at the far end. Blond and trim though a bit plain, with an oval-shaped face—and with that perpetual pout, just his type. She was laughing as she held her iPhone in front of her. From time to time, she took a quick look at a chubby man with a bright face, who was sitting at a table with two others not far away. They were playing a game, very likely one of the new ones on Toptical, currently the hottest social networking site. The man looked like a coworker, not a boyfriend.
Iyers checked his watch. There wasn’t enough time. Well, he’d seen her here before and would see her again. Athletic, naturally slim, Iyers was an attractive man. His light hair was brushed across his forehead in a boyish cut. His eyes, however, were set just a bit too closely together. They and his mildly lanternlike jaw prevented him from being genuinely handsome.
He looked at the menu and considered ordering a cold beef sandwich. This might not be London, but the pub did a decent job with it. No, better later. Iyers took a sip of Double Diamond ale, then over the glass spotted Marc Campos weaving his way toward their table through the noisy happy hour crowd. The man’s beer was waiting for him.
Campos scowled as he sat, his chin at an accusatory angle. He didn’t touch the drink. “I think you’re nuts,” he said without a greeting.
Iyers grinned. “Maybe. I’m inclined to think the possibility is one of my assets.”
Campos looked around, then leaned forward. “You’re the one who made the coding mistake. I warned you about it at the time, and when you didn’t act, I told you to fix the problem, not—” He hesitated, lowered his voice, then said, “—kill someone. I was talking about the file you left hanging out there.”
“Dead men tell no tales.”
“What’s that supposed to be? Funny?”
“Not at all. It’s a statement of fact, one you should appreciate, given your emphasis on security.”
“You may very well have ruined the entire operation.”
“I don’t think so. No one’s going to find anything.”
“They don’t know he’s … gone for good yet, but he didn’t report to work today. When he doesn’t tomorrow, they’ll check. Before long, people will be looking.”
“So he took off.” Iyers lowered his own voice, though with the surrounding noise there was no chance of being overheard. “They aren’t going to find him. I weighted him with rocks and dropped him into a sinkhole just off the stream. It was all overgrown with vines and crap. He’s fish food and gone for good.”
“Maybe you were seen.”
Iyers shook his head. “No chance. We were in a remote area. Relax. I was careful.”
“Listen to me. This guy took yesterday off; you called in sick. Someone looking at this might wonder about the coincidence.”
“You’ve got to be joking. I live in New York, this happened outside Chicago. There’s no connection between the two of us. Anyway, I took the train. There’s no record I ever left the city or that I was ever in Chicago.”
Campos stared at Iyers, then said, “I hope you know what you’re talking about. Because if they find him, who knows where the trail will lead.”
Iyers shrugged. “Not to us. You worry too much, Marc. Anyway, he’s a nerd. Nobody kills a nerd for writing code.”
“When I sent you a copy of his report and told you to fix the problem, this isn’t what I meant. You had to know that.”
Iyers made a face. “Yeah, I understood, but the guy was closing in. He reviewed operational logs while looking at a software failure from last month. You saw the report. He spotted that there’d been more than an acceptable number of connections between Vacation Homes and the trading engine. Automated security didn’t spot it, but he had.”
Iyers leaned forward. “Marc, he wasn’t going to let it go. He’d spotted our file. He didn’t know what it did yet, but he was working on it. I checked on this guy. He was tenacious and ambitious. Come on. There was nothing I could do that would have diverted him. In fact, if I’d changed anything in the software like you wanted, he’d have become suspicious that the culprit was someone who’d seen his report and was trying to cover his tracks. There aren’t that many. We don’t want anyone checking into what we’ve been doing this last year. There’s a lot at stake. You’ve said so yourself. It’s worth an extra risk or two.” Iyers sipped his drink, then changed the subject. “How’s Carnaval coming?”
Campos looked reluctant to move on. After a long pause, he said, “I think it will be ready for Toptical next week. There are still some bugs to work out.”
“This will be our first IPO,” Iyers said greedily. “If it goes smoothly, our take should spike dramatically. It’s ideal for an expanded version of Vacation Homes.”
“I agree, but no more mistakes. We’ll be uploading the code soon. It must be seamless, understand?”
“I get it.” Iyers looked aimlessly about the room, then said, “Did you find out about those two guys in the office?”
Campos, though, was still on subject number one. “Don’t go off the reservation again.
You hear me?”
“I hear you. What about them?”
“I’m serious. The next time you do, you’ll have to answer for it.” Campos leaned back in his chair, then drew a deep breath. “Stenton told me they have nothing to do with Vacation Homes.”
“Do you believe him?”
Campos thought about that a moment. “I guess. I’m pretty sure we’re not their target.”
“I can’t get them to talk about what they’re up to. I’ve tried without being obvious. They’re very closemouthed. I did a little online research on them. They both used to work for the CIA, did you know that?”
Campos briefly looked stunned. Then he lifted his drink and took a long swig.
“Jeff Aiken’s the boss,” Iyers continued. “It’s his company. He’s big in cybersecurity. He’s rumored to have saved the world a couple of years ago.” He smiled.
“What are you talking about?” Campos’s thoughts were still on the idea these men worked for the CIA. He’d read once that no one ever really left the Company. The thought was sobering.
“Some kind of Internet terrorist attack. You remember all those incidents, the ship that ran aground in Japan, the near meltdown, some hospital deaths? They’re supposed to have been caused by al-Qaeda. I read on some forum this Aiken guy blunted the attack. There’ve been other things too. A plane crash in Turkey.”
“What? He’s some kind of secret agent?”
“Nothing like that. Just really good at snooping around systems.”
“Shit. Just what we need.”
Iyers leaned even closer and spoke very quietly. “I can fix this too, you know.”
Campos was startled. “Don’t even think about it.” He looked about again. The place was really getting crowded. “If more people … go missing, it’s going to draw attention we don’t need, especially with Carnaval coming online.”
Iyers pursed his lips. “I can make it look like an accident.”
“I said no, and I mean it.”
“Ask your boss. I’ll bet he sees it my way.”
“My boss?” Campos pulled himself up. “What are you talking about?”
“You don’t think I bought that line about this being your operation, do you? It’s too slick, too big, and sometimes you don’t make decisions right away. I’m just saying, check with your boss. Don’t take this on yourself.”
“Richard, when I came to you about this, I never said a word about violence. We write code. Vacation Homes is about making money. Nothing else.”
Iyers stared at Campos, and then he took a drink to mask his thoughts. The guy’s a fool.
Iyers was from Upstate New York. He possessed a congenial manner and had the knack of getting along with everyone while being close to no one. Since he formed his partnership with Campos, his self-image had taken on an unexpected aspect. He’d never seen himself as an outsider before, though if he were honest with himself, he always stood aside and looked in on normalcy. Those who played by the rules and lived conventional lives had always seemed to him to be suckers. Only when it came to women had he always felt himself to be a bit outside the norm, and even then, he wasn’t entirely convinced his behavior was all that unusual. Men just didn’t talk about it.
Then the economic meltdown had come, and with it a fresh appreciation of the worldwide financial system. He’d always stayed within his specialty, but now he studied the so-called system and saw it for what it was: an elaborate means for the corrupt to profit with the appearance of legality. That didn’t surprise him so much as his failure to realize it sooner.
An infrastructure specialist at the Exchange, Iyers managed the deployment of software and the configuration of the NYSE Euronext data center systems. It was a position of extreme sensitivity. The systems included third-party software, such as antivirus and systems management software as well as internal software. He was also part of the team responsible for deploying much of the trading software that was the heart and soul of the Exchange.
He’d met Campos three years earlier, and within a few months, over beers in this very pub, Iyers shared his thoughts. A few weeks later, Campos met with him in private and laid out the scheme, presenting the operation as his own. The two men were ideally suited to make it happen, given their responsibilities.
“I estimate our personal take at ten million dollars each,” said Campos on the night they closed the deal.
Iyers had nodded, his eyes flashing in greed. For an instant his mind had been filled with the thoughts of what he could do with that kind of money, the life he’d lead. Images danced before him, living rich in the Caribbean someplace, hosting parties full of hot girls. But the truth was, Campos already had him when he’d described the operation. This was his chance to hurt the Exchange, hurt it badly, to get back at the rich fat cats who thought they had it all figured out, a chance to make a statement.
And it was an opportunity to see just how far he could assert his power. He’d have done it just for that. The money made it an even better deal.
“You know,” Iyers said, “there’s talk about missing money.”
“What talk?”
“Some of the big brokers are complaining about not making what they expected in trades. I’ve not heard anything official, just comments during breaks, but Stenton’s getting nervous about it.”
“Stenton’s always nervous. That’s why he drinks so much.”
“He’s a drinker?”
“You didn’t know? Take a hard look at him on Mondays. You’ll see. Anyway, if you can believe it, I was told to trace one of our own transactions.”
Iyers found that amusing and chuckled. “How’d it go?”
“I was impressed. I did everything I’d normally do, and after two days, the trail finally just vanished into nonsense. I knew what we’d done, but from the side I was working on, I couldn’t make anything out.”
“See? We have nothing to worry about.”
“I guess. But if our code gets identified and reverse engineered, they might trace it to one of us, no matter how clever we think we’ve been.”
“I don’t see how. We routed it through other users and servers that you and I don’t have rights to. I used half a dozen laptops to set my part up and ditched each of them. There’s absolutely no trail back to me.”
“Let’s hope so.”
Iyers suppressed his immediate response. Instead he said, “So what did you tell Stenton?”
“Just what I told you.”
“Did he believe you?”
Campos nodded. “Sure. Why not? I don’t think I’m the only one he talked to about this, and no one had any luck, from what I heard. That’s when I asked him about those two guys.”
The men sat without comment; then Iyers said, “So what do we do? From what you say, we need to neutralize Aiken and Renkin. If you don’t want me doing it the easy way, I’m open to suggestions, but I still think you need to take this to your boss.”
“I don’t have a boss. Just drop it.”
“If you say so.”
Neither spoke for some minutes. Iyers finished his drink and gestured at the waitress for two more. Campos looked deep in thought. The blonde at the bar laughed in triumph. The chubby guy at the table grimaced and set his phone down. The place was getting very noisy.
After the drinks arrived, Iyers said, “I haven’t seen any real money yet.” This was his recurring complaint. Campos had given him less than $100,000 so far.
“It’s cooling off. I told you. We agreed.”
Iyers shrugged. “I’m just saying.” He looked around the room. “You know,” he continued, “I have the feeling that time is running out on us, and a whole lot faster than you talked about. I haven’t taken these chances for what little I’ve seen so far. Just so you know.”
“You may be right about time. I’ll get back to you on how we’ll proceed.” Iyers smirked but didn’t say what he was thinking. After a long pause, Campos said, “Can you insert Carnaval without any bells going off?”
/> Iyers pursed his lips. “I don’t know why not.”
“No shortcuts.”
“Enough of that. I told you at the time why I had to do it that way. There’s nothing I can do about it now. If we make any changes at this point, they’ll spot it and know for a fact something’s up.”
“Yeah. I get it.” Campos picked up his second drink.
“I don’t like these two guys working in the system,” Iyers said.
“I don’t either.” Campos set his drink down and looked off to the side, still not answering the implied question. And in that gesture and silence, Iyers got the unstated message.
He grinned and extended his hand. He touched Campos’s forearm in reassurance. “No problems, amigo. No problems. I’ll take care of it.”
DAY THREE
WEDNESDAY, SEPTEMBER 12
THE IPO HIGH-FREQUENCY TRADERS DESTROYED
Commentary
September 12, 11:30 A.M.
Palo Alto—Every IPO contains risk. It’s an axiom of the stock market, yet time after time, financial experts behave as if each IPO is a guaranteed win for all concerned. For evidence of the inherent risk, you need look no further than the IPO for the well-regarded, high-frequency trader BATS Global Markets, Inc., in 2012.
No company appeared better prepared to launch an IPO. BATS was at the time the third-biggest U.S. stock exchange company and was a highly respected, innovative player in high-frequency trading. It was seeking an infusion of capital through its IPO to better compete with NASDAQ and the New York Stock Exchange. Since it ran its own exchange, it elected to handle the IPO itself. Everything was set for what was expected to be a highly profitable day. Instead, the stock opened just below the projected IPO price of sixteen dollars, and then continued falling as high-frequency traders came on board.
Rogue Code Page 7