
The Doodlebug War


by Andrew Updegrove


  As Frank watched the evening news over the days that followed, he witnessed victorious troops in pickup trucks “liberating” city after city as joyous crowds lined the road and cheered. Each day the tide of red spread farther north, east, and south on the map displayed by the news anchors. And there appeared to be no end to their advance in sight but the sea.

  * * *

  11

  To Catch a Thief

  Frank had a message on his phone, and the calling number wasn’t Marla’s. That was unusual, as his contacts with the outside world, such as they were, were conducted almost exclusively by email. He dialed up his voicemail and listened.

  Hello, Mr. Adversego. My name is Sara Ravitz, and I’d like to discuss an issue I’m having at my business. I believe that someone is hacking my computer network, and I need to find out how to stop it. If you’re able to take on any new business at this time, I’d like to arrange an appointment. My number is…

  He scrabbled in his pocket to find a pen and replayed the message. How about that. A real client at last! He’d been so preoccupied trying to flush out Foobar’s intentions that he’d avoided thinking about how he was going to make a living after the CIA project wound up.

  Then he scowled. What right did he have taking on new business with Foobar on the loose? Still, right now, he didn’t have anything to do until Tim and Keri got back to him with the results of their latest research. And that would likely take a few more days. Why not see whether this was a project he could fit in?

  Then he scowled again. He’d been using Foobar as an excuse to put off finding a real office instead of admitting that avoiding interacting with anyone face to face was the real reason. Time to bite the bullet on that one.

  * * *

  Frank was feeling uncomfortably bogus as he waited in the small conference room for Sara Ravitz. It had cost him a five-hundred-dollar shared office facility membership fee for the right to sit for one hour in a room he might never use again. Promptly at 2:00, there was a knock at the door. It opened to reveal a dark-haired, earnest-looking young woman perhaps a few years older than Marla.

  She held out her hand. “Mr. Adversego? Hi, I’m Sara Ravitz.”

  “Pleased to meet you. Did the receptionist offer you a cup of coffee or something?”

  “Yes. I’m fine. Thanks for seeing me on such short notice.”

  “No problem at all. How did you find out about me?”

  “I went online looking for a cybersecurity firm and ran into your site. I’ve read your book, so, of course, your name was familiar to me. I’m sure my problem isn’t as interesting as what you’re used to, but if you have time, I’d like to engage you to help me out.”

  He cringed at that; so she’d read the exaggerated account of his first adventure his ghostwriter had concocted. Thank goodness, she hadn’t mentioned the imaginary wolverine.

  “I’d be happy to. What is it that you’d like me to do?”

  She frowned. “This isn’t the kind of thing I’m used to dealing with. Where would you like me to start?”

  This being his first client meeting, he had no better idea than she did.

  “Wherever you’d like.”

  “All right. Well, I guess it would help for you to know something about the non-profit I run. It’s called the Responsible Technology Foundation.”

  “Yes, that would be helpful. I’ve spent some time at your website, but I’m sure there’s a lot more to know.”

  “Oh, good. Then you already know that our mission is to hold technology companies accountable if they don’t operate in a socially responsible manner. In the past, we’ve focused on issues like the environmental impact of improper disposal of electronic equipment and exposing the exploitation of workers by contract electronics manufacturers in places like China and Vietnam. Most recently, we’ve started looking into the vulnerability posed by concentrating computing resources and records in cloud computing data centers. Is that something you’re familiar with?”

  If only she knew. “Yes, I’m very current on how vendors are trying to persuade customers to convert over from local to cloud hosting. I assume you’re concentrating on cyberattacks?”

  “Yes, we worry about that, but there are enough other groups covering those risks already. We think we can be most useful by making people aware that physical attacks could be far more dangerous, since a cyberattack doesn’t usually damage the actual equipment. As, of course, you already know, an enemy conducting a cyberattack might be able to take the targeted system down for a while, but you can generally restore operations fairly quickly. True, an enemy could also delete or corrupt data, but if that data was backed up at a couple of other data centers, the attacker would have to attack almost all of them to have a catastrophic impact. We believe that physically destroying a much smaller percentage of the data centers would be sufficient to crash just about everything and keep it that way, so that’s what we’ve been focusing on.”

  Clearly, Ravitz was going to get no argument from him, but it didn’t seem prudent to dwell on the topic for too long.

  “Thanks, it’s helpful to me to have that context. Why don’t you tell me a bit about why you think your systems have been compromised?”

  “Sure. Well, first of all, shame on us—we haven’t been as proactive as we should have about system security. We’re quite a small organization, so we don’t have any IT staff of our own. We use an outside service instead and let them worry about setting things up properly and keeping them secure. Until recently, we haven’t been aware of any reason to be concerned. Now I’m not so sure.”

  “What have you noticed?”

  “Nothing on the system itself—everything seems to be working just fine. But I’m worried that someone has been accessing our files to get information they can use against us.”

  “In what way?”

  “As you might imagine, we’re not too popular in some quarters, so there are always people out there who would love to see us slip up. We’re very careful not to let that happen, but unfortunately, there are some vendors and groups out there that are perfectly willing to spread damaging disinformation about us. Usually it’s pretty obvious and only gets believed by people who don’t like us already. But lately we’ve been taken by surprise several times in ways that I don’t think could happen unless someone had direct access to our systems.”

  “Are you sure someone that works for you isn’t leaking information?”

  “I expect everyone says that they’re sure that couldn’t be the case, but I really don’t think that’s it. We’ve only got a few staff, and they’ve been with me for years. We’re more like a family than a business. Plus, they’re true believers in our cause, and I can’t imagine any of them would want to damage our reputation.”

  “Sometimes people get into debt and do things they wouldn’t normally do to get out of it. Or someone could be blackmailing one of your employees.”

  “I know, I know. And if we don’t find another explanation, we should come back and look into that as a possibility. But I don’t think we need to start there.”

  No problem, thought Frank. The first thing he’d need to do would be to figure out whether the RTF had been hacked, and if so, how. He could worry about who was responsible later.

  “That’s fine. It makes sense to start where the odds are high rather than low. So maybe you could give me an example of something that has aroused your suspicion?”

  “We’re planning on releasing a new report on the effects that the destruction of a significant, but not overwhelming, number of cloud computing data centers would have. We spent a good part of this year’s research budget to commission one of the top computer science institutes to write it. We’re very pleased—well, that’s a strange word to use in this context—with the predicted results, which are even more disturbing than we expected. The report makes exactly the case we need to show Congress why it must require that all data centers either be limited to much smaller, more widely separated facilities, to make it much harder to destroy a meaningful percentage of them, or be buried at least fifty feet underground in order to make them much harder to damage.

  “But—here’s the problem. Other than issuing a press release a few weeks ago, we haven’t shared any of the results or the methodology used to conduct the research with anyone yet. This week, though, stories started popping up that are targeted at debunking data center physical security concerns. And it’s worse than that: the articles seem tailor-made to undermine the credibility of our report before it’s even released. For example, some of the attack examples used in the articles are identical to those used in the report.”

  “Couldn’t that be just a coincidence? I mean, there’s only so many ways to stage an attack on a data center.”

  “Yes, but not in such detail. For example, one hypothetical scenario is that someone bribes a maintenance worker to take a couple of small incendiary devices to work every day for a month, and he hides them all over the data center he works in. After the devices have been installed, whoever is behind the attack sends a signal to all of them simultaneously. The resulting fires take out most, or all, of the servers in an entire facility; servers have a lot of flammable materials in them, you know.”

  He did know, but he’d never thought of this scenario. It was a pretty good one, too. He wondered whether Foobar had thought of it, too.

  “You’re right. If they got down to that level of detail, it would be a stretch to think that two different people would think of exactly the same scenario. Could you guess who might have hacked your system from where the articles appeared?”

  “No. They appeared within a couple of days in several different media outlets and then got picked up and amplified in lots of others. It’s hard to tell whether that was just the normal news cycle in operation or whether the same person that planted the stories also promoted them to other journalists and bloggers.”

  “Okay. So do you have any idea who might be likely to be behind the leaks?”

  “I could come up with a list of people and organizations that don’t like us, but it wouldn’t be a short one.”

  “That’s okay; this has been very helpful. It sounds like I should start by performing a forensic audit on your system. We can worry about who might be hacking it after we figure out how they did it. Can you set me up with an account, a password, and full admin access to all of your software and data?”

  “Of course. I’ll have our service provider email the information to you. Oh”—she caught herself—“Or maybe I should give them to you over the phone?”

  “You’re a fast learner. Yes, that would be a good idea. If you want to get in touch with me, don’t text or use email. Do you have a personal phone as well as one you use for work? Good. That will be the best way for us to keep in touch. I should be able to get back to you within a few days with the results of my forensic review. Would that be quick enough?”

  “That would be fine. Can you give me an idea of how much this would cost?”

  “Let me take a look around your site first. That will give me a better idea. Would that be satisfactory?”

  “That would be fine.” She stood up and shook his hand again.

  “I’ll look forward to working with you,” he said. “Oh, and one last question—do you know where your system is hosted?”

  “Yes. I thought you might ask, so I called our IT service to find out. I guess it’s no surprise, but it is kind of ironic. Our IT contractor uses a data center cloud service. It’s called WeBCloud. Their prices are supposed to be great.”

  Ravitz turned to leave but stopped when she reached the conference room door.

  “Oh! I almost forgot—I meant to tell you how much I enjoyed that scene where you were fighting off the wolverine at your campsite! I never realized there were any wolverines in Nevada!”

  * * *

  Frank was seated in the middle of his living room on his decrepit couch, the single item left in that room now that the search and destroy mission against his belongings had been completed. He’d begun by triaging everything he had accumulated: the largest category had been determined to be junk: unread magazines, out-of-date computer gear, paperwork of no current relevance, and objects with no remaining sentimental value. They had been immediately consigned to the dumpster.

  The next category comprised items of nominal value for which he had no realistic use. These were somewhat more difficult to acknowledge, since it didn’t make him feel particularly good to admit that a kitchen including two place settings and a one-quart soup pot would be adequate to meet his actual needs. He decided to compromise by retaining some extra place settings and never-used cooking gear in case someone ever opened one of his kitchen drawers or cabinets; there was a limit to how pathetic an image he was willing to present to the world, no matter how infrequently, if ever, he was visited by a human being other than Marla. Everything else in this category he dropped off at the neighborhood thrift shop.

  Considering the little that was left, he wondered whether he should be moving into a rented room at the YMCA rather than buying a condominium. That would spare him the need—or worse yet, the urging of Marla—to go shopping for additional furnishings. Either prospect was dispiriting enough to direct him back from daydreaming to the topic at hand.

  On the cushion next to him sat Thor, thoughtfully contemplating a stalk of celery Frank had placed in front of him. Together they were watching the evening news, a habit he’d acquired after the New York attack. Despite his direct access to high-level intelligence, he felt oddly compelled to be part of the shared experience of the population at large, who only learned of the latest terrible developments through the mass media. And it helped him keep perspective as well. Tonight, for example, the lead story focused on China’s increasing bellicosity. He watched as its second aircraft carrier was commissioned while seemingly endless squadrons of fighter planes roared overhead. Meanwhile, Russia was voicing extreme displeasure over China’s military buildup, and a growing chorus of nations along the Pacific Rim was calling for Japan to amend its constitution to permit it to re-arm to help offset China’s increasing military might. The world seemed to be going to hell in a hand basket with even more determination than usual. If the U.S. weren’t so preoccupied with the threat posed by the Caliphate, who knew what Washington might be doing in response?

  Frank offered another piece of celery to Thor.

  “Whadaya say, big guy? Is that enough identification with the masses for one day?”

  Thor didn’t seem to have a particular opinion on that topic but deigned to accept the celery. Frank figured that was close enough and switched off the news.

  Watching Thor’s slow but methodical deconstruction of the celery stalk, Frank reflected on where to go next on his project for Sara Ravitz. He’d just finished scanning the Responsible Technology Foundation website, which hadn’t taken long. It was fairly modest, although it did have a back end that was password protected with different levels of access for major donors and RTF staff. As he had expected, the level of security the cloud service provider offered was fair but not impressive. Still, everything looked perfectly in order. He moved on to the virtual server at the WeBCloud site that hosted the other software the foundation used. The protection was no more robust, but everything seemed to be fine there, too. Not a back door to be found.

  He drummed the fingers of both hands. If the site was secure, where could the issue be?

  He realized he didn’t actually know much about the leaks themselves—just that scenarios were getting to people who shouldn’t have them. Where again did those scenarios come from? He checked his notes. Right. A research institute. So whoever it was could have hacked that site instead, and that would be a touchier investigation to pursue. If Sara didn’t want to share her concerns with them, or if they were unwilling to give him a password, that would be the end of that line of inquiry.

  Of course, if all the hacker was interested in was the report the institute was working on, he wouldn’t have to hack either site on an ongoing basis—just intercept Sara’s email or the email of someone cc’d on her email.

  He used the administration credentials he’d gotten from Sara to access the RTF’s virtual email server and scanned through the information he found there. Sure enough, there it was. Sara’s email address had been converted into a group address so that any email sent to Sara’s address would automatically go to anyone in the same group, which now included one additional address besides Sara’s. That address had also been made an automatic bcc on every email Sara sent. He checked out the address and found it led to a server in Romania. But that might just be the first in a number of reflectors between Sara’s account and the real address of the person shadowing her. And in any event, whoever was monitoring her could have hired a Black Hat to do the job rather than doing the dirty work himself. Frank could find someone on the dark Internet in fifteen minutes willing to set up such an elementary means of exfiltrating data.

  Should he delete the extra address?

  No. Not yet.

  * * *

  Frank was ensconced in his usual corner at the data center, surrounded by a no man’s land of empty seats. He was pleased that the younger set had figured out that the unreconstructed curmudgeon who frequently took up residence there was best left alone. He booted up his loaner laptop and began working through the extensive spreadsheets and associated graphics Tim and Keri had put together and began reviewing them.

  Three hours later, he finished poring over all the geolocation data and communications materials, pondering the nature of the Caliphate’s suspected financial assets and those to whose care they had been entrusted, and puzzling over the travel preferences of its leadership. He was also knowledgeable now regarding the beard styles and tea brands favored by Foobar’s inner circle. There seemed to be no type of information the CIA believed to be devoid of potential significance, and hence, everything made its way into the agency’s infinite databases.

 
