- Home
- Ian Sutherland
Social Engineer
Social Engineer Read online
CONTENTS
Title Page
Copyright
Dedication
- CHAPTER 1
- CHAPTER 2
- CHAPTER 3
- CHAPTER 4
- CHAPTER 5
ACKNOWLEDGEMENTS
INVASION OF PRIVACY
- CHAPTER 1
- CHAPTER 2
ABOUT IAN SUTHERLAND
SOCIAL ENGINEER
Ian Sutherland
Social Engineer
Ian Sutherland
Copyright © 2014 Ian Sutherland
Smashwords Edition
For Laura and Raquel, who constantly remind me through their own actions that in order to live your dreams you must be dedicated and apply yourself. Always.
CHAPTER 1
Six Days Ago
Dr Robert Moorcroft entered his office in the North Wing of HTL’s head office campus. He hung up his white lab coat behind the door and poured himself syrupy coffee from the glass flask. While he had been in the meeting reviewing the latest results of the pharmaceutical company’s new Alzheimer’s drug, the ochre liquid had stewed on the percolator machine’s heating element for most of the morning. He decided it should still be passable.
His mobile phone bleated from the holster on his belt. Unhooking it, he noticed the display showed a mobile number, but not one stored against a contact in the phone.
Immediately thoughts that Madeline, his beautiful wife of eighteen years, had been involved in another car crash raced through his mind. She’d had three in the last four months, but none had been serious. While she hadn’t yet been formally diagnosed, he was intimately familiar with the early signs of dementia, and suspected he should talk her into scheduling a check-up at the local GP surgery. He was dreading facing her initial reaction and the inevitable changes it would cause to their lifestyle, when, no doubt, the diagnosis would be confirmed.
“Hello?” he said into the phone.
“Dr Moorcroft?” The deep male voice sounded serious.
“Yes, who’s this?” And, before he could help himself, “Is Madeline all right?”
“Madeline? No, I’m not calling about your wife, Dr Moorcroft.”
“Who is this?” And, more importantly, how did whoever it was know Madeline was his wife?
“I’m not at liberty to say. You may call me Mr Smith for the sake of expedience.”
“I’m putting this phone down unless you immediately explain yourself, Mr Smith.”
“I work for GCHQ in Cheltenham. Does that name mean anything to you?”
“Yes, but only from the news. Something to do with government spying. MI5 or MI6.”
“Yes, that’s us. Among other things, we’re the agency responsible for providing intelligence analysis based on electronic communications to the other government departments.”
“Okay. But why the hell are you calling me?” And, although Moorcroft didn’t give voice to the thought, why call him on his mobile?
“One of our responsibilities is to protect British economic interests. As part of this remit, we’ve built up a liaison service with many of the larger UK headquartered multinational organisations.”
“Yes?”
“Let me cut to the chase. Does Project Myosotis mean anything to you, Dr Moorcroft?”
It meant a lot. It was HTL’s internal codename for their major Alzheimer’s prevention drug research program; Myosotis being the Greek name for the flowers more commonly known as forget-me-nots. It was the research project the whole company’s future was staked upon. Project Myosotis was about two years away from clinical trials, but initial results were incredibly promising. Moorcroft’s unspoken hope was that, by the time clinical trials were in play, Madeline’s dementia might become a treatable case.
“Maybe,” he said cautiously. “But how do you know this name? It’s not in the public domain.”
“As part of our electronic surveillance program, we’ve been intercepting some traffic relating to Chinese hacker groups. They may be working for large Chinese corporations or could even be state sponsored; it’s hard to tell. It seems that they’ve been targeting IP addresses registered to HTL, Dr Moorcroft. We believe they are attempting to infiltrate your company’s security defences and steal your secrets. I’m calling you now to bring this to your attention so that you can defend yourself appropriately. As I said, it’s not in Britain’s best economic interests for our country’s intellectual property to be stolen by the Chinese.”
“Are you sure HTL is being attacked?”
“Dr Moorcroft, we uncovered the term Project Myosotis from these intercepts. It seems to mean something to you, so I’d suggest that they’re making some progress.”
“But that’s impossible. Our Security and IT departments assure me that we have implemented the very best cyber defences.”
There was silence on the other end of the line. Moorcroft slowly digested the implications.
Smith attempted to placate him. “Even the best defences can still be compromised, Dr Moorcroft. It may be that the hackers have only gained peripheral access. I’m sure your firewalls and intrusion detection systems would have notified you of any unusual activity.”
“Yes, I’ll check with IT.”
“Good. And you could also . . .”
“What?”
“Well, I was going to suggest that you have a penetration test performed, but I’m sure your IT department has those done regularly.”
“Penetration test?”
“Hiring someone to test your cyber defences, as if they were a hacker attempting to break into your systems. It’s the best way to know for sure if you have any weaknesses. If they find anything, they’ll report it to you and you can put new defences in place.”
“I’ve not heard of our IT department doing that, but then I’m not close to their day-to-day activities.”
“Well, there’s pentesting and then there’s pentesting.”
“What do you mean?”
“Given the nature of your business, your company lives and dies by its patents and other intellectual property, yes?”
“Yes.”
“Well, then maybe you should retain the services of one of the best penetration testers in the industry. They’re not all the same, you know. And, if you do it without anyone knowing — especially IT — then it would be a true test. A bit like when you do a fire drill. You don’t warn employees it’s coming, otherwise it makes a mockery of the test itself.”
“I see. That makes sense.”
“It’s like turkeys voting for Christmas. The last thing most Security or IT departments want is to be embarrassed by poor pentest results, so they don’t necessarily do it justice. They just hire large IT security companies to make it look like they’re doing the right thing. But it’s a skilled job and it always comes down to the individuals doing the test.”
“Hmmm.”
Smith had a point. But the most important point was that GCHQ had intercepted the term Project Myosotis from the Chinese. This was serious. As Head of R&D, Moorcroft had every right to protect the company’s interests. No, more than that, as a registered company director, he had a responsibility to protect the company.
It had nothing to do with Madeline’s condition, he told himself.
“Is there anyone GCHQ recommends, Mr Smith?”
“Not officially, but . . .” Smith gave Moorcroft the names and contact details for three independent penetration testers.
“I really appreciate your bringing this issue to my attention, Mr Smith.”
“You’re welcome. Hopefully, you’ll never hear from me again.”
Smith ended the call. And only then did Moorcroft remember that Smith had called him on his mobile number. He supposed Smith had
done it to prove how resourceful GCHQ was.
Moorcroft took a slurp from his coffee and almost spat the disgusting, lukewarm, bitter liquid out all over his desk.
He picked up his desk phone and dialled the number at the top of the list.
Today, 8:50am
Avoiding eye contact with the three senior executives sitting confrontationally on the other side of the huge oak meeting table, Brody plugged the projector and audio cables into his top-of-the-line tablet computer. The absence of small talk heightened the sense of tension in the room. Brody thought about saying something, anything really, to break the ice, but then remembered he wasn’t here to make friends or seek their approval. He was here to make a point.
Not that Brody had many friends, well not in the real world anyway.
It was early on a rainy Monday morning in HTL’s head office campus near Shoreham in Kent. The pharmaceutical company’s Research and Development Director, Dr Moorcroft, had yet to arrive. Moorcroft had scheduled this meeting immediately following his reading of Brody’s report on Saturday morning, which Brody had submitted only the evening before. This had rankled Brody because he’d had to cancel his weekend’s plans at short notice, instead using the time to prepare the presentation he was now about to give. And he’d had to set his alarm for some ungodly hour this morning to make it here on time from his apartment in London. He made a mental note to never again submit a findings report on a Friday evening.
A mirror image of Brody’s tablet computer materialised on the large screen at the foot of the table. Satisfied the projector worked, he turned the mirroring off. On the desk next to his tablet, his smartphone flashed the receipt of a text message. He picked it up and saw it was from his girlfriend, Mel, confirming she could meet him for lunch later on. He patted his pocket nervously, feeling the shape of the small item it contained.
With nothing left to do but wait for Dr Moorcroft, Brody studied the HTL executives sat silently across the table: two men flanking one woman. Moorcroft had explained during their phone call on Saturday morning that he would summon the heads of IT, Human Resources and Security to Brody’s presentation. Moorcroft had not provided names but this hadn’t deterred Brody from checking out who they were ahead of the meeting.
He already knew which of them was the Head of Security, having previously researched him as part of the original brief. For the other two, he had browsed through the HTL corporate website and then searched LinkedIn, the ‘business’ version of the social networking site Facebook, to determine who they were and check out their backgrounds. Based on the photos in their publicly viewable LinkedIn profiles, he was pleased to see his quick investigation had narrowed down to the correct people.
The IT Director was called Rob Hall. His LinkedIn picture presented a lean, tanned face with a full head of hair but the photo must have been taken some years before. In real life, Hall was flabby and overweight with an aggressively receding hairline. He wore an ill-fitting light grey suit with open-necked pink shirt and was intently thumbing through messages on his BlackBerry.
The woman was much younger than her two colleagues, who both looked to be in their mid-forties. She was perhaps in her early thirties, similar in age to Brody. Brody had discovered that she was called Kate Wilson and ran Human Resources. She shuffled some papers and peered at Brody over the top of her rimless glasses, stage-managed to give her the air of seniority denied by her relative youth.
The last was Paul Jacobsen, HTL’s Head of Security. According to LinkedIn, he had originally been in the Navy, having served in the Falklands and then, up until a few years ago, had been a senior ranked detective in Greater Manchester Police. He was thin and well groomed, wearing a dark, pinstriped suit, plain white shirt with an inoffensive tie and cufflinks. The job title alone had made Brody believe that the Head of Security would be his biggest obstacle this morning and, watching Jacobsen nonchalantly twirl an expensive Montblanc pen around in his fingers, the impression was reinforced. In fact, having spotted Jacobsen’s shiny tan brogues as he entered the meeting room a few minutes earlier, Brody was now one hundred per cent positive there would soon be a head-on confrontation.
Finally, the door opened and Dr Moorcroft entered, wearing a white lab coat over a grey shirt and tie. He shook hands with Brody and, instead of taking the impartial seat at the head of the table, sat in the vacant chair beside Brody and next to the projector screen at the foot of the table.
That evened things up nicely.
Moorcroft asked the HTL executives to introduce themselves. They each provided their names and titles, nothing more. Before Brody could reciprocate, Moorcroft jumped in. “This is Brody Taylor, an independent security consultant. He’s here to present the findings of a penetration test I commissioned following the recent hacking attacks from China, brought to my personal attention by GCHQ.”
Jacobsen’s expensive pen clattered on the table. “Hold on a minute, Bob. That’s my domain. What gives you the right to —”
Moorcroft held his left hand up to silence Jacobsen.
“What’s a penetration test?” asked Wilson, warily.
Hall turned to her and explained, “A pentest is a method of testing our security defences by simulating computer hacking attacks.”
“Mr Taylor, please begin your report,” commanded Moorcroft.
“Please, call me Brody.”
Brody pressed some keys on the detachable keyboard connected wirelessly to his tablet via Bluetooth. An image appeared on the large screen at the foot of the table. It was a very long chemical formula, with lots of C’s and H’s.
“Do you recognise this?” Brody asked the group.
Hall frowned. Wilson shrugged. Jacobsen spoke for them, “Just because we work here doesn’t make us all chemists.”
Moorcroft, who had known what was coming from reading Brody’s report, maintained his severe gaze on his colleagues and answered Brody’s question. “It’s the formula for our new Alzheimer’s prevention drug. The one that is still in development, two years away from beginning clinical trials. The one on which the future financial success of HTL is riding. Let me put it this way.” Moorcroft leaned forward towards his three colleagues, fists clenched, enunciating each word precisely. “If this formula got into the hands of our competitors, especially an unscrupulous Chinese firm, HTL’s future would be wiped out overnight.” He paused, his eyes not leaving those of his three colleagues, and then asked, “Where did you get hold of this, Mr Tay— I mean, Brody?”
“I broke into your IT systems and stole it from you, Dr Moorcroft,” said Brody, matter-of-factly.
“That’s impossible!” barked Hall, sitting bolt upright in his chair.
“Impossible?” Brody frowned theatrically. “No, not impossible. I’d categorise it as . . . quite difficult.”
Hall countered, “But I’ve installed the most expensive, most sophisticated perimeter defences in the world! They’ve withstood hundreds of hacking attacks from all over the planet. Anyway, the new product development system this formula is located on is on a network physically ring-fenced from the main corporate network. It really is impossible to get to from the outside.”
“Yes, I agree,” conceded Brody, “Your firewalls are hardened well. Very few ports are open to the Internet. No obvious vulnerabilities. It passed a standard pentest.”
Hall sat back in his chair, seemingly relieved.
“It’s your employees that are the problem,” Brody continued.
“Are you saying that one of our employees gave you this formula?” It was Wilson. She had removed her glasses. Without them she looked softer, more approachable.
“Yeah, give me his name,” said Jacobsen, “I’ll have him dealt with.”
“No one employee gave it to me,” said Brody. “And you’re right, Mr Hall, the new product development system is on a separate network only accessible from within this building. Once I figured that out, I simply walked into the secure area, logged into the system, copied it and emailed it t
o myself.”
“That’s impossible!” It was Jacobsen, repeating Hall’s earlier denial.
“I thought we were done with that,” smiled Brody, coolly. “Have you heard of social engineering?”
Silence.
“I’ll take that as a no, then. Let me show you.”
Brody pressed a key on his laptop. His chemical formula gave way to a slide containing a video he had recorded last week when he had visited HTL’s campus the first time. The video began playing, audio emitting from the ceiling speakers. Brody narrated, “This footage was taken last Wednesday. I’m driving a white van towards this building. There’s a high-definition pinhole video camera inside the cap I’m wearing. It has a Bluetooth connection to a receiver in my bag which records everything I see.”
The video footage panned towards the rear-view mirror and Brody’s reflection was plainly visible. Under a dark grey cap displaying the trusted logo of Cisco, the world’s largest networking equipment manufacturer, his thick head of blond hair and neatly trimmed beard could clearly be seen. From the mirror, Brody grinned and winked cheekily for the camera. Although the onscreen reflection displayed utter confidence, Brody easily recalled the butterflies that had hurled themselves around his stomach at the time.
The image returned to the road, skirting the electric fences surrounding the HTL campus. The camera moved about as Brody’s head turned to take in the view. Acres of grass lay beyond the fences. In the distance stood the three-story glass enclosed building they were sitting in right now. Onscreen, two of the wings were visible but there were four in total, each protruding from a central hub in the directions of the compass. The building’s shape was a play on the green and black plus sign used in HTL’s corporate logo, which Brody knew was originally designed to allude to the Red Cross logo, a meretricious way of engendering brand empathy for the global pharmaceutical corporation.
Approaching the security guardhouse, the screen showed twenty or so weary protestors camped outside, sipping steaming beverages from flasks. Their billboards declared that they were angry with HTL for animal rights violations.