- Ian Sutherland
Social Engineer Page 5
The idea became a plan.
The plan became a detailed list of actions in his mind.
He played out the likely scenarios.
And all outcomes led to her accepting the truth. And, once their relationship was on a solid foundation, then he could reciprocate his love for her with complete integrity.
He would execute the plan, beginning tomorrow.
CHAPTER 5
Today, 9:55am
Jacobsen had remained stubbornly silent since smashing his pen earlier. Red-faced, he finally erupted.
“This is a fucking joke, Bob! I can’t fucking believe you authorised this. You bastard.”
“Control yourself, Paul,” warned Wilson, her voice a shriek. “We’ve all got to deal with this.”
Brody zoned out of their argument and stopped mirroring his laptop to the large screen.
The raised voices railed on around him, arguing, debating, accusing.
Brody had enjoyed the challenges presented by this pentest, on all levels. He just hoped it would achieve its objectives.
Finally, Moorcroft touched Brody’s arm. The arguments had subsided.
Brody looked up. “Sorry, what did you say?”
“I said, Brody, that it’s clear that your exploits have shown us exactly how exposed we are.”
“True. But most organisations aren’t able to defend against an attack of this level of sophistication. However, for every white hat hacker like me, there are plenty of black hats available for hire, every bit as skilled in social engineering techniques.”
“He means ‘ethical hackers’ versus the ‘evil hackers’ you see in movies,” explained Hall, helpfully.
“You’ve seen what’s possible. Unfortunately, there isn’t an over-arching patch you can apply for human gullibility but there are some basic protections you can put in place immediately. Most of them revolve around employee education . . .”
Jacobsen remained stubbornly silent throughout the next hour, as Brody led them through a plan of action to strengthen their defences against social engineering based attacks. Hall and Wilson took most of the actions and Moorcroft seemed to relax a little. Ten minutes before the end of the meeting, Jacobsen stood up and left. No one said a word, although Moorcroft raised his eyebrows as if to say, “Well, that’s that then.”
Brody guessed that was the end of Jacobsen’s career at HTL.
Some time later, Brody began the two-hour drive back to London in his metallic orange and black, custom-designed Smart Fortwo coupe. As he drove past the electrified perimeter of the HTL campus, the animal activists, seeing a potential ally in such an in-your-face, anti-corporate, environmentally friendly vehicle, let him pass peaceably. He drove slowly, scanning their faces for any he recognised, but didn’t spot any of Mel’s friends.
If only they realised he’d been the shameless driver of the white van just a few days before.
Six Days Ago
Brody finished his research and began the hack.
The first step was to call the R&D Director on his mobile phone. Obtaining his private phone number had involved its own convoluted deception. Normally, a search of Companies House would reveal the private contact details, including home address, of all registered company directors, but because this was a pharmaceutical company where directors of such companies had frequently come under personal attack from protestors, new laws had been set up in 2009 to protect their privacy.
In the end, he had phoned the company’s switchboard, pretending to be from a printing company with an urgent order for the R&D Director’s new set of business cards. It had been his second call to the same number; the first, timed just after midday, had been to make sure that his secretary was out for lunch. Brody explained to the operator that he’d just tried to call the secretary but had only reached her voicemail and that he just needed to confirm the details he’d been provided before he authorised the rush print job; the cards apparently needing to be with their owner by the end of the day in time for a charity function he was attending that evening. Brody read out the details he’d already collected from public sources and then a made-up mobile phone number, which the receptionist dutifully pointed out was wrong and helpfully rectified with the correct number from the employee directory available on her computer screen.
Brody took a deep breath and rang the mobile number.
“Hello?” Male, concern in the voice.
Brody put on a serious inflection, lowering the timbre of his voice. “Dr Moorcroft?”
“Yes, who’s this? Is Madeline all right?”
Brody’s research had revealed that Moorcroft was referring to his wife; although quite why there was so much concern Brody had no idea.
“Madeline? No, I’m not calling about your wife, Dr Moorcroft.”
“Who is this?”
Brody thought about how to respond and decided the more vague and mysterious he sounded, the better his chances. “I’m not at liberty to say. You may call me Mr Smith for the sake of expedience.”
“I’m putting this phone down unless you immediately explain yourself, Mr Smith.”
Okay, maybe a little explanation.
“I work for GCHQ in Cheltenham. Does that acronym mean anything to you?”
“Yes, but only from the news. Something to do with government spying. MI5 or MI6.”
“Yes, that’s us. Among other things, we’re the agency responsible for providing intelligence analysis based on electronic communications to the other government departments.”
Brody had lifted that line straight from the Wikipedia entry for GCHQ.
“Okay. But why the hell are you calling me?”
“One of our responsibilities is to protect British economic interests. As part of this remit, we’ve built up a liaison service with many of the larger UK headquartered multinational organisations.”
“Yes?”
“Let me cut to the chase. Does Project Myosotis mean anything to you, Dr Moorcroft?”
“Maybe.” Brody could hear caution. “But how do you know this name? It’s not in the public domain.”
That’s where Moorcroft was wrong. A quick search through LinkedIn and Brody had discovered an HTL employee who had specifically listed the name of the project he was working on as part of his publicly accessible résumé. Brody had no idea what the project was about, but a quick scan of the Internet showed him that it was not mentioned anywhere else, meaning referencing it would add credibility to his act.
“As part of our electronic surveillance program, we’ve been intercepting some traffic relating to Chinese hacker groups. They may be working for large Chinese corporations or could even be state sponsored, it’s hard to tell.”
Brody enjoyed dropping the Chinese threat into play. Over the last few years, they had become the new bad boys of the Internet, surpassing even the Russians. The US Department of Justice had gone as far as charging members of the Chinese military with cyber-espionage, which Brody found ironic, given the documents leaked by Edward Snowden the year before divulged that the USA had been hacking into Chinese computers for years.
He continued. “It seems that they’ve been targeting IP addresses registered to HTL, Dr Moorcroft. We believe they are attempting to infiltrate your company’s security defences and steal your secrets. I’m calling you now to bring this to your attention so that you can defend yourself appropriately. As I said, it’s not in Britain’s best economic interests for our country’s intellectual property to be stolen by the Chinese.”
“Are you sure HTL is being attacked?”
Only by me, Brody thought flippantly.
“Dr Moorcroft, we uncovered the term Project Myosotis from these intercepts. It seems to mean something to you, so I’d suggest that they’re making some progress.”
“But that’s impossible. Our IT and Security teams assure me that we have implemented the very best cyber defences.”
Brody stayed silent for a few moments, allowing the implications to build. “Even the best defences can still be compromised, Dr Moorcroft.” Brody spoke the truth there. “It may be that the hackers have only gained peripheral access. I’m sure your firewalls and intrusion detection systems would have notified you of any unusual activity.”
“Yes, I’ll check with IT.”
“Good. And you could also . . .” Brody deliberately trailed off.
“What?”
It was crunch time.
“Well, I was going to suggest that you have a penetration test performed, but I’m sure your IT department has those done regularly.”
“Penetration test?”
Moorcroft was on the hook now. Brody went on to explain what a penetration test was and subtly threw doubt on whether his IT department would hire good enough security testers, not really wanting anyone to show them up publicly.
Eventually, Moorcroft asked, “Is there anyone GCHQ recommends, Mr Smith?”
Brody punched the air in triumph.
“Not officially, but . . .” He proceeded to give him three names, numbers and emails, with Brody Taylor at the top of the list. Whichever choice Moorcroft made, all roads led back to Brody.
Moorcroft thanked him.
“You’re welcome. Hopefully, you’ll never hear from me again.”
Brody, savouring the irony of his closing comment, sat back and waited for Moorcroft’s email to arrive, inviting him to carry out a pentest on HTL.
Now, where would he begin?
Today, 1:10pm
“I have something for you,” said Brody.
Mel looked up sharply, her final spoonful of dessert paused on its way to her mouth. She detected the solemn expression on his face and placed it back on the plate, pushing it to one side and giving him her full attention.
He slowly reached one hand into the pockets of his jeans.
A huge beam spread across her face. “You ’ave something for me?” she breathed, reaching out to clasp his other hand across the table.
“I’ve been wanting to say this since I met you,” he said, pulling a small item out of his pocket. “And I thought this would be the best way.”
“Brody, it ’as only been two months.” She squeezed his hand: a gentle warning. “Please, tell me you’re not going to propose marriage.”
It was only as he opened his other hand that what she had said registered. He hadn’t meant to imply that. What an idiot he was sometimes.
“Marriage? No, of course not . . .”
Her face dropped as the contents of his hand were revealed. He placed it on the table in between them.
“What is this thing?” Mel asked. Sensing she was in a premonitory moment, she withdrew her hand and wrapped both her arms around herself.
He was relieved she had steered the conversation back on track. “A USB memory stick. But it’s what’s on it that’s important.”
Mel inhaled deeply, gathering herself.
“Go on.”
“On here is video footage taken from inside HTL’s campus in Kent showing intolerable cruelty to rhesus monkeys, all in the name of drug research.”
Brody recalled the sickening images and the physical reaction he had experienced at the time. It was one of the sequences he had edited out from his presentation to the HTL executives that morning. At least, he mused, they had got some value from his pentest, even if he had manipulated Dr Moorcroft into hiring him to carry it out in the first place. Once this footage emerged, they would probably link it back to Brody. However, the contact details they had for him were fake. He had made sure they would never be able to track him down again.
Her brows furrowed and she tipped her head to one side, trying to understand.
“It will help you gain new media exposure against the drug companies. I was talking to Mary last week at dinner and she said it’s exactly what you all need to ratchet up the campaign to the next level. She said you needed one big uppercut . . . actually I said uppercut, but anyway, one big-hitting punch that the media couldn’t ignore.” His words jumbled together in his rush to explain. He stopped talking.
Nothing.
He waited a moment before pressing. “I thought you’d be pleased.”
“I am,” she said. Monotone.
He couldn’t help himself, after all the trouble he’d put himself through to get hold of the footage. “You could at least seem so.” As the words escaped his lips, he realised how petulant he sounded. The whole idea was for her to be delighted, cushioning the blows from the bombshells yet to come.
“How did you get this, Brody?” she asked, warily.
“Before I answer, I want to step back and explain something.”
Mel leaned back in her chair, an obvious gesture to distance herself from whatever was coming.
Brody launched the first barrage.
“Do you remember my advert on the dating site?”
Mel remained impassive.
“Not all of it was true.” There, he’d finally said it.
No reaction. He carried on.
“I am not a location scout.”
She repeated, without intonation. “You are not a location scout.”
Despite the situation, the film buff in Brody couldn’t help recalling the scene in Star Wars: Episode IV – A New Hope where, at a security checkpoint, Obi-Wan Kenobi uses the mystical ‘Force’ to trick some Stormtroopers into believing, “These aren’t the droids you’re looking for”. Fully accepting Kenobi’s statement as fact, the Stormtroopers repeat the line verbatim, and allow them to pass unchecked. Brody wished he had The Force at his disposal right now.
He continued, wanting to get it all out. “And I am not adopted. My parents live in Hertfordshire.”
Her eyes narrowed.
Brody persevered, more bombs still to drop. “And I have a sister who lives in Australia with her husband. They have an eight-year-old son. My nephew.”
Brody stopped and held his breath.
Mel placed her hands in front of her, palms flat to the table and leaned forward.
“You said, ‘Not all of it was true.’”
“Yes,” he said, hesitating, instinctively knowing she was going somewhere with this but having no idea where. “I did.”
“So tell me, Brody. Which part of your story was actually true? Because, from what I can see, none of it is true.”
She had a point. By way of response, he offered an impotent shrug.
She clenched one hand into a fist and made a soft pounding motion onto the table’s surface. Mournfully, she said, “Why, Brody?”
“Because I can’t carry on with this stupid deception. And that’s because I —”
“— No, Brody.” She had interrupted, just as he was about to say those three important little words. “Not why are you telling me now. I don’t care about that. Something like this you should ’ave told me at the beginning. No, I mean, why was there a deception at all?”
Oh, that.
“It’s because of what I really do for a living.”
“What are you?” She laughed, although it was full to the brim with spite. “A porn movie director? A traffic warden?” Her expression hardened. “Please tell me you’re not a vivisectionist. I couldn’t bear that.”
He shook his head and, just as he was about to answer, Mel leapt forward, jolting the table in her eagerness, the wine glasses wobbling before settling still. “You’re not embarrassed, are you?”
She placed a hand on his. Was this sympathy? What the hell was going on? Using his free hand, he took a sip of his wine, buying some time.
“Brody,” she smiled at him, “I don’t care if you deliver pizzas for a living.”
Brody choked on his wine. As he coughed and spluttered, she continued.
“I knew it was strange seeing you that time in Joyce’s reception carrying those pizza boxes. I told myself there had to be a simple explanation, and not the one you gave me. It makes sense now.”
Brody regained his composure. He considered giving up and telling her she was right. It would be so much easier, wouldn’t it? Why not continue as they were; just swap one set of lies for another? But, deep down, he knew that was foolhardy.
Slowly, he shook his head. “I wish that was true.”
Mel recoiled back to her side of the table. It was time to drop the final bomb.
“I am an independent IT security consultant.” He almost wanted to add a “Tah-dah!” Noticing her confused expression, he continued soberly, “More commonly known as a computer hacker.”
He allowed the words to sink in.
Suspicion oozed from her voice. “You are a computer hacker?”
“Yes. A white hat, to be specific.”
She nonchalantly splayed her palms in front of her to indicate that his last statement had added no clarification at all. The gesture also indicated how seriously pissed off she was.
“Because of the media, everyone believes computer hackers are evil. And yes, there are many that are. They are called black hats. And then there are those who do what they do to help companies improve their defences. They are called white hats. I am a white hat. Companies pay me to attack them and afterwards I help them fix the holes I discover in their defences, so that they can stop the black hats getting in.”
It was just about as simple as he could make it.
“So why?” Her tone was steely.
He wasn’t falling for that a second time. “Why what?”
“Why did you make up your profile on the dating site? Why not tell the truth if it is as simple as you say?”
“Because of all the negative connotations associated with being a computer hacker. No one would choose to date one. They would feel unsafe, that their identity was going to be stolen or something worse. And then there’s the fact that everyone thinks techies are boring. They think ‘nerd’. They think ‘geek’. They think ‘anorak’. Who’s going to want to date someone like that?”
“And the rest of your description? Why not have some truth in it?”
Mel had a point.