Social Engineer Page 7
Welland paused and surveyed his colleagues on the screens. Lots of nodding heads.
He continued his presentation, dropping into lower levels of detail, eventually hitting target market demographics, pricing strategies, menus, and launch costs. “And the best bit is that much of the marketing will be word-of-mouth; the best kind. As customers experience this totally new concept, they will mention it to everyone they know.”
With a touch of triumph, Welland concluded his presentation and began taking questions. While they debated the pros and cons of this new chain, Brody pressed a button on the control tablet and the image of his room was added to the others. Just a black screen. He stood up and peeled the duct tape from the webcams in his room, revealing his face in close up on the screen, his swept back white blond hair, green eyes and carefully groomed beard filling the screen. He sat back down, his every move mirrored on the screen, and unmuting his microphone, waited for someone to notice.
“What about hygiene? Surely we’d be liable to local food safety regulations if the customers don’t cook the ingredients properly?” asked Annabel Fielding, their Head of Legal, located in the Dubai office.
Just as Welland began to answer, Ulf Lubber in Germany exclaimed, “Who’s that?” He pointed at his screen, the others following his direction.
Brody waved and said, “Hi.”
On his tablet, Brody absent-mindedly noticed a new email arrive. He automatically clicked it open.
“Who the hell are you, young man?” demanded Andrew Lamont. “And where’s Rich Wilkie?”
“Me?” said Brody innocently, forcing himself to ignore the email. It could wait.
“I know who it is,” said Chu in Sydney. “He’s a ‘white hat’ security consultant called Brody Taylor. I recently contracted him to carry out a pentest. But what he’s doing there I’ve no idea!”
“What the hell is a pentest?” asked the CEO.
Brody stepped in. “A penetration test is a simulated attack on your organisation’s security defences to identify weaknesses. It’s done through computer hacking or social engineering or, as I’ve done, with a combination of both.”
“Social engineering?” prompted Lamont.
“The art of manipulating people into performing actions or divulging confidential information to give me the access I need. And, as you can clearly see, I’ve successfully broken through your security defences and have been sitting in on your board meeting for the last hour. But fortunately for you, the last part of a pentest is to report back the findings. And that’s what I’m here to do.”
Lamont turned on the CIO. “Did you agree to this, Chu?”
In Sydney, Chu visibly squirmed in his chair. “No. Mr Taylor was supposed to meet with me next week to present his findings. From there, I would block any holes he found and make sure we’re completely secure from a real cyber attack.”
Lamont turned back to Brody. “Okay, Mr Taylor, you’ve proved your point. Thank you for what you’ve done. Why don’t you leave us to our board meeting and report back to Chu as planned.”
“Hold on a second,” said Fielding. “Did you get him to sign a confidentiality agreement, Chu? He’s just heard all about our recent performance and future plans!”
“Yes, of course I did,” said Chu.
Brody nodded in agreement. Rising from his seat, he paused halfway and asked. “Before I go, do you mind if I ask you one question, Mr Chu?”
Lamont splayed his hands in exasperation and shook his head in disbelief.
“Why did you hire me for a pentest right now?”
“What do you mean?” asked Chu.
“Why now? Why not a year ago? Or in three months from now?”
“It’s part of our security improvement programme. We do this kind of thing all the time in IT.”
“From the vulnerabilities I’ve exposed, I very much doubt that, Mr Chu.” Brody looked at Lamont. “Mr Lamont, why don’t you ask Mr Chu the same question? Maybe you’ll get a straight answer.”
Lamont’s intent expression showed that he knew there was more going on here than was immediately apparent. “Chu?”
Chu shrugged. “I was talking with Welland about the plans for launching the new restaurant concept. He was worried that one of our competitors might break in and steal our ideas. As I’ve explained previously, IT doesn’t have anywhere near the budget necessary to put in place a comprehensive threat protection programme. So Welland offered to pay for a pentest to at least determine how exposed we are. Who am I to turn down a gift horse like that?”
“That makes sense, doesn’t it?” asked Brody. “No more to it.”
Tim Welland, the man who’d waxed lyrical about his new restaurant concept a few minutes before, was strangely silent. He clasped his hands together.
“Welland, what’s going on?”
“It’s as Chu said.”
“It’s called corporate espionage, Mr Lamont.” Brody said, sitting back down. “And your company is guilty of it right now. The last time I heard about a case like this was in the hotel industry. Hilton settled out of court with Starwood for $85 million.”
Lamont blew his top, spittle flying everywhere. “What the fuck is going on here?”
All the executives silently studied their hands.
“The funny thing about the presentation you’ve just heard from Mr Welland is that I’ve already read about an exceptionally similar concept for a grille-based barbecue restaurant chain. But in the documents I read there was one significant difference. Your number one competitor’s logo was all over them. Would you like to know where I found these documents, Mr Lamont?”
“Go on . . .” said Lamont tightly.
“As I’ve already mentioned, your security defences are so weak I was able to give myself access to each of your email accounts and —”
“You’ve read our private email?” shrieked Fielding.
“Well, yes. Fascinating reading. But the most interesting were the documents I found in Mr Welland’s account.”
“I can explain . . .” pleaded Welland.
As Welland attempted to defend himself under constant barrage from his CEO, Head of Legal and most of the other board members, Brody zoned out and read the email that had popped into his inbox earlier. It was from one of the members of CrackerHack entitled, Favour Required - Will Reciprocate. CrackerHack was an online forum used by computer hackers from all over the world to brag about their exploits and swap ideas, tips and techniques. Brody spent much of his spare time on there. The message was from a member called Crooner42, a username that Brody vaguely recognised from some of the discussion threads. Crooner42 had blasted it out to all of the subscribers to a forum entitled ‘Advanced Pentest Techniques’. In it, Crooner42 explained that he had built an experimental live video-feed based Internet site that was likely to attract unwarranted attention from law agencies around the world. He’d hardened it as best he could, but needed someone deeply skilled to pentest it thoroughly, to ensure it couldn’t be broken into or brought down.
Brody wondered what the ‘experimental’ site was for.
Crooner42 requested that members of the forum declare their interest in carrying out the work. He would then choose from one of the respondents. Brody expected that Crooner42 would select someone based on reviewing his historical activity on the site. Brody knew he would be a strong candidate and, with the Atlas Brands job now pretty much finished, was sorely tempted to offer his services. In return, Crooner42 was bartering a week’s worth of his own coding services. That could always come in handy. It wasn’t a bad trade for what would probably amount to just a few hours of work.
“Do you have proof of this allegation, Mr Taylor?”
Brody looked up. Lamont had asked the question.
“Well, yes of course. Give me a second.”
Brody opened a new browser tab and brought up an email he had drafted earlier. He pressed send.
“I’ve just forwarded you all some emails sent to Mr Welland from a Janis Taplow. I believe she’s a relatively new employee within the marketing organisation. Where did you hire Janis from, Tim?”
Tim Welland replied flatly. He named their number one competitor.
“The email contains the whole launch campaign for their grille restaurant concept, presentations, financial plans, target countries, demographics, everything. And, if you open up the main presentation, you’ll notice that even the concept art is very similar. In fact, the only main difference is the name of the restaurant chain.”
“Got it,” said Lubber, Chu and Fielding in concert, from three different locations around the world.
As they read through the offending material, Brody flipped back to Crooner42’s request. He was tempted by the job, but hesitant to put himself forward until he reviewed the site in question. It was the reference to it receiving unwarranted attention from law agencies that intrigued him.
Incredulity rang in the voices from the screen as they absorbed the material Brody had just emailed them.
He checked Crooner42’s profile. He presented himself as more of a coder than a hacker, someone who spent far more time programming than trying to identify exploits in systems. He’d been active on CrackerHack for three years. Satisfied, Brody clicked on the hyperlink to the so-called ‘experimental’ site. It was called www.SecretlyWatchingYou.com. It seemed to be a random collection of network camera and webcam feeds. Brody clicked on one, making sure his computer’s speakers were muted. It showed some people working in an office, layers of desks and desktop computers. Another feed showed some fish swimming around in a fish tank. Not particularly interesting.
The Internet was full of webcam sites, the majority of which were either for viewing public places from afar in real time or for pornographic purposes. But this site claimed to have hacked into private network cameras in people’s homes and workplaces. It was certainly unusual. It charged fees for access beyond the free taster webcam feeds on the front page. Brody couldn’t really see why anyone would want to pay, or what all the fuss about law agencies was about.
Surely Crooner42 was over-egging the protection the site needed to have? Who would bother to attack it? And publicly requesting help like this on CrackerHack was definitely out of the ordinary. But then Brody remembered that after this meeting, his diary was looking concerningly clear. If Crooner42 selected Brody over other forum members for the job, his elite status in the hacking community would intensify — doubly so if he quickly broke through the website’s security countermeasures.
Ah, what the hell!
He returned to the original email and pressed the link Crooner42 had provided. In the blink of an eye, he had registered his interest in carrying out the pentest on SecretlyWatchingYou. Now it was down to whether Crooner42 chose him over another offer.
Brody returned his attention to the video conference.
“Looks like I’m done here,” said Tim Welland, getting to his feet in Munich.
“That’s the understatement of the day,” commented Chu.
“You’ll have my resignation in your inbox within the hour, Mr Lamont.” They all waited while Welland gathered his belongings and left the room in Germany.
“Well, Mr Taylor,” said Lamont. “A bit unorthodox, but I’d like to thank you for saving our company from a very embarrassing predicament, not to mention the potential lawsuits.”
“Just doing my job.”
“I think we should delay the presentation of your findings report until I’m back in the UK, which will be Monday week. I’d also like to personally shake your hand. And if everything is as insecure as you describe, it looks as though Chu will see a lot more budget going his way.”
“Sounds good to me,” said Brody.
“And me,” said Chu, his relief evident.
Ten minutes later, Brody drove out of the Atlas Brands car park in his metallic orange and black, custom-designed Smart Fortwo coupe. It would take a good few hours to get back to London. His phone vibrated. He slowed, looked down and glanced at the message header. It was from Crooner42 and entitled ‘Pentest Outcome . . .’
Brody stopped the car and clicked on the message, fully expecting to see his name in lights.
He couldn’t believe what he read.
ABOUT IAN SUTHERLAND
Ian Sutherland is a crime thriller author, living in London with his wife and two daughters. Leveraging his career in the IT industry, Ian’s stories shine a light on the threats we face from cybercrime as it becomes all too prevalent in our day-to-day lives. Invasion of Privacy is his first full-length novel and was professionally self-published in August 2014, along with its prequel, a novella entitled Social Engineer.
Learn more about Ian at www.ianhsutherland.com
Join his mailing list at www.ianhsutherland.com/stay-in-touch
Follow him on Twitter at www.twitter.com/iansuth
Like his Facebook page at www.facebook.com/ihsutherland