For Money or Mayhem ©2015 2018 Nathan Everett, Elder Road Books, ISBN 978-1-939275-57-8
Getting to work at nine in the morning after gaming until four is a royal pain. I’m getting too old for this. I was willing to bet that nearly everyone in that game last night was in his teens or twenties except me. And Patterson. I’d given up on thinking anyone from the company had been involved last night except the mysterious IGotUrBak who jumped in at the last minute. I suspected Patterson had organized the attacking team himself and sat back to watch how I handled it. The hackers were getting better all the time, and to basically turn a treasure-hunt into a first person shooter game was really rude—especially when I was the target. I wanted to find out who these guys were, but once they were destroyed, they were erased from the game system. It would have been helpful if IGotUrBak had kept them alive for interrogation instead of so completely obliterating them.
And that was reason enough to go to the office.
It was one thing to have someone in the office monitoring what I did, but to have him jump in and save me at the last minute was disconcerting. He’d proven helpful on a couple of occasions now. But still… I’d expected whoever it was to play, not to lurk until I was desperate and come to my rescue. Today was the day I was going to find out who was on my tail.
I started by checking to see who was in and who wasn’t. It looked like Ford had spent the night in his office. But his normal position was sleeping at his desk and I wasn’t sure if he even had a home to go to. I swung by Arnie’s office and Darlene caught my attention.
“He’s in an exec meeting this morning. Can you wait till after lunch to see him?”
“Not a problem. I was just stopping by to update him,” I said. Darlene stifled a yawn. “You look tired. Should we be going for coffee?”
“These meetings start at seven a.m. They just kill me. I’m supposed to get my beauty sleep, not be fetching donuts at six-thirty in the morning.”
“Ouch. I barely make it to bed by that time.”
“Mmmm. Hope staying up late is for pleasure.”
“Sort of. About that coffee…”
“No. I have to run interference at ten when they take their ten-minute break. Phil looked like he could use coffee when I saw him. Said his three-month-old kept them up all night.”
“I’ll stop by and check.” I headed Phil’s direction, but detoured by Don Abrams’ office. It would be interesting to see if anything was happening in the area of Network Security. Don was in jeans and a polo shirt, a baseball hat pulled down low as he stared at his screen. “Hey, Don,” I greeted him. “Did I miss the memo on casual Tuesday?”
“I haven’t been home to change yet. We had a hack attack on the network at three-thirty this morning. I got a call from my team and have been here since four. Didn’t take time to shower and dress up before work.”
“What area did they hit?”
“That’s the thing. It looks like they were mostly interested in getting inside. Once they were in, they disappeared as quickly as they entered. It was like they all just unplugged their computers from the network at the same time.”
“All? How many were there?”
“Half a dozen. Looked like they were marauding and just trying to hack through firewalls. Maybe a contest to see who could get through first. It’s possible they didn’t really have a reason to be there. They were gone before we got an address for them or could isolate the signatures.”
“Sounds nasty,” I said. So the invasion of my six pursuers had triggered an alarm in the system. It sounded like they just retreated, but the message on my dashboard led me to believe someone inside had expelled them. Still, Don seemed to have no knowledge of this. I decided to stick my head into Allen Yarborough’s office. You’d think the System Administration Manager would have been called about the security breach, but Allen’s office was closed and the lights were out. It didn’t look like he’d come in yet. I stopped by Phil’s office and he waved me on. He was on a phone call and didn’t look like he’d be off anytime soon.
There was one other person I was interested in this morning. I still didn’t know what kind of work she did. I went up to the twenty-sixth floor and strolled by Jen Roberts’s office. She was just walking out the door, dressed sharply in a blue pinstriped suit with a white silk blouse buttoned to the throat. She was looking at a file in her hands and nearly tripped into me.
“Oh, Dag! Just the person I wanted to see. Were you coming to see me?”
Jen was brighter and more cheerful than I’d seen her on any other occasion. She must have had a good weekend. I’d avoided her all day Monday.
“I was just stopping by to get some pointers on filling out a travel request. Ford tells me you are a stickler on setting up cost/benefit analysis and I wanted to find out how you prefer to see travel estimates put together.”
“I’m a stickler with Ford because he submits a travel request every other week. If I approved half of them, that would still be four times the team’s entire budget. If you have travel that will advance your work, talk to Darlene. She has signing authority for all Arnie’s directs. Probably has a higher spending limit than I do. You don’t need to bring it to me unless you need it to be discussed and approved in our team meeting.”
“Well, that’s good to know. Did you want to see me about something?”
“Yes. You wouldn’t happen to have been headed out for coffee would you?”
“I was thinking about it. Most of our team seems to be whacked out of their minds with lack of sleep, but no one was interested in taking a break.”
“That’s what I wanted to talk to you about,” she said. “Let’s take a walk.”
Unlike Darlene and Arnie, Jen—in her high heels—avoided the long walk down the hill to the Daybreak. Instead we entered a bank building on Third and went to the atrium where an independent vendor did a good business all day long with people in suits. I noticed the price of a cup of coffee was about thirty percent higher than down the hill. Jen had grabbed an umbrella from the stand next to our building entrance to keep the light rain off her perfectly coifed hair and silk blouse. But once we hit the marble of the atrium her wet heels slid and I caught her in a position that was neither ladylike on her part nor chivalrous on mine. I couldn’t help but notice that she eschewed anything that would strap her in.
“Let’s just pretend that little embarrassment didn’t occur shall we?” she said once she’d straightened up.
“I’m sorry…” I started. She held a hand up to silence me.
“Didn’t occur.”
“Right.” We got our coffees and found a wrought iron table near the three-story windows. If you were high enough, you could see the Sound out the upper part of the windows, but where we were, there was nothing outside but tree planters. “You have something in that file you wanted to go over with me?”
“No. Carrying a file is just a prop. Makes people think you have a purpose when you are walking the halls. It’s like you with your smartphone.” Damn! “I want to talk to you about last night.” That was a surprise. First, she was the only person I’d seen this morning who didn’t look like she’d been up all night. Second, I didn’t think she could possibly have information that Don didn’t have and he showed no interest in talking to me. Third, I didn’t think she had the technical chops to hack the system. She seemed more like a numbers person to me.
“What about last night?”
“Forgive me, but you were behaving oddly, and I couldn’t help but notice. I live in West Seattle. I went for a jog and saw you sitting in a coffee shop. I was going to stop and say hello, but you seemed intensely involved in something other than the cupcakes. You were carting around more computer hardware than most of us have on our desks.”
“Oh.” She didn’t know about the intrusion at all. This was completely off the record. “I was setting up some new gaming equipment.”
“Gaming? As in gambling?”
“No. RPG. That’s a role-playing game. People from all over the country gather together online to participate in a gamemaster’s storyline. I was running a game last night.”
“Not just locals?”
“I don’t really know where most of them are from. They sign on with their gaming alias and we play. Last night we played until quite late.”
“Yes. Do you always have someone tailing you?”
“Tailing me?”
“The guy in black with a Nike jacket. Seahawks cap. Text messaging all the time.”
“Didn’t even see him.” There was a guy following me? I wracked my brain trying to visualize who was in that coffee shop. I couldn’t call him to mind.
“It was intriguing. Made me curious as to why he was following you, so I followed along.”
“You were following me last night?”
“Oh, no. Even in running sweats, if I’d been following you, I’m sure you would have noticed. I followed him.” I shivered just a little thinking about the parade of followers behind me. Was someone following Jen? I could just imagine her in sweats, jogging along. All right, I’d definitely have noticed. I put that image out of my mind.
“It must have looked pretty strange.”
“I gave up when you caught the bus to the airport and called a taxi to take me home. Did you come to work straight from your game?”
She knew I went to the airport? Questions were piling up.
“No. I slept…” I didn’t want to tell her exactly when I ended the game if she didn’t already know. People up at certain hours of the night when other things were happening at those hours would be too easy to connect. “…a few hours before I showered and dressed for work. By the time I got on that bus, the game was beginning to wind down.”
“And how many others on our team were playing your game with you?” There it was. She was suspicious.
“None that I’ve identified. Like I said, people log in with their gaming alias. I don’t usually try to track down the real identity. Could be the whole company was playing. Were you?”
“Though I try not to be blatant, I don’t play games.” She looked me intently in the eyes and I could see more than a professional interest. Her lips curled into a smirk. After an awkward silence of a few seconds, she changed to a more professional tone.
“You arrived on the scene at EFC in the midst of a power struggle. The company is closely held, but the founders and majority stockholders have been at this for twenty-five years. They’re getting tired of playing Caesar and are looking around every corner for potential assassins. That includes your boss and mine. It’s clear to me that neither of us was brought here to do the job for which HR has a description. What’s less clear is that we may not have been brought to do the job our bosses described either. Watch your back.” She let me soak that in for a minute while she finished her coffee. IGotUrBak. A lot of what she said fit with my suspicions. “Let’s get back to work,” she said at last.
She stood and casually tossed her cup in a bin. She walked carefully across the marble floor, put up her umbrella and marched out into the rain.
It was after lunch that I began my exercise routine. I started on the third floor, walked the entire circuit, and then moved to the fourth floor. I stopped on each floor to examine the bulletin boards where employees posted notices of apartments for rent, puppies for sale, housekeeping services, and the mandatory HR Fair Employment Practices bulletins. EFC has a lively community of employees who post notes about community service events, multi-cultural events, and book clubs. I noticed many people walking the halls. Marketing, of course had the most elaborate displays and included notices about cookie and candy sales from various schools and clubs, and a May Day festival coming up soon.
On the other hand, floors that were mostly technical or manufacturing had little or no activity in the halls. The offices had no interior facing windows, and the core was devoted to equipment, much of which was managed remotely. That’s what I encountered on the twelfth floor.
As I approached the security door where I’d concealed my miniature RFID reader, I pulled out my cell phone and launched an app for capturing the info from the device. I timed my approach so the camera was pointed away and held my infrared LED flashlight pointed at it just to make sure I wasn’t caught. I waved the phone at the reader. In an instant it had captured the signal and replayed it for the security unit. The door clicked unlocked and a green light came on. I smiled and continued my exercise routine without opening the door.
I was back in my office by two-thirty, giving short shrift to the upper floors. There is a fundamental fact about security cameras that few people know. They aren’t usually monitored. It’s ridiculous to imagine a person whose job is to watch the camera feed twenty-four hours a day. Add to that the fact that there are over a hundred cameras that I had counted with at least four to a floor and you have a phenomenal amount of video to watch. I figured it would take no less than sixty people to monitor all the feeds twenty-four-seven. Instead, footage is stored for a period of time in a digital vault that holds several petabytes of data. After thirty days, the data is erased. Only if there was an intrusion into the company, a theft, or assault, would the tapes ever be reviewed. EFC’s unique policy of having security cameras playing as screen-savers on every employee’s desktop served more to remind people they were being watched than to monitor the cameras.
I needed to know if there was video surveillance in the manufacturing facility. I used my portable keyboard to tap out the commands and searches I needed inside the network to generate a list of video feeds. There was video surveillance at the entrances to the facility, but not inside.
Next, I needed plans for the building. I suspected there was a reason for the facility being on the twelfth floor. Unfortunately, the company plans for offices were of no help. The floor plans on the Intranet showed what offices were on which floors, where emergency exits were, and general use information regarding the large spaces that were used for the server farm and the manufacturing facility. I needed electrical, heating, and plumbing plans.
Developers making structural changes in buildings are required to obtain a building permit from the Department of Planning and Development. Applications for building permits must be accompanied by blueprints that building inspectors use to approve the work and then verify that it was done according to specification, is safe, and is habitable. Being a government office, it doesn’t throw anything away. A huge microfilming project was undertaken a few years ago and development documents from the 1890s forward have been cataloged. At the same time the historical documents went into microfilming, all current projects were stored digitally. I was betting the modifications to the twelfth floor were made after digitization started.
Proper protocol for looking at these documents requires an investigator to submit a request, go to the office, and pick up the files after signing for them. The permits and drawings are a matter of public record, so technically breaking into the city’s digital vault to view the plans wasn’t completely illegal in my mind. I looked up the city records for the building permits on this site. The low-res digital images I found were just adequate to confirm my suspicions.
There is still something about the number thirteen that makes people jittery, even in an age supposedly beyond superstition. As a result, very few buildings acknowledge a thirteenth floor. The elevators in our building are no exception. The buttons are numbered consecutively from one to twelve and from fourteen to twenty-six. We’re supposed to believe that there simply is no thirteenth floor.
The reality is that most of the building’s mechanicals are located on the thirteenth floor, accessible only by a service elevator and stairs. The central core, however, had been cut out to make a single two-story room where the manufacturing equipment of the credit card company is located. It would take me some work, but I was pretty sure I could access the facility through the equipment rooms on the non-existent thirteenth floor. It was going to be a climb. It was nearly five by the time I’d finished my various searches and memorized the access points I needed. There was still one thing I wanted to check.
I stepped out to verify that Don had left for the day. If he’d been here since four a.m. he had a good excuse to bug out early. In fact, all my teammates were gone. I went back to my desk and called up the network logs for last night. I wanted to see exactly what was recorded at the time I was being attacked in cyberspace.
Network logs include screen after screen full of text lines. EFC is a twenty-four-hour company, so there is always traffic on the network. I could get close to the information I wanted by searching the time, but I was only certain that it was between three-thirty and four o’clock which left thousands of lines of log entries.
Part of being a good detective is being able to see anomalies. Take one look around a room and identify the one item that is out of place. I’d already proven how inept I was at that last night when I failed to realize I had not one but two tails on me. But it was different when I looked at code. I started scrolling through the lines of log entries, not sure what I was looking for, but watching for the anomaly. I didn’t try to read the lines, just watch for the patterns. As the lines went by, I zoned out, letting them flood my mind.
It took me two passes through the entire half hour log before I saw it. The timestamps.
At 3:42:24 there was a ten second gap. The numbers had been consecutive, often multiple for a given timestamp up to that point, but between 3:42:24 and 3:42:34 there were no entries. It wasn’t beyond the realm of possibility that all network traffic into and out of EFC suddenly ceased for ten seconds in the middle of the night right when half a dozen gamers broke through the firewall and were ousted by someone inside with enough power to wipe them from the system. Right. It’s possible, but the likelihood is remote.
I examined the records carefully. On either side of the ten second block, an employee was surfing the Web. The network log indicated a start point and an end point for each link. Above the ten second gap the addresses moved smoothly. From a to b, from b to c, from c to d. But below the gap the transitions were suddenly from f to g. The referrals from d to e and e to f were missing. Someone had edited the network log and that took a lot of skill. The log was autogenerated from the system. If someone could blank out a portion of it or delete it, EFC’s security problems were a lot more serious than a breached firewall.
Now that I knew what I was looking for, I could write search parameters and send spiders into the network. At least theoretically. First I had to locate a server in the cloud that would let me execute a program that would technically be classed as a virus by security. I could get the results, but whatever server I found would be pulled off-line and the hole patched by morning. Ah, well. That will just enhance company security. I set the little bug loose.
It was nearly six and I was supposed to meet Andi at seven. I set up both the company laptop and my big gaming machine side-by-side on my desk and put them sleep so I could wake them remotely if I needed to. Then I grabbed my tablet and my cell phone and left.
The service stairwell was accessible from the underground parking garage where some impatient mechanic had conveniently wedged the door open and left it. It had taken me nearly ten minutes to find it, even knowing from the building blueprints where to look. It took twelve minutes to climb to the thirteenth floor. Of course, it wasn’t marked thirteen. The access door below was marked twelve and the access door above was marked fourteen, but this door was simply marked “Danger. High Voltage. Do Not Enter.” It was secured by an old fashioned key-lock. It took me almost three minutes to pick it. That’s not really my specialty.
Inside, I got my bearings as I walked up and down aisles of cable boxes, heat and air conditioning units, telephone and electrical boxes. Finally, I came to the door I wanted. This door was secured by an electronic lock that matched the ones in our office. I waved my cell phone at it with the recorded RFID and it clicked open.
It was a good thing I didn’t just step through. It was an access door, no doubt on the fire department’s list of emergency exits, but it was nearly twelve feet off the ground with no more than a narrow catwalk crossing in front of it. I stepped onto the catwalk and heard the door click shut behind me.
Damn.
There was no way to open the door from the inside that I could see. I was inside and I’d have to figure out how to get out later. For now, I found my way down a metal stair onto the main floor.
The room was two stories high and filled with the equipment and robotics required to make credit cards, including warehousing the stock, manufacturing, sealing, and shipping.
Sheets of plastic were fed into cutters and trimmed to credit card size. Printing on the front and back was done on a digital press, including laminating holographic images on the front of certain cards. Magnetic strips were applied to the cards and each was treated with an ink-receptive strip for the signature. The cards were then fed through a magnetic recorder that recorded the personal information of the user on the card. From there, the card was fed into a machine where the strip was read and then the card was stamped with the raised numbers and letters that identified the credit card number and customer.
I took pictures of the process with the camera built into my tablet and started cataloging the operation. EFC produced private label credit cards for various organizations, including associations and credit unions. It had also developed a side-business of manufacturing gift cards with dollar values for various restaurants and retail outlets. It even subcontracted card manufacturing for larger credit organizations and banks.
The magnetic stripe on a credit card contains the necessary information to conclude a transaction. The primary account number embossed on the card is also the leading information on the stripe. It includes the name of the cardholder, the expiration date, the Verification number or CCV Code, and the address and ZIP code of the cardholder. Of course the information is encrypted so you can’t simply run it through a tape player and read the info, but one of the cleverest schemes for pirating accounts has been to have a thin card reader inserted into a regular bank station like an ATM machine or gas pump. Usually a concealed camera is focused on the keypad so that the thieves can record the keying of the PIN as they capture the information from the magnetic stripe. It’s quick and efficient.
It also goes undetected for a long time. A compromised account can be hoarded by a thief for weeks or even months before use. That gives the thief time to collect a huge amount of data and then remove all trace of the illicit equipment before it is discovered. It makes it almost impossible to identify the source of the compromise.
As I watched the machines doing their thing, I observed an occasional card being rejected at one or another station. The most common rejections occurred before any data was imprinted on the card. The magnetic stripe might not have adhered. The ink might have been smeared. Any number of defects were caught by inspecting equipment in a fraction of a second and led to immediate rejection of the card.
Further down the line, a card might be rejected for failed data recording, duplication, or simply being blank when it got to a place that required data. Each of these failed cards were shuffled to a bin that led to a shredder where rejected cards were chopped to tiny bits to be recycled.
After a card passed all its tests, it was put in line for mailing. Based on the card data, a letter was printed, envelope generated, the card attached with a glue spot to the letter which was then folded, inserted in the envelope, sealed, and bundled for mailing. No human hand had touched it.
The few cameras that were in this manufacturing room were focused on the equipment so a technician could visually verify if there were production problems. If there was an equipment malfunction, service or maintenance to be done, or supplies to be refreshed, someone would come through a security door on the twelfth floor. Once inside, the operating assumption was the tech belonged there; security did not take responsibility for what authorized people did once they were inside the room.
I’d seen what I needed to in this room. I wasn’t happy about exiting onto the twelfth floor but my exit back through the mechanicals room was blocked. I headed for the main door into the room and got a shock. It didn’t have a RFID reader to open the door from the inside. It had crash bars that were clearly marked “Emergency Exit. Alarm will sound. Use Keypad.” Next to the door was a ten-key pad with a flashing red light above it. I estimated the location of the card reader on the outside of the door and waved my cell phone at it, transmitting the code, but it was too far away and on the other side of a wall. No signal penetrated.
I was stuck.
Please feel free to send comments to the author at nathan@nathaneverett.com.