White-Hot Hack
He couldn’t hear the rain anymore. He felt drowsy, as if all the excitement of the day had sapped him of his energy. He wanted to lie in their bed, wrapped around Kate, until one of them came up with a good enough reason to leave it.
“How did it go with the task force?” she asked, and she sounded as drowsy as he felt.
“They placed bets on how long I could stay away. Can you believe it?”
“Absolutely. Your face lights up when you talk about anything related to the FBI.”
“Really?”
“Yes.”
“Before we started working to break up the carding ring, the task force brought down a group of hacktivists. We sent one of them to prison where he’s currently serving a ten-year sentence. There’s reason to believe the same group is responsible for a string of recent cyberattacks on banks and credit card companies.
“You said hacktivists aren’t interested in stealing. Why would they hack banks and credit card companies?”
“Because they like to show how easy it is to obtain information. They steal the data and share it with whistle-blower organizations. And some of the attacks have been on government agencies, which is why Phillip wanted me to do the pentesting.”
“That sounds troubling. No wonder he’s so worried.”
“It’s a serious threat to national security.”
She let out a surprised chuckle. “Do you have any idea how excited you sound?”
“I can’t help it. I find it exhilarating.”
“I know you do. This is exactly the kind of challenge that makes you happy.”
Opening himself up to Kate, sharing his feelings and letting her see who he really was, had been one of the wisest things he’d ever done. “You make me happy.”
“I’m just the cherry on top.”
“Yes you are.” He ran his fingers through her hair, idly wrapping the strands around his fingers. “Do you know why I call you sweetness?”
She propped herself up on her arm and smiled down at him. “I thought it was just your preferred term of endearment.”
“It is, but I call you sweetness because everything in my life got sweeter the minute you became a part of it. You’re exactly the woman I always hoped I’d find.”
“I love you,” she said, giving him one hell of a hot kiss.
“I love you too.”
She laid her head on his chest and snuggled closer.
He put one arm around her and reached for his phone with the other.
“Are you looking at the pictures?”
“Hell yes, I’m looking at them.”
“Let me see.”
She shifted a bit and he brought the phone down so the screen would be visible to both of them, and five minutes later it seemed he’d been absolutely right about that second round.
CHAPTER TEN
Ian did a double take when Kate walked into his office two days later and stood before his desk. Her long dark hair had been dyed a golden blond, a shade or two lighter than his. Before, it had reached almost the middle of her back, but she’d cut some of it and now it fell in long layers several inches below her shoulders. He’d contemplated asking her to dye her hair when they returned from Roanoke Island, but after discussing it with Phillip, they’d decided it probably wasn’t necessary, especially if he wasn’t also going to dye his. But now that she was going to be seen in public more often, he’d decided he’d feel more comfortable if she altered her appearance a bit.
“All right,” she said. “Let’s just get the carpet not matching the drapes jokes out of the way right now.”
“I’m not sure that tiny landing strip of yours actually qualifies as carpet, but okay. It’s not going to match.” He pushed his chair back and studied her. For as long as he could remember, certainly as long as he’d been aware of the opposite sex, he’d preferred a certain type: long-legged brunettes with dark eyes. But his wife had just shattered that all to hell, and no one was more surprised than him.
“I know that look,” she said.
“I should hope so.” The truth was there was never a time, day or night, when he didn’t want her at least a little bit. And right then he wanted her more than ever. “I never pictured you as a blonde, but this is a superhot look on you, and I pretty much want to lay you across my desk.”
She grinned. “So I guess you like it.”
“You look beautiful. Thanks for agreeing to do it.”
“Well, blondes do have more fun.”
He came around from behind his desk and sat on the edge of it so that he was facing her. “I know you’re all about using your sex appeal for personal gain, but I do not want those”—he pointed to her breasts—“or those”—he pointed to her legs—“or this”—he reached behind her and palmed her ass—“being used as an incentive in any way. The only person who should be looking down your shirt is me. You are not bait.”
She shook her head. “I promise I’ll never do that again.”
“Are you ready to go over scenarios?” He’d given her a stack of three-ring binders overflowing with information on social engineering attack vectors and asked her to study them. Maybe when she saw what it really entailed, she’d change her mind.
“I want to look over some of the materials one more time. Give me half an hour and then come to my office. I’ll be ready for you.”
“You got it.”
Kate had quickly turned the small sitting room off the formal living room into her office once Ian agreed to let her help him. The walls had been freshly painted when the main level had undergone its remodeling, and at Kate’s request, Jade had delivered a desk and a small chair and ottoman. Together they had selected brightly colored art for the walls, and Kate placed the rug from her apartment in Minneapolis on the floor in front of the desk. She loved it.
In law school, she’d had to commit copious amounts of information to memory, and Ian probably had no idea how eagerly—and thoroughly—she’d immersed herself in the study materials he’d given her. Phillip had said that social engineering was human hacking, but Kate soon realized it was much more complex than that. Ian preferred using his technical skills to penetrate and scan a company’s computer systems for vulnerabilities from the outside, but Kate would focus primarily on human-based techniques directly involving a company’s personnel. That might entail sending a phishing e-mail with a malicious link to someone within the company or convincing them to accept malware via a USB drive. In addition, she would become an expert in the art of pretexting, or conducting prior research that would lend legitimacy to an invented scenario in order to convince the victim to release the desired information or agree to a specific action. Kate had studied every possible situation and its consequences and couldn’t wait for her first assignment to try out everything she’d learned.
She was sitting in the chair with her feet on the ottoman, flipping through one of the binders when Ian appeared in the doorway.
He sat down on the ottoman and put her feet in his lap. “Ready?”
She handed him the binder. “Hit me.”
“Office building, badge access only, receptionist.”
“I’ll say I’m there for an interview.”
“What’s your attack vector?”
“USB-delivered payload.”
“How are you going to do it?”
“I’ll spill my coffee on my résumé or claim I’ve forgotten it. Then I’ll ask them to print me a copy.”
“How will you build rapport?”
“I’ll look for common ground, a vacation photo or a picture of a child on the desk. I’ll say how much I enjoyed that particular location when I visited last year, or I’ll mention how cute the child is.”
“What if the child isn’t cute?”
“Ordinarily I’d argue that all children are cute, but Chad looked pretty goofy until he was about five, so I know that’s not one hundred percent true and people will question my motives if they think I’m not being authentic. So if the child isn’t cute, I’ll fin
d an individual characteristic that is. Chad, for example, had adorable dimples.”
“What if it’s a picture of a dog and not a baby?”
“I’ll tell them about Scooter and how I rescued him from the pound after he was dumped along the side of the road along with three of his siblings. He was in such bad shape, but he’s four now and thriving.”
Ian sat up a little straighter and looked at her curiously. “Cat.”
“My Fluffy recently had a litter of kittens right underneath my bed. It was truly amazing, and I’m so glad I got to experience it.”
“What if it’s one of those hairless cats?”
She didn’t miss a beat. “Technically they’re called sphynxes, and they’re not totally hairless. They’re also very friendly. Mine greets me at the door every day when I get home from work. It’s so rare that I connect with other sphynx owners.”
“I’m amazed at how quickly you think on your feet, which is a very important and valuable skill for a social engineer to have. Did you actually research hairless cats?”
“I researched every kind of pet anyone might possibly have a picture of on their desk. You could have asked me about fish, hamsters, guinea pigs, or snakes. I’d have nailed it.”
“But what if there are no pictures of children or pets?”
“Then I’ll look for a knickknack, postcard, logo on a coffee cup. Anything that will give me a jumping-off point.”
“What if you fail in your attempts to deliver a payload to the gatekeeper?”
“Then I’ll have to tailgate my way into the building. Once I’m inside, I’ll have several options for collecting information, like shoulder-surfing or impersonating an employee.” The clients who hired Ian would expect his firm to make repeated attempts to penetrate their networks from several different angles. The practice, known as red-teaming, would allow Ian to analyze the vulnerabilities they discovered, which he would then share with the client in order to assist them in tightening their security.
“What if you get caught?”
Not getting caught was the primary goal of any social engineer, and the more outrageous the intrusion, the bigger the bragging rights. No one wanted to get caught, but playing it safe wouldn’t show a company the holes in their security.
“I’m not going to get caught.”
“I admire your unwavering confidence, really I do. But let’s just say—hypothetically—that an overzealous employee is bored and decides to play ‘spot the social engineer.’ What do you do?”
“I give them my letter. Because I’ve failed.”
Before beginning any social engineering assignment, Kate and Ian would have in their possession a letter from the client stating that Diane and Will Smith had the legal right to be on the premises. It was standard operating procedure, and every white hat security firm insisted on it because it offered them protection from any employee who might become suspicious and attempt to stop them in their tracks or haul them off to security.
“Try to think of it as your get-out-of-jail-free card.”
“Have you ever had to use it?”
He gave her a look like surely you must be kidding. “No.”
“Of course you haven’t.”
“Aw, sweetness. I never knew you had such a competitive side.”
“Neither did I.”
He smiled and gave her back the binder. “I’m extremely impressed. You’ve got this down cold.”
“Thank you. There’s nothing in that binder I don’t know. You could quiz me for another half hour and I’d never miss a beat.”
“Ferret.”
She struggled to suppress a grin and he thought he’d finally succeeded in tripping her up, but she quickly composed herself. “These cuddly animals are so unfairly maligned. Only a fellow ferret owner understands how truly special they really are.”
“Who are you?” he asked, his own laughter finally overtaking him.
“Isn’t it obvious? I’m your new social engineer.”
CHAPTER ELEVEN
“We should move these meetings to Applebee’s,” Tom said when Ian and the rest of the task force filed into the conference room where Phillip was waiting. “If we can’t hold them at headquarters, we might as well take advantage of the two-for-one happy hour that starts”—he glanced at his watch—“in about forty-five minutes.”
“Not to mention the hot wings and free Wi-Fi,” said Brian, the newest member of the group.
“That’s hilarious,” Ian said. “I’ll remember that next time one of you needs to be on the down low.” He pulled out the printouts Charlie had given him at their last meeting. They were covered in notations identifying the markers that proved the attacks were the unique work of the same hacktivist collective they’d already brought down once. “I’ve read through all the evidence and analyzed the code. I know for a fact the attacks were carried out by Joshua Morrison’s group.”
“Same signature?” Charlie asked, his forehead creasing in concern. Hackers often left TTPs—tools, tricks, and procedures—behind that pointed to the work of a certain person or group.
“Yes,” Ian said. “They appear to be pulling together, organizing, but their goal isn’t clear.”
“How are we going to proceed?” Tom asked.
“Now that we know for sure it’s the same group, a task force member will infiltrate,” Phillip said. “It’s our most efficient way of uncovering their agenda.”
“Don’t worry Merrick,” Charlie said. “You’ve more than paid your dues, and I already volunteered.”
Ian took the teasing in stride. He had no problem with Charlie going undercover and knew Kate would be very happy to hear it wouldn’t be him. “I appreciate that, and it’s Smith, remember?”
“E-mail me a spreadsheet with your names. I can’t possibly be expected to keep them all straight.”
“I wonder what they want,” Tom said, looking contemplative.
“Could be anything. I want everyone to be thinking about possible attack vectors,” Phillip said. “Charlie, start monitoring the channels and planning your entry. We’ll reconvene in a week.”
“Will do.” Charlie closed his laptop and turned to Ian. “Let’s go get a drink.”
Ian followed Charlie to the bar he’d chosen, hoping the Navigator would still be there when he came out because the location was neither trendy nor particularly desirable. One might even say it was downright sketchy. His misgivings were compounded by the surly bartender who barked out, “What do you want?” upon their entrance and the fact that their shoes stuck to the sticky floor as they carried their drinks to a table in the back.
“Jesus, Charlie. Don’t tell me this is your regular hangout, because I fail to see the draw.”
Charlie knocked back half his drink in one swallow. “Are you kidding me? This place is perfect. The drinks are strong and there’s never anyone around to eavesdrop on my conversations.”
“You better pace yourself. We just got here.”
“My tolerance for alcohol has already increased significantly thanks to the hacktivists. Damn carders never made me want to drink like this. I’m going to require a liver transplant by the time this task force wraps up.”
Ian raised his glass and then took a drink. “I hear that.” He’d been in Charlie’s shoes before and knew how intense it could be. The sheer number of hours he’d put in and the constant threat of blowing his own cover by saying the wrong thing or not covering his tracks well enough had worn on him. He’d cut Charlie some slack on the drinking.
“It’s great to have you back, man.”
“Thanks. I didn’t realize how much I’d missed it until I ran into you.”
“Kate seems like a great girl.”
“She is.”
“How’d you convince her to marry you?”
“Women are powerless when it comes to my charms.”
Charlie snorted and took another big drink. “Still wearing ’em down, I see.”
“It took a little persuading, but
she came around.”
“I’m happy for you. I’ll admit I wasn’t sure about any part of that crazy plan working out. But here you are, Kate by your side.”
“Yeah,” he said. “Here we are.”
“You buy a house?”
Ian nodded. “We planned to buy something closer to headquarters, but we ended up on a horse farm in Middleburg.”
“How did that happen?”
“Seventy-five fenced and secluded acres and a top-of-the-line security system, which I modified to make even better.”
Charlie’s glass had been empty for five minutes when Ian finished his drink.
“Want another? I’m buying.”
“Thanks, but I’d better head home. Kate taught herself how to cook and undoubtedly has some sort of gourmet dinner on the stove. It’s going to take me a while to fight my way through the traffic.”
“Beautiful and she can also cook? Boy, you really did hit the jackpot, didn’t you?”
“I remind myself of that every single day.” He stood and put on his coat. “Thanks for the drink. I’ll see you around.”
CHAPTER TWELVE
After Kate’s first social engineering assignment went off without a hitch, they celebrated by spending the afternoon in bed and the evening enjoying a bottle of champagne in front of the fireplace. It was true that the kind receptionist and the world’s cutest baby had made for one of the most ideal scenarios for a successful hack, but she’d used the USB attack vector successfully two more times since then—one receptionist had a picture of a Hawaiian beach and the other a golden retriever. Ian had been able to bring on two new clients now that he could offer social engineering as part of his audit package, and that made Kate very happy. She might not be using her law degree anymore, and the food pantry was no longer hers to run, but she added value to Ian’s company and she enjoyed the work. And she hadn’t balked when Ian insisted on paying her because her first paycheck, and every paycheck after that, had been donated anonymously to the Main Street Food Pantry.