Weekend Herald - Canvas

INTO THE VAULT

When the hacker known as “Alien” landed a job with a leading security company, she expected to spend all her time behind her keyboard. Little did she know her first test would be trying to break into one of America’s biggest banks, writes Jeremy N. Smith.

-

Elite Defense was owned by five partners. Three were computer security experts, one was a former Silicon Valley executive and the fifth was ex-military, a retired air force commander superb at physical surveillance and with an encyclopedic knowledge of technical gear. Thanks to their prior work experience, all were good at bringing in business.

“If we come in to give you a test, you will have been tested,” they promised Fortune 500 companies and government agencies and contractors. “We will pwn [hack] you if you can be pwned — and we haven’t had a client yet who couldn’t be.”

Elite was a small and loosely organised company. There were only nine people: the five co-founders, who called themselves Jedis, two veteran associates, an office manager and now Alien. The office manager was the only other woman and no two Elite staffers lived in the same city. They communicated with one another either by cell phone or through a private email and chat system. Since there was no apparent hierarchy among the five partners and they didn’t seem to gather regularly as a group, even online, who was in charge of what seemed determined by chance or the whim of the moment. It was a miracle that she’d been hired at all, Alien realised now.

Three months after signing on, when she was finally given her first assignment, it didn’t require any of her coding and command line skills. She didn’t know if this was because she was female, or just new, or for some other reason.

The assignment was breaking into a bank. Alien pressed her hands to the passenger-side heating vents of a grey Ford Taurus — chosen because it was the most boring rental Hertz had on the lot with a closed, lockable trunk. Her outfit was also purposefully nondescript: two-inch black leather heels, a long dark brown skirt, a prim white blouse “borrowed” a few years earlier from her mother and a long, tan trench coat. Beside Alien, behind the wheel, sat one of the co-founders of Elite, a scowling, heavy-jowled man of 50, named Richard. Across the street was the 20-storey glass-clad regional headquarters of one of the country’s biggest banks, with more than 1000 branches nationwide and $100 billion in assets.

“Six-foot metal side fence,” Richard said, pointing out each security feature and its placement. “There’s a camera. There’s a camera. And there’s a blind spot by the corner — see the angle?”

Alien nodded. “Got it.” She jotted down the observations in a notebook. “Castle,” Elite Defense had code-named the client, referring to the financial institution’s logo, a red castle with two symmetrical turrets.

Richard drove around the block to the rear of the building, which they studied through a small hole in a blue mesh screen covering the employee parking lot fencing.

“Notice the UPS guy,” he said, pointing out a brown-clad figure leaving from a side door. “That must be the delivery entrance.” The door was propped open with a small wooden block. “I bet they have a freight elevator,” Richard continued. “And that looks like an unmanned storage room with an unlocked window.”

Alien followed his gaze and then added the details to her notebook, to be integrated later with her own remote reconnaissance notes — information gathered online or via public records, such as the names and positions of local Castle employees and the floor plans of areas for lease. As with hacking computers, a single security flaw was unlikely to give them everything they wanted. But the more they knew and could combine, the more likely it was that they could get in — and then out again — with sensitive goods or information.

“Not much movement,” Alien said when they were back out front. “Could be tricky to tailgate” — that is, to gain entry by following someone with authorised access.

“Just wait for the smokers’ breaks,” said Richard. “Or” — a clock outside struck the hour — “lunch.”

Alien counted 12 chimes: noon. Employees started streaming out of the building lobby.

“See you tomorrow,” she whispered to them.

TED ROBERTS, Castle’s head of security, requested a private booth at the hotel restaurant. A friendly, blond 40-year-old man in a business suit, he leaned across the table after dinner and passed both Richard and Alien his business card and a signed one-page note.

Alien skimmed the document, which she had written and sent to Ted, asking him to fill in the blanks and bring it to their meeting tonight. “[Castle] has hired Elite Defense to perform physical security penetration tests and assessments of nine sites in three states,” it said.

Specific addresses followed, starting here, with the bank’s regional headquarters and four branches she and Richard had driven by that day, doing local reconnaissance. For the rest of the week, Ted’s note authorised, they were to probe the facilities, one by one, to determine if an uninvited visitor could enter, explore, remove equipment or data, or rob the banks. The letter closed with instructions on how to contact Ted if they got caught.

“Your ‘Get Out of Jail Free’ letter,” he said. Richard harrumphed, but Alien gave her best smile, folding the letter and placing it in her coat pocket. “Thanks,” she said, patting the pocket afterward. “I hope we won’t need it.”

Ted signalled to a waiter for the bill. “Good luck — but not too much luck,” he said.

TUESDAY NOON, the clock tolled and office workers exited the 20-storey building again. Everyone was bundled up and breathing out steam on their way to lunch. Moving in the opposite direction, Richard entered the lobby to check it out.

Alien watched from the front passenger seat of the car, clutching an empty black laptop case. No — not completely empty. While she waited, Alien reached her fingers into the zippered pocket and checked. There they were. Beside her “Get Out of Jail Free” letter. Fake business cards she’d printed after dinner with Ted last night.

“Elizabeth Tessman/Enterprise Technology Specialist,” they said, to the right of the red Castle logo, above her real cell phone number, a fake Castle corporate email address, and the address of this building, each element copied from Ted’s business card.

Alien sighed, shifting impatiently. Then she sat up quickly, seeing Richard approach the car.

“Did you get in?” Alien asked after he had taken his seat and shut the door. Richard responded scornfully. “There’s no way,” he reported.

“What do you mean?” she said. All he’d done was try the lobby. What about the freight elevator? Or the storage room with the open window? “What happened?”

“Forget it.” Richard turned up the heater and made to shift the car into drive. “It’s f***ing freezing,” he said. “Let’s move.”

“We can totally do this.” Alien unbuckled her seat belt. “Let me try,” she said.

Richard shook his head. “You won’t get in,” he insisted. “There are turnstiles and a security guard watching everything. You’ll just blow our cover.” He continued gruffly, “Let’s try the bank branches first. If there’s time, we’ll come back here. We found plenty already.”

“We’re here now,” said Alien. “And I won’t blow our cover.”

Richard could spot a narrow opening in a fence at 45m and recite security camera specs from memory. Forthright, credible, and confident, he was terrific at presentations. It was clear, however, that he had neither the patience nor the aptitude for what those in the InfoSec community called social engineering.

Bluntly put, the term meant manipulating people. You might call it charming or, in some cases, scaring them but it was always about getting them to do what you wanted. Whoever you were, the trick was to assess the other person and figure out how you might talk him or her into something. Perhaps the best name for it might be “human hacking”.

Consciously or not, every child or parent, teacher or military leader, politician or “player” on the dating scene used social engineering. For pentesters [professional penetration testers] or their criminal counterparts, like those who sent phishing emails or persuaded victims to empty their bank accounts, the appeal was obvious. Why bother breaking into anything when you could get individuals to open their doors for you? And because people, especially men, were generally less suspicious of women in this kind of situation, being female could be an advantage.

“It’ll be fine.” Alien smiled sweetly. “I’ll be quick and come right back if there’s any problem.”

Before Richard could say another word, she was out the door with her laptop case.

Alien crossed the gray slate floor of the spacious lobby. Four hip-high stainless steel gateways stood between her and the elevators. Each was equipped with a wedge-shaped black barrier that receded when you placed your badge on a scanner. Then, as soon as anyone passed the gateway, the barrier closed immediately, preventing tailgating.

Next to the gates was a wide marble counter, also gray, behind which stood a white-haired guard in a crisp black uniform.

She walked toward the badge reader systems, as though expecting to go through. When the barriers stopped her, Alien acted startled, purposefully trying to catch the guard’s eye. Then she approached him.

“Hi,” she said. “I’m with IT. We have a computer emergency on the seventh floor. I need to get up there.” She would be happy to get in anywhere but knew from remote reconnaissance that this was the floor with the most day-to-day office workers.

Up close, the man looked even older than she had originally estimated — at least 65, Alien guessed, with thin gold-framed bifocals and permanent creases in his forehead. Still, he looked in excellent shape, erect and alert. “You have to use your badge,” the guard said. “Or are you on the list?” he asked, pointing toward a black hardcover binder on the table.

“No — I’m in IT,” Alien told him. “I’m new — I just started yesterday.”

The guard frowned. “Where’s your badge?” he asked.

“I don’t have a badge yet,” said Alien smoothly. “But my name is Elizabeth Tessman. And my boss is Ted Roberts. T-E-D. R-O-B-E-R-T-S. Here’s his card.” Alien lifted her laptop case and placed it squarely on the counter between them. She tugged the zipper and took out and slid him one of her new cards as well as Ted’s.

The guard entered both names in his computer system. “He’s in here,” he acknowledged. “You’ll need to call him to get added to the list.”

Alien opened her phone, pretending to call Ted and leave a message.

“Hi, Mr Roberts,” she said. “This is Elizabeth. I’m leaving you a voicemail. I’m really sorry to bother you. They won’t let me up to the seventh floor. I know it’s an emergency. Can you call me back, please? I’m really sorry. Thanks.”

She stood awkwardly in front of the desk, checking her phone and looking fleetingly at the elevators. The guard cringed.

“I can try him again,” she said to him. “I’m really sorry to keep you waiting. I know there was a big server crash right before I left and he might be in the data centre. I just can’t leave without fixing this — I promised.”

The guard was clearly conflicted. He looked down, giving her card only a second’s glance. Then, though, he waved her forward.

“Look, I know it’s important,” he said. “I’ll make an exception. Just be quick.”

“Thanks — I will,” she told him — just as she had assured Richard.

Alien grabbed her laptop bag and stepped forward to the closest gateway.

The guard pushed a button under the counter. The barriers parted with a whoosh.

Alien was surprised to feel her heart pounding as she stepped out of the elevator. She’d taken much greater physical risks in college. But she’d never tried to steal something.

For now, at least, there was nobody else on this floor.

Alien moved quickly. Most work spaces, she saw, were cubicles containing white desks, separated by 1.8m freestanding grey walls.

At the perimeter of the floor were the larger individual offices of middle-level managers, with glass walls and doors.

On every cubicle’s desk was a black phone and a Dell laptop connected to an external keyboard and monitor. Alien hefted a few laptops. All were secured with cables.

She decided to try the managers’ spaces, starting with a corner office with an unimpeded view of the downtown. It had the same computer set-up, though on a larger dark grey desk.

She lifted the laptop.

No cable.

Alien heard the elevator ding, announcing the return of the first of the employees from lunch. Two men chatted as they went to their desks, not noticing her. She slipped out of the corner office with the laptop and walked past two more employees. Alien was positive she looked as guilty as she felt, but these employees ignored her too. She ducked into the nearby women’s restroom, where she hid inside the stall farthest from the door.

Her heart was beating harder than ever. To a bank, nothing meant more than its reputation for trustworthiness. The machine might have confidential customer files on it, Castle business plans, corporate personnel records, or all of the above. An identity theft ring exploiting that information could make millions. So could shady stock market traders or any of Castle’s national and international competitors. And the fines and settlement fees once a big breach was disclosed could run to eight figures.

In the stall, Alien unzipped her satchel and stuffed the laptop in her case, between the business cards and the “Get Out of Jail Free” letter. The laptop was a little too big for the case, and she was very nervous. She told herself to calm down and succeeded in stretching the case over the laptop and zipping it closed.

Alien walked to the elevator as confidently as she could, smiling professionally at others as their paths crossed. Everyone else wore a rigid badge with their name, headshot, and the Castle logo clipped to their shirt or waistband, so she shielded those areas with the laptop case.

The elevator opened back in the lobby. “Did you get it taken care of?” the security guard asked.

“Yes. Thanks so much,” said Alien, giving him a thumbs-up. She crossed the street, opened the car door, and slipped back inside the Taurus.

“Nada,” Richard said in a told-you-so tone.

“I did it,” Alien said. She zipped open the case. “I got a laptop.”

“What?” Richard’s eyebrows rose as he beheld her prize. “Holy shit,” he said.

At Ted’s request, they rendezvoused immediately afterward for Alien to walk him through the heist. They met outside and went back in together, gathering after the walkthrough in a second-floor conference room to talk. Then Ted brought in the guard.

The man looked stricken. He was still in uniform. Without the reception counter to stand behind, however, he seemed older and frailer — shrunken somehow.

“This is Elizabeth. You’ve met her before,” Ted said. “She’s a professional penetration tester. You let her into the facility. Why?”

The guard lowered his head. “Looking back, I know it was the wrong thing to do,” he said. “But I just ... trusted her.” He looked up at Alien. Their eyes met. His were dark brown. He wasn’t angry. More ashamed.

Then the guard looked away.

“We’re on your side,” Alien said to him. Struggling over what to say next, she explained, “Like a doctor — they have to hit your knee to test your reaction. It hurts for a minute. But in the long run it makes you stronger.”

LATE MORNING the next day, Richard circled the icy strip mall parking lot, head shaking as he and Alien passed the Kinko copy centre where she had made their fake business cards, a Blockbuster Video, a fitness centre, a party supply store and a gyro shop before circling back to the long, low-slung redbrick Castle bank building — the first of the branches in town to be assessed. Again, he didn’t see how they could crack it.

“A big office building like yesterday, okay — strangers come and go there all the time,” Richard said. “Here, a little bank branch, everybody knows everybody else. They can all see everything that’s happening. They’re not going to let you just carry out a computer.”

“I want to get into the vault,” said Alien. “Circle again. Let’s check the back of the building. Maybe there’s a vent we can climb in.”

Richard scoffed. “It’s going to be locked down,” he said.

“We’ll figure it out,” Alien said. Like yesterday. “What would be a good ploy?”

Richard looked at his phone, squinting at an incoming text. He shrugged and said, “My daughter’s choir has a concert tomorrow night. I’m going to switch my flight and head home early. Just give it a shot yourself in the morning.”

Concert or no concert, Alien was surprised that he was giving up so easily. But she couldn’t say that.

“Okay, no worries,” said Alien. “Do you want a ride to the airport?”

Richard checked his watch. “Nah, I’ll take a cab.” He added, “Good luck, but yesterday was a fluke. You’re not gonna get into this place.”

Alien peered across the frost-fringed asphalt, new hope dawning only when her gaze reached the rows of self-service copiers inside the glass-walled Kinko’s.

Time to live off the land.

When Richard had left, Alien strode inside the Kinko’s, grabbing her driver’s licence and hotel room keycard from her purse. She made a colour photocopy of the headshot from the licence, cut it out, and pasted it carefully to the keycard. Then she rented computer time, printed out her name and the Castle logo, and added both to the prop.

Alien held the result to the light, smiling. There. Her own employee badge, just like the ones she had seen inside regional headquarters — or at least close enough to pass casual inspection.

Alien grabbed a clipboard from the rack of office supplies and returned to the computer bank, loading the Castle logo again and pasting it into a new document.

“SECURITY AUDIT,” she typed. “PART I: QUESTIONNAIRE.”

Shortly before 10.30 the next morning, Alien pulled up in the Taurus and parked just outside the entrance to the same Castle branch bank. “Branch manager: Leon Sanders,” her remote reconnaissance notes reminded her. Moments later, a middle-aged man in suit and tie exited the building, precisely as he had at 10.30 — and again at 2.30 — the day before. If the pattern held, she had half an hour, Alien estimated. Then Sanders would return from his break.

She stepped out of the car, dressed as she had been at the regional headquarters, only this time with her new clipboard and questionnaire instead of a laptop case — and the fake Castle employee badge clipped to her waistband. Alien entered. Straight ahead were teller booths. To the left, in front of the empty manager’s office, was a desk for his assistant, a pretty brown-haired woman in her early 30s.

“Hi,” Alien introduced herself, holding the clipboard close to her chest. “I’m from central security. I’m here to see Leon Sanders.”

“He’s out,” the woman said, “but he should be back in 30 minutes.”

“Hmm.” Alien looked at her watch. “I still have three other branches to do,” she said. “How about the assistant branch manager?”

“That would be me.”

“Great,” said Alien. “I’m here to do a spot-check of the branch.” This would occur twice a year from now on, she explained. “First I need to ask you a few questions,” Alien continued. “Then we’re going to do a little walk-through together.”

The assistant manager gulped, standing quickly, and then, just as rapidly, sitting down, as she processed Alien’s words. Her eyes flashed on the hip badge, but she didn’t ask for a business card.

Shame. While at Kinko’s, Alien had them print new cards, with a fresh central security title, as she was typing the questionnaire.


Black pen in hand, Alien stepped through her questions, beginning with access: “Who opens in the morning? What time do they get here? What’s your all-clear signal?” she asked.

“Leon or I open at 7.30,” the assistant manager told her. “Whoever comes in first opens the break room blinds. We check all the areas before opening the others. Then we move that plant” — she pointed to a ficus by the front window, visible from the parking lot — “from the left side of the room to the right.”

Alien nodded, outwardly stern, inwardly delighted, and scribbled the answers.

“Do you use bait money or dye packs?” she asked. “Do you have many false alarms? Where do you store your combinations? Are the vault keys locked away?”

More quick questions followed, covering everything from common break times to who settled the ATM. The woman answered them all. Then she opened a locked drawer and gave Alien the log noting any security issues they’d experienced in the last 12 months.

“Can you make a copy of this for me?” Alien asked.

“Of course,” the assistant manager said.

They stood afterward and walked together through the facility, beginning behind the tellers, where the woman pointed out the specific details she’d mentioned in her answers to the questionnaire. From there, they entered a rear file room, only to be interrupted by a teller.

“Yes, Adam?” the assistant manager asked him.

The guy studied Alien. She stiffened, her heart beating so strongly she could feel her pulse in her neck. Had she somehow been caught?

“Can you notarise a car title?” the teller asked the assistant manager.

The woman nodded. “Excuse me,” she apologised to Alien, leaving the “auditor” alone with file cabinets containing the records of the branch’s customers: names, addresses, account numbers, debts, assets, and every single one of their transactions.

In other words, precisely the information that could be mined to commit financial fraud, blackmail, or worse.

“I assume you want to see the vault?” the assistant manager asked when she returned.

“Of course.” Alien nodded, acting like it was a question she got daily. But she knew to make it snappy if she didn’t want an unwelcome meeting with the manager.

Thirty seconds later — less than 20 minutes since she’d entered the building — Alien stood with her pen and clipboard in a cool, dry, thick-walled room, silent as a tomb.

“Very good,” said Alien, running a finger along the rows of safe deposit boxes.

The hard part now was pretending she already knew everything. “So,” she said. “Tell me more about where you store your keys.”

Over the next 36 hours, Alien tried her “random audit” ploy on three more Castle branches in the area, now dealing directly with the managers. It worked at every one.

The manager at the last branch was especially helpful. She told Alien about the back door that was hard to close, the location of the security videotapes and even the combination of the vault. As they left the bank branch file room, Alien saw and took an extra set of building keys. Now, if she had wanted to, she could have treated the branch like her own personal piggy bank.

She returned at 5pm Friday with one of Ted’s actual staffers, Castle’s security lead on the East Coast. The manager was mortified. Not embarrassed, though. Just angry.

“I will hate you forever,” she told Alien the moment her superior was out of earshot.

The words hurt. Alien tried to shrug them off.

Better me than the real bad guys.

EDITED EXTRACT FROM BREAKING AND ENTERING, THE EXTRAORDINARY STORY OF A HACKER CALLED ‘ALIEN’, BY JEREMY N. SMITH (SCRIBE, $35) PUBLISHED ON FEBRUARY 5.
