Read The Director: A Novel Online
Authors: David Ignatius
By two-thirty, James Morris was back at the research center, sending a volley of messages to subordinates on several continents and in several aliases. It helped that he was lit now like a Halloween lantern, and that the anxiety had drained from his body, so that it was pliable again and his mind could think.
Weiss had been messaging from Headquarters, asking where he was. She needed to answer some inquiries from the comptroller, which had required opening some restricted electronic files, using authority she had in Morris’s absence but rarely used. Morris passed over her communications, as he had for a week. Weiss was the bookkeeper. Morris barely registered her activities most of the time. He liked to call her a “fire-and-forget missile,” but in practice this mostly meant “forget.”
Morris had meetings scheduled at the end of the afternoon with two prospective “fellows” of the institute. He was like a team manager before the trading deadline, trying to get all the right players in place. His research budget was elastic; he could hire as many world-class hackers as he could find, to do whatever he instructed. Here in England, he had the incomparably opaque Dr. Li to handle arrangements. Prospective candidates might suspect they would be working for China; perhaps a few thought the real sponsor might be GCHQ in Cheltenham. But it was a rare person who saw the American hand.
The first of these final crash recruits was an Israeli electrical engineer named Yoav Shimansky. He had dropped out of Cambridge a year ago after winning a graduate fellowship, gotten into debt feeding a drug habit and had begun hacking for profit about a year ago.
Morris had begun inquiring about the Israeli after one of his operatives had noticed some artful coding in a hack on numbered accounts at a Swiss private bank. They traced the code back to an IP address in Russia, which in turn linked to one in Israel, which connected finally to the real author of the code in the UK, who turned out to be Shimansky. He had other interesting qualifications: He had served in the Israeli military, which meant that he knew his way around classified systems, and he had visa problems in the UK, which meant that he was vulnerable.
The Israeli candidate was waiting in an interview room on the first floor. Dr. Li’s secretary knocked on Morris’s door and told him it was time, past time, and that Dr. Li had already gone downstairs to meet the visitor. Morris didn’t hear at first; he was listening to a club mix on Spotify; a DJ named Oliver repeated over and over the words: “The night is on my mind.” When the administrator from downstairs rapped on his door, he removed his earbuds. He put his cell phones in the safe, adjusted his wig in the mirror to make sure it fit, put on his goggle-eyed glasses and descended the stairs. He was not an imposing physical presence, in or out of disguise, which gave him an anonymity he had always used to advantage.
Shimansky sat at a table, with a computer screen and keyboard in front of him. Li sat across from him, facing another screen that displayed the same information. The Israeli was scrawny from his drug habit, and had deep circles under his eyes and an unhealthy brackish pallor from spending too much time indoors. He was fidgety in his seat, while Li sat still as a statue.
Morris was rubbing at his nose when he arrived. He took the empty seat next to Li.
“I’m Hubert Birkman,” he said, extending his hand. “I’m the principal engineer. I used to work for Hubang Networks here in the UK. Then I came to the center.” Morris spoke with a mid-Atlantic accent, somewhere between Britain and America.
“I’m Yoav,” said the Israeli. “Unemployed.”
“We know your work. That’s why Dr. Li and I wanted you to come see us today. We do penetration testing at FEARC. We need to get inside our clients’ systems, to show them their vulnerabilities and help them make corrections. We’re looking for people who know how to hack, basically, but aren’t crazy.”
“I heard all that, thank you very much,” responded the Israeli. He spoke from deep in the throat, every word heavy with phlegm, so that he sounded sardonic even when his statements were straightforward.
“Our biggest clients are in the financial sector,” said Morris. “Large banks, some hedge funds, even some central banks.”
“Okay, sure, whatever. I don’t mind.”
“We’d like to see what you can do,” said Morris. “That’s our drill when we interview potential fellows. We want to see you penetrate a system, to make sure you have the technical skills. I assume Dr. Li explained all that.”
Shimansky nodded dubiously.
“I told your Chinese boss I would break into the Bank Gstaad. That’s my demo tape, except it’s not a tape, it’s happening on-screen. I prepare some of it before, but still: You watch, whatever you want. But I have to ask, you are not a cop, right?”
“We have nothing to do with law enforcement in the United Kingdom or any other country. We are a research institute only, with close links to our funders in Asia, of course.” He nodded to Dr. Li at his side. “We will share only with our clients whatever you do for us as a research fellow. Including what you show us today. All that will be in the contract, along with the nondisclosure agreement.”
“How much you pay?”
“Sorry. You go first.”
Shimansky shrugged.
“You have the money. I need the job.”
“So log in.” Morris pointed to the computer. “Today, your username is ‘fellow’ and the password is ‘guest.’”
Shimansky logged himself into the center’s system, which immediately displayed a Mozilla browser.
“Go ahead,” said Morris. “Walk us through it.”
“Okay. So first I go to TOR. You want me to do that, to hide where I am, unless you are crazy.”
“Use TOR, of course,” said Morris, nodding. How quaint that the Israeli trusted the “Onion Router” as an anonymizer. Its triple layers had been peeled back by the NSA, but hackers still swore by it.
“So I pick my target, Mr. Dieter Kohler, a vice president of Bank Gstaad. I do some research on him already, so I know that he is a big traveler, uses all the travel sites and airline sites. So I do ‘man-in-the-middle attack,’ when he thinks he goes to buy airline ticket, giving them his information, he is really going to me, to my proxy server. Here, I show you how the capture worked, on my site.”
Shimansky’s fingers tapped at the keys, and the screen displayed his own Internet site. Then up on the screen came a display that looked exactly like the website of Sitzmark Airlines, a charter company that arranged helicopter ski trips.
“So a week ago Mr. Dieter Kohler goes to Sitzmark Airlines to make charter reservation for this winter. I know he will do this because he did it last year and the year before that; always in October, okay. But when he goes to Sitzmark, thinking it is a trusted site, he really goes to my proxy, which I take from cache.”
As the Israeli typed on the computer, his wan face seemed to come alive. It was like the thrill of any sport; when the player was in the zone, he gave up conscious control to preconscious intuition.
Morris had been following the display closely, but now he broke in.
“How did you get the certificate, so Kohler’s computer would think your dummy was a trusted site? Even this little airline would have Transport Layer Security, right?”
“Of course they have TLS. I have to spoof that. So, I show you. I get certificate from Trustnode. Not direct, but someone I know, he buys one, then gives to an Israeli friend, who gives to another Israeli friend, who gives to me.”
The screen image changed to a screenshot for the certificate authority’s Verisign certificate.
“Nice,” said Morris.
“Now Kohler makes his reservation. He types in all his information, credit card, everything else, thinking this is TLS-protected, but he doesn’t know it’s me. I show you.”
Shimansky brought up more screenshots that showed the capture of Kohler’s basic data, name, address, credit card number, security code.
“So you went phishing, without phishing.”
“You got it, Mr. Birkman. I have all his information. And also, because I own the proxy server, I know the IP address that Herr Kohler is coming from. He shouldn’t be using his company computer to make his personal ski reservations, but, you know, he is like most people, so he does.”
“Got it,” said Morris.
“I even ask Kohler for a password for the charter flight reservation. Because I know maybe he uses the same password multiple times. People shouldn’t, but they do.”
“People are stupid,” said Morris, with a wink that was barely visible behind his oversized glasses. He had already decided to hire the Israeli kid, but he wanted to see the rest of his demo.
“Yes, this is a useful and true fact, Mr. Birkman. So now I have his password, too. His bank is small, so it doesn’t use two-factor authentication, but only static passwords for remote access. And it has stupid employees, who use the same password everywhere. So what do I do now? I go to the Bank Gstaad site and pretend that I am him.”
Shimansky typed some more, and the monitor displayed the Bank Gstaad employee’s screen, in real time. The Israeli typed in the username and password he had stolen from Kohler, and he was in the system, seeing a display of the bank’s proprietary information.
“I am lucky. I see what the bank vice president sees. Here, I show you, these are the numbered accounts that Herr Kohler manages.”
A series of numbers came up on the screen, followed by some large amounts in Swiss francs. All were over ten million; some were over one hundred million.
“But there is a problem,” said the Israeli in a sly voice. “I know the numbers, but I do not know who they belong to. How do I fix that?”
“You tell me,” said Morris.
“Easy. The URL of the bank’s public website is gstaadbank.com.ch. Here it is.”
Shimansky typed in the firm’s Web address and the monitor displayed the client-friendly interface of its website, with the white of the Alps and the blue sky as a background behind the basic information.
“So the bank’s customers come to this site all the time, to check their accounts. They shouldn’t do it, I know, but they do. Okay, so I use a cache version of the real Gstaad site to build a proxy that looks just the same, exactly the same, except that the URL of mine is one letter off. So the address of my dummy site is gstasdbank.com.ch. Here is what it looks like.”
He typed in gstasdbank.com.ch, one mistyped letter, an s instead of an a, an easy mistake to make, and sure enough, up came a site that looked identical to the one before. Like the real site, it asked clients to register the usernames and passwords to get information about their accounts.
“God bless ‘fat fingers,’” said Morris.
“Yes, and I can tell you, Mr. Birkman, that rich people’s fingers are pretty fat. So when they go to the Gstaad site, sometimes they mean to hit that second a but they miss it and hit the s that is next to it. And so they are at my site, and not the bank’s. Here, like I show you.”
On the monitors was a screenshot of a customer’s completed sign-in, with username and password typed to access the site.
“When they go to look at their money, the site crashes, what a pain this is, so maybe they go back again, but this time, they hit the right letters, the a and not the s, and they are back at Bank Gstaad for real, but it’s okay for me, because I have their username and password, and also, I have their IP address.”
The Israeli displayed the IP address information for the Bank Gstaad customer he had most recently hacked.
“So if I do a little detective work on this IP address, I can see that it belongs to Mr. Alireza Najafi-pur, who does his commercial banking through Dubai . . .”
Shimansky typed some commands, and the screen displayed the IP address of a Dubai branch of a global commercial bank.
“. . . but who really lives in Tehran.”
The Israeli typed again, and now the screen displayed the image of a simple commercial website written mostly in Farsi, but an English-language address visible in the upper left-hand corner that showed the firm in question was a food-distributing company based at 3 Dr. Bahonar Street, off Bahonar Square, in the Niavaran district of Tehran.
“So now I know something, eh?” said Shimansky.
“Yes, you do,” agreed Morris.
“But you see, this is really only the beginning of how I can make mischief. Because I can inject SQL into the system of the bank and the accounts of the users, too. And then I really begin to know some things.”
A few more clicks on the keyboard, and Shimansky showed the rudiments of an attack using Structured Query Language that is injected into a database and then can read, write, delete or modify data stored there.
“So this is what I do,” said the Israeli. “And you just watched me do it, so you know this is no bullshit. If your clients need, what, protection against this, okay, I am ready.”
“Roger that,” said Morris. “We’d like to offer you a fellowship. No bullshit.”
“So now I ask again, how much, please.”
“That depends. Our research fellowships begin at a hundred fifty thousand dollars annually. With bonuses, that can go higher. This is for exclusive work. No freelancing.”
“I can make this much at a bank. No way. I stay unemployed, I make more money.”
“Maybe, but you have visa problems.”
“You solve them?”
“Of course. Our institute has many friends here in the UK.”
“Okay, very nice, but a hundred fifty thousand still is not enough. Sorry.”
“Let me ask you a question that might affect how much we can offer you. Did you ever work for Unit 8200 when you were in the Israeli army?”
“What are you? An Israeli spy?”
“Maybe,” said Morris. “But answer my question. Were you in 8200? Did you do any cyber-work when you were in the army?”
“Sure. Of course I did. What you think they would do with someone like me? Turn me into a paratrooper? I have trouble taking a walk on the beach in Tel Aviv with my shirt off, too many people laugh at me.”
“I won’t ask you what you did for 8200, but I take it you know your way around classified cyber.”