- Mark Goodwin
Rise of the Locusts Page 2
Kate waved her hand. “Yeah, don’t listen to me. I’m just jealous because I’m 34 and no guys are calling my house.”
“I don’t believe that. What about the guy in your department? Don’t you play video games with him?”
“Albert? Nope! He’s a good IS worker and a good teammate for Black Ops, but that’s where my interest ceases.”
“Black Ops?”
“Yeah, it’s an online multiplayer video game. He plays at his house and I play at mine. I like it that way.”
The server brought their food and they began eating.
“You’re sure about Albert? I know you’ve had issues in the past where you let your social-anxiety thing get in the way of your happiness.”
“No, I’m positive. I feel completely comfortable around Albert, which is good for a friend, but if I like a guy, I’m a wreck. He just doesn’t do it for me.”
Terry finished chewing. “Nobody on the scene does it for you? What about that guy you met at the hackers’ conference in Vegas? What’s the name of it?”
“The conference is called DefCon.” She let her fork rest on her plate. “The guy’s name is Gavin. He emailed me. We play Titanfall together and chat online, but we stick to talking about gaming.”
“He never asked for your phone number?”
She frowned. “He did.”
“And you said no.”
“I did.” She looked down at her plate.
“You have to be brave, Sis. I know it’s risky, but you have to take a chance.”
She shook her head. “Not with Gavin. He’s not the type of guy who would be interested in me anyway.”
“What are you talking about? He asked for your number.”
“Yeah, but just to talk about gamer stuff.”
“Come on, Sis. Guys don’t ask for girls’ telephone numbers just to talk about video games.”
“You don’t understand, I clam up, my heart races, I stutter and shake, my mouth goes dry, it’s terrible. The alternative is that I say nothing, then guys think I’m rude or distracted.”
“Are you still taking Jiu-Jitsu? You said you thought that might help build your confidence.”
“I am and it is; at least in general. Knowing that you can choke someone out makes them less intimidating. But it doesn’t work with cute guys and authority figures. Choking them out wouldn’t usually help matters.”
Terry smiled. “You’re fitting in nicely at work.”
“Probably because they all know I’m your sister.”
“I have no clout in IS. My name means nothing there.”
“It got me a job.”
“No, it got you an interview. Your experience got you the job. Besides, that was just an HR thing.”
“The director of IS asked about you when I got called into the office over that penetration testing exercise I initiated. I have a feeling I would have been in a lot more trouble if I hadn’t been your little sister.”
“They called me about that one. You scared some people.”
“They needed to be scared. IS is tasked with keeping the network secure, but there’s only so much you can do if people aren’t practicing safe online habits.”
“Kate, you hacked the top systems administrator of Sky National Bank and somehow had the email password of the CFO.”
“Private consulting firms would have charged fifty thousand dollars to a company like Sky National to perform that level of penetration testing. I did it for free and got reprimanded for it.”
Terry nodded slightly. “But you embarrassed people. There’s a way to handle things like that. Still, you’re right. It’s what you do and you’re good at it. They should have realized that you were doing them a favor.”
She finished her espresso and started on the second cup which the waiter had left on the table. “It’s fine by me. I’ll just do my job and spend the weekends hunting bugs.”
“Does that pay well? I mean if you identify a vulnerability as a freelancer?”
“It depends on the company. Google, Facebook, and some of the big tech security firms shell out fairly large bounties if you find a bug. But every bug hunter out there is gunning for the big prizes. I usually pick the low-hanging fruit. The payoff is only a couple hundred bucks, but less competition.”
“How do you find companies willing to pay for hacking them?”
“There’s a website called bugcrowd.com. It lists who will pay out bounties.”
“So, how did you hack Sky National?”
“Look around us.” Kate turned from side to side. “Half the people in this restaurant work at Sky National Bank. I brought a backpack with a cell phone jammer and a device called a pineapple. The pineapple piggybacks off of Oak Wood Café’s WiFi and acts as a hotspot. Once people can’t use their cell carrier to check their email or social media, they have to use the café’s WiFi. When they log on via my pineapple’s hotspot, I can see everything they’re doing; including passwords.”
Terry’s mouth hung open in disbelief. “It’s that easy? How do you know they’ll log on via your device? Why wouldn’t they just use Oak Wood’s regular WiFi?”
“Social engineering basically. Oak Wood’s WiFi is named ‘Oak Wood Guest.’ I named the spoofed WiFi ‘Oak Wood High Speed.’ People think they’re logging into the management’s account or something, think they’re getting one over on somebody. It makes them feel smart and technologically savvy.”
Listening, Terry pressed his tongue in his cheek. “Unbelievable.”
Kate’s phone rang. “Hold on, I have to take this.”
She held her phone to her ear. “Hey, Albert, what’s up?”
“Everything is going crazy. Multiple accounts are being drained. I tried to issue a stop payment. I ordered the receiving banks to redeposit the funds, but the money is already gone.”
Kate jumped up from her chair. “Take the system down. Do it now!”
“But all of our customers will be locked out of their accounts,” Albert protested.
“Their money will still be there when we go back online. Albert, we’ve been owned. Take us offline, right now!”
“Okay.”
Kate listened to the sound of Albert’s fingers clicking against the keyboard. She looked at her brother. “Sorry, I’ve gotta go. This isn’t good.”
“Do what you have to do. I’ve got the check.”
“Thanks!” She grabbed her purse and sprinted across the street to the office tower.
CHAPTER 3
The field is wasted, the land mourneth; for the corn is wasted: the new wine is dried up, the oil languisheth. Be ye ashamed, O ye husbandmen; howl, O ye vinedressers, for the wheat and for the barley; because the harvest of the field is perished. The vine is dried up, and the fig tree languisheth; the pomegranate tree, the palm tree also, and the apple tree, even all the trees of the field, are withered: because joy is withered away from the sons of men. Gird yourselves, and lament, ye priests: howl, ye ministers of the altar: come, lie all night in sackcloth, ye ministers of my God: for the meat offering and the drink offering is withholden from the house of your God.
Joel 1:10-13
Kate held her ID badge over the sensor to unlock the door and rushed into the Information Security Control Center. The ambient light of the large monitors, which lined the walls overhead, provided most of the illumination in the room. In order to reduce glare on the screens, dim lights above aimed at the soft tiles on the ceiling, reflecting down in a gentle glow.
Albert and the other IS analysts stood motionless, staring at the screens. Kate needed no affirmation that the bank’s system had been taken offline. The monitors above her head, which usually streamed with constant flows of data, displayed a static image. She’d never seen the large open room so still, nor heard it so quiet. Neither had she felt the sense of impending doom hanging like a dark cloud above the space in which she’d spent so much of her time over the past two years.
Albert turned to face her. He adjusted his glasses and frowned.
Kate pressed her lips together tightly. “Did you call Don?”
“He called here.”
She rolled her eyes. “Great.”
Albert scratched his head nervously. “He said for you to call him right away.”
“Let’s get this over with.” Kate sighed and walked up the stairs to her glass-enclosed office; although, it wasn’t exactly her office. The transparent elevated workspace, which looked over all the analysts on the floor, belonged to the IS shift supervisor. It was hers for now, but once she clocked out, the office which had been given the pejorative moniker, the Crystal Palace, by the security analysts, would belong to someone else. She realized what a nerdy name it was, but like herself, IS personnel were the type of people who liked writing code, studying algorithms, watching sci-fi, and reading epic fantasy novels. Their peculiar culture lent itself to such nicknames.
Kate hated the room. She’d looked upon her predecessors as smug authoritarians and was sure her co-workers saw her the same way. But, the salary was nearly double what she was paid as an analyst. She wondered if it was worth it. Kate picked up the receiver to call the Sky National Chief Information Security Officer Don Lombardo.
She’d known the CISO for over a year but still felt nervous when speaking with him. “Mr. Lombardo, hi, it’s Kate.”
“Where were you?”
“I went to lunch. I came back right away, sir.”
“You’re the person in charge of securing $210 billion in assets. You can’t leave when you’re the shift supervisor.”
“It’s never been a problem before, sir. Albert watches the floor while I go to lunch and take breaks. He has the same level of security clearance as me. He’s even been shift supervisor before.”
“Well, we’ve never had a breach like we had today, so that all changes, effective immediately!”
“Yes, sir.”
“We lost over $3 million in a matter of seconds. And every minute we stay offline, the bigger this problem is getting. We’re bleeding customer confidence, which is the very life force of a bank. Find the breach, patch it, and get us back up and running as soon as humanly possible.”
“Yes, sir.” Kate heard Lombardo hang up abruptly. She wasn’t offended by his rudeness, rather she was happy the conversation had been terminated so readily. It gave her a moment to focus. She stared out at the frozen monitors encrusting the wall before her, like glowing scales on a great dragon. Her mind raced to develop a game plan. She considered the talents of the individual analysts on the floor and parsed out the unique tasks required to get the system secured and back online. Kate allowed herself a full minute to review her strategy before emerging from the Crystal Palace. She pushed the door open and stood on the catwalk above the analysts. “Albert, put a trace on the money that was taken out of the accounts. Find out where the money went. If it was used to purchase goods or services, initiate stop payments. If it was used to purchase cryptocurrencies, get the information of the purchaser, especially if it was in a country that has Know-Your-Customer laws. If so, report it to the appropriate authorities. We’ll never get it all back, but if we can claw back a reasonable amount, even 25 percent, it will make us all look a lot better.
“Linda, run an analysis on the nature of the hacks. Find any similarities that you can. Look for commonalities in the people whose accounts were hacked as well as any correlation between the IP addresses of the hackers.
“Quinton, work with Linda and look over the data that she pulls. Figure out if this is an internal or an external breach.
“Rodney, begin a level-three security reset protocol. Put us back online and require a password change for all online banking customers, complete with a one-time email or text authentication code.”
Albert looked up at her and shook his head. “Don isn’t going to like that.”
Kate made her way toward the stairs to join her team in the recovery effort. “We don’t have any other options. It’s the only way we can go back online without risking more money being stolen.”
Half an hour later, Kate got a text.
Albert looked over her shoulder. “Zachery Mendoza. If I was going to get bawled out, I’d rather hear it from Zach than Don.”
She twisted her mouth to one side. “He wants me to call him.”
“At least we’re back up and running. You’ll have some good news to give him.”
She looked up from her phone at Albert. “Keep working on the recovery efforts. Text me if you get any more money back. Even though this wasn’t our fault, our department is the one that is going to take the heat.”
“Sure thing, boss.” He smirked.
“And don’t call me boss.” She stomped off to the stairs.
“Whatever you say, boss.”
She grunted her displeasure and continued up to her office.
Kate dialed the number for Sky National Chief Data Officer Zachery Mendoza.
“Hello?”
She felt anxious speaking to anyone she didn’t know well, especially an authority figure. “Mr. Mendoza, hi, it’s Kate McCarthy from IS.”
“Hey, Kate. Thanks for calling. We’re putting together a briefing for the board tomorrow morning and I need you to come by my office and give me a first-hand account of what happened today.”
Speaking to the man on the phone was bad enough, but a face-to-face meeting would push her to a borderline panic attack. “Can I explain it over the phone? We’re still sort of mopping up the mess around here. Although, we do have the network back online. Customers have full access to all of Sky National Bank’s services; that includes banking and investment accounts. We’ve also recovered about $200 thousand of the stolen funds.”
“Good work, Kate. I don’t want to pull you away from your responsibilities. Finish your shift, then come by.”
“It could be late when I get out. I’ll have to debrief the incoming shift supervisor.”
“It’s going to be a late one for all of us. I’ll see you when you get here.”
“Sure. I’ll see you then, Mr. Mendoza.” She grimaced and hung up the phone.
It was after 7:00 PM when Kate finally finished for the evening. She spent a few minutes rehearsing what she’d say to the CDO when she arrived in his office. Being prepared before a meeting was one of her limited techniques for controlling her jitters. She took the elevator to the 58th floor where Mendoza’s office was located. On the ride up, Kate practiced her breathing exercises to calm her nerves. She counted to four slowly, inhaled through her nose, held the breath for four counts. Kate then steadily released the breath, counting to four once again.
The elevator doors opened and Kate stepped out. She approached the secretary’s desk. “Hi, I’m here to see Mr. Mendoza.”
“You’re Kate from IS?”
“Yes.”
“Go right in.”
Kate smiled at the secretary, then opened the door. Inside was no less than five C-level administrators. She felt her anxiety threatening to make her freeze in her tracks. Her first instinct was to turn around and run. She could email a resignation letter in the morning and return to hunting for bug bounties in the comfort of her own apartment. But she couldn’t do that to Terry who’d gone out on a limb to get her the job. She had to be strong for him; and she had to be strong for herself.
Kate walked into the room. Don Lombardo glowered at her. His voice seemed to blame her while he introduced her to the others sitting around Mendoza’s office. “Gentlemen, this is Kate McCarthy, she was the supervisor who was supposed to be on the floor when we were breached this afternoon.”
“Supposed to be?” Sky National Bank CEO Xavier Altoviti looked at Kate for clarification.
She glanced at her feet to avoid Lombardo’s accusatory glare. She pulled her arms over her chest as if to protect herself from the steely daggers she felt would surely come next. Kate forced herself to look the CEO in the eyes. “Yes, sir. I’d stepped out to have lunch with my brother. I left Albert Rodgers in charge while I was away. He called me immediately when the breach occurred. I ordered him to shut down the network so we could stem the bleeding. He complied. I’m not sure what else I could have done even if I’d been present, sir.”
Altoviti said, “McCarthy. Is your brother Terry McCarthy?”
“Yes, sir.”
“I love that guy. Kate, please sit down. And don’t be nervous. We’re not here to assign blame. We just need to find out what happened so we can address the board in the morning.”
“Thank you.” Altoviti’s voice put her somewhat at ease. She took a seat as far away from Lombardo as possible.
Mendoza was the next to speak. “Kate, I know you’ve had a long day and must be tired. Why don’t you walk us through what happened today, then you can go home and get some rest.”
“Yes, sir.” Kate proceeded to give a minute-by-minute accounting of all the events that had transpired since she received Albert’s call during lunch. She explained all the data analysis her team had performed since the hack and her reasoning for initiating the level-three security reset protocol which had inconvenienced so many customers by making them change their passwords. She told how the team’s initial findings indicated that the breach had likely been external but that multiple attacks had been carried out all at the same time to maximize the confusion element in the information security control center.
Mendoza rubbed his chin. “You said the breach was most likely external. So you think multiple customers were compromised individually to steal their login credentials, then the hackers hit all their accounts at once?”
“Yes, sir. It was likely rootkits installed on the customers’ PCs through phishing emails. However, it’s not clear how the perpetrators obtained the customer email list in the first place. Since we don’t share customers’ information with third parties, that could have been the result of an internal breach.”
Lombardo interjected. “Phishing scams are used to directly get passwords, not install rootkits.”
Kate blinked toward Lombardo, then back to the CEO. “It’s increasingly popular to use phishing type emails that mimic correspondence from banking institutions like Sky National which have clickable links in the body of the message. Once the customer clicks the link, the rootkit installs and gives the hacker access to the infected device. That’s why our system didn’t detect that the accounts were being accessed by new devices. All of the fraudulent transactions were made by the victims’ home computers.”