Rise of the Locusts Page 3
“Doesn’t anti-virus software protect against that kind of stuff?” CFO Nick Hampton asked.
“Not if it’s a zero-day, sir,” Kate answered.
“What’s a zero-day?” Hampton inquired.
“It’s a threat which hasn’t been identified by any cyber security firm yet. It has been protected against by anti-virus software for zero-days,” she said.
“So have we found the bug? Can we keep this from happening again?” Mendoza asked.
“Not yet. I’ve spoken to several of the victims over the phone and many of them have granted me remote access to their computers. I have friends in the cyber-security industry who are willing to help me find the malicious code.” Kate crossed her hands.
Lombardo stood up. “Oh, no. You’re not bringing in outside contractors. We have to keep a tight lid on this thing. If word gets out that we had a breach this big, people will start pulling out of Sky National immediately. Then the stock price will get hit and the dominoes will just keep falling.”
“Wait a minute, Don.” Xavier Altoviti held up his hand and signaled for Lombardo to take his seat. “I want to hear what Ms. McCarthy has to say.”
Lombardo sat down but continued to protest. “Mr. Altoviti, I can assure you this is a project that my department is more than capable of handling on our own. We don’t need any help from outside firms.”
The CEO tightened his jaw. “Don, I brought you on to this position because you had a very solid background in administration, even though you didn’t really possess the technical knowledge that a CISO would typically bring to the table. I had expected that you’d study up and get proficient with information security, but I’m beginning to realize that it takes a certain personality type who understands the nature of the risks inherent to the modern age of total connectivity. I may have asked too much of you. I want to take ownership of that mistake.”
“Not at all, sir.” Lombardo piped down and shut his mouth.
Kate understood what Altoviti had said to Lombardo to be boardroom speak for start getting your resume together. She tried not to let her amusement show over Lombardo’s dressing-down. Instead, she humbly said, “It wouldn’t be outside contractors, sir. These are personal acquaintances of mine who would respect our need for confidentiality.”
The CEO said, “Okay, I’ll green-light that operation. But please, make sure everyone in your department understands that we have to keep this close to our chest. We haven’t figured out how we’re going to handle this just yet. If we take it to the FDIC, the breach immediately goes public. Just what we’d lose in the stock price could easily eclipse what was stolen, not to mention lost revenue from a severe cut in our customer base. Heck, we’d probably shell out more in damage control than what was siphoned off in today’s attack. Our in-house PR department couldn’t contain a mess this big.”
CFO Nick Hampton added, “We’ve got a rainy-day fund that could cover most of today’s losses.”
Kate hesitated but finally said, “It’s not much, but I’m confident we’ll be able to recover at least another $100 thousand.”
Chief Data Officer Zachery Mendoza turned to Kate. “We appreciate your offer to have your friends look into the malicious code, but what’s in it for them?”
She blushed. “They . . . well, we, I should say, are a bunch of computer nerds who are into that kind of thing. It’s sort of a game to us. One gets a certain level of street cred in our community for being the first to identify a virus like this.”
Mendoza grinned. “We’re fortunate to have you at Sky National Bank.”
Xavier Altoviti snapped his fingers. “Wait a minute, aren’t you the girl who hacked Nick’s email earlier this year?”
Kate’s heart stopped and her mouth went dry. She looked down at her fingers which were nervously interlaced. “Yes, sir.”
Altoviti began laughing. “I thought so.” He turned to Nick Hampton. “Nick was all shaken up over that little prank, but I’ll admit, I got a kick out of it.”
“I assure you, sir. It was not intended as a prank.” Her voice cracked.
The CEO stood up and walked over to her. He sat next to her and put his hand on her back. “Relax, Kate. We weren’t expecting it, that’s all. But you were right. You mentioned that the customer email list could have been obtained via an internal breach.” Altoviti looked around the room. “Maybe if we’d paid attention to you back then, today’s debacle could have been avoided altogether.”
She looked up at Xavier Altoviti.
His eyes met hers. “Once the smoke clears from this train wreck, I’d like you to put together a corporate memo on habits we can form that will keep the bank safer in the future. Will you do that for me? I’ll make sure you’re well compensated for your efforts.”
“Of course, I will, Mr. Altoviti.” She’d just gone from thinking she was about to be fired to getting what amounted to an unofficial promotion. Her emotions were raw; and between the double shift and the extra hours, she’d just worked nineteen hours straight. She welcomed the adjournment of the meeting and looked forward to her soft, comfortable bed.
CHAPTER 4
Alas for the day! for the day of the Lord is at hand, and as a destruction from the Almighty shall it come.
Joel 1:15
Wednesday morning, Kate shut off her alarm clock and forced herself to get up. She was still exhausted from the previous day. Once out of bed, she checked the Wire app on her phone. Sure enough, she had a message from Gavin. Her heart sparked and she suppressed a grin. Connecting with him on the encrypted messaging service was a big leap for her.
I heard your bank had some technical difficulties yesterday. Wondering if we’re still on to play Titanfall tonight.
She twisted her mouth to one side and messaged him back. We’re still on. Might have to work late so it could be after eight by the time I get online. Just a glitch at work. No big deal.
Kate put her phone on the counter and turned on the television. She turned on the coffee maker and made herself a bagel with cream cheese for breakfast. She poured a glass of orange juice, paying little attention to the news until she noticed the Sky National Bank logo on the screen. She quickly grabbed her juice and bagel, making her way to the couch.
She put her breakfast on the glass-top coffee table and turned up the volume.
“Two million Sky National Bank customers were frozen out of their accounts yesterday afternoon in what a company spokesperson is calling a temporary service outage. Once customers were able to access the bank’s website nearly an hour later, they were forced to reset their passwords and authenticate their identity via text or email. Some have speculated that the mega-bank may have experienced some type of security breach, but no concrete evidence has been provided to confirm the rumors.”
Kate’s phone buzzed. It was a message from Gavin. Turn on CNN.
She messaged back. Already watching.
Glitch?
She messaged back with a mouthless emoji.
Gavin responded. We need to talk. Can I call you?
She froze up. Unable to respond. Kate practiced her breathing exercises for a few minutes.
You still there?
She braced herself and forced a reply. Okay. When?
Now?
Kate immediately wished she hadn’t said okay. Certainly not now. She needed time. She had to prepare, to think about what she’d say, how she’d act. Talking to Gavin wasn’t something she could just do on the spur of the moment. But what if she waited? The anxiety would build and it would hang like a cloud over her head all day, on a day that she needed to be more focused than ever. She messaged him back.
I’ve got to get ready for work. Can you give me twenty minutes? I can try to talk on the way to the office. This would give her an out if she got too frazzled. She’d blame it on heavy traffic which was a daily truth in downtown Atlanta.
What’s your number?
She froze again. Why couldn’t he just call her via the Wire app? If she gave
him her number that was tantamount to saying that she liked him. She could never admit a thing like that, not to someone like Gavin. But even more frightening was the thought of seeming weird if she didn’t give him her number. She typed it in and hoped he wouldn’t call.
Kate rushed to get ready so she could be out the door and in her car before Gavin called; if he called.
Fifteen minutes later, she was in her blue Mini Countryman and on her way to the bank. The Countryman offered all-wheel drive and slightly more room than the typical Mini Cooper. Kate purchased it for the rare Atlanta snowstorm and her annual pilgrimage to the Waynesville, North Carolina cabin on four acres, which her father had left to her and her two brothers. Terry always took his family to the cabin for Christmas. Kate joined them each December. Her younger brother, Boyd, typically did not.
Her phone rang and she braced herself for the uncomfortable ordeal of talking directly to a guy that she really liked. She pressed the speaker so she could talk and drive. “Hello?”
“Kate, I can’t believe I’m actually talking to you on the phone.”
“What’s the big deal? You talked to me at DefCon. And we talk to each other in Titanfall.”
“Yeah, but this is different. When you shot me down at DefCon I didn’t think I’d ever get your number.”
“I didn’t shoot you down.”
“You wouldn’t give me your number. But that’s cool. I understand, you probably have a boyfriend or whatever. Anyway, I just wanted to know if you could tell me anything about what happened at work. Since I work in information security at Bank of America, I was wondering if there’s anything I should be looking out for. I mean let’s be honest, I know it wasn’t just a glitch.”
She was quiet for a moment.
“Hello? Are you still there?”
“I don’t have a boyfriend.” Immediately, she regretted her awkward reply.
Now Gavin’s end of the phone was silent.
She attempted to redirect the conversation which was quickly coming off the rails. “I mean, that’s not why I wouldn’t give you my number. It’s just that I barely knew you.”
“Yeah, sure. Whatever.” Now Gavin sounded nervous. “I totally understand.”
Kate composed herself. “I guess it would be prudent to have all your customers reset their passwords.”
“Okay, so it wasn’t a glitch.”
“I thought you already knew that.”
“Not for sure, but I do now.”
She blew out a deep breath. “I can’t say much else about it.”
“I totally get that.”
“Unless.”
“Unless what?”
“We haven’t identified the malicious code. I have permission to share access to the infected computers with trusted people who have the skills to find the banking Trojan and block it.”
“What do you mean you haven’t identified the code? Are you talking about a zero-day?”
“Yeah.”
“No kidding! I’d love to get a chance to help find the virus. So, are you saying I’m trusted people?”
“I don’t know. Are you?”
“I run the night shift for IS at Bank of America’s corporate office here in Charlotte. I guess they think I am.”
She’d loosened up considerably during the short conversation. “Yeah, but they’ll hire anybody.”
“Give me a break! So, am I in?”
“I’ll have to think about it.” She enjoyed teasing him, once her collywobbles died down. “Do you have Signal on your desktop? If we’re going to talk, it has to be secure.”
“I have Signal at work. I can install it on my machine at home. What time?”
“Is 6:00 good?”
“Yeah. I have to leave for work at 10:30 tonight, so I’ll have a few hours.”
“Okay, I’ll talk to you then.” She ended the call and felt a rush of exhilaration over the evening’s coming online encounter.
Kate arrived at work a few minutes later. When she walked into the control center, she was met by Zachery Mendoza. “Mr. Mendoza, it’s a pleasure to see you again.”
“Thanks, Kate. You’re still in charge today, but we’ve brought in a few extra people from IT who will assist your team with anything they might need. Until we can identify the malware, we can’t be sure that we won’t have subsequent breaches.”
“You’re correct, and we can certainly use the extra eyeballs watching for unusual activity.” She looked at him. “Pardon me for asking, but wouldn’t Mr. Lombardo typically be running oversight for information security?”
Mendoza cracked a grin and signaled for Kate to lead the way up the stairs to the Crystal Palace. “He would, but Don is taking a couple days off.”
“At a time like this?” She glanced back before ascending the stairs.
“I’m not sure it was his decision.”
“Oh.” Kate knew better than to ask for more details.
Once they arrived in the upstairs office, Mendoza asked, “If Albert ran the floor today, would you be able to get a jump on going through those infected computers?”
“Sure.”
“You mentioned yesterday that you might know some other people who could help us out. I looked over your resume. You listed that you’d done some freelance work, hunting for vulnerabilities; bug bounty hunting, I think it’s called. Would that also be an accurate description of the people you were speaking of?”
Kate replied, “Yes, sir, but some of them would do it for the thrill.”
“That’s quite kind, but we’d like to add an incentive. If you can find the Trojan horse and block it, we’ll pay you a $10,000 bonus. Plus, we’ll pay $5,000 to each of the people who help you, up to twenty people.”
“You’re very generous, sir. But I doubt I know that many white-hat hackers. More like three or four.”
“Very well. Is this office a good workstation?”
“Not really. I need a Linux machine, and I need a fast one.”
“I’d be happy to get one for you.”
“Getting it set up would take the better part of a day. I have a really good system at my apartment. It’s configured for scanning code remotely. Would you have any objection to me working from home?”
“Not at all. What about your team? Will they work from your place?”
She laughed, “No, they’ll work remotely. Vijay, he’s in Boston. He works for MIT. Then there’s Shu, she’s in San Francisco, and Willow is in Denver.”
“So it will just be the four of you?”
Thinking about Gavin, she felt nervous. “I might have another guy on the project as well. He works for B of A, corporate HQ.”
“In Charlotte?”
“Yes, sir.”
“Okay. I trust your judgment. Do what you need to do, and I’ll hold down the fort.”
“Thank you, Mr. Mendoza.” Kate left the office and made her way down to the floor.
Albert met her at the bottom of the stairs. “What’s going on? We’re tripping over these IT guys. They don’t understand information security.”
She rolled her eyes. “They understand it a little better than people from accounting would.”
“Barely,” he said snidely.
“Well, they’re here to help, and you’re in charge, so find them something to do.”
Albert pushed his glasses up on his nose. “I’m in charge? Where are you going?”
“To look for the bug that caused this mess.”
On her way home, Kate began calling all of her white-hat hacker friends. She called Vijay first, he would be the most excited about the opportunity. Being tenured in academia meant that Vijay could set aside his classes for a few days to pursue a pet project without being hassled.
Shu was next on Kate’s list, knowing that she’d have to carve out some time from her tech-startup security consulting business.
And finally, there was Willow, an extremely smart trust-fund kid who did what she wanted, when she wanted, if she wanted.
&nb
sp; Kate was home when she’d finished her three recruiting spiels. She had but one more call to make.
Once inside her apartment, she dialed Gavin’s number.
“Hello.” His voice sounded groggy.
“Hey, it’s Kate. I’m sorry, did I wake you?”
“Yeah, I’m trying to find a zero-day exploit buried in who knows how many lines of code tonight, then I have to work the graveyard shift at the bank. I thought I might take a short nap. Tell me I didn’t make a mistake by giving you my number. You’re not an obsessive stalker, are you?”
Her face went hot, then cold, stunned at the accusation. “What? I gave you my number. I’m sorry I woke you, but don’t flatter yourself, I’m not stalking you.”
“Relax. I’m joking.”
“Oh, right. Sure.” She felt even more embarrassed at being so quick to defend herself.
He yawned. “Anyway, I couldn’t get that lucky.”
“Lucky how? To get a nap?”
“No, to get stalked by someone like you.”
She recognized a quirky computer-geek compliment when she heard one, but figured he was probably still kidding around. “I just wanted to let you know that my boss let me leave early to start hunting the bug from home. I’ve talked to the rest of my team, and we’re going to go ahead and get started.”
“Who’s the rest of your team?”
“Willow and Shu. They were the two girls with me at DefCon last month.”
“Yeah, I remember them.”
“And Vijay. He was at DefCon the year before but didn’t make it this year.”
“In that case, I better fire up my machine. I don’t want this Vijay guy cutting in on my action.”