Guilty Minds (19 page)

Read Guilty Minds Online

Authors: Joseph Finder

Tags: #Thriller, #Mystery

BOOK: Guilty Minds
3.1Mb size Format: txt, pdf, ePub
52

A
bout an hour later I was back at the hotel. The dining table was covered with electronic equipment—cables and wires and little black boxes and white plastic cards and such. I set down the briefcase I’d brought into Norcross and McKenna.

“How’d it go?” Dorothy asked.

I shrugged. “Fine.”

“No problem?”

“No problem.”

“You get the briefcase close enough to a keycard?”

“I think so.”

“Let’s see what you got.”


The day before, Mandy had made her own undercover visit to the same law firm.

She’d entered the building where the firm was located with the morning rush, tailgating on someone who was entering. She took the elevator to the fourth floor and briefly stood outside the firm’s glass doors
and took pictures with her smartphone, as subtly as she could, of the little black box mounted on the wall next to the glass doors.

Then she went right in to the firm’s offices and told the receptionist that she lived just down the street and was looking for temp work, and asked what agency they used to hire their temps. She spun a story about having a young child at home and needing to find work in the neighborhood. The receptionist gave her the name of an employment agency but apologized that there was nothing available at the time, so far as she knew. Mandy thanked her, and that was that.

Now Dorothy examined the photos on Mandy’s phone.

“Okay,” she said, “this is good. They’re using an HID system like just about everyone else uses. Almost certainly a low frequency 125 kilohertz system. Like eighty percent of the keycard users in the world.”

“Why is this good?” I asked. When it comes to technology, I long ago stopped worrying about sounding stupid. I ask, and Dorothy explains. This kind of technology is her forte. She enjoys being smarter than me, and I don’t mind it a bit.

“Because a couple years ago there was an interesting talk at Black Hat USA about how to defeat it.”

“How involved is this? You think we should bring in Merlin?”

Merlin’s real name was Walter McGeorge, an old army buddy who’d been a commo sergeant on my Special Forces team and later became a TSCM specialist, an expert in technical surveillance. He lived in the area, in Maryland. When I lived in DC I used to bring him in frequently to help me on jobs.

“You don’t need Merlin for this,” she said. “I promise. I can set it all up for you myself. Plug-and-play. Easy.” She tapped at her laptop. “Here we go.” She turned her laptop’s display toward me. It was an eBay page with a lot of listings, pictures of what looked like square boxes.

I recognized them. They were proximity readers, also known as badge readers. They’ve become ubiquitous in the corporate world. They’re the little black boxes mounted next to office doors at which you wave your plastic keycard to gain entry. You also see bigger versions of prox readers at the entrances and exits to parking garages. They allow drivers who have the right keycard to pass right through.

“I know what a prox reader is,” I said, “but I don’t see how that gets us in.”

“Okay. I buy one of these long-range RFID readers and do a trivial amount of futzing around to weaponize it. Stick in a PCB, a circuit board, and twelve double-A batteries. Like that. This thing can read a badge from three feet away, normally. So pay a visit to Norcross and McKenna, and you bring it in, in a backpack or briefcase, and just make sure to be within three feet of someone who’s got a badge around her neck or on his belt.”

“Then what?”

“You don’t need to know how it works. It’ll read any Wiegand protocol card that gets close enough. It captures the data on the keycard. When you get back here, I download the data and write it to a blank keycard, and that’s all she wrote. We’ve cloned the key to their front door.”

“Hold on,” I said. “Those things beep when they read a card. Am I going to be beeping audibly whenever I get near someone’s keycard?”

She smiled. “You do think ahead. Good question, and thanks for mentioning it.”

I shrugged. “Just another accidental flash of brilliance.”

“I’ll toggle a dipswitch in the thing to turn off the beep sound. Anything else?”

“Foolproof?”

“Well, idiot-proof. You should be okay.”

She placed an order through eBay with a company in South Carolina and one in Eagle Mountain, Utah, and requested overnight shipping, and the next day several large boxes arrived at the hotel, and we were in business.

53

N
ow, Dorothy took the briefcase, unzipped it, and pulled out the badge reader. It was about a foot square by an inch thick. It was a long-range 125 kilohertz MaxiProx proximity card reader manufactured by the HID Corporation, the Texas-based company that makes most of the keycards and readers used in corporations around the world.

She turned the thumbscrew on top of the box and removed the front cover. She popped out the micro SD card and stuck it in her laptop.

She blinked a few times. Then she smiled. “You captured four separate cards.”

“The receptionist, the partner—Ashton Norcross—and probably a couple of employees I was next to in the elevator on my way out,” I said.

She nodded. “I don’t know if there are levels of access, but Norcross is a partner, and he’ll no doubt have the highest level. We’ll clone his.”

Dorothy and I went through everything I’d observed on my visit to the firm—the placement of the CCTV cameras, which areas appeared to be separately locked, and what kind of security protected the vault, which they called a strong room. “The vault is locked separately with a Kaba Simplex mechanical push-button lock,” I said.

“Know anything about them?”

“Come on. This is why I want Merlin now. It’s at least a two-man job.”

She shrugged. “Okay. Now here’s an extremely cool piece of hardware called a Rubber Ducky.” She handed me something that looked like a thumb drive.

“A Rubber Ducky.”

“Correct. I know it sounds silly, but it’s dead serious. You plug this into the USB port of any of their computers and it goes to work.”

“I’m going to need you to come along and help me deal with this thing.”

“That’s the beauty part, Nick. It’s fire-and-forget.”

“What happens when I plug it in and some antivirus program comes up? Which is likely.”

“Someone’s been paying attention in class. But that’s not going to happen. This is configured to be an HID, a human interface device, like a mouse or a keyboard. The computer will detect that it’s an HID and trust it.”

“Okay. So I plug it in—then what?”

“It immediately injects code at a thousand characters a minute. It creates a shell on the network, and pretty soon it’ll give us root-level access. It runs something called Metasploit that looks for weaknesses in the software. It creates a username and password. And then . . . I’ll be able to get onto the Norcross and McKenna server from here.”

I picked it up, toyed with it, and put it down. “If you’re right, this really is cool. Just plug-and-play, huh?”

“Well, I’ve got to do a bunch of programming on it this afternoon to deploy the payload. But it will be.”


Merlin—I never called him Walter—was short, maybe five feet seven, and lean. His physical type was surprisingly common in the Special
Forces. He had a black buzz cut with some gray starting to move in, a pushed-back porcine nose, and a thin black mustache. The vertical lines carved into his forehead between his eyes made him look angry.

He had no family, as far as I knew, and one singular devotion: sport fishing. He lived in Dunkirk and kept a boat in the Harbour Cove Marina, in Deale, and was always out on the water. I reached him onshore, though, and told him about the job. It was a simple black-bag job of the sort he and I had worked several times before. I offered him a couple thousand bucks, double if we encountered any surprises, and he quickly agreed. His TSCM business was slow, and evenings he was never busy.

In the afternoon I did a bunch of errands, picking up everything we could possibly need. We rendezvoused at a dive bar in a strip mall in Leesburg around midnight. He’d chosen it because it had a separately ventilated smoking section, which was permitted because of some loophole in Virginia law. Neither one of us had anything alcoholic to drink; wanting to keep sharp for the job, we both had Cokes. We sat at a booth. He smoked continuously.

I showed him the Halloween masks I’d picked up from a costume store, transparent masks, one of a young man, one of an old man. They both transformed our appearances, made us unrecognizable. Merlin insisted on wearing the young mask. In the bar’s restroom we changed into the navy polo shirts with the Compuservice logo on the left. I had toolboxes for each of us to carry in.

This was the part of a black-bag job that always jazzed me: the preparations, thinking of every eventuality, everything that might go sideways. The high-wire tension. Assembling equipment, making lists, making sure that if we were caught, we’d have a way out.

But you can’t ensure everything. Things go wrong.

Shit happens.

54

I
t was a few minutes after two o’clock in the morning. The parking lot was dark and almost empty. A cold wind whipped our faces. The only lights on in the building, as far as I could see, were in the lobby, where a lone security guard sat at a counter and probably was browsing aimlessly on the Internet.

The front door to the building was unlocked. We passed the guard, and I said, “Good evening, or is it good morning?”

The guard smiled and gave us a sort of salute. We were confident, we knew where we were going, and we looked like we belonged. He probably assumed we were computer nerds coming to solve some middle-of-the-night crisis. We headed for the elevators. That was the limit of building security. Easy.

We got off the elevator on the fourth floor. The hall was dimly lit. We quickly came upon the entrance to Norcross and McKenna. The glass doors were dark. Apparently no one was inside. That had been a worry of mine: Lawyers often work very long hours. At midnight I wouldn’t have been surprised to find someone toiling there, a lone beleaguered partner, even several associates. At two in the morning, there was less chance of encountering someone.

I pulled our masks out of my toolkit and handed the young man one to Merlin. I put on the old man mask. I’d noticed earlier that there was a CCTV camera just inside the glass doors, pointed at the entrance. From now on we were being photographed. Our ball caps and masks made it impossible for the cameras to record our likenesses.

I waved my cloned keycard up to the card reader, a little black box mounted to the wall next to the glass doors. I bit my lip.

The little light switched from red to green and it beeped. I pushed the door and it came right open.

Until that moment, when something relaxed inside me, I hadn’t been aware of how clenched with anxiety I’d been.

There was low-level emergency lighting here in the office, just like in the hallway, so although it was dim, there was just enough light to make our way. I knew where I was going.

I led Merlin through twisting corridors to the strong room. The door appeared to be wooden, mahogany, like all the other doors in the firm, but I knew that it was actually a sandwich of wood over several inches of high-grade steel. This was not a room you could slip into through the air-conditioning ducts and the ceiling tiles. There was no dropped ceiling. The wall, floor, and ceiling were reinforced concrete, Norcross had told me proudly, eight inches thick. Not only was the room fireproof, but it was protected against intrusion.

Merlin knocked on the door a few times and chuckled at its dead sound. He glanced at the steel lever attached to the Simplex lock, a vertical row of five steel buttons. He nodded and ran his fingers down the buttons. It was a familiar lock, the sort of thing you see inside all sorts of businesses, including jewelry stores and watch shops and casinos. FedEx uses them to secure their drop boxes.

“You start working on this,” I told him. “I’ll head over to Norcross’s office.”

“Don’t go anywhere,” Merlin said. “This shouldn’t take more than a few seconds.”

He unlatched his toolbox and pulled out a small cloth bag. From the bag he drew an oblong block of metal about two inches by three inches. “Watch,” he said. He placed the shiny metal block on the side of the Simplex lock. Then he grabbed the lever and tried to turn it. Nothing happened.

“Shit,” he said. “They fixed it.”

“What are you doing?”

“This is a rare-earth magnet. Neodymium. A couple of years ago some security expert figured out that if you put one of these next to the Simplex lock, it messes with the combination chamber and unlocks it right away.”

“Doesn’t look like it’s doing anything.”

“Yeah. They must have upgraded to one that uses a non-ferrous metal inside. Oh, crap. That would have been too easy, wouldn’t it?”

“Now what?”

“We do it the old-fashioned way.” He pulled a folded piece of paper from a pocket. It had a long column of numbers on it. “This could take fifteen minutes or so.”

“If you get lucky,” I said.

Merlin grunted.

The Simplex had five buttons, which could be pressed in any order. But it had one rule, one weakness: Each number could be used only once per combination.

That meant that the Simplex lock had “only” 1,082 combinations. I don’t know how this is calculated, but I know that math teachers sometimes give their students the “Simplex math problem” to solve: how to calculate the number of combinations for the five-button Simplex lock.

“I can shorten the time a little,” I said. “I saw Norcross push four buttons, not five.”

“Oh yeah?”

On the piece of paper he’d just taken out was a list of all possible combinations for the Simplex five-button mechanical lock. Now he was going to run down the list and enter each four-digit combination.

Seriously. I thought we’d be lucky if it only took him fifteen minutes.

I tested our walkie-talkies one last time and then left him there pushing buttons. I took out my penlight and wandered the corridors until I found Norcross’s office. The door was closed, as I expected. The plaque on the door said
ASHTON NORCROSS
in black letters on gold. I waved my keycard at it, and it beeped and the red light turned green.

There was no CCTV camera in here, as far as I could tell, but I didn’t want to take a chance, so I kept my mask on. What if there was a well-concealed camera? Not likely, but possible, and I didn’t want to risk being photographed.

It was starting to get hot and sweaty inside the mask. Perspiration was dripping down my face.

I remembered from my earlier visit that there was a credenza behind the desk that had books and keepsakes on display and a lower hutch section that looked like a file cabinet. I figured that might be where he kept active files on matters he was currently working on. It wasn’t locked, but inside, disappointingly, were a few reams of printer paper and nothing much else. I turned around and surveyed the desk. There was not much on top of it except a pen set, a lamp, a few knickknacks, and a computer monitor.

I squatted down, searching with my penlight, and located a computer tower underneath the desk, pushed to one corner. It grunted quietly. I found a USB port and inserted the Rubber Ducky.

Dorothy had instructed me to keep it plugged in for at least ten minutes, though it would probably finish its work within five.

Then I stood back up and checked the drawers of Norcross’s desk, looking for a sticky note with numbers on it. You’d be surprised how often I find combinations to safes or passwords to computer accounts scrawled on Post-it notes or scraps of paper. We all have too many passwords and numbers to remember nowadays, and he couldn’t be expected to have the combination to the strong room memorized. But there was nothing here. Good for him. He practiced good security hygiene.

Then again, I considered, there was his executive assistant’s desk just outside, an even more likely place for one of those sticky notes. I left Norcross’s office, headed to his assistant’s desk, and searched her drawers, and the underside of the drawers, and her computer monitor and keyboard—all the usual places.

But nothing here either. Both Norcross and his assistant were good doobies.

So what about the other name partner, McKenna? Maybe he was sloppier.

I followed the corridor to the next corner office, and sure enough, the plaque on it read
JAMES MCKENNA
. I waved my keycard at the reader mounted to his doorjamb, but nothing happened. It was keyed separately, no surprise. I rifled through his assistant’s desk. This one was sloppier, the desk drawers jammed with extra supplies like boxes of paper clips, printer cartridges, tape, staples. It took me longer to go through this cluttered desk, more false alarms, pieces of paper to examine, but I still ended up without the combination to the strong room.

I looked at McKenna’s office door and stood there in silence, thinking for a moment about how I might try to get in.

Then my walkie-talkie came to life and I heard Merlin’s voice. “I’m in,” he said.

Other books

Outside Eden by Merry Jones
Demelza by Winston Graham
Storm Gathering by Rene Gutteridge
User Unfriendly by Vivian Vande Velde
Justifying Jack (The Wounded Warriors Book 2) by Beaudelaire, Simone, Northup, J.M.