Social Engineer

Authors: Ian Sutherland

CONTENTS

Title Page

Copyright

Dedication

- CHAPTER 1

- CHAPTER 2

- CHAPTER 3

- CHAPTER 4

- CHAPTER 5

ACKNOWLEDGEMENTS

INVASION OF PRIVACY

- CHAPTER 1

- CHAPTER 2

ABOUT IAN SUTHERLAND

SOCIAL ENGINEER

Ian Sutherland

Copyright © 2014 Ian Sutherland

Smashwords Edition

For Laura and Raquel, who constantly remind me through their own actions that in order to live your dreams you must be dedicated and apply yourself. Always.

CHAPTER 1

Six Days Ago

Dr Robert Moorcroft entered his office in the North Wing of HTL’s head office campus. He hung up his white lab coat behind the door and poured himself syrupy coffee from the glass flask. While he had been in the meeting reviewing the latest results of the pharmaceutical company’s new Alzheimer’s drug, the ochre liquid had stewed on the percolator machine’s heating element for most of the morning. He decided it should still be passable.

His mobile phone bleated from the holster on his belt. Unhooking it, he noticed the display showed a mobile number, but not one stored against a contact in the phone.

Immediately thoughts that Madeline, his beautiful wife of eighteen years, had been involved in another car crash raced through his mind. She’d had three in the last four months, but none had been serious. While she hadn’t yet been formally diagnosed, he was intimately familiar with the early signs of dementia, and suspected he should talk her into scheduling a check-up at the local GP surgery. He was dreading facing her initial reaction and the inevitable changes it would cause to their lifestyle, when, no doubt, the diagnosis would be confirmed.

“Hello?” he said into the phone.

“Dr Moorcroft?” The deep male voice sounded serious.

“Yes, who’s this?” And, before he could help himself, “Is Madeline all right?”

“Madeline? No, I’m not calling about your wife, Dr Moorcroft.”

“Who is this?” And, more importantly, how did whoever it was know Madeline was his wife?

“I’m not at liberty to say. You may call me Mr Smith for the sake of expedience.”

“I’m putting this phone down unless you immediately explain yourself, Mr Smith.”

“I work for GCHQ in Cheltenham. Does that name mean anything to you?”

“Yes, but only from the news. Something to do with government spying. MI5 or MI6.”

“Yes, that’s us. Among other things, we’re the agency responsible for providing intelligence analysis based on electronic communications to the other government departments.”

“Okay. But why the hell are you calling me?” And, although Moorcroft didn’t give voice to the thought, why call him on his mobile?

“One of our responsibilities is to protect British economic interests. As part of this remit, we’ve built up a liaison service with many of the larger UK headquartered multinational organisations.”

“Yes?”

“Let me cut to the chase. Does Project Myosotis mean anything to you, Dr Moorcroft?”

It meant a lot. It was HTL’s internal codename for their major Alzheimer’s prevention drug research program; Myosotis being the Greek name for the flowers more commonly known as forget-me-nots. It was the research project the whole company’s future was staked upon. Project Myosotis was about two years away from clinical trials, but initial results were incredibly promising. Moorcroft’s unspoken hope was that, by the time clinical trials were in play, Madeline’s dementia might become a treatable case.

“Maybe,” he said cautiously. “But how do you know this name? It’s not in the public domain.”

“As part of our electronic surveillance program, we’ve been intercepting some traffic relating to Chinese hacker groups. They may be working for large Chinese corporations or could even be state sponsored; it’s hard to tell. It seems that they’ve been targeting IP addresses registered to HTL, Dr Moorcroft. We believe they are attempting to infiltrate your company’s security defences and steal your secrets. I’m calling you now to bring this to your attention so that you can defend yourself appropriately. As I said, it’s not in Britain’s best economic interests for our country’s intellectual property to be stolen by the Chinese.”

“Are you sure HTL is being attacked?”

“Dr Moorcroft, we uncovered the term Project Myosotis from these intercepts. It seems to mean something to you, so I’d suggest that they’re making some progress.”

“But that’s impossible. Our Security and IT departments assure me that we have implemented the very best cyber defences.”

There was silence on the other end of the line. Moorcroft slowly digested the implications.

Smith attempted to placate him. “Even the best defences can still be compromised, Dr Moorcroft. It may be that the hackers have only gained peripheral access. I’m sure your firewalls and intrusion detection systems would have notified you of any unusual activity.”

“Yes, I’ll check with IT.”

“Good. And you could also . . .”

“What?”

“Well, I was going to suggest that you have a penetration test performed, but I’m sure your IT department has those done regularly.”

“Penetration test?”

“Hiring someone to test your cyber defences, as if they were a hacker attempting to break into your systems. It’s the best way to know for sure if you have any weaknesses. If they find anything, they’ll report it to you and you can put new defences in place.”

“I’ve not heard of our IT department doing that, but then I’m not close to their day-to-day activities.”

“Well, there’s pentesting and then there’s pentesting.”

“What do you mean?”

“Given the nature of your business, your company lives and dies by its patents and other intellectual property, yes?”

“Yes.”

“Well, then maybe you should retain the services of one of the best penetration testers in the industry. They’re not all the same, you know. And, if you do it without anyone knowing — especially IT — then it would be a true test. A bit like when you do a fire drill. You don’t warn employees it’s coming, otherwise it makes a mockery of the test itself.”

“I see. That makes sense.”

“It’s like turkeys voting for Christmas. The last thing most Security or IT departments want is to be embarrassed by poor pentest results, so they don’t necessarily do it justice. They just hire large IT security companies to make it look like they’re doing the right thing. But it’s a skilled job and it always comes down to the individuals doing the test.”

“Hmmm.”

Smith had a point. But the most important point was that GCHQ had intercepted the term Project Myosotis from the Chinese. This was serious. As Head of R&D, Moorcroft had every right to protect the company’s interests. No, more than that, as a registered company director, he had a responsibility to protect the company.

It had nothing to do with Madeline’s condition, he told himself.

“Is there anyone GCHQ recommends, Mr Smith?”

“Not officially, but . . .” Smith gave Moorcroft the names and contact details for three independent penetration testers.

“I really appreciate your bringing this issue to my attention, Mr Smith.”

“You’re welcome. Hopefully, you’ll never hear from me again.”

Smith ended the call. And only then did Moorcroft remember that Smith had called him on his mobile number. He supposed Smith had done it to prove how resourceful GCHQ was.

Moorcroft took a slurp from his coffee and almost spat the disgusting, lukewarm, bitter liquid out all over his desk.

He picked up his desk phone and dialled the number at the top of the list.

Today, 8:50am

Avoiding eye contact with the three senior executives sitting confrontationally on the other side of the huge oak meeting table, Brody plugged the projector and audio cables into his top-of-the-line tablet computer. The absence of small talk heightened the sense of tension in the room. Brody thought about saying something, anything really, to break the ice, but then remembered he wasn’t here to make friends or seek their approval. He was here to make a point.

Not that Brody had many friends, well not in the real world anyway.

It was early on a rainy Monday morning in HTL’s head office campus near Shoreham in Kent. The pharmaceutical company’s Research and Development Director, Dr Moorcroft, had yet to arrive. Moorcroft had scheduled this meeting immediately following his reading of Brody’s report on Saturday morning, which Brody had submitted only the evening before. This had rankled Brody because he’d had to cancel his weekend’s plans at short notice, instead using the time to prepare the presentation he was now about to give. And he’d had to set his alarm for some ungodly hour this morning to make it here on time from his apartment in London. He made a mental note to never again submit a findings report on a Friday evening.

A mirror image of Brody’s tablet computer materialised on the large screen at the foot of the table. Satisfied the projector worked, he turned the mirroring off. On the desk next to his tablet, his smartphone flashed the receipt of a text message. He picked it up and saw it was from his girlfriend, Mel, confirming she could meet him for lunch later on. He patted his pocket nervously, feeling the shape of the small item it contained.

With nothing left to do but wait for Dr Moorcroft, Brody studied the HTL executives sat silently across the table: two men flanking one woman. Moorcroft had explained during their phone call on Saturday morning that he would summon the heads of IT, Human Resources and Security to Brody’s presentation. Moorcroft had not provided names but this hadn’t deterred Brody from checking out who they were ahead of the meeting.

He already knew which of them was the Head of Security, having previously researched him as part of the original brief. For the other two, he had browsed through the HTL corporate website and then searched LinkedIn, the ‘business’ version of the social networking site Facebook, to determine who they were and check out their backgrounds. Based on the photos in their publicly viewable LinkedIn profiles, he was pleased to see his quick investigation had narrowed down to the correct people.

The IT Director was called Rob Hall. His LinkedIn picture presented a lean, tanned face with a full head of hair but the photo must have been taken some years before. In real life, Hall was flabby and overweight with an aggressively receding hairline. He wore an ill-fitting light grey suit with open-necked pink shirt and was intently thumbing through messages on his BlackBerry.

The woman was much younger than her two colleagues, who both looked to be in their mid-forties. She was perhaps in her early thirties, similar in age to Brody. Brody had discovered that she was called Kate Wilson and ran Human Resources. She shuffled some papers and peered at Brody over the top of her rimless glasses, stage-managed to give her the air of seniority denied by her relative youth.

The last was Paul Jacobsen, HTL’s Head of Security. According to LinkedIn, he had originally been in the Navy, having served in the Falklands and then, up until a few years ago, had been a senior ranked detective in Greater Manchester Police. He was thin and well groomed, wearing a dark, pinstriped suit, plain white shirt with an inoffensive tie and cufflinks. The job title alone had made Brody believe that the Head of Security would be his biggest obstacle this morning and, watching Jacobsen nonchalantly twirl an expensive Montblanc pen around in his fingers, the impression was reinforced. In fact, having spotted Jacobsen’s shiny tan brogues as he entered the meeting room a few minutes earlier, Brody was now one hundred per cent positive there would soon be a head-on confrontation.

Finally, the door opened and Dr Moorcroft entered, wearing a white lab coat over a grey shirt and tie. He shook hands with Brody and, instead of taking the impartial seat at the head of the table, sat in the vacant chair beside Brody and next to the projector screen at the foot of the table.

That evened things up nicely.

Moorcroft asked the HTL executives to introduce themselves. They each provided their names and titles, nothing more. Before Brody could reciprocate, Moorcroft jumped in. “This is Brody Taylor, an independent security consultant. He’s here to present the findings of a penetration test I commissioned following the recent hacking attacks from China, brought to my personal attention by GCHQ.”

Jacobsen’s expensive pen clattered on the table. “Hold on a minute, Bob. That’s my domain. What gives you the right to —”

Moorcroft held his left hand up to silence Jacobsen.

“What’s a penetration test?” asked Wilson, warily.

Hall turned to her and explained, “A pentest is a method of testing our security defences by simulating computer hacking attacks.”

“Mr Taylor, please begin your report,” commanded Moorcroft.

“Please, call me Brody.”

Brody pressed some keys on the detachable keyboard connected wirelessly to his tablet via Bluetooth. An image appeared on the large screen at the foot of the table. It was a very long chemical formula, with lots of C’s and H’s.
