The Florentine Deception (37 page)

Read The Florentine Deception Online

Authors: Carey Nachenberg

BOOK: The Florentine Deception
13.08Mb size Format: txt, pdf, ePub

“I agree, but I can't just call Microsoft and ask them to shut down thousands of servers. They'll think I'm crazy, assuming I could even find the right people to call.”

“Call your contacts at the NSA then.” Amir grabbed his phone and deposited it at the edge of his desk. “Call now.”

I habitually reached into my pocket for my smartphone and came up empty.

“Dammit. I don't know how to contact the NSA people I talked to earlier.” I picked up Amir's phone and called my old boss at ViruTrax. His voicemail picked up immediately—he was on the phone with someone—so I left a brief message, recited Amir's number into the handset twice, then hung up.

“He'll call right back. He's obsessive about checking his voicemail.”

“In the meantime, we must think of a backup plan for those computers that are already infected,” said Amir, glancing down at his watch. “On the typical computer, Windows checks the Microsoft Update servers once per day, so roughly one-twenty-fourth of the affected computers would check every hour. So if this man launched the attack three hours ago, up to twelve percent of American computers may have already been infected. Fewer in Israel, where it is in the middle of the night and many computers will be turned off. Even if the NSA can shut down Microsoft's update servers, it won't do anything for those that have already been infected.”

“So the question is,” he continued, “how can we use the Florentine to cure these infected computers? Could we send a cancellation message—tell the infected computers to abort the attack?”

“Not without the right password.” I paged down through Gennady's translation and pointed. “Here. ‘When launching an attack with the Florentine, the operator must specify a password and an authentication key in addition to the attack instructions and targeting parameters. After the attack has been launched, it may only be cancelled or have its parameters adjusted by an operator in possession of this original password and the authentication key of the original attack.'

“Any hint on possible passwords or keys in Sami's notes?” I asked.

Amir sat up in his chair and rifled through the crumpled sheets. “The password could be anything…. I don't see anything that stands out. There is a number circled here,” he held up a Post-It “which could be the authentication key.”

“But that's worthless without the password,” I lamented.

Amir began pacing the room in thought, then stopped. “Ah!” he said brightly. “I have a solution. We can use the Florentine to send a new command to all of the computers, and instruct them to rewind their internal clocks backward a few days, perhaps even a week or a month back. Say we set the internal clocks of all those computers back forty-eight hours. When the trigger time on Wednesday comes around, all the computers will think it's still today, preventing them from launching the attack. That will give the NSA two extra days to properly fix the problem. Or you could fast-forward the clocks to Wednesday, after ten a.m., and bypass the trigger date completely.”

“I considered both options,” I said, “but the document says that the Florentine back door in Windows intercepts all attempted changes to the system clock, and adjusts the trigger time of existing payloads accordingly. So rewinding or fast-forwarding the time won't have any effect.”

Amir's smile dimmed. “Back to the drawing board then.” He glanced at his watch. “Maybe you should try contacting your boss again? Or asking another colleague for the NSA contact number? And perhaps we should experiment with the Florentine software now. That way, should we identify a weakness, we can use it to deploy a cure immediately.”

“Okay,” I said nervously, “but I feel like we're playing with live explosives. We've got to be extremely careful.”

“Don't worry,” he said, “I have no desire to be known throughout history as the man who accidentally destroyed the Internet.”

I pulled up a plastic chair and sat down next to Amir, launching a second round of calls to every ViruTrax extension I could remember, while Amir began his detailed review of the translated document and the accompanying files. John Wong, one of my first mentors at the company and now the company's oldest engineer at seventy, answered just as I was about to slam the handset down on my ninth attempt. I dispensed with pleasantries, asking immediately for Rod's number. Sensing my urgency, John suppressed his usual chatty repartee and pulled up Rod's page in the corporate directory, repeated both his extension and private cell phone number twice for me, and then forwarded me to his work number.

Rod's work extension reverted to voicemail after four rings, so I left Amir's number and was about to try his cell when Amir raised his finger in warning. I cradled the receiver and gestured for him to talk.

“I've changed my thinking. Hear me out. If the NSA shuts down the update servers, there will be no way to distribute a cure using the Florentine system. That means the tens of millions of computers that have already received the attack command will be damaged permanently. That's not acceptable. We have the means to restore all of those computers, if we can just identify a clever cure. You could call your friend Rod, but even if he were able to get hold of the NSA, it would take them hours to safely retrieve you and the Florentine, then additional precious hours to debrief you and understand its operation and attempt to use it to deploy an antidote. By that time, it will be too late. If, as you say, Windows systems check Microsoft's update servers once every twenty-four hours, most of the infected systems wouldn't have a chance to receive the cure until well after the detonation event. No,” he continued after consulting his wristwatch, “the only viable solution is to do this ourselves.”

I considered his argument and came to the same conclusion. He was right; the timing was just too tight, and even a couple hours of delay would subject tens of millions of computers to assured destruction. But the thought of placing hundreds of millions of both nations' computers in the hands of two private citizens was madness. I opened my mouth to raise my objection, but Amir shook his head.

“No, Alex. There is no other option.” Amir took my silence as agreement and continued.

“Now, as we reviewed earlier, the software requires three different parameters to launch a new attack.” Amir double-clicked an icon, and a command shell window popped up on his desktop; he then keyed in “florentine.exe” and hit the Enter key. The computer paused briefly, then a firewall alert popped up:

The software Florentine.exe is attempting to connect to the Internet. Do you want to [Allow once], [Allow always], or [Block]?

Amir ignored the warning, clicking “Allow always” as fast as his aging hands could manage. An instant later, the program printed the following on the screen:

Использование: florentine.exe ключи.dat пароль нагрузка.dat

florentine.exe -o ключи.dat пароль нагрузка.dat

He said, “When you run the software without the proper parameters, it prints out a line that explains what parameters the tool expects the operator to provide. According to your friend's translation, the first parameter,” he pointed to
ключи
, “specifies a data file that holds an authentication key. Without a proper key, the back door in Windows will ignore the attack command. This prevents the system from being hijacked by an adversary. Each cryptographic authentication key can be used just once to launch an attack, and once, if necessary, to cancel a previously launched attack prior to its execution.” Amir clicked his mouse and brought up a second window containing nearly a dozen 256-digit sequences. “Fortunately, the Florentine package came with ten such cryptographic keys—enough to launch ten attacks. These were in the Florentine.keys data file.”

“Like launch codes the President carries around for arming our nukes,” I said.

“Yes. And based on what you've told me, I assume the first few keys have already been used by the Iranian agents, to prepare for and launch their attack.” He picked up one of Sami's yellow Post-Its and pointed to an eight-digit number scrawled at the top. “See. These digits here match the first eight digits of the first key in the file. So my inclination is to start with the last key and work our way up.”

He clicked back on the original window, bringing it into focus. “The second parameter,” he pointed his finger at the
пароль
, “specifies the cancellation password. When you launch a new attack, you must specify a new password. The password is then required, along with the original key, to cancel the attack at a later time. And the third parameter specifies the name of a payload file that contains the details of the attack timing, machine targeting, and the attack program itself. The Controller tool connects to the Microsoft Update servers over the Internet and sends the key, password, and payload to them for distribution.”

“What's the ‘dash-o' for?” I asked.

“That's the cancellation command. If you add a ‘–o' to the command line with the proper key and password, it transmits an abort command to the server. Unfortunately, even though we have the keys used by the Persian operatives, without their password, there will be no way to cancel their previous payload. Our only option is to send a new attack that somehow negates the earlier one.”

We next reviewed how to create a Florentine attack program. Each attack program included a series of instructions that would be executed on each computer at the designated trigger time. An attack program could check conditions on the computer, such as the computer's display language, its address on the Internet, the names of users on the machine, and dozens of others, and then conditionally perform or exclude parts of the attack based upon those conditions.

“There are several example programs in the PDF file—I found them while you were making calls,” he said. “And if necessary, you can launch more-complex attacks using an embedded machine code module.”

“That's probably what Khalimmy and Sami used to trash the firmware chips.”

“Yes, there's no evidence of any built-in commands to alter or destroy the contents of the firmware. They almost certainly had to add a special module of their own to do this.”

Amir consulted his watch again. “So we have roughly nine or ten hours of remaining time to come up with an antidote and upload it to the update servers. If we can do so before ten a.m. tomorrow, that will give the population of machines exactly twenty-four hours of time to retrieve our antidote commands, the minimum duration required for all the machines to connect at least once to the update servers, at least those that are powered on during this period.”

“The big question is how we cancel the attack,” I said, just as a knock came at the door. I spun around in alarm.

“It's okay, Alex. I'm sure it's just a student.” Amir patted me on the back and then walked over to the door, turning the knob three-quarters of the way to the open position, before hesitating and asking, “Who is it?”

“It's Terry. Have you got a second? Johan forgot his password again.”

Amir pulled the door open a crack. “I'm sorry Terry. I've got an emergency I'm dealing with right now. Can you have Johan call up the Engineering helpdesk?”

“I'll tell him but he won't be happy. Last time he spent two hours on hold before someone picked up.”

“I understand. Please apologize for me, and tell him I'll try to stop by later if I have time.” Amir eased the door shut and returned to his chair. “These emeritus professors can't tie their own shoes without assistance,” he snorted, “let alone operate modern computers.”

“Amir, is there any chance we could move to a more secure location?”

“Why? We're perfectly safe here. And no one knows you're here. Correct?”

“Only a close friend. But Khalimmy managed to locate me at my friends' house, and the Russians managed to locate Khalimmy's hideout as well. So I'm not so sure …”

Amir considered this. “I have a small hardware storage room in the Cellar. It's not very pleasant, but it's got power, and only a few people know I've taken over the room.”

“The Boelter Cellar?” I asked. A graveyard for maintenance equipment and other digital detritus accumulated during Boelter Hall's fifty-plus years of existence, the Cellar would be a perfect hiding place. Accessible only from the seldom-visited second-floor atrium area in the middle of Boelter Hall, most students didn't even know the cavernous junkyard existed, or for that matter, how to reach the atrium.

“That would be perfect. Does it have an Internet connection?” I asked.

“No direct connection, but we can use the department's Wi-Fi network. The area is directly underneath the large Boelter 3400 lecture hall.”

“It's settled then. Let's grab some food from the Engineering café and head down.”

Chapter 60

Laden with laptops, power strips and bags of plastic-wrapped premade sandwiches, protein bars, and energy drinks, Amir and I rode the southwest Boelter elevator down to the second floor, rounded the corner, and then stepped down into the atrium. The courtyard's fallen leaves crackled under our feet as we moved silently, both in brainstorming mode, across the open space and to the Cellar entrance.

“Hold this.” Amir handed me his laptop and fished in his pocket for a keycard.

“Wow. This never used to be locked. Hell, the doors used to always be propped wide open when I was a student.”

“Times have changed, Alex.” He shook his head disappointedly. “They put card readers on all of the doors after a rash of computer-equipment burglaries last year.”

Amir slipped the card from his pocket and waved it past the card reader along the right side of the gray metal door; the electronic door lock clicked immediately. Amir gazed suggestively at the handle, so I grabbed it and eased the heavy warehouse-style door open.

Other books

Succubus Blues by Richelle Mead
The Floor of Heaven by Howard Blum
Creatura by Cab, Nely
My Lord's Lady by Sherrill Bodine
The Heiresses by Allison Rushby
The Seventh Day by Tara Brown writing as A.E. Watson