Breaking and Entering

  Now, she had her chance.

  Amy, who had helped Alien track the worm, opened for her presentation a week later. The meeting room was now crowded with the hospital’s entire Windows, UNIX, network, and information security teams. “Voice over IP is voice data converted to digital format,” Amy began. “It’s encapsulated in IP”—Internet Protocol—“packets and transmitted across the network.”

  Amy continued. “This is what all office phones will be soon, the same way cell phones are replacing landlines. The promise is, now you can change offices, take your phone with you, plug it into a computer, and it will work instantly—just like email,” she said. “Adding new numbers is just as easy. And going through the Internet, not phone lines, saves Mayflower a lot of money.”

  On a wall monitor behind her, Amy showed diagrams of the new phones, using a demo model plugged into the presentation laptop as a point of reference.

  “VoIP works by dividing a single network line into separate virtual domains, one for regular data traffic and one for phone data,” she explained. “You know which is which because phone data is ‘tagged’ as such. In theory, then, only other phones can receive it.”

  Chris, the UNIX team leader, crossed his arms. “In theory?” he said.

  Alien took this as her cue and stood. “I’m coming at it from the bad guy’s perspective,” she said, taking over at the presentation laptop and flicking to a new slide. “VoIP Security,” it said. “C-I-A.”

  The acronym was InfoSec 101. Alien had picked it up at work at MIT. “That’s confidentiality—can I eavesdrop on calls, monitor conversations in a room, or track phone calls?” she continued. “Integrity—can I modify phone calls or spoof caller ID? And availability—can I disrupt the phone system, spam people with it, or steal free phone calls?”

  She opened a free Windows program called Cain and Abel, described by its developer as a “password recovery tool.” Alien clicked once to start its “Sniffer” function—a Mood Ring for the masses in that it secretly recorded network traffic.

  “Does anyone have a cell phone handy?” she asked.

  One of the Windows team members waved his.

  “Here’s the phone number,” Alien said, passing him a piece of paper.

  He dialed. The demo VoIP phone rang and Alien answered.

  “Hello?” she said.

  “Hey,” the guy said awkwardly.

  “Tell me you’re pregnant,” said Alien.

  “I’m pregnant,” he repeated as everyone else chuckled.

  They hung up and Alien showed Cain and Abel’s running count of captured packets.

  “So, yes, I can record conversations on any phone attached to my computer,” she said. “And so could any spyware.”

  Alien switched back to her presentation, advancing to the next slide. “Recommendation,” it said. “Don’t use the Access port on the phone.” Demonstrating, Alien unplugged the phone from her computer, connecting it to a nearby VoIP-enabled wall jack instead.

  “Don’t worry—we’re still not done eavesdropping,” she said.

  People chuckled again but looked at one another uneasily as Alien ran another free program, Nmap, short for “network mapper.” This returned a list of every device online and any open network ports—designated back doors for specific services like email or Web browsing—on each.

  “Here,” said Alien, pointing to two lines on the wall monitor:

  PORT    STATE  SERVICE  VERSION
  80/tcp  open   http     Cisco IP Phone Conference Station

  “As you can see, every single phone has a Web server,” said Alien. “Let’s see why.” She opened a Web browser window and typed the address.

  “Device Information,” “Network Configuration,” “Device Logs,” the resulting Web page menu offered.

  “With the right username and password, anyone, anywhere on the Internet, can log in, change settings, divert traffic, or shut it down,” Alien summarized. She paged to the next slide in her presentation. “Recommendation,” it said. “Disable Web servers on phones.”

  “Now how about the call manager?” asked Alien, meaning the larger phone system gateway. She returned to Nmap, scrolling through results until she reached the following:

  PORT      STATE  SERVICE        VERSION
  80/tcp    open   http           Microsoft IIS webserver 5.0
  102/tcp   open   iso-tsap?
  135/tcp   open   msrpc          Microsoft Windows RPC
  139/tcp   open   netbios-ssn
  443/tcp   open   https?
  445/tcp   open   microsoft-ds   Microsoft Windows 2000 microsoft-ds
  1433/tcp  open   ms-sql-s?
  1720/tcp  open   H.323/Q.931?
  2000/tcp  open   callbook?
  2001/tcp  open   dc?
  2002/tcp  open   globe?
  2301/tcp  open   http           Compaq Insight Manager HTTP server 5.3
  3389/tcp  open   microsoft-rdp  Microsoft Terminal Service
  5800/tcp  open   vnc-http       WinVNC
  5900/tcp  open   vnc            VNC

  “That’s fifteen open ports,” Alien counted. “Each one needs to be turned off or secured. As is, I can download, delete, or change any phone’s configuration file.”

  “Recommendations,” said the next slide. “Turn off unnecessary services. Use secure protocols. Lock the system down.”
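The call-manager scan above is the kind of output a defender turns into a hardening checklist: parse Nmap's port table, compare each exposed service against what the phone system actually needs, and record what has to be disabled or reviewed. The following Python is an added example, not code from the book or from Nmap; the sample scan is the table reproduced from the text, and the DISALLOWED and EXPECTED service lists are a hypothetical hardening policy assumed for the illustration.

```python
"""Parse the 'PORT STATE SERVICE VERSION' table from an Nmap scan and flag
services that a hardening policy says should not be reachable on a VoIP call
manager. Added example; the policy lists below are assumptions."""
import re
from typing import List, NamedTuple, Tuple

# Constructed sample input: the call-manager scan as shown in the text.
SAMPLE_SCAN = """\
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS webserver 5.0
102/tcp open iso-tsap?
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
443/tcp open https?
445/tcp open microsoft-ds Microsoft Windows 2000 microsoft-ds
1433/tcp open ms-sql-s?
1720/tcp open H.323/Q.931?
2000/tcp open callbook?
2001/tcp open dc?
2002/tcp open globe?
2301/tcp open http Compaq Insight Manager HTTP server 5.3
3389/tcp open microsoft-rdp Microsoft Terminal Service
5800/tcp open vnc-http WinVNC
5900/tcp open vnc VNC
"""


class OpenPort(NamedTuple):
    port: int
    proto: str
    service: str  # Nmap's guess; a trailing '?' means it was not confirmed
    version: str


# One port line: "<port>/<proto> <state> <service> [version text]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_ports(text: str) -> List[OpenPort]:
    """Return the open ports listed in Nmap's normal-output port table."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # header line, blank line, or other non-port output
        port, proto, state, service, version = m.groups()
        if state != "open":
            continue
        ports.append(OpenPort(int(port), proto, service, version.strip()))
    return ports


# Hypothetical hardening policy (an assumption for this example): services that
# should never be exposed on the voice network, with the reason to record.
DISALLOWED = {
    "http": "cleartext management web UI; disable or restrict to admin hosts",
    "netbios-ssn": "Windows file sharing has no business on a call manager",
    "microsoft-ds": "Windows file sharing has no business on a call manager",
    "ms-sql-s": "database listener should not be reachable from the voice VLAN",
    "microsoft-rdp": "remote administration belongs on a separate admin network",
    "vnc-http": "remote desktop sharing; not needed for call handling",
    "vnc": "remote desktop sharing; not needed for call handling",
}
# Services the phone system is assumed to legitimately need.
EXPECTED = {"https", "H.323/Q.931", "callbook", "dc", "globe"}


def audit(ports: List[OpenPort]) -> List[Tuple[int, str, str]]:
    """Classify each open port as 'disable' (policy violation), 'review'
    (unknown service) or leave it out (expected)."""
    findings = []
    for p in ports:
        name = p.service.rstrip("?")  # strip Nmap's 'unconfirmed' marker
        if name in DISALLOWED:
            findings.append((p.port, name, "disable: " + DISALLOWED[name]))
        elif name not in EXPECTED:
            findings.append((p.port, name, "review: not in the expected service list"))
    return findings


if __name__ == "__main__":
    for port, name, action in audit(parse_ports(SAMPLE_SCAN)):
        print(f"{port:>5}/tcp {name:<14} {action}")
```

Run against the sample, the parser recovers all fifteen open ports; eight of them (the two HTTP servers, NetBIOS and SMB, SQL Server, RDP and both VNC listeners) are flagged for shutdown and two (iso-tsap and msrpc) for review, which matches the slide's advice to turn off unnecessary services and lock the system down.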

  Alien pointed to another laptop plugged into the port next to the one into which she had connected her phone. “This is my own unregistered Linux laptop,” she said. “It’s never had a phone plugged into it. But while Amy was explaining VoIP to you, I ran another program, vconfig, to tag it as the call manager.”

  Alien opened the laptop and showed everyone a series of short commands typed earlier onscreen. “Here it’s saying, ‘Hey, everyone—send all your traffic to me,’” she said. Alien demonstrated two more programs, Ettercap and Ethereal. “This whole time,” she said, “I’ve been collecting the stream of data as it comes and picking out the voice traffic.”

  Last, she ran VOMIT—“Voice over Misconfigured Internet Telephones,” Alien decoded the cheeky acronym. “This converts captured VoIP packets to an audio format,” she said.

  Alien typed again and a recording played on the tinny laptop speakers. It was the Windows team member from a few minutes earlier: “I’m pregnant.”

  “Congratulations,” joked Alien. She continued. “Theoretically, you can turn on speakerphone and record conversations in any room. Reverse the process and you can take over someone’s line with prerecorded messages. Flood the system and you get an easy DOS”—denial of service—“attack. Like this.”

  She typed. The conference room phone rang and Grant reached to answer it.

  “Check the caller ID first,” Alien interrupted him.

  Grant did. “George W. Bush,” he read, frowning.

  “Busy man.” Alien typed again. The ringing stopped.

  “Do you have your cell phone?” she asked Grant.

  “Yes.”

  Alien passed him the piece of paper with the assigned phone number written on it. “When you get the voice mail, try to leave a message.”

  Grant dialed. The demo phone rang again.

  “Hello,” he said stiffly, a few seconds later. “This is—”

  Alien interceded, typing a command to barrage the call manager with thousands of instantaneous messages, to the point where it was overwhelmed.

  Grant stopped.

  “What happened?” asked the Windows team member who had volunteered earlier.

  Grant replied softly, eyebrows arched in a wry expression. “It hung up,” he said.

  “Say you’re a heart transplant patient,” Alien said. “There’s a donor match, but your surgeon can’t get or receive the call.”

  Thirteen more recommendations followed.

  “Jesus,” Chris said, taking notes. “This makes everything else you’ve bothered us about look easy.”

  Alien smiled. “I’ll take that as a compliment,” she said.

  The phone presentation impressed Grant, who put Alien in charge of developing the hospital’s first formal information security incident response policy. But before she finished it, he summoned her to his office for something entirely different.

  Grant waited guardedly for Alien to enter before asking her to close the door behind her. “New case,” he said, handing her a manila folder. “Sorry.”

  Alien opened it, and then looked away instinctively as she paged through a thick stack of color photos printed on eight-and-a-half-by-eleven-inch printer paper.

  In the first photo, two very well-constructed nude women were trying on high heels in a mirrored dressing room. In the second, cheerleaders were engaged in a gymnastic routine as lewd as it was athletic. In the third, a famous singer and her boyfriend were making the most of a cove that evidently had been less secluded than they thought.

  “A nurse on the cancer wards turned these in,” Grant said. “She says their printer is infected. Whenever she reloads the paper in the morning, this stuff starts spooling out. What do you think?”

  “This happens repeatedly?” Alien asked.

  “Every morning for the past five,” he said.

  Alien sighed. “How much—er—material does it print?”

  “Thirty, forty pictures. Sometimes more. Once one hundred,” Grant told her. “Why?”

  Alien tapped her chin, thinking. “Tell me,” she said a moment later, “does it happen only when the nurse puts new paper in?”

  Grant nodded. “That’s the other thing. It’s always out of paper when she gets there,” he said.

  “Give me a couple of hours,” Alien said. “I think I know what’s going on.”

  Bordering Beigeworld was a black metal barrier: the entrance to the hospital data center, where fans whirred loudly, circulating air to cool nine hundred computer servers. Alien swiped her badge and the heavy door clicked open. Immediately, Alien felt the breeze press her black velvet dress against her legs above her boots.

  Step one: chill-out music. As soon as she had closed the data center door behind her, Alien took out her iPod headphones and scrolled to King Harvest’s “Dancing in the Moonlight.” The second the electronic keyboard started, she took a nice long exhale.

  Locked black metal racks held the computers in groups of twelve to twenty. Standing on tiptoe, Alien grabbed a key from the top of the third rack from the door. She opened the rack and pulled out and popped up a tray with a laptop that monitored and controlled the machines around it. Now to test a new logging system she’d just set up.

  Alien poked around the system authentication logs for ninety minutes, looking for anyone who might have accessed the printer the last five days—and nights.

  Just as she’d guessed.

  “It’s not a virus—it’s a new night shift maintenance worker,” Alien reported to Grant. “Between seven p.m., when the last person leaves, and seven a.m., when the nurse starts work in the morning, he’s the only person logged in on that floor.”

  She showed a graphical chart of the employee’s routine, taken from the logs. “Here, around one in the morning every night he’s signing in at one of the shared workstations,” Alien said. “He goes online and prints porn, more pages of it than there is paper left in the printer. When he gets the ‘out of paper’ message, he goes and gets his pictures. He forgets about it, but the printer’s memory doesn’t, even after he signs off. Then, when our nurse comes in and restocks the printer, it finishes printing from the queue.”

  Alien followed the chart with a lengthy printout, highlighted to show the relevant items in a time-stamped list. “Once I knew what workstation he was using, I grabbed it and pulled the Web-surfing history. Take a look. Everything matches.”

  It was her first independent network forensics case. And it made her realize how differently people acted when they thought no one else was watching them. What they didn’t understand was that everything they did online left a trail.

  “Poor nurse,” Grant said. “I’ll report the guy to human resources.”

  “Poor guy,” said Alien. “There’s no anonymity on the Internet.”

  The first week of May, Mayflower replaced asbestos-laden carpeting on the fourth floor of the IT building. Movers came and dismantled all the cubicles and their contents, either shifting them to other floors or stacking them in the conference room. Then everything went back to where it belonged. Except that the head of patient accounts reported that his desktop computer had not been returned to him.

  Alien placed an alert on the network; if the machine came online, she’d detect it. Next, she contacted a colleague in physical security and told him where the staging areas for the move had been. “Are there cameras there?” she asked.

  “I’ll check,” he said.

  Last, she went in person to see the head of patient accounts. The location of his desk, near one of the building’s few windows with a view, indicated his seniority. Fifty or so, round-faced and chubby, he kept nervously fingering the collar of his white short-sleeve button-down shirt, as if seeking reassurance.

  “Is there any patient information stored on the computer?” she questioned him.

  “Of course,” the man said.

  Alien paused. “For roughly how many people?”

  He thought about it. “Ten thousand patients.”

  “Ten thousand patients,” Alien repeated to Grant afterward. “And right now the computer and its hard drive could be anywhere from Roxbury to Romania.”

  “It would take a while to get to Romania,” Grant countered. “Are you sure it’s not here in the hospital? Maybe it just got misplaced during the move.”

  “Let’s hope so,” said Alien. The new InfoSec policy she’d written used two main measures to rate the urgency and importance of possible information security incidents. One was the sensitivity of any system at risk—how critical it was to hospital operations. The other was the confidentiality of any data involved—whether it was public or private, for example, or subject to internal Mayflower policies or federal regulations.

  Losing this computer hit the second gong hard.

  “It’s got names and addresses; driver’s license and Social Security numbers; credit card and bank information—all totally unencrypted,” Alien said. “If you were interested in identity theft, this hard drive would be a one-stop shop. And then there’s all the medical information.”

  Grant didn’t wait. Immediately, he and Alien conducted a blanket search of the building—cubicles, closets, conference rooms, and data center—every nook and cranny. Nothing.

  Grant paged the other information security team members. He passed out printed copies of the floor plans. They stayed after work, walking through the deserted offices, turning everything upside down again—with no result.

  At midnight, following Alien’s new policy, Grant notified his boss, Mayflower’s head of IT, who called the hospital’s CTO—chief technology officer—who alerted legal.

  “What now?” she asked Grant at dawn.

  “We’re investigating” was all he told her.

  All week Alien waited for a news report or press release—even a staff memo of some kind—about the missing computer. None appeared. And Grant, when she asked again, made it clear that the entire incident had been taken out of his hands.

  “It’s a random Dell desktop,” Harry tried consoling her at lunch on Friday. “Someone probably saw the chance to make five hundred bucks, grabbed it, and sold it to a friend.”

  “And that’s fine with you?” asked Alien.

  “Of course not,” Harry said. “But you don’t have to make a federal case out of it.”

  “But it is a federal case,” said Alien. “Have you heard of HIPAA?” The acronym stood for the Health Insurance Portability and Accountability Act—a recent federal law that restricted access to private medical information. “Ten thousand patient medical records just walked out the door. We don’t know what happened. We need to take this seriously!”

  Harry impatiently eyed the sandwich and fries he’d ordered, but Alien continued. “Did you know personal health information can be resold for ten times the price of stolen credit cards? And you know why? Because you can’t ‘cancel’ your medical history and get a new one.” She paused. “In the wards, the doctors wear white coats to stop anyone from thinking of blood. The floors are squeaky clean so no one imagines that an infection could be transmitted. If people trust us with their health and the health of their loved ones, we need to take the same care with the security of their intimate personal information.”

  Alien stood. She couldn’t just cross another workday off the calendar as Harry did—not now, she felt, not with a case that really mattered like this one. Medical identity theft affected more than a million Americans a year. Mayflower Hospital had to deal with calls from puzzled and outraged people claiming “I never had that surgery” after someone else had used their health insurance. If your provider was duped by an imposter’s fake ID, you might be billed for fraudulent copays or hit your insurance limit before you knew it. And if your medical records were altered in the process, such as having another person’s blood type entered in place of your own, the consequences could be dangerous and even fatal.

  “Where are you going?” Harry said. “You haven’t eaten anything.”

  “I’m going back to the office,” said Alien. “I’m checking the logs to see if the computer came back online.”

  “It’s gone,” Harry told her.

  “I’m not giving up.”

  A month passed. Late one night, Alien lay beside Fireberry’s house manager, Keenan, in the backyard hammock. Tall and muscular, with dreamy green eyes and a terrific spiked haircut, Keenan attracted a stream of women to his third-floor bedroom, across the hall from hers. So far, at least, Alien wasn’t one of them. Yet when Keenan sat up slowly and started massaging her shoulders, she realized how much trouble she was having relaxing. Her mind was still stuck on the missing computer.