Tuesday, April 26

Strangely Borne—Part 2

It was after lunch that I began my exercise routine. I started on the third floor, walked the entire circuit, and then moved to the fourth floor. I stopped on each floor to examine the bulletin boards where employees posted notices of apartments for rent, puppies for sale, housekeeping services, and the mandatory HR Fair Employment Practices bulletins. CCS had a lively community of employees who posted notes about community service events, ethnic events, and book clubs. I hadn’t noticed how many people I saw walking the halls while I did on most floors. Marketing, of course, had the most elaborate displays and included notices about cookie and candy sales from various schools and clubs, and a May Day festival coming up over the weekend.

On the other hand, on floors that were mostly technical or manufacturing, there was little or no activity in the halls. The offices had no interior facing windows, and the core was devoted to equipment, much of which was managed remotely. Robotics are an amazing thing.

That’s what I encountered on the 12th floor.

As I approached the security door where I’d concealed my miniature RFID reader, I pulled out my cell phone and launched an app for capturing the info from the device. I timed my approach so the cameras were pointed away and waved the phone at the reader. In an instant it had captured the signal and replayed it for the security unit. The door clicked unlocked and a green light came on. I smiled and continued my exercise routine.

***

I was back in my office by 2:30, having given short shrift to the upper floors. There is a fundamental fact about security cameras that few people know. They aren’t usually monitored. It was ridiculous to imagine a person whose job was to watch the camera feed 24 hours a day. Add to that the fact that there were over 100 cameras that I had counted with at least four to a floor and you have a phenomenal amount of video to watch. It would take no less than 60 people by my rough estimate to monitor all the feeds 24-7. Instead, footage was stored for a period of time in a digital vault that could accommodate several petabytes of data. After 30 days, the data was erased. Only if there was an intrusion into the company, a theft, or assault, would the tapes ever be reviewed. CCS’s unique policy of having security cameras playing as screen-savers on every employee’s desktop simply served to remind people they were being watched.

I needed to know if there was video surveillance in the manufacturing facility. I used my portable keyboard to tap out the commands and searches I needed inside the network to generate a list of video feeds. True to my assumption, there was video surveillance at the entrances to the facility, but not inside.

Next, I needed plans for the building. I suspected there was a reason for the facility being on the 12th floor. Unfortunately, the company plans for offices were of no help. The floor plans on the Intranet showed what offices were on which floors, where emergency exits were, and general use information regarding the large spaces that were used for the server farm and the manufacturing facility. I needed electrical, heating, and plumbing plans.

Developers making structural changes in buildings are required to obtain a building permit from the Department of Planning and Development. Applications for building permits must be accompanied by blueprints that building inspectors use to approve the work and then verify that it was done according to specification, is safe, and is habitable. Being a government office, it doesn’t throw anything away. A huge microfilming project was undertaken a few years ago and development documents from the 1890s forward have been cataloged. At the same time the historical documents went into microfilming, all current projects were stored digitally. I was betting the modifications to the 12th floor were made after digitization started.

Proper protocol for looking at these documents requires an investigator to submit a request, go to the office, and pick up the files after signing for them. But the permits and drawings are a matter of public record, so technically breaking into the city’s digital vault to view the plans wasn’t completely illegal in my mind. I looked up the city records for the building permits on this site. The low-res digital images I found were just adequate to confirm my suspicions.

There is still something about the number 13 that makes people jittery, even in an age supposedly beyond superstition. As a result, very few buildings acknowledge a 13th floor. The elevators in our building were no exception. The buttons were numbered consecutively from 1-12 and from 14-26. We were supposed to believe that there simply was no 13th floor.

The reality was that most of the building’s mechanicals were located on the 13th floor, accessible only by a service elevator and stairs. The central core, however, had been cut out to make a single two-story room where the manufacturing equipment of the credit card company was located. It would take me some work, but I was pretty sure I could access the facility through the equipment rooms on the non-existent 13th floor. It was going to be a climb. It was nearly 5:00 by the time I’d finished my various searches and memorized the access points I needed. There was still one thing I wanted to check.

***

I stepped out to verify that Don had left for the day. If he was here since four a.m. he had a good excuse to bug out early. In fact, all my teammates on this floor were gone. I wasn’t going to bother checking on Jen upstairs. I went back to my desk and called up the network logs for last night. I wanted to see exactly what was recorded at the time I was being attacked in cyberspace.

Network logs are screen after screen of text lines. CCS is a 24-hour company in some areas, so there is always traffic on the network. I could get close to the information I wanted by searching the time, but I was only certain that it was between 3:30 and 4:00 which left thousands of lines of log entries. Part of being a good detective is being able to see anomalies. Take one look around a room and identify the one item that is out of place. I’d already proven how inept I was at that last night when I failed to realize I had not one but two tails on me. But it was different when I looked at lines of code. I started scrolling through the lines of log entries, not sure what I was looking for, but watching for the anomaly. I didn’t try to read the lines, just watch for the patterns. As the lines went by, I zoned out, letting them flood my mind.

It took me two passes through the entire half hour log before I saw it. The timestamps.

At 3:42:24 there was a ten second gap. The numbers had been consecutive, often multiple for a given timestamp up to that point, but between 3:42:24 and 3:42:34 there were no entries. It wasn’t beyond the realm of possibility that all network traffic into and out of CCS suddenly ceased for ten seconds in the middle of the night right when half a dozen gamers broke through the firewall and were ousted by another gamer who was already inside. Right. That’s like thinking there is ever a time in 24 hours that there is ten seconds between messages posted on Twitter.

I examined the records carefully. On either side of the ten second block, an employee was surfing the Web. The network log indicated a start point and an end point for each link. Above the ten second gap the addresses moved smoothly. From a to b, from b to c, from c to d. But below the gap the transitions were suddenly from f to g. The referrals from d to e and e to f were missing. Someone had edited the network log and that took a lot of skill. The log was autogenerated from the system. Blanking out a portion of it or deleting it was a lot more serious than simply breaching the firewall.

Now that I knew what I was looking for, I could write search parameters and send spiders into the network. At least theoretically. First I had to locate a server in the cloud that would let me execute a program that would technically be classed a virus by security. I could get the results, but whatever server I found would be pulled off-line and the hole patched by morning. Ah well. That will just enhance company security. I set the little bug loose.

It was nearly six and I was supposed to meet Andi at seven. I set up both the company laptop and my big gaming machine side-by-side on my desk and put them to sleep so I could wake them remotely if I needed to. Then I grabbed my tablet and my cell phone and left.

***

The service stairwell was accessible from the underground parking garage where some impatient mechanic had simply wedged the door open and left it. It had taken me nearly ten minutes to find it, even knowing from the building blueprints where to look. It took 12 minutes to climb to the 13th floor. Of course, it wasn’t marked 13. The access door below was marked 12 and the access door above was marked 14, but this door was simply marked “Danger. High Voltage. Do not enter.” It was secured by an old-fashioned key-lock. It took me almost three minutes to pick it. That’s not really my specialty.

Inside, I got my bearings as I walked up and down aisles of cable boxes, heat and air conditioning units, telephone and electrical boxes. Finally I came to the door I wanted. This door was secured by an electronic lock that matched the ones in our office. I waved my cell phone at it with the recorded RFID and it clicked open.

It was a good thing I didn’t just step through. It was an access door, no doubt on the fire department’s list of emergency exits, but it was nearly twelve feet off the ground with no more than a narrow catwalk crossing in front of it. I stepped onto the catwalk and heard the door click shut behind me.

Damn.

There was no way to open the door from the inside that I could see. I was inside and I’d have to figure out how to get out later. For now, I found my way down a metal stair onto the main floor.

The room was two stories high and filled with the equipment and robotics that were required to make credit cards, including warehousing the stock, manufacturing, sealing, and shipping.

Sheets of plastic were fed into cutters and trimmed to credit card size. Printing on the front and back was done on a digital press, including laminating holographic images on the front of certain cards. Magnetic strips were applied to the cards and each was treated with an ink-receptive strip for the signature. The cards were then fed through a magnetic recorder that recorded the personal information of the user on the card. From there, the card was fed into a machine where the strip was read and then the card was stamped with the raised numbers and letters that identified the credit card number and customer.

I took pictures of the process with the camera built into my tablet and started cataloging the operation. CCS produced private label credit cards for various organizations, including associations and credit unions. It had also developed a side-business of manufacturing gift cards with dollar values for various restaurants and retail outlets. It even subcontracted card manufacturing for larger credit organizations and banks.

The magnetic stripe on a credit card contains the necessary information to conclude a transaction. The primary account number embossed on the card is also the leading information on the stripe. It includes the name of the cardholder, the expiration date, the Verification number or CCV Code, and the address and zip code of the cardholder. Of course the information is encoded so you can’t simply run it through a tape recorder and read the info, but one of the cleverest schemes for pirating accounts has been to have a thin card reader inserted into a regular bank station like an ATM machine or gas pump. Usually a cleverly concealed camera is focused on the keypad so that the thief can record the keying of the PIN as they capture the information from the magnetic stripe. It’s quick and efficient.

It also goes undetected for a long time. A compromised account can be hoarded by a thief for weeks or even months before use. That gives the thief time to collect a huge amount of data and then remove all trace of his equipment before it is discovered. It makes it almost impossible to identify the source of the compromise.

As I watched the machines doing their thing, I observed an occasional card being rejected at one or another station. The most common rejections occurred before any data was imprinted on the card. The magnetic stripe might not have adhered. The ink might have been smeared. Any number of defects were caught by inspecting equipment in a fraction of a second and led to immediate rejection of the card.

Further down the line, a card might be rejected for failed data recording, duplication, or simply being blank when it got to a place that required data. Each of these failed cards was shuffled to a bin that led to a shredder where rejected cards were chopped to tiny bits to be recycled.

After a card passed all its tests, it was put in line for mailing. Based on the card data, a letter was printed, envelope generated, the card attached with a glue spot to the letter, inserted in the envelope, sealed, and bundled for mailing. No human hand had touched it.

The few cameras that were in this manufacturing room were focused on the equipment so a technician could visually verify if there were production problems. If there was an equipment malfunction, service or maintenance to be done, or supplies to be refreshed, someone would come through a security door on the 12th floor. Once inside, the operating assumption was the tech belonged there; security did not take responsibility for what authorized people did once they were inside the room.

I’d seen what I needed to in this room. I wasn’t happy about exiting onto the 12th floor but my exit back through the mechanicals room was blocked. I headed for the main door into the room and got a shock. It didn’t have an RFID reader to open the door from the inside. It had crash bars that were clearly marked “Emergency Exit. Alarm will sound. Use Keypad.” Next to the door was a ten-key pad with a flashing red light above it. I estimated the location of the card reader on the outside of the door and waved my cell phone at it, transmitting the code, but it was too far away and on the other side of a wall. No signal penetrated.

I was stuck.
