Bad Good Bad: Special Edition


  Kamal: “They are not alone fighting this attack. Something else is at work. That must be our bot.”

  I can feel the presence now. I turn around and look at Kevin and Eric. I am visualizing a word: HELP.

  Eric: “Kim, Kevin, you both copied that as well, right? HELP.”

  We are both nodding back to mean yes.

  Kevin: “How can we help? Kim, do you copy anything else?”

  Kim: “Yes. I think so. Through the noise. But I don’t know what that is yet.”

  Eric: “Ok, let’s go to the conference room together. We need to focus on that. Whatever we can gather may be of use. Kevin, can you reach out to Anima so she joins us?”

  Kevin: “I just texted her. Maybe that is the assault the bot was predicting.”

  Kamal: “I’ll go get my laptop and join you there. I want to get updates from all security teams while we are trying to figure out what is going on.”

  Chapter 8

  The assault. Maybe. And our smart bot seems to be struggling trying to assist with defending the vault. I am trying to focus on the information that is probably hidden in the noise. I cannot yet make out anything useful. Just nonsense and noise. This is giving me a migraine.

  Kamal: “We have one sector in red now. Backoffice and applications. New Forensics says Neocuris has isolated the backoffice at the headquarters. A portion of the clinics network is orange, and all surgeries have been cancelled for the day, as part of the incident response process.”

  Kevin: “The resynchronization traffic from the application instances is a bit too high. Here is the rate of reconnecting instances, but it does not correlate with the network traffic anymore. See how the 2 lines don’t align on this graph.”

  Kevin is pointing at his laptop display, which he turned around for us to see.

  Kim: “Let me try something.”

  I unlock my phone. Start the app dashboard. I disconnect.

  Kim: “I am off the network. I can still hear the noise.”

  Everybody pauses and thinks about the implications of what I just said.

  Kevin: “Wait. That can only mean one thing. The application itself is compromised?”

  Kamal: “That could explain the network traffic mismatch vs the resynchronization traffic we would expect to see.”

  Kim: “I am reconnected now. Let me try to focus on the noise.”

  I push my chair back a bit from the table. Anima switches chairs so she can sit next to me, as if to keep an eye on me.

  Kevin: “Kamal, can we generate a dashboard chart with a breakdown of traffic by mobile device type?”

  Kamal: “I think so. Let me try something.”

  Kim: “I feel another presence now. I believe this is the helper.”

  Kamal: “Ok, take a look at this pie chart Kevin.”

  Kevin: “Can you drill down into this device model? Try to get another chart grouped by OS version.”

  Anima is just staring at me. I think she wants to know what is going on, but at the same time she wants to make sure I am not going to get my brain fried or something.

  Kim: “I can make out the same words again from the helper. Follow me.”

  Anima: “Are you sure you are okay Kim?”

  Kim: “Yes. I don’t know if I should focus on the noise or the helper. I can visualize some numbers now.”

  Eric stops and turns around to look at me. He gets up and goes to the whiteboard with a marker.

  Eric: “Can you tell me what numbers you see?”

  Kim: “I don’t understand what they are. I see two numbers. First one is 40.74. Second one is 73.99.”

  Everybody is looking at the whiteboard, thinking. Kevin is working on something on his laptop, glancing at the numbers on the whiteboard.

  Kevin: “Search engine. Let’s see. If I glue the 2 numbers together with a dot in between, I am getting an IP Address range in use in Japan.”

  Eric: “Is the attack originating from Japan? That would be a first.”

  Kevin: “Wait. This looks like the 2 numbers also correspond to a location in New York. One of the results in the search engine shows me a map of Manhattan. GPS coordinates.”

  Kevin picks up his phone. He unlocks the screen. He taps a few things. He waits.

  Kevin: “Gone. The noise is gone.”

  Eric: “What did you do? Are you disconnected?”

  Kevin: “It’s the GPS app. I see my model and OS version in this pie chart. I disabled geolocation in the Neocuris app, but I am still connected. They probably compromised the GPS application.”

  Kamal: “There is integration between the Neocuris application and the GPS app for geolocation. There is probably a vulnerability in the Neocuris application as well to allow this to work. I am reaching out to New Forensics and Neocuris teams. We probably want to shut down geolocation to contain the attack.”

  Eric: “Well, we will also have to fix somebody else’s application I guess.”

  Kamal: “Yes, correct. As part of the incident response process, Neocuris will contact both the GPS app providers and the phone providers.”

  Kevin: “Kamal, can you show us the live traffic graph on the dashboard?”

  Kamal changes the perspective on the dashboard. We wait a few minutes. We see the traffic line take a few sharp downturns. It looks a bit like a staircase.

  Kamal: “Geolocation is globally down now.”

  Kim: “I can still hear the noise. Wait, it’s gone now.”

  Kevin: “The delay is probably because the vault needs to reach to all the instances to change the local setting. It looks like the attack is contained now. The botnet was made up of all those app instances running on the compromised models and OS versions.”

  Kamal: “Neocuris say they will investigate all different models and OS versions, before they gradually re-enable geolocation. At least now they know where to focus the effort.”

  Eric: “Teamwork. But that was close I guess.”

  Kevin: “Yes. That spike in traffic was load testing the network beyond any scenario we tested yet. Not sure how long we would have been able to cope with it without a global interruption of service. The growth in traffic activity was not linear.”

  Kim: “I am not sure the helper intentionally gave us a cue. Maybe I just grabbed his GPS coordinates because they were amplified by the attack. Coincidence?”

  Kevin: “Or if he did intentionally copy those numbers to you, maybe he was not in a position to call Neocuris or New Forensics. We don’t know if he is still at New Forensics. He probably wants to stay anonymous.”

  Eric: “Well, whether it was on purpose or whether it was a coincidence, Kim you just dialed the solution for us again.”

  Chapter 9

  I am back to Bianca’s office today, to discuss the attack and the response process.

  Bianca: “Hi Kim. Well, things unfolded pretty fast. Eric briefed me about how you guys at Pro have been able to piece the puzzle together. I was told you got some help from the mysterious helper?”

  Kim: “For some reason, the bot was trying to mitigate the attack. It was not able to. Maybe because it was at the app level, involving some components beyond its reach. At least not yet under its control. Because if I can connect to the other apps on my mobile, the bot should have the potential to do so as well, right? The app kind of sits right in the middle of the channel.”

  Bianca: “Unless this is a big setup, we appear to have some evidence that both the helper and the bot are on the right side. Still, we do not have a compelling story at this point to convince ourselves that we have a good security posture at Neocuris. Never mind convincing the Board or eventually the auditors. Officially, we are still compromised.”

  Kim: “How is the situation now vs the incident response process?”

  Bianca: “We are busy on a few fronts. We are working with the mobile manufacturers, not just the models that were leveraged for the botnet. And all application manufacturers for which we have some interface. GPS is one app we interface with, but we also interface with the calendar, the alarm clock, voice recognition, and a few others. We need to figure out if we want to keep leveraging the other apps on the mobiles, or if we instead want to duplicate those features in our own app. This is kind of breaking the smartphone model, and our strategy to not try to re-invent the wheel. But when it becomes a national security issue, compromises have to be considered.”

  Bianca: “Geolocation is a key feature for us, especially to quickly locate patients in need of a timely intervention. And also to provide smart analytics based on location, current weather, smog alerts, etc. We are planning to re-enable the feature as soon as possible. Hopefully within a day or two.”

  Kim: “What is the position of the Ethics Committee right now?”

  Bianca: “Today, it basically operates in crisis mode. We had to deal with a few resignations, and they are trying to backfill the seats left empty. Those who are staying made the decision to stay because they don’t want to abandon the others and the patients. Big questioning is going on. For example, do you still allow for new patients to be onboarded into the vault when you know it is compromised? If you make the decision to stop the onboarding of new patients, that is basically equivalent to stating that we have a sinking ship here at Neocuris. Stock would plunge, we would probably precipitate Neocuris into bankruptcy. Which would mean existing connected patients could find themselves connected to nothing overnight. Maybe some of them could die, or suffer. Would that be a good ethical decision? So the Ethics Committee has to factor in the market reaction and potential negative consequences to the very patients they are trying to protect. This complex situation is way beyond what many of the members are willing to put up with. They did not learn how to deal with such a situation at ethics school. The consensus for now between the remaining members is that we must maintain the services, while trying to remediate the situation. That means getting rid of the bot.”

  Kim: “It looks like the bot was able to assist with countermeasures. Would we have succeeded without the bot? Maybe. Kamal says the bot contributed to the mitigation of the attack, at a minimum by allowing me to gather the numbers from the helper. We were very close to losing the whole vault. Every minute counted. Eric says it was teamwork. And that the bot was on the team.”

  Bianca: “The helper switched camps at one point. And the bot is not perfect, it could not contain this last attack all by itself. What if the bot gets compromised? It looks advanced enough to be able to take Neocuris down if it falls in the wrong hands. Or if it starts to malfunction. I never thought we would be having those discussions about relying on an entity that we cannot get rid of, an entity that we do not understand, to defend the vault.”

  Kim: “I think it was programmed with good intentions. But I agree that it is less than an ideal situation.”

  Bianca: “All-in-all, I think this is good schooling for you. You are learning the practice from the traditional approach, which is by the way only a year or so behind the world posture. And at the same time you are also in the trenches, at the front, part of a team that is trying to fight something in a context that has not yet been captured in textbooks. A few years back I was in similar shoes. But changes are happening faster today. Try to absorb as much as you can. You really are standing on what they call the bleeding edge.”

  Chapter 10

  I am back in San Francisco for a week. Eric told me that it is okay for me to focus on the exam preparation since it is only a few weeks away. However I need to be ready to jump back in, if another crisis emerges. I have not seen Toshiro for a little more than a week, when he was in Portland visiting for a few days.

  A lot happened during those few days. I was ready to unplug for good. But then I was able to provide some decisive contribution to resolve the crisis. The team, they count on me. And it is quiet again. So I remained plugged in. But I know Toshiro will have an argument with me at some point. I don’t know if I will be able to handle the storm any longer. This is eating me.

  I push the door to get inside Voilà! 1:30 pm on Saturday. Lunch rush is almost over. I know Saturday night is going to be a busy night, as always. Amanda takes me to a free table. We take seats.

  Kim: “Hi mom, great to see you!”

  Amanda: “Hi Kim. I was waiting for you. Toshiro just stepped out to go to the market. He’ll be back soon. He wanted to complete his afternoon shopping before you get here.”

  Kim: “Is Cristina still coming over this week?”

  Amanda: “Yes. She will be here Friday night. She is preparing her finals right now. She is also trying to figure out what she wants to register for at the university, and which university to apply for. She still has a few months to figure that out. I am sure you can help her make the right decision. Don’t you?”

  Kim: “Yes. I will try to help her with that. I need to ask her a few questions first, to see if she really understands the difference between an engineering degree and a pure science major.”

  Amanda: “Toshiro mentioned to me that you were working on a weird project. He seemed concerned. Are you working for something legit, or are you on the dark side?”

  Kim: “Don’t worry mom. I am on the good side. It’s just that we have to learn all the tricks the bad guys use to debunk them bad guys. We need to know our enemy, so we can predict their next move. I have to agree that it gets weird sometimes though.”

  Amanda: “Well, you probably want to sort things out with Toshiro. He looks confused about his feelings. I remember when I and Randy started to put some distance between us. If there is a problem, you want to get to the bottom of it before it eats up your relationship. Trust your old mother who is the queen at sacrificing her personal life to advance her career. I just don’t know how to balance both. Now I am all alone again.”

  Kim: “Mom, you have always been there for me. Don’t blame yourself that way. You gave me everything I needed. I am sorry I was such a rebel teenager. I am smarter now. At least I think I am. And I can fully appreciate all the sacrifices you put yourself through for me. I will never say thank you enough.”

  Amanda: “Now you go make me a happy mother by not repeating my mistakes. This is the only advice I can give you. Know your priorities.”

  Toshiro is walking back into the restaurant. I get up. We walk towards each other and we hug. The few patrons still around finishing their lunch glance over. They know who he is. They are not sure about who I am. I am the famous chef’s girlfriend. That is what they seem to be talking about amongst themselves.

  Kim: “Toshiro. I am so glad to be here with you again. A lot has happened last week. You probably saw on the news that Neocuris was under attack together with the power grid and the internet. I did not want to expand too much about it over the phone with you. We all need to disconnect from work in the evening. They are still investigating. We had to work very hard and very fast to successfully counter that last attack. Sorry I may have sounded a little distant last week. I was exhausted.”

  Toshiro: “Are you still connected to this thing?”

  I pick up my phone. I open the app personal dashboard. I disconnect.

  Kim: “Not anymore. But yes I had to connect last week. And that allowed me to make a significant, probably necessary, contribution to stopping the attack.”

  Toshiro: “Are you saying to me you still need to stay connected to that thing?”

  Kim: “Eric and the team, they need me. For now at least. I know you are asking me to completely disconnect for good, but lives are at stake. I have some responsibilities. I want to unplug for good. Soon. Kevin will take over. His turn. We are working on the transition.”

  Toshiro: “You mentioned your contributions. You have done enough already, right?”

  Kim: “Yes Kevin will be ready soon. He is getting there. My plan is to land into a normal job, and I have the perfect mentor in Bianca. She cares about me being a successful executive in information security. I just need more time.”

  Toshiro is more and more annoyed by the interface I am wearing. It’s so bad right now that this is the first or second thing we end up discussing when we get together. Amanda is right. I’m about to ruin everything.

  Kim: “Let’s go for a walk. You have time, right?”

  Toshiro: “Yes. I completed my shopping so I could have more time with you. Let’s go to Fisherman’s Wharf. It’s a nice day outside. Let’s go walk in the sun a bit. I just want to be with you.”

  I am waving at Amanda, who is kind of faking writing some notes on a piece of paper at the table. But she is actually watching us, trying to read the body language.

  Chapter 11

  9 pm. I decided to go wait for Toshiro at the restaurant. He should be able to delegate the rest of this busy Saturday night to his team soon.

  There is a folded copy of some newspaper on the table. The staff is not done yet with cleaning this table I just sat at. I am glancing at the big titles and subtitles on the front page. They are talking about the assault.

  ‘The White House is blaming the Kremlin for the attacks.’

  ‘The Kremlin denies any implication. It is repeating its statement from last month that it condemns all terrorist attacks, and it is actively trying to locate and arrest those who are responsible for these attacks from its territory.’

  ‘Power restored in New Jersey and Michigan.’

  ‘Neocuris successfully counters an attack and fully reestablishes its services.’

  ‘The United States challenge the One-China Policy: Trade disputes in the background?’

  While it is true that Neocuris defeated the attack, it is unclear to me whether or not Neocuris is making progress from a security posture point of view. The media are not aware of the full story. Again, it looks like Neocuris is attack proof and is ready for any eventuality. In reality, Neocuris is almost out of control.

  The other titles about China and Russia seem to indicate that the information security war is only one aspect of a systematic economic and territorial war.