Chapter 15 - April 5-7, 2003 - Episode 3
Sent: Saturday, April 5, 2003 6:14 AM
To: chaim roslov
Subject: security information
since you are reading this you must be who i think you are.
i know that israeli security monitors and sometimes blocks internet traffic going in and out of the territories for security reasons. i think you or your colleagues may be aware that there is traffic between hackoff.com and an organization in jenin which we have outsourced some work to.
it may be that you are particularly tolerant of this traffic since you know it represents a legitimate business relationship. i think however you may have been complacent. i had reason to monitor this traffic and found some highly suspicious traffic streams of what superficially appears to be voip between hackoff and the jenin group. however, the hackoff ip addresses are not in service. the packets outbound from jenin appear to be empty and, in fact, fall into the bit bucket when they get here since the addresses do not exist. the packets going into jenin do not originate at hackoff despite having hackoff origination addresses. as i said, these particular addresses are not in use.
when i listen to these packets as they are being received in jenin i hear what sounds like arabic although that is not a language i know. i think that this is some sort of communication designed to be undetected and unmonitored by you. the first sheet of the attached spreadsheet contains a list of the ip addresses involved so that you can monitor this communication as you see fit and leave it up or take it down as appropriate. that is your game and not mine.
now here is my problem. without explaining all the particulars, i am going to have to take some defensive actions on computers belonging to my customers to render them safe from an attack which i believe to be imminent. it is very possible that the other side will launch its attack as soon as they are able to detect that i am taking defensive measures and these measures will take me at least an hour so there is a window of vulnerability. that's where i need your help. i would like you to shut down all communication between the territories and the ip addresses of my customers whom i must protect which are listed on the second sheet of the spreadsheet. i need you to give me a four hour window. if you are willing to do this, please respond with the time window in zulu time. when you respond to this email, your response will appear to bounce. that is a security measure of my own; i will still get the mail.
i have one more inducement to offer you for helping me. it is clear from what i've told you that i have been able to penetrate your border ip security. it may be that no one else will ever find the hole i found. i will never use this hole for any illegitimate purpose. i assume, however, that you will still want to plug the hole and i will tell you where it is if you help me do what i need to do.
because i know you will make some inquiries i need to tell you honestly what my present situation is. i am a fugitive from the police here in nyc on suspicion that i poisoned your friend larry lazard who you probably know shot himself. i did not kill larry lazard nor would i kill or attempt to kill anyone. i must remain a fugitive until i am able to protect my customers from the attack against them.
pls let me know you will open a window for me by shutting a gate on them.
Detective Mark Cohen finds Kevin Wong at hackoff on Saturday morning. In Dom’s absence, Kevin is acting as CTO.
“Have you heard from Dom?” Kevin asks.
“Yes,” says Mark, “I have. I want to help him. I have a question for you.”
“Shoot,” says Kevin. “Not literally,” he adds, eying the bulge beneath the shoulder of Mark’s jacket.
“I know this place is very secure — from a network point-of-view…”
“Right,” says Kevin.
“I mean you have to worry about hackers breaking in and everything…” Again Mark pauses.
“So, what I’m asking is: Do you think there could be any way someone clever, some smart hacker could get in and do the kind of thing from outside that you’re only supposed to be able to do from inside? I mean, that would be bad, right?”
“Right,” says Kevin, “that would be called a backdoor. That would be bad.”
“I think that’s what Dom’s worried about.”
“What do you mean? What did Dom say?”
“This is an ongoing investigation, so I’m not allowed to say much,” says Mark. “But I can tell you that Dom thought you were the person to go to for things like this. That must be why you’re acting CTO, right?”
“So, if you thought there was a backdoor, could you shut it down?”
“If I knew where it was, of course. Did Dom say…”
“That’s the problem. We don’t know where the backdoor is. But it looks like there probably is one. So, if you know there is one but you don’t know where it is, then what can you do? I mean, could you change all the locks or something? Does that make sense?”
“Sort of,” answers Kevin. “We have a lockdown drill. It means that we have to go to backup for email, but that’s not so bad on a weekend. It means people working at home wouldn’t be able to get in to the network. That’d be a pain, especially on a weekend. If Dom wanted us to do it, we could. Let me think…”
Mark lets him think.
“Yeah, we could do it. But ... Are you sure? I haven’t seen anything on the traces that makes it look like we have a problem.”
“That’s the problem,” says Mark. “It’s someone Dom thinks is really good. Wouldn’t leave a trace. I think you should do it. I think you should lock down for the weekend at least. Then hopefully Dom’s back and we know what to do next.”
“Right,” says Kevin.