Homunculus: Chapter 23: Echo

Douglas had barely had time to sit down at his desk before Mort burst through his office door.

“Where the hell have you been?” Mort exclaimed.

“At home,” Douglas replied. “It’s where I live when I’m not here.”

“Didn’t you get any of the voice mails I left you over the weekend?”

“I got them; I just haven’t listened to any of them yet.”

“Since when do you not answer your phone?”

“I was busy. What’s so important that you couldn’t wait for me to come in?”

Mort leaned forward on Douglas’s desk. “I found them,” he said.

“Found who?”

“I don’t know who, yet. But I found them. They’re in Balthasar.”

Douglas stared at Mort, dumbfounded. Friday afternoon, Douglas had been trying to figure out how many man-years of effort it was going to take to systematically check the entire system for signs of intrusion. And now barely three days later, Mort was claiming success.

“How? Are you sure?” Douglas asked.

“Absolutely. In fact, they’ve been in contact with Jacob.”

“I mean, how could you possibly have gone through the analysis I was preparing last week?”

“You mean those plans you dumped on my desk on Friday? I glanced at them. They were pretty worthless. The approach was way off.”

“So then what, pray tell, did you do?” Douglas locked his eyes on Mort, wondering how he had managed to upstage him over the weekend.

“Simple. Well, not simple, but elementary. What are the three fundamental security services you try to protect?”

“Confidentiality, integrity, availability,” Douglas rattled off automatically, ticking the three off on his fingers as he said them.

“Right. Anything our visitors tried to do when they attacked had to target one of those three. Right away we can cross off availability as something to worry about, obviously.”

“What do you mean?” Douglas demanded. “They tried to burn the place down! I’d call that a big denial of service.”

“Exactly!” Mort said, as though Douglas had somehow proved his point. “Let’s say they did want to bring down the system with whatever was on that disc. Either it was supposed to work immediately, or it was going to be some kind of time bomb set to go off later. But if that’s the case, why resort to physical destruction, if they just had to wait for the trigger to be pulled? No, if their main goal was to destroy it, they were expecting it to happen right away, so we can safely rule out any kind of destructive time bomb.”

“OK, you make an interesting case about there not being any time bombs, but by that logic shouldn’t you rule out confidentiality and integrity? The fire suggests they were after immediate destruction. Maybe they were trying to set a time bomb, but it didn’t work so they resorted to Plan B.”

“Hmm,” Mort said. “You could be right about that, but it doesn’t matter because I know I’m right.”

“Why don’t we just skip ahead to what you do know for sure?”

“Right. Anyway, my point was, an attack on confidentiality is the easiest thing to check. If they’re trying to steal our data, they’re either going to have to send it somewhere, or come back for it later. If they’re sending it somewhere, we don’t have to look at the system itself, just what’s going out of it.”

Douglas nodded. “Go on.”

“There’s only three pipes exiting the server room. One is the set of leased lines for nightly backups. That’s just a secure VPN to the backup site, so no one can route packets to themselves out that way. Besides, that pipe’s a firehose. There’d be no way a packet analyzer could keep up with that much traffic.”

“That’s one.”

“The second is the pipe that goes through half a dozen firewalls before hitting the Internet. The third goes into the development lab. There’s much less traffic on those, so sniffing those for anything suspicious is workable.”

“The development lab’s a closed network,” Douglas said. “That’s looking for your keys where the light is good instead of where you dropped them.”

“That’s what she said.”

“Who?” Douglas tried parsing his last statement for a double entendre, but couldn’t find one.

“Never mind. Anyway, that’s what I thought too, so I put a sniffer on the outbound pipe for a while. I got nothing.”

“How can you be sure the malicious traffic isn’t just well-hidden?”

“No, I said, I got nothing. Zip. Zilch. Nada. No traffic whatsoever. It’s not being used.”

“That’s not possible. He gets out to the Internet all the time. He’s got that stupid blog and everything.”

“Not if someone puts a rogue connection between the development network and the corporate intranet, then routes Internet traffic from Balthasar through that link instead.”

Douglas sat silent for a minute. Mort watched him, clearly knowing he didn’t need to explain what that meant. Particularly, how that meant the only thing standing between their billion-dollar collection of trade secrets and the Internet was a permissive perimeter firewall.

“Oh, it gets worse,” Mort added.

“How?” Douglas didn’t really want to know, but he needed to know how much bodily harm he was going to inflict upon the Daves for this.

“Naturally, once I realized we had a rogue connection, I started sniffing the third pipe. There’s an awful lot of outbound pings being sent from it.”

“There’s no reason for it to do that.”

“Right, so I looked at them more closely. The destination addresses are all over the map, figuratively and literally.”

“It’s infected with some kind of worm?”

“If only. My guess, though I don’t really have any way to confirm this without breaking all kinds of hacking laws, is that all the addresses belong to a botnet that our visitors either control or are renting out. Most likely to hide their tracks.”

“What makes you say that?”

“The ping payloads. People tend to forget that echo requests and replies have a payload section. Normally, it’s just random junk, but not these packets. They’re tunneling data inside, and it all gets right through the firewall, since all the techies want to be able to ping Internet servers if they’re having connection problems.”

“Which means if they’re screwing with ping payloads,” Douglas said, “they’re bypassing the normal interface for that. Which means they’ve got admin rights on the Simulacrum. Wonderful.”

“The good news,” Mort continued, “is that even though it goes both ways, it’s not much bandwidth for them to play with. The pings are infrequent enough that they’d slip under the radar normally. It’s only because there aren’t supposed to be any pings whatsoever coming out of Balthasar that they’re noticeable at all.”

“No,” Douglas corrected, “the good news is that we can rip out the rogue connection and close it for good. Rip out the other one too. Now that we know for a fact they’re in our system, we need to cut them out for good. In fact, why didn’t you do that already?”

“Because,” Mort said defensively, “I need your authorization before I start monkeying with the configuration. Which is why I left you a dozen voice mails yesterday.”

Douglas sank into his chair. It figured that the one time he actually tried shirking his duties for a couple days, something like this would happen. “Right, right. Do we know what they’ve gotten so far?”

“Sort of. Some of what I saw was plain text messages going back and forth. The only way that makes sense is if they’re actually talking to Jacob.”

“What about?”

“It’s hard to tell; I’m missing the context of whatever might have been going on between the time our visitors planted the backdoor and the time I started sniffing the link. What I have seen is pretty vague, like they were worried they might be found out and didn’t want to say anything that we could use to trace it back to them. Actually, judging from what Jacob was sending them, he was getting frustrated with their evasiveness too.”

“Do you think they’re trying to turn him?” Douglas asked.

Mort shrugged. “No idea. Maybe they can’t or don’t know how to do whatever it is they’re trying to accomplish. But what I can tell you is if they’re planning on stealing everything through that, it’ll take them a million years at the rate they’re sending packets.”

“I don’t know. Something about all this doesn’t add up.” The disparity between the break-in and the backdoor was glaring. Sure, they weren’t the first to use ICMP to tunnel data through a firewall, but it did suggest an above-average level of expertise. But the original payload that put it on the system in the first place was delivered by a couple of idiots who couldn’t understand a simple evacuation alarm. The enemy here was clearly interested in covering their tracks, so hiring a couple thugs to do the break-in wasn’t out of the question. But then, why try to destroy the system you just put a backdoor into? It was as if…

“What is it?” Mort asked.

“What’s what?”

“You look like you just realized something.”

“Maybe,” Douglas said cautiously. “I don’t think the two who broke in really knew what they were doing.”

“Obviously. They barricaded their only escape and suffocated to death.”

“No, I mean, I don’t think they knew what was on that disc they put into the servers. It did what it was supposed to do, right? It installed the backdoor, which presumably propagated itself to the rest of the machines on the network. It was clearly supposed to set up a covert channel back to whoever hired them; it’s not like a destruction program is going to accidentally do that. So why set the fire in the first place?”

“Cover?”

Douglas shook his head. “They could have been in and out of there long before you noticed them and called the police. If the fire actually destroyed everything, that ruins their original plan. If they were counting on the fire being extinguished before it could do any damage, they must’ve known about the suppression system, in which case why stick around and wait for certain death?”

“Hmm.”

The more Douglas reasoned out loud, the more confident he became in his hypothesis. “No, whoever hired them to do it must’ve told them it was to destroy the system. I don’t know why they’d do that, but it explains the fire. When the system didn’t go down right away, they tried something else to have the same effect.”

“They panicked and went off script,” Mort said.

“Right. Which doesn’t tell us who put them up to it, or what their real motive is.” Douglas stood up. “But right now it doesn’t matter. We have some network cables to unplug.”

“Let’s go.”

“Do you suppose it’ll be long enough to strangle both of them simultaneously?”


Chapter word count: 1,816 (+149)
Total word count: 40,649 / 50,000 (81.298%)