Zero Day: A Novel (9 page)

Read Zero Day: A Novel Online

Authors: Mark Russinovich,Howard Schmidt

Tags: #Cyberterrorism, #Men's Adventure, #Technological.; Bisacsh, #Thrillers.; Bisacsh, #Suspense, #Technological, #Thrillers, #Suspense Fiction, #Fiction, #Espionage

BOOK: Zero Day: A Novel
8.68Mb size Format: txt, pdf, ePub

She’d learned through a mutual friend of Cynthia’s death and had, in her subsequent contacts with Jeff, noticed the change in him. Where once he’d frequently been lighthearted, now he was somber. She regretted that she’d never found the proper moment to express her condolences at his loss.

She was looking forward to seeing him, especially as she was convinced he was the one person who could help her with this virus. As for the rest, well, time would tell.

11

RIO DE JANEIRO, BRAZIL

RUA FRANCISCO OTAVIANO

TUESDAY, AUGUST 15

10:16 A.M.

With a touch of distaste Maria Braga watched the scraggly-haired young man enter.

The Euro Internet Café, just two blocks from Copacabana Beach in Rio, catered largely to the tourists who walked by and to certain Cariocas who didn’t have a computer of their own. She knew both types at a glance. The tourists were dressed in fresh beach attire, while the locals were primarily diligent, well-scrubbed students. With six computers and one booth for international telephone calls crammed into the long, narrow room, Maria made an adequate living for herself and her daughter. In the four years she’d run the café, she’d only been robbed once.

The young man’s name was Nicolau. Maria thought he was weird. She didn’t like the way he looked at her, staring at her modestly covered breasts as if she were naked. She was certain he was some kind of pervert.

And he was a nerd. She could tell this guy knew all about computers. He’d probably built his own at home or, at least, bought the very latest models. From the looks of his expensive watch, he could afford it. He didn’t have to use hers, so why did he?

Nicolau rarely stayed at the station more than three or four minutes. That alone was strange. He was up to something, but she had no idea what. She’d thought about charging him more—maybe he’d go somewhere else—but her fees were posted.

Nineteen-year-old Nicolau da Costa was a hacker. His father was a senior vice president with Banco Central do Brasil, while his mother ran a modest flower shop on Avenida Nossa Senhora de Cobacabana. Nicolau spent his nights at his computer playing video games or online in various chat rooms, exchanging virus code, talking endlessly about creating a virus that everyone in the world would know, but wouldn’t cause enough damage to get him arrested.

He’d found it wasn’t that easy. More than once he’d been on the verge of launching a virus, but had always held back. Brazilian prisons were notorious. He had nightmares about ending up in one. You never knew when the authorities might decide to make an example of someone. Even his father wouldn’t be able to help.

Every once in a while, though, a job came along. This was the fifth in less than a month. He dropped onto the chair and checked to confirm that the computer was connected to the Internet. He looked back at Maria up front, then slipped his floppy into the computer and launched the code. The e-mail had told him to leave the floppy in place for three minutes. As he waited, he browsed two Web sites, then, satisfied, extracted the floppy.

Now he entered his Yahoo e-mail account and sent the following message.

Date:      Tues, 15 August 10:21 —0700

He typed in the address, careful that no one was looking.

From:      Riostd

Subject:   sent

rlsd code. rdy for another when u r. send $.

RioStud

At the counter Nicolau smiled as he counted out the coins for his time. Nicolau thought Maria was hot, but wondered if she had been raised in a convent. He and his friends talked about traditional girls like that, though none of them had ever met one who had been. She sure dressed like a nun.

12

MANHATTAN, NYC

IT CENTER

FISCHERMAN, PLATT & COHEN

TUESDAY, AUGUST 15

10:25 A.M.

Stepping outside the building, Jeff was surprised to see it was midmorning. A slight breeze was coming in off the Atlantic and the air was clear, invigorating after the sterility of the IT Center. He walked around the corner to a deli he’d spotted earlier, where Daryl had agreed to meet him. He was looking forward to seeing her again. Quite apart from her ability to help him in his work, he’d always enjoyed her company.

For the last day the world outside had not existed for him. Nothing mattered but the pixels on the screen, accessing the operating system, the story he discovered as he inched his way toward solving the problem, the bits of information that formed together in time to crack the mystery, and the final recovery of the blocked, stolen, or destroyed data. Though this one was not solved—not yet.

Daryl was due any minute. As he entered, he realized that the deli might have been out of
Seinfeld,
with a dozen people ensconced in booths or sitting on stools. He took an end booth, placed an order for coffee, then sat drinking as he waited.

He felt bad about leaving Sue with such a mess, but he had to take a break and rest to think clearly. He glanced over at two men and one woman working on laptops with Wi-Fi and wondered how many viruses each had without knowing it. Two other men in business suits were sitting at a small table having an animated conversation. From the few words he picked up they were talking baseball. Apparently the Yankees were losing.

As a barista cleared a table beside him, Daryl Haugen entered, glancing first left, then right. She was wearing her usual garb of jeans, with a tight white blouse. He waved a hand; she spotted him, smiled warmly, and came over. Sitting across from him, she placed a half-empty bottle of water on the table, then flopped her laptop bag onto the floor. She looked stressed, very, very tired—and lovely.

There was no denying her beauty. He’d once sat in a meeting, bored out of his mind, only to realize he’d been staring at her. Her returning look had not been pleasant, and he’d been careful ever since. Still, simply being with her was an appealing experience.

For an instant he couldn’t help comparing her to Sue. Daryl had a freshness, a spontaneous way of behaving, about her that was quite engaging. Sue was more artifice and calculation. The two women could not have been more different, and his response to each was night and day. He felt relaxed and open around Daryl, but on guard with Sue, making sure that he kept within the bounds of professional interaction.

“No coffee?” he asked.

She shook her head. “No. I had plenty earlier. It gets me wired if I’m not careful. How have you been? How’s it going in the cold, cold world of private enterprise?”

In the years since he’d left the CIA the two had run into each other at the occasional conference. But mostly they’d exchanged e-mails and talked over the phone about difficult problems they’d encountered. Jeff was by nature a puzzle solver, while Daryl was the most gifted computer expert he’d ever encountered. Together they made a great team, but their different lines of work didn’t offer many opportunities for collaboration.

“I’m doing fine,” he said. “Business continues to boom. I do it all myself so I don’t have to waste time with employees. It keeps me busy. My main problem is reminding myself to keep increasing my fees. Computer security is a pretty hot topic for many companies. But who am I telling? How do you like CERT?”

“It’s US-CERT, and I like it a lot.” She grinned and for a moment the tension in her face vanished.

In the wake of 9/11 came recognition that cyberspace was vulnerable to attack and that something needed to be done. The new Department of Homeland Security lumped together a number of previously independent and disparate groups in various agencies. Related to that, but also independent of it, in early 2003, the president issued a directive creating the National Cyberspace Security Response System and within it the United States Computer Emergency Readiness Team, labeled in government jargon US-CERT. As the operational arm of the National Cyber Security Division, its primary objective was to create a strategic framework to prevent cyber-attacks against U.S. computer-oriented infrastructure.

A different organization, known as CERT, had been created earlier, in response to the infamous Morris worm, which had brought 10 percent of Internet systems to a halt in 1988. Housed at and part of the development center at Carnegie Mellon University in Pittsburgh, Pennsylvania, it held a less audacious mandate. CERT was intended to coordinate communication among the various cyber experts to prevent future virus outbreaks, though with the advent of 9/11, the older CERT’s profile had significantly increased.

But the total effect of so many organizations with overlapping jurisdictions hadn’t improved America’s defenses; instead, it created chaos. Turf wars intensified rather than easing, and obvious measures took months or years of discussion and debate to implement—if at all—because it wasn’t clear which organization was ultimately accountable. In Jeff’s view, it was all tragic and pointless. The threat was self-evident. Only those with the power to do something about it seemed unaware.

How anyone could do nothing in the face of such an obvious threat was something he could never comprehend or accept. The anger he felt whenever he thought of it burned at him, but he could do nothing more than what he’d already done and continued to do, every workday. Sometimes he wanted to scream, but he knew no one would listen. He’d just be defined as a kook and in consequence lose any effectiveness he had. This was, he now realized, one more reason why he’d made a point to stay in contact with Daryl.

“I didn’t know you were a field operative,” Jeff said.

She gave him a quirky smile. “I have a very competent team. Between my laptop, e-mail, and cell phone, we’re in constant contact.” She paused. “And I needed to see this situation for myself.”

“How do you like Homeland Security?” he asked with a knowing smile.

Daryl grimaced. “The bureaucracy can be wearing, but my part’s pretty good and getting better. I’m surprised anyone’s got time to work.”

“You’re with my old friend George?”

“With? We consult one another. I don’t spend any more time with him than I need to.”

“How’s that going?” he asked, though he had no doubt of the answer. She despised the man as much as he did.

“Did I mention bureaucracy?” She made a face. “Don’t get me going, though honestly, when it comes to that group and their maneuvering for power, he’s better than some I could name. It’s just that I feel like I’m talking into an empty oil drum most of the time. All I hear is my own echo back. Commercial attacks are up steeply, but both he and the department don’t really seem to care about that all that much. Lots of people and companies are losing information that costs them money. These high-tech crime groups in Russia are getting fat off of us, and nobody’s made them a priority.”

“I hear the Company ran another simulated attack last summer.” Such information was common knowledge in the elite world of cyber-security Jeff occupied. He’d been waiting to ask someone in the know about it. “What was the outcome?”

She laughed. “It was like all the ones before Silent Horizon in 2005 or Operation Cyber Storms I, II, in 2006 and then Cyber Storm III in 2009. CIA and DHS rigged the tests so completely there was no way they couldn’t defend. They established perimeters no real attacker would ever follow while everyone defending a system against penetration knew the attack was coming, and what the rules of the game were. It was ludicrous, but management took great comfort from the results. They’re back to worrying about terrorists blowing up a computer system. It’s like the old FBI chasing bank robbers while the Mafia was running rampant. DHS does what its component parts have always done. There’s an extraordinary lack of imagination there.” Daryl shook her head, still amazed at the stupidity of it all.

“It’s got, what? More than two hundred thousand employees? That’s enough manpower to do the job right.”

“That’s it,” Daryl confirmed. “Cyber-security is so far down the totem pole we hardly count. If it wasn’t for the work of the private-computer and Internet-security companies, we’d be getting nowhere.” She took a pull of water. “Did you read about the airplane?”

Jeff shook his head. “I’ve been in a cocoon. What happened?”

“As I understand it, a British Airways flight from London to New York had an incident over the Atlantic.”

“Don’t tell me it was a Boeing 787?” Jeff had long anticipated such an event given its heavy dependence on computers.

“Yes, indeed, a fly-by-wire, computer-designed-and-operated aircraft.”

“What happened?”

“Apparently the plane began to climb very slowly, and the airspeed dropped while on autopilot. The crew was not alerted and didn’t recognize their danger until it was nearly too late. As it was, the plane stalled at forty thousand feet.”

“Jesus.” Jeff shook his head in disbelief. “Like the Spanair crash last year they think was caused by malware.”

“Yes. They were lucky they were so high. They needed all but a couple thousand of those feet to recover.”

“What happened?”

“We don’t know, but I understand they were only able to save the airplane by rebooting the controlling computer in flight.”

“That took nerve.” Jeff was impressed. Someone had known what to do when the chips were down and had acted on that knowledge.

“More than you can imagine. They had
no
command while the computer was off-line. There is no mechanical backup to the controls. That plane fell like a rock.”

Jeff gave a low whistle. “That’s a bright crew to manage something like that, under those conditions.”

Daryl raised an eyebrow. “They deserve a medal. But you haven’t heard the best part. When they tried to reboot, the computer locked up. They had to power off. It’s a miracle they got enough control back in time.”

My God,
Jeff thought. He couldn’t imagine anyone having the presence of mind to pull off a stunt like that in such an emergency. Those men really did deserve a medal. Still, those systems should have been secure from infection, and fail-safes should have prevented the need for manual intervention. “What about the redundant systems?”

Other books

The Indian School by Gloria Whelan
Second Thoughts by Jade Winters
Remedy is None by William McIlvanney
Crush by Stefan Petrucha
Silver Shadows by Richelle Mead
The Revelation of Louisa May by Michaela MacColl
The Paris Directive by Gerald Jay
Rugged by Tatiana March
Arc Angel by Elizabeth Avery