A Hidden Killer

This is the first chapter in a story about how an APT can come to life in a real-world setting. This first chapter takes us through how a threat might evolve and how it might affect an ever increasing group of people. All the characters and locations are fictional….

Sergeant McAfee was sure the crimes were linked but was still shaking his head at the sudden change in the perp’s behavior. The last 3 had been simple B and Es with the scum breaking a window or a sliding door to gain entry. Get in, steal the prescriptions, then get out. This was way different and way messier. Messier was an understatement. There was blood everywhere leading back to where poor Mrs. Goldsmith had first been bludgeoned. McAfee figured she made the mistake of getting up and that must have pissed the perp off quite a bit. Had it not been for the torn prescription bag in the kitchen he might never have had the hunch to link the crimes. Hell, as it was he still wasn’t sure. The CSI guys were on their way and it would soon be their problem.
“Hey sarge, got a woman here that says she’s with the L.A. Times, says she knows you.”
Crap, so much for a simple report. “Tell her I’ll be out in a minute and…” He didn’t get a chance to finish his sentence before the tall redhead burst into the room.
“OH MY FREAK’N GOD!” came spewing out of her mouth as she saw the way the room had been decorated with Mrs. Goldsmith’s bodily fluids. Deb Bradsmith had been a crime scene reporter for over 5 years but she still couldn’t get used to some of the things she’d seen. This ranked up there as far as she was concerned. A tiny little old lady lay in the middle of what could only be described as a blood bath. During the attack the perp must have hit an artery in the fragile Mrs. Goldsmith and she bled out trying to reach for her emergency button. She almost made it too. But, time to switch off the emotions and turn on the hard core investigative reporter. The observant, suspicious person that digs and digs and digs. The person that her boyfriend hates. The reporter that the cops dodge and block.
“Sweetheart, you know you can’t be here. I have to wrap things up for the CSI team. You have to go.” He said it and he believed it but he also knew he was going to have to have one of the other uniforms escort her out. He also knew that being a sergeant had about as much pull as being her boyfriend did. Zip. Yep, zip was at the high end of it too. She was here and it was too late. He knew she had completely memorized the entire room in the few seconds she’d been there.
“No need to tell me twice Rick, I’m outa here.” Deb was glad she ate lite at lunch.

Gabriel generally didn’t care about how novatos dealt with their assignments but this new gig made him nervous. Some crappy little caja spits out an address and guys come back with Vicodin and oxycodone proving they’re worthy to join. After all, not everyone can be Mara Salvatrucha. Ya gotta prove yourself! Get’n free drugs was good, but this, this spooky infoshit, it bugged him. Guess it’s a new freak’n world. That’s what the geeks are tell’n him anyway. He liked it better when they just had to beat the crap out of some Blood to get cred. Something to be said for tradición. Where the hell were those two anyways? He threw the paper with the lists on the table with the empty beer bottles and thought they should’a been back hours ago.

Something didn’t add up. Almost like clockwork, these break-ins happened once a week for the last month. Why hadn’t anyone noticed? “Hey Rick, don’t you think it’s weird that these things have been happening about once a week for the last month?” Deb posed the question to her cop boyfriend almost rhetorically.
“Probably takes that long for them to go through the drugs. No mystery there.” and he took another sip of his beer.
There had to be a link, she just wasn’t finding it. “So, we have four attacks in four different places. None of the victims knew each other and all of them were in some kind of severe pain.” They were dying she thought. Thanks to modern medicine, it was just taking longer. “Did you talk to the pharmacies that filled the prescriptions?” Maybe there was a link there.
“Ah…no. Why should we?” It had been a long day and now he was having to go through it again with her. “They were just the place that filled the bottles. Besides, they were all different. Some were CVS, some were Walgreens, and some were done at the hospital where they were seen. All the bottles had different pharmacy logos on them. Even the prescribing doc was different in each case.” The case was bothering him but he was tired and just wanted to rest. Tomorrow was another day.
She knew that trying to get the victims’ names was treading on a thin line, but maybe, just maybe, there was another thread she could pull on. It never hurt to ask… “Do you have a list of the doctors that prescribed the meds?”
What was she thinking? The doctors’ names? OK, he’d bite. “Yepper, I do. Since you asked, it turns out each patient did ask if they needed to tell their doctor about the thefts. I told them that I wasn’t sure but to call them anyway just to be safe. One couple even had two doctors. One for each of them.” That was a memorable conversation. Some people are either married for way too long or just married to the wrong people. He seriously doubted that the husband had conspired with the woman’s doctor to kill her but you never know. He wondered if that’s what he thought about Deb. As a reporter she could be hard to live with but was she the right one? Maybe now, but in 30 years would she still be? “Here ya go.” Maybe she would figure something out.

It was easy money. Each address was 50 bucks. A thirty day supply of vicodin could get $150. The math was easy. Dealing with his customers was not. Every time he dealt with them he felt like he had gotten out with his life. It’s odd how fate can be such a random influence on your life. Stop to help a damsel in distress, find out her boyfriend is MS13, they find out you’re a geek with a vision, they offer to finance that vision or kill you. Again, the math seemed kinda simple. And it more than pays the rent. Speaking of rent, it was time to see if his little money maker had spit out another list.

She was looking right at it but she still couldn’t believe it. It just didn’t make sense. The link was pretty clear, but how? Why? The only conclusion she could come up with was that the doctors had no clue what was going on. Were they conspiring with someone to do this? If it was for drug diversion there were easier ways than prescribing them to a patient then breaking in and stealing them back.
But yet, there it was in front of her face. The only thing that linked the victims was that they all had been seen by doctors at the same hospital.
She didn’t have enough to go to print, but she knew that there was more. Probably a whole lot more. How many people had been broken into that hadn’t reported it to the police? The people that visited that hospital lived all over LA county. Hell, all over Southern California for that matter. She had found the link but how could she get more? Perhaps a discussion with the doctors might give her a clue.

“RICK!!! I got it!” She burst through the front door of his apartment like the hallway was on fire. She threw her oversized purse on the couch and didn’t even care that her Macbook had fallen out. This was clearly serious. She normally paid more attention to where her Macbook was than where her usually empty wallet was.
“You are so not going to believe what I’ve found out! I linked the doctors in your break-ins to the Healthy Forever hospital in downtown LA. I figured that I could interview them for a drug use story and see if I could learn anything.” She was in rapid fire mode now. He wondered how she breathed when she got like this. The talent did come in handy in certain situations though.
“What I learned was that all of them, and a few of their colleagues, had been re-writing prescriptions for lost or stolen meds more than usual for the last two months. Turns out it’s about 7 of them and when they compared notes it turns out it was about 25 patients over the last 8 weeks!”
If she was right, this was serious and it wasn’t a coincidence. They’d talked about it down at the precinct, figuring that it might be something planned. But 25 people in two months and a death was pretty significant. That meant they’d only gotten less than half the picture. Pretty crappy police work if he had to say.
But it made him think so he put on his cop hat and asked, “What about their normal rates of drug loss? You know, kids stealing their parents’ drugs for the party? What did they say about that?”
“Well, they do have a problem, but this was a pretty significant spike. Bad enough that they all got called by their internal compliance folks. They were pretty pissed about that too!”
She was sure that she was on to something here. Somehow these home invasions were linked to the increased prescriptions in some way, she just needed to ferret it out. But she did have some leverage – so far it was only one hospital in the area that she knew of… maybe she could use that to get another piece of the puzzle. Another visit to Healthy Forever she was thinking. Yep, she was good at pretending that she knew more than she really did. Hell, that’s what being an investigative reporter was about! By the time she was done she’d own this sucker!

Stu Baker hated his job. He knew he was much more capable than what he was doing for this loony bin they called a hospital. Every time he turned around some doctor was preening his peacock feathers and telling him how to run his network. “Add my tablet to the network”, or “I need my email on my cell phone”. They were always pushing the limits and doing some stupid shit that he knew was going to cause problems with the freak’n security wonks at corporate. They had no clue what he was up against here. They just spit out stupid and useless policy directives that ate away at his precious time.
And now this. Some “genius” life giving doctor had forgotten his new toy in the consultation area. Well, not this time. No, he wasn’t going out of his way to help this time. From what he remembers, it’s been sitting there under the desk for the last 6 weeks and that’s where it can stay. If they won’t come to him and ask for his help, he wasn’t going to offer any up. Besides, he was sure he’d have some new stupid policy directive to comply with by the time he got back to his desk.

The little geek in front of him was short, pudgy, unshaven, and he smelled. His long black hair was greasy and ready for its weekly washing. He didn’t mind someone being a bit ripe, hell, after wrenching on his ride for a day he could be quite the surprise to someone’s nose. He had to put his compañera in her place one day after she mentioned it in front of his amigos. But this, well, this was over the top. Get the list, give him the money, and send his smelly, greasy ass away. Besides, the guy was so nervous he was starting to make everyone edgy.
“Hey amigo, you got the list?” He was hoping the little geek wouldn’t talk because each time he opened his mouth the room would smell a little fouler. Like something died in his mouth and he tried to wash it out with coffee and cigarettes.
The greasy geek’s eyes darted to the door when Gabriel spoke but he managed to maintain his cool without peeing his pants. “Yeah, I got it. You still up to giving me more money?”
Gabriel thought about it for a second. He thought he could get the list and not have to give him any money but he wasn’t sure that pissing off some cabrón that could have him declared dead in most of the world’s computers was a good thing. Then again, being legally dead could be interesting. “Si, here’s the dinero.” And with that Gabriel grabbed a paper bag with his left hand and tossed it at the geek. “Where’s the list?”
While the geek grabbed for the bag with one hand, his other hand fished around in the back pocket of his dirty jeans and pulled out an envelope. He couldn’t give it to Gabriel fast enough and he was on his way out the door. He could hear them laughing and he knew they were laughing at him but so what. He got what he wanted and they got what they wanted. In Rod’s book that was a “good deal”. Too bad these idiots didn’t use computers or he could handle this all over the web. It was better that way. No people.
Rod had work to do. He was very excited about an update to his software that would allow him to monitor more WiFi traffic with just a bit more overhead. Another week or so of work and he could push it out to his creation. He liked to push the updates in the early morning. Then he could get some sleep during the day and avoid the ugly people that filled the world.

Two more weeks and four more invasions. At least nobody got hurt in the last four but that was probably due to luck and Deb knew it. Her cop boyfriend was starting to get real annoyed at her poking around and he’d even mentioned it one night in bed. Yeah, great foreplay talk “hey honey, stop poking around my crime scenes, let’s have sex”. Gees.
Today she was supposed to talk to some more doctors at Healthy Forever but they were late. That was OK with her because it gave her permission to poke around the hospital with a built in excuse, “Oh, sorry, I was looking for doctor Ledbetter, guess I shouldn’t be here” should work when she got caught where she shouldn’t be.
She had no idea she was about to stumble on the headline of the decade.
“I’m telling you Stu, that’s not one of our boxes! I have NO IDEA where that piece of shit came from. But I’m telling you it’s got a cell connection to it and it’s attached to our WiFi”
“Bullshit”. Stu wasn’t buying this load of crap. Just because he was a doctor he thought he could get away with anything. He ran some new security scanner and now this was his problem for some reason. “It’s not one of my boxes so it HAS to be one of YOURS! Whatever it’s doing, it’s loading up the access points on this floor. It was fine until today. Whatever update or whatever you guys did to it and it’s totally hosed the WiFi bandwidth and it’s annoying the pharmacy computers. I got complaints coming out my ass and it’s going to take me a week to catch up on my text messages.”
Deb knew Doctor John. He was the resident Chief Medical Information Officer for this region. He was pretty savvy but he was no expert. He’d download something, play with it, get folks excited about it, then move on to the next shiny thing he saw without any consideration for the crap he left in his wake. But something interesting was going on here. Both of these guys were so busy banging their dicks on the table that they were talking past each other. Clearly, here was a device that neither of them owned yet it was connected to the network and talking on a cellular link. That could only be bad bad bad. She couldn’t resist. It was like watching a car wreck on a foggy freeway. Yeah, you knew it was going to be bad, but there was nothing you could do about it. At least here she could poke the “drivers” a bit.
“Howyadoin Doc?” Doctor John turned around to see the vivid red head he had talked with a couple of weeks ago. “I’m annoyed. Stu here thinks that I’ve violated policy by placing this device on our network and I’m trying to tell him that I had nothing to do with it”
“And I’ve been trying to tell the Good Doctor here that his little toy has completely hosed the WiFi AND the pharmacy computers and now they can’t get a prescription filled from anywhere in the entire hospital” Stu had to cover his digital butt.
Then it clicked for Deb….
“How long has this box been here?” Stu thought about it for a minute, then grabbed his phone. He remembered he’d made a note about it. “About three months”
“When did it go bad?” Stu didn’t need to think about that one at all, “today at about 9am. Freaking thing has been flooding the pharmacy computers with address requests. It’s clogged the damn WiFi access points too. Everyone is pissed”
She was amazed that she saw it and they didn’t. But they haven’t been following the home invasions and they didn’t have a cop boyfriend. But she did. From her vantage point it was pretty simple and it was time to write the headline. Hopefully these two wouldn’t do too much damage to the box before she figured things out. She was sure she could find out who was behind this. All she had to do was work the situation right and she might have a chance. But she needed them to preserve the box.
But first, she needed to write that headline. “Murder tied to mystery box on Healthy Forever network”. She was sure she’d get a Pulitzer.

Part Two….
“You guys can’t stop the box!” She had to think fast else she’d lose the chance. “I’ve called the cops and they think this is tied to the murder of that little old lady a few weeks ago. That’s destroying evidence and you become an accessory to murder!” She was talking faster than she was thinking but it seemed to be doing the trick. Stu had stopped reaching for the box.
Stu was now officially shitting his pants.

The rest of the story shortly…..


Keeping People Honest

Why would I take the time to sit in front of a computer at night when I sit in front of one all day?
Why would you write a book?
Why would you bicycle across the country?

Clearly not for the money and fame.

You do it because you believe it’s important and it should be done.

That’s why this blog.

Because I think we need to look at things in a different way. We need to ask some hard questions. We may not get immediate answers, but at least the question will be asked and hopefully, just hopefully, there is someone out there that is interested enough to ask the question of someone else. New thoughts, new approaches, new people, and most of all, an open, and (probably at times) caustic discussion. Not mean, not hurtful, but probing and unbiased. People are emotionally invested in the topics of information security and privacy because of the years of effort we’ve put into them.

And on both sides! Those of us that dedicate ourselves to protecting have a counterpart who’s just as dedicated to “freeing” the information. This discussion is as much about technology as it is about ideology. Yes, ideology. For example…

Should you make security obvious or invisible?
Does anyone have a right to any data?
Is risk the only way, or even a good way, to assess security?
Are we winning?
Can we even tell if we’re winning?

Hopefully, this blog and my expressed opinion will spark some discussion on these very subjects. We’re losing the battle right now and we need to figure out why before our industry turns into the punch line of some really bad jokes. And as a side benefit, maybe we can convince some people to do the right thing and use their skills for goodness and niceness instead of badness and evil.

When we don’t ask the hard questions we don’t reach beyond our limits. When we don’t ask questions at all, we enable those that have less than honorable intentions to do what they want without any accountability. It’s about time we start being honest about our abilities, our solutions, and our future.