- Mark Russinovich
Rogue Code Page 2
The other hiker stopped where the trail widened. He was tall, physically fit, with fair hair. He placed his foot on one of the smaller boulders and slowly retied his shoelace. When finished, he lifted the other foot and repeated the process.
Vince thought about the man’s presence for a moment, wondering if it was good or bad. Sheila had suggested this quiet location off the main trail for their first meeting, hinting for the first time at the possibility of romance by mentioning how she often came here alone, wishing someone special were with her.
He chuckled at his thoughts getting ahead of reality. He was about to see a woman he’d first met on Facebook, that’s all. The other hiker meant nothing. You don’t have a private romantic rendezvous on a public hiking trail, he told himself.
Vince scanned back along the trail and saw no one new. He frowned, pulled out his iPhone, and checked for messages. Nothing.
He glanced up. The hiker was finished. He smiled as he approached the Italian, looking as if he were about to say something. That’s when Vince spotted the heavy branch held loosely in his hand.
“Have you seen this?” the hiker asked just as he reached Vince.
Vince looked up into the man’s face, then quickly at the upraised branch and only in that final second of his life did he realize what the branch meant.
2
NEAR WALL STREET
NEW YORK CITY
10:17 A.M.
In the dimly lit room, the frosty glow of flat-screen monitors bathed their faces in a silver light. One of the men licked his lips in anticipation. The other stared keenly at his screen as his fingers raced across the keyboard.
They’d been at this for three intense weeks. Neither had said as much to the other, but both believed that today they’d succeed in penetrating the New York Stock Exchange trading system—at last. First they’d speculated over whether it was even possible. For the last few days, they’d been certain it was.
Once they infiltrated the system, they’d be free to do anything they desired. They’d be able to change whatever they wanted at will, free to bring trading to a halt, free to let it run amok, free to alter billions of dollars in transactions—free to loot any account, anywhere, with impunity and in secret.
Theirs would be digital financial power of nearly unimaginable dimensions. And their electronic trail would be hidden within tens of millions of lines of code and terabytes of monitoring and audit logs.
For all the time they’d worked on this assault, it was not so long as each of them had spent in previous similar operations. Though access and speed were vital components of the Exchange, so too was security. It was essential that its digital walls be perceived as impenetrable, and so the Exchange presented itself to the trading public as a model of security. It could afford the best and brightest and claimed to employ only the most up-to-date and finest security technology.
Which, of course, was nonsense. The so-called walls resembled those of a fortress castle of the Middle Ages, designed and constructed to withstand any siege. Until the invention of the cannon, such fortresses had rarely succumbed to so direct an attack. Instead, when they fell, it was most often because of a vulnerability to an assault team, often no more than two or three men, who found their way beneath, over, or around the outer wall, then through the subsequent protective labyrinth until they’d identified a weak point and exploited it. With that access, they’d leverage the security open and admit the besieging army.
So it was for them as well—except that they were both the assault team and besieging army folded into one.
For these last weeks, the two had probed, managing to approach the core of the NYSE Euronext network from every angle their skill and knowledge allowed. When their efforts had proved a dead end, they retreated and tried again.
But the time had not been wasted, for they’d established which servers they could reasonably expect to compromise. They then spent hours scouring internal Web sites and file servers, scanning documents, spreadsheets, and group user directories. Using bits of information—some from a file here, others from a report posted on a team collaboration site there—they’d determined who in the company had access to these same servers, how they accessed them, and what systems they used.
The work had been tedious, but they were well suited to it, and the time passed quickly. And despite all the setbacks, days of them at a stretch, there’d been steady progress. A fragmented view of the internal organization of the Exchange and its IT infrastructure emerged, like a jigsaw puzzle only partially complete. Systematically they gathered, analyzed, and cataloged every piece of information and document they encountered, as they couldn’t know what detail might prove helpful to them in time.
Once they’d mapped promising paths through the system to their goal, they attempted to inject themselves into points on those paths. In that, they’d had help. Vulnerabilities in software the Exchange used were publicly reported, so instead of crafting a hole on their own, they explored to discover a zero day opening or if the Exchange had failed to patch any bugs. They’d found no zero day opportunities but did find vulnerabilities in at least one application used internally by the Exchange. Their continued efforts led them to code written by FirstReact, a cybersecurity research company that discovered and reported bugs to the Exchange for a substantial fee.
Even then, their attempt at penetration failed with the first three servers they’d targeted. But they persisted and at last hit upon what they’d sought, what they’d been certain would exist if only they persevered. One of those well-educated, highly paid, bright minds on the NYSE Euronext IT team had yet to seal a vulnerability. That was all they’d needed to ooze through the inner workings of the Exchange’s network, and from there it hadn’t taken long to locate a path to the doorway of the trading engine systems. Today, as anticipated, they’d managed to plant their code on that doorway known as a jump server.
Neither had said a word when they realized what they’d done. It was in many ways a sublime moment, best savored privately. After a short pause, one of them began to determine the extent of their penetration, as there was much yet to be done, more barriers to surmount, a complex of security measures to bypass. It would all be demanding, but they had the lever bar in place. When they pressed, it would create a yawning hole they’d exploit relentlessly. Finally, with a sigh of satisfaction, one of the men pushed himself back in his chair and said, “We’ve got them.”
“That was too easy,” the other answered, reaching for a fresh Red Bull.
“You know, we shouldn’t be able to do this.”
“That’s their problem.” He leaned forward. “We still have a long way to go yet.”
Their next step was to establish access known only to them, a simple means to gain entry even after the portal they’d just opened was closed. Known as a backdoor, it would allow them ready access up to the jump server. After the backdoor was installed, they spent several hours setting up a command and control system for their personal use. It would be the external platform from which they could conduct their operations.
In the past, attackers had been compelled to compromise legitimate servers or establish business accounts with hosting companies that rented out servers. Both options were problematic because traffic to outside servers could be suspicious and because renting a server usually required a legitimate credit card. Now, with the advent of public cloud computing, they could instantly establish a trial account using nothing more than a burner cell phone number and set up a free command and control server anonymously.
Next, the pair planted within the system their own carefully crafted code, software that would allow them to remotely send program commands. Those commands, taken as genuine by the system, would enable them to do anything—absolutely anything—once they had full access.
“So,” the taller one said to the other, “just how rich do you want to be?”
3
HASTINGS STREET NE
GRAND RAPIDS, MICHIGAN
3:46 P.M.
“I’m going to see Ryan now!” Connor Stern all but shouted at the shocked woman as he barged by her desk, storming up to the closed door of his broker’s office and pushing it open.
Ryan Kramer looked up, startled. “Connor, I’m—”
Stern slammed the door shut behind him. “You know why I’m here! Don’t pretend you don’t!” He raised his fist above his head. In it he clutched several sheets of paper.
“Connor, sit down. There’s no need for a scene. I can explain it all.”
“That’s what you said over the phone. Well, that isn’t going to work! I’m entitled to answers. More importantly, I’m entitled to my money and I don’t intend to leave without it!”
The telephone rang. Kramer hesitated a moment, then picked it up, gesturing at the chair in front of his desk. Stern appeared to compose himself before taking the seat, and he leaned forward in agitation.
“No,” Kramer said. “Just bring us some water.” He replaced the telephone, then sat back in his chair. “That was Vivian. You scared the hell out of her. She’s afraid to come into the office.” He looked at the man evenly. “Connor, you need to get control of yourself or I’m going to have to call security.”
“Security? I was with your dad for eight years and never had a complaint. When you took over he asked me to stay on, so I did out of respect for him. When my wife and I came to you thirteen years ago and told you our retirement plans, you wrote up this very impressive proposal, with an investment arc that got us where we needed to be. Well, I’m sixty-eight years old now. I had a mild heart attack last month. It’s time to cash out while I still can. We talked about this last week when I gave you the sell order. You of all people know how tough it’s been since the crash, that I’ve had to work three years longer than I wanted. I should be on the beach in Florida right now, planning my next fishing trip.”
Just then, there was a light rap at the door. Kramer’s secretary entered, glancing nervously at Stern. She carried two glasses of water, which she set on coasters on the desk before quietly retreating. Stern licked his lips, then reached forward to take a glass. He was a big man, perhaps thirty pounds overweight, with thinning gray hair and a ruddy complexion. He took a sip, then a long drink before placing his glass back on its coaster.
“You know it’s been hard for me,” he continued. “I’ve run up over a million dollars in debt to keep the company going. I laid off everybody I could. I’ve got a daughter who won’t talk to me, because I had to let her husband go, and he can’t find work. I’ve even had to use my own assets as collateral. I’m upside down in a house I owned free and clear eight years ago. I’ve worked seven days a week to dig myself out of this hole I’m in, one I never caused.” He looked at Kramer, no longer visibly angry.
“We talked, Ryan,” he continued. “We talked a long time before I decided to pull the plug. I needed two million. According to the workup you did, we were supposed to have more than five by now. Okay, I understand that you can’t guarantee a rate of return, that you don’t control the stock market. I get that. Nothing’s certain in this world. We were way down, but when we crawled back up to two million, the missus and I talked. Sell now and we still had some time to retire before old age did us in. I could pay off the debt, give Uncle Sam what I had to give, and we’d have half a million left. That’s not much, not nearly enough for the life we wanted, but it would do. With that money we can buy a cheap condo near Miami, draw on the rest when we had to, living mostly off Social Security. That was the plan. Not much, but we could live with it. Ryan, I told you all this.” Stern raised his fist. “Then you send me this!”
Kramer spread his hands before him defensively. In a measured voice he said, “I didn’t do this to you, Connor.”
“You told me two million! That’s what we were going to get when you executed the order. That’s what you promised!”
“I make it a practice never to promise, Connor. I gave you the prices of the stock in your 401(k) and told you the figure if we executed the order at those prices.”
“That’s right! And I said do it! It wasn’t easy settling for so little. Every dollar over a million four was money in our pocket, money to retire on.”
“I understand.” Kramer glanced at his wristwatch.
“Do you? I don’t think you do. You sit in this fancy downtown office, punching numbers, running spreadsheets, taking your cut. A business your father gave you. You never worked a day in your life to build it up! Tell me, Ryan. You’re not making any less now than if I’d got the full two million, are you?”
“I … I’m getting less. I’d much rather see you get the figure we talked about.”
“‘Figure we talked about’? What’s that? It was two million dollars! Not some figure. It’s my life here. My life!”
“Connor, I executed the order,” Kramer said testily. “I sent you the statement.”
“One million five hundred twenty thousand. That’s what I’ve got here.” Connor shook the papers in his fist. “That leaves just over a hundred thousand after I pay my debts. Then there’s your fee, odds and ends. I ran the numbers, Ryan. Fifty-two thousand dollars. That’s it. No half million. What the hell happened?”
“The sells were supposed to go at specific price points, but the record shows they were executed later than that and at a much lower price. This happens from time to time,” Kramer added archly. “The stock market is volatile. It’s in the paperwork we gave you. It’s just the way the stock market works.”
“I’ll bet the big boys never have it happen to them. No, they get theirs. My order was at the back of the line and got the scraps. You promised me!”
“I never promise.”
“You know what fifty K means to me? Nothing! Absolutely nothing! Maybe we can buy some crummy one-bedroom condo with it. Then we get to scrape by on Social Security, eating dog meat. Medicare’s not free, you know. I’ve still got to pay, and pay through the nose.”
“You can always file for relief.”
“You mean bankruptcy? You’re a moron, that’s what you are. I wish I’d seen it sooner. If I file for bankruptcy, I’ll be tied up in court for two years at least. Two more years of snow and ice. I don’t even know if I’ll be alive in two years! And the lawyers will take every penny I’ve got.” Stern slumped back in his seat. “It wasn’t supposed to be like this. It wasn’t.”
Kramer stared at his watch pointedly.
“Hell,” Stern said in sudden surrender. “Why am I all worked up? With my ticker in the shape it’s in, I haven’t got much time anyway.”
4
CENTRAL PARK
NEW YORK CITY
4:31 P.M.
Jeff Aiken’s shoes slapped the track as he picked up his pace for the final mile. It was good to be running again, good to breathe fresher air, good to be away from the busy Manhattan streets, even if only within the illusion of Central Park.
He followed the old Bridle Path of the Lower Loop because he enjoyed its beauty and because his feet and knees liked the forgiving dirt. He ran steadily, passing a few slower runners, yielding to others. Though hugging the reservoir, from time to time he caught a striking view of the park.
He closed his mind to all thought, focused on his body, the rhythm of the run, the sensations of pain and pleasure that coursed through him. Seeing the end within sight, he kicked into his final sprint, his side aching and his lungs a bit ragged from his recent inactivity. He pressed himself hard.
* * *
More than ten years before, Jeff lost his fiancée at the World Trade Center. Working then for the CIA, he and his team had uncovered clear indicators of the pending 9/11 disaster. But when he met with his superior, he was unable to persuade him or anyone else to act. He even failed to save Cindy’s life, though he’d known she’d be in Manhattan on the probable day of the attack.
They’d spoken just moments before her death.
The experience was devastating. Afterwards he’d left the CIA to start his own cyber security company as he struggled to deal with the tragedy.
Jeff was born the youngest of two sons. When he was six years old, his parents and brother were killed in a two-car accident. He’d been with his grandparents at the time and remained with them thereafter. They were loving surrogate parents. Jeff’s elderly grandfather died when he was a sophomore in high school, and his grandmother passed when he was in college. Until Cindy came along, he’d remained largely a loner.
He’d gone on to obtain his doctorate and then taught at Carnegie Mellon before joining the Cyber Security Division of the CIA’s Information Operations Center. Though he spent most of his time before a computer, he’d played rugby at the University of Michigan and worked to stay fit.
When he’d next been in Manhattan, he went to Ground Zero at the start of the new construction, drawn there by deep emotional currents. But seeing the gaping hole, the busy construction, had offered nothing except painful recollections. Over the long decade following her death, his memories had slowly dimmed, though there were moments when some reminder would bring back the sharp pain of loss.
Now his work had drawn him to Manhattan once again.
He’d loved Cindy deeply and was sure he’d never experience such a relationship again. But later, during the frantic chase to stop a planned al-Qaeda cyberattack on the West, he formed an unexpected bond with Daryl Haugen. He’d known her as a colleague for several years, and both of them were surprised by this development, as neither had been looking for a companion.