Bob the Broker and the 'Rashid Connection',
A Work of Fiction

By Mike Dooley

 

NOTE: All characters in this story are fictional, and any resemblance to any real persons, either living or dead, is purely coincidental.  Opinions are those of the author, and do not constitute an endorsement, mandate, or policy of NSDCAR.

 

It was 2:00 a.m. in San Diego, California, and the city slept, curled in slumber against the moonlit waters of the Pacific.

In Karachi, Pakistan it was 2:00 p.m., however, and 22-year-old Rashid Muhammad was just shaking off the effects of a brief nap.  His ear automatically tuned to the faint clicking of the read/write heads on his hard disk drive, reassuring him that the processing continued; he rolled upright and tapped the keyboard, logging in and checking the screen on his computer.   A top-of-the-line Intel box, equipped with dual Pentium-4 processors, and tape, CD, and massive hard disk storage, the unit hummed beneath his desk, connected to the world via a broadband Internet connection Rashid’s employer provided, encouraging him to work extra hours “off the books”.  Logging in, for Rashid, was an associative-memory exercise.  He used great passwords, cobbled together with bits of several quotations and verse numbers from the Qur’an.  Very secure, very difficult to imitate, and virtually impossible to guess.

Rashid had grown up in the glow of computer monitors, the hum and click of telephone switching panels, the eye-fatiguing glare of low-resolution screens and the fanatical devotion to fundamental religious ideals that formed the basis of his devotion to his work.  Rashid’s father, Mahmoud, had been an engineer with British Telecom for many years.  Rashid, as a bright and curious young boy, had accompanied his father on many long tours of duty in the dark halls and whirring catacombs of a rapidly evolving telecommunications company.   Educated in Britain, Rashid enjoyed long exposure to Western civilization, and to its ever-increasing dependence upon the very technology that served the young Pakistani as intellectual sport, daily occupation, and chosen obsession.  In the current geopolitical climate, however, Rashid’s avocation was taking on a couple of new roles: as a weapon, and as a generator of income.

Rashid, you see, was possessed of considerable talent with computers, and his recent employment as a help-desk engineer for a major American software company’s outsourcing vendor provided him ample application for his talents.  Rashid was responsible for operating a sophisticated help-desk software program, used to field calls from American customers, mostly corporate, seeking support for installation and configuration of their anti-virus and tape backup systems.  Rashid, unfortunately, was also becoming a drug addict, thanks to the drastic recent increase in the production of opiates in neighboring Afghanistan.  His often frenzied quests for the finest of euphoric concoctions put him in touch with many criminal elements in Karachi, on an almost daily basis, and his addiction was forcing him further and further into the underworld of Karachi, and further and further into debt.  His contacts and acquaintances would be invaluable in Rashid’s marketing endeavors.  All Rashid needed was the product to market, and he had many, many sources at his fingertips.

Presently, Rashid was monitoring a data feed from his company’s network.  Downloading the entire help-desk incident database was proving a monumental task, but his new hard disk needed breaking in, and there was no better test than transferring the 80 gigabytes of data from his work system to his home computer.

When the file finished loading, Rashid quickly loaded the text search program he’d written in college, and fed it the criteria needed to find, within the huge database, those customer records which contained copious incident attachments, small files containing the details of individual help calls.  These notes represented individual support incidents, how they were handled and by whom, and details of the caller’s network infrastructure and the settings applied when installing their anti-virus and backup software.

Searching further, for key phrases and technical terms used during a support call, Rashid drilled down through the data, and found his way, after many hours of effort, to a record that showed promise.  A real estate broker in Southern California had called for help installing his anti-virus software, and the notes in the file detailed the conversations and attempts that were guided by the dutiful technician who fielded the call.  Also noted were tidbits like an IP address for remote access to the brokerage’s main server computer, and the password needed to gain access to the system.

Far away in San Diego, at 9:00 a.m. sharp the following morning, Bob Clydesdown, REALTOR® and real estate broker, logged into his computer in his fashionable La Jolla office, and immediately loaded his email program.   Scanning swiftly through the forty or fifty new messages awaiting him, Bob’s eye was captured by an interesting subject line.   He giggled as he realized the message was from a friend across town, and he quickly double-clicked with his mouse to open the message.  Following the now-familiar “You gotta see this!” tag line in the email message, Bob eagerly clicked on the attachment icon, fully expecting the usual slightly pornographic but hilariously funny joke picture his buddy was fond of sending his way… he always found such off-the-wall stuff, and Bob enjoyed sharing them with his agents and office staff.

The attachment file opened, but instantly closed again, displaying nothing.  Bob remembered the new security software he’d recently installed, with a lot of hassle and phone calls to some help-desk guy with a thick ‘Hindu’ accent.  He’d finally given up and even considered hiring a local computer guy to come help him out.  The technician at the anti-virus company, (who, by the way, was a Pakistani Moslem with an Urdu accent, but how would Bob know that?), had finally managed to log onto Bob’s server and fix the problems, and the software seemed to be working fine.  But Bob remembered that certain email attachments were not going to be allowed by the new software, so he figured that’s why he couldn’t view his buddy’s little email joke.  Dismissing the issue, and eager to get on with a busy day in real estate, Bob hit the ‘Delete’ key and moved on.

Another thing Bob did not know, at this point, is that the joke from his buddy that arrived in the morning email was not from his buddy.  Instead, it was from our friend Rashid, in Pakistan.  The little attachment Bob clicked on was no humorous picture; rather, it was a compact little file that installed a tiny little program on Bob’s computer.  This program used an Internet protocol, or language, called FTP, short for File Transfer Protocol.  Bob’s computer had just become a remote file server, and Rashid could log in and transfer any of Bob’s files across the world to Karachi, in the blink of an eye.

Bob’s was a typical modern real estate brokerage, equipped with relatively modern technology and only slightly out-of-date software and operating systems, and supported by an outsourced San Diego IT company that could dial in remotely and solve printer problems, perform backups, check the server logs for problems, and various other maintenance tasks.  Occasionally, Bob would have to call for a technician to come out and deal with a bad piece of hardware or an off-and-on Internet connection; every time this happened, Bob winced at the size of the invoice for these services.   Bob was fond of learning as much as he could about his computers, and even doing a little ‘tweaking’ on his own, from time to time, just to assure himself that no overpaid geek was gonna put one over on him!

Rashid, on the other hand, was the consummate do-it-yourselfer, when it came to computers.  And Rashid was now able to log into Bob’s network and download tons of really interesting stuff.  Some of this data was really interesting to Rashid’s contacts and acquaintances, too.  Stuff like credit checks, loan documents, transaction histories, property records, titles, insurance information, and payroll records for Bob’s employees.  All the stuff one might need to, say, assume the identity of someone else.  Very interesting stuff, indeed.

Rashid knew the marketplace of Karachi very well, and had contacts that would pay serious sums of money for the files he’d just copied from Bob Clydesdown’s brokerage in San Diego.  As this data found its way into sophisticated hands, Bob’s clients and employees would never make the connection to Bob’s computers.  They would assume the damage to their bank accounts resulted from paying their bills online, or the last time they bought some camping stuff from the camping superstore’s website, or the time they lost their wallet in Tijuana on the way to the condo in Rosarita.

Bob’s employees followed Bob’s example, too.  Most of them used their first name to log onto Bob’s network, and set their own passwords.  Many of them just used their first name a second time, as their network password.  The “smarter” ones figured out that if they checked the little “remember my password” box on the login screen, they’d never have to remember or type a password again.  The computer would just log them on, automatically.  This was great, because Bob only provided five computers for a 14-agent office, and sharing the desktop workstations was difficult enough, without having to remember passwords, or to log another agent’s account off, before logging on to read email.

Rashid, too, found Bob’s lax computer security a real boon to his efforts.  No matter where on Bob’s network Rashid went exploring, he quickly found a way around any obstacle to his access.  Bob’s payroll software, alone, was worth several hundred dollars in trade for Rashid.  Containing credit card accounts, bank deposit information, names and birthdates of employees and their family members, and even street addresses and phone numbers for each employee, the contents of this comparatively tiny database were an absolute goldmine in the right hands.  Rashid’s hands would never get dirty with this stuff; he had many outlets through which to sell off the information and be rid of it.  Why, this little database alone would probably buy a twin for Rashid’s new high-capacity, high-speed hard disk drive.

Rashid was very careful, in his perusal of Bob’s brokerage’s system.  He never logged on for long, and he monitored the network with a “sniffer” program, that could identify the source of any other connection to the network.  The moment he noted another user logging in, Rashid would discretely disconnect and save any further exploration until a future session.  Most of Rashid’s handy little toolbox of software was engineered to masquerade as normal parts of the Microsoft Windows operating system, anyway, and could only be detected by the best of anti-virus or intrusion-detection software.  And since Rashid’s current employer, by contract, was the very company which marketed the only protection on Bob’s system, Rashid had the inside handle on this little nuisance.  

Indeed, disabling the detection of his clandestine “back door” into Bob’s network was Rashid’s first task every time he connected.  If Bob had been a little more alert, he’d have noticed the little slashed circle over his anti-virus software’s icon, on his Windows toolbar, a dead giveaway that the meager protection Bob enjoyed had been turned off.  Rashid had even chastised himself, on two occasions, for forgetting to turn the protection back on, prior to disconnecting from the network.  Rashid had left a clear trail, far more recognizable than the proverbial breadcrumbs, and any competent system administrator would have found that trail.

But Bob was saving thousands of dollars per year by not hiring an in-house Information Technology Manager, or a security consultant to “harden up” his network.  Bob just didn’t know that he was also giving away thousands of dollars per year in economic impact and millions in emotional stress and heartbreak, to a 22-year-old computer hobbyist in Pakistan.

Bob’s non-secured network is typical of literally millions of small businesses, the world over.  There just isn’t enough money in their budgets for high-dollar consultants and expensive firewall solutions.  To compound the danger, the most common operating systems and office applications on earth have been proven, time and time again, to be vulnerable to hackers, email exploits, malicious scripting, and buffer overflow anomalies, to the point that no network or computer using these software solutions can be deemed secure.

Is there a Rashid Connection in your life?  Are you being watched, tracked, analyzed, and your data stolen?  How would you know?

If you’re a real estate or financing professional, even working from your own home office, you handle personal information that could facilitate identity theft, and you’re responsible, whether you acknowledge it or not, for the security of that data.  Do you have a firewall?  Do you have a consultant or IT expert at your disposal?  Are you training yourself to assume these responsibilities?  Are you going to allow some attorney to take your measure, or fix things before you wind up in court?  Or, are we all going to rely on the Federal Government to handle these issues, legislatively?  That’s always fun.

This is food for thought… and Rashid doesn’t want you to be thinking, does he?

Author's note:  This fictional tale is, obviously, based on real occurrences in today's technology-driven world.  The setting and character structures are not intended to be derogatory to any nationality, race, creed, color, or profession.  Indeed, the settings could have been comprised of any city, country,  nation, and industry  on earth.  The choice of real estate, and of Karachi, Pakistan and San Diego, California reflect direct experiences of the author in real life, fictionalized to make a point. 


July 29th, 2004 - SearchSecurity.com's Today's News:

The HangUP Team, a for-profit malicious code group from Russia, is believed responsible for Download.ject and for the recent rash of Korgo worms that attacked the LSASS vulnerability Microsoft outlined in security bulletin MS04-011. Experts believe the goal of the attack was to deliver malicious code to visitors of an affected Web site that could be used to steal credit card and other information that would then be marketed to organized identity theft markets.

<Back to Tech News>

<Back to NSDCAR Home>