Stories of Application Security: “You Get what you Git”

I believe that stories are a great way of getting a complex message across to people. I have started, what I hope would be a series of short stories on different perspectives of Application Security. I hope that you enjoy them and find value from them. Please RT/circulate and share if you find this idea interesting. Thanks. Here goes….

Pride. That was what Kumar was feeling at this moment. He realized that he had not even felt this proud when the CRM was released internally and appreciated by the CEO. Richard Grasser (the CEO) had praised the Vulcan CRM Project as a project that had “saved not only millions of dollars in time spent by employees, but had made a positive contribution to their personal lives”. Kumar’s name and picture had appeared in the monthly newsletter circulated amongst the nearly 100,000 employees within the Fortune 500 Financial Services giant.

But today was different. All this was made possible by some truly “out-of-the-box” thinking by the new CIO, Amy Cho. She had realized that their organization was larger than most software services and product companies the world over. They had thousands of applications and nearly 300 new IT applications initiatives in the pipeline. A lot of this was outsourced. She realized, that the only way to grapple with the scale of the problem was to build World-class Engineering Teams within the organization. No matter that they were a “boring Financial Services company” full of “suits”. They had to do a bit of a makeover. They had to woo the best engineering talent in the world by “walking the talk”. They had to showcase their capabilities, polish their already-shining implementations at scale and really give their tech-image a big boost. In this effort, Kumar and his team were regularly sent to conferences, where they presented the company’s cutting-edge tech in Container Orchestration, or their use of micro-services and so on. These conferences were at the heart of Amy’s strategy and it was delivering results. Big time. Soon enough, the company’s technology teams started recruiting some quality ‘A’ players, who seemed to want to work for this once-stodgy and apparently boring company.

Last month, Amy made her biggest move yet. She managed to convince the management that their organization had to be seen giving back to the community at large. They had so many great products that had been built in-house. She felt that sharing some of them would make a difference to their cause. And better yet, showcase them as the thought leaders they were.

Open sourcing was something an organization like this, wasn’t used to. They were highly conservative in nearly everything they did. After all, they managed billions of dollars in people’s assets. They were regulated in over 150 countries. Word around the campfire was that, this was a heavily opposed move, even by Amy’s own Operations chiefs. But, she decided to move forward.

Kumar felt that this was necessary. He was happy that Amy was “opening the technology veil” figuratively and giving them an opportunity to explore. One of the first projects that was selected for the open source initiative was Kumar’s Vulcan CRM product. The Vulcan CRM product had replaced the bank’s aging CRM 2 years ago, and had become the mainstay since. Built for scalability and impressive search features, the CRM was a genuine timesaver that had not only sped up operations, but some of the features like the search feature and the shiny new React Front-end were very easy to use. People all over the company loved it. Kumar and his team would get love notes from appreciative users every day. This was not a commonplace occurrence in a company like theirs.

The team had decided that it was up to Kumar to “do the honors” so to speak. He had worked tirelessly with a small team of 5 people to deliver this product. He clicked on a button that would make the Git (code) repository for this product public. He clicked on the button, and immediately Greg, a team member who was one of the 6 standing around Kumar when this happened, fired the confetti gun and cheered loudly. All of them clapped and congratulated themselves. Open source projects were labors of love and they were all proud of that today. Soon after cake and some drinks, everyone went home, feeling a little more elated that the world would get to actually use the thing that they loved so much.

Maya was running late. She had to get to the café quickly. She had three pick-ups scheduled today. She regretted scheduling all three pickups today in Palo Alto. The 101 would be jammed, especially near Palo Alto. She opened up Telegram and texted her first pick-up that she would be 15 mins late. He responded with a thumbs up emoji and told her not to worry. He was in the area and would be there in 2 mins flat after she messaged him. She hated liquidating Ethereum this way, but it had to be done, especially with her new job and everything. But she told herself that at least the price was good today. And for the last month it kept getting better.

Maya had arranged today’s pickups through a P2P cryptocurrency trading site. You could buy/sell bitcoin or ethereum through bank accounts, PayPal or cash. Today she had to sell 3 ETH, totaling to about $3,500. This was good, because she had a lot more in her wallet, at her rig at home. But the only problem was the dealing in cash. When you sold ethereum over cash, you had to do it in person and in cash. You had fewer buyers and the seller always got screwed of nearly 5% over the PayPal and bank options. But she realized that she couldn’t have any of this trace back to her bank account or PayPal account. So, even with the steep shave on the selling price, Cash was a better option. Luckily for her, she was in the Bay Area; Full of cryptonerds and hobbyists. There were thousands of buyers near where she lived, even cash buyers.

She made it a point never to reveal her name. She also made it a point to wear a wig and wear different makeup every time she was involved in a transaction. She always bunched transactions for smaller amounts, never dealing with the same seller twice. Last month she had to go to Sausalito for her transactions, which was pretty far. She got to the café. All of her pickups were on time. They all seemed relatively harmless. None of them looked like the proverbial “Russian mobster” type. But then again, she had no clue of what mobsters looked like, outside of caricatured villains she had seen in movies.

She quickly drove back home to check on her new creation. She logged into her laptop and connected to her application. Maya was a developer who worked at a leading social media tech company by day. But by night, she was a freelancer who developed some apps would identify security flaws. She loved finding security flaws, and she had won a bunch of bug bounties from companies like Google and Facebook. Recently, she had built a really nifty crawler, that would crawl GitHub repositories for credentials. This would look for passwords, API tokens and so on. She was contacted by someone recently on a .onion forum if she could run a service for them. They wanted her to look for Email API tokens in Github and other repo sites and forward it to them. In return they would pay her for finding this, in Bitcoin or Ethereum. She realized that they were probably spammers who wanted to use genuine Email APIs to spam millions of emails all over the world.

She was quite surprised seeing some of the results from today’s crawl. Nearly a thousand results in the last 2 hours itself. One of the results was particularly amazing. “Wasn’t this a huge financial services company?” She asked herself. What the hell! She checked the URL quickly on GitHub and there it was. A “FROM email” and “API token” in a nice and juicy config file. She tried to see if she could find anything else. But that was it. She quickly opened up a chat window with “lazerboyee2016”, the guy she used to deal with regularly. “I have Email API of a huge bank here. Want it??” she messaged. LazerBoyee or whoever she was immediately responded “Of course.” She realized that this was big, if real. “Ill need more for this find. Not usual fee. I need 2X on this find”. Lazerboyee said “one sec”. A few minutes later he said “No problem. But only if you send in next 2 mins”. She did and within the hour lazerboyee sent her 2x her usual fee in ETH. Today was a good day.

Kumar was on vacation for 2 weeks. He was going back to India to visit his parents. He hadn’t seen them in nearly a year and his parents were longing to see him and their grandchildren, who were now growing like weeds.

He was busy packing his suitcase. His flight was at 2 pm. At 7 am, Kumar got a call from Greg. Greg said frantically “Kumar, did you check your email….” Kumar was a little perturbed, but said “No…. I am on vacation Greg”. Greg cut him off and said “you have to see this…” Kumar quickly logged in to his email. His face fell when he saw “Incident Report: 50 million emails sent from CRM Token with phishing message”. His voice had gotten a little shaky now as he spoke to Greg “Greg…What happened?” Greg responded, clearly fearful himself “Looks like someone committed the Email API Token and a from email address to Github….I guess someone found this and sent 50 million emails as our company”. Kumar sunk in his chair, speechless. Greg said “I think you better come in dude….I don’t think you can go on vacation now”

Kumar hung-up and immediately left for his office. He sent a text to his wife “Something big at work. You and kids might have to go. I am going to have to stay back”.