Stories About Application Security: You Get What You Git
Application security is no joke. Check out this cautionary tale about a financial services company and their data security breach through email APIs.
I believe that stories are a great way of getting a complex message across to people. I have started what I hope will be a series of short stories on different perspectives of application security. I hope that you enjoy them and get value from them.
Pride. That was what Kumar was feeling at this moment. He realized that he had not even felt this proud when the CRM was released internally and appreciated by the CEO. Richard Grasser (the CEO) had praised the Vulcan CRM Project as a project that had “saved not only millions of dollars in time spent by employees, but had made a positive contribution to their personal lives.” Kumar’s name and picture had appeared in the monthly newsletter that was circulated amongst the nearly 100,000 employees within the Fortune 500 financial services giant.
But, today was different. All this was made possible by some truly “out-of-the-box” thinking by the new CIO, Amy Cho. She had realized that their organization was larger than most software services and product companies the world over. They had thousands of applications and nearly 300 new IT application initiatives in the pipeline. A lot of this was outsourced. She realized that the only way to grapple with the scale of the problem was to build a world-class engineering team within the organization. It didn't matter that they were a “boring financial services company” full of “suits.” They had to do a bit of a makeover. They had to woo the best engineering talent in the world by “walking the talk.” They had to showcase their capabilities, polish their already-shining implementations at scale, and really give their tech image a big boost. In this effort, Kumar and his team were regularly sent to conferences, where they presented the company’s cutting-edge tech in container orchestration, their use of microservices, and so on. These conferences were at the heart of Amy’s strategy, and it was delivering results. Big time. Soon enough, the company’s technology teams started recruiting some quality ‘A’ players, who seemed to want to work for this once-stodgy and, apparently, boring company.
Last month, Amy made her biggest move yet. She managed to convince the management that their organization had to be seen giving back to the community at large. They had so many great products that had been built in-house. She felt that sharing some of them would make a difference to their cause. And, better yet, she wanted to showcase them as the thought leaders that they were.
Open sourcing was something an organization like this wasn’t used to. They were highly conservative in nearly everything they did. After all, they managed billions of dollars in people’s assets. They were regulated in over 150 countries. Word around the campfire was that this was a heavily opposed move, even by Amy’s own Operations Chief. But, she decided to move forward.
Kumar felt that this was necessary. He was happy that Amy was “opening the technology veil” figuratively and giving them an opportunity to explore. One of the first projects selected for the open source initiative was Kumar’s Vulcan CRM product. The Vulcan CRM product had replaced the bank’s aging CRM 2 years ago and had become the mainstay since. Built for scalability and impressive search features, the CRM was a genuine timesaver that had not only sped up operations, but some of its features, like search and the new React frontend, were very easy to use. People all over the company loved it. Kumar and his team would get notes of appreciation from thankful users every day. Up to this moment, this was not a commonplace occurrence in the company.
The team had decided that it was up to Kumar to “do the honors” so to speak. He had worked tirelessly with a small team of five people to deliver this product. He clicked on a button that would make the Git (code) repository for this product public. He clicked on the button, and immediately Greg, a team member who was one of the six standing around Kumar when this happened, fired the confetti gun and cheered loudly. All of them clapped and congratulated themselves. Open source projects were labors of love, and they were all proud of that today. Soon after cake and some drinks, everyone went home, feeling a little more elated that the world would get to actually use the thing that they loved so much.
Maya was running late. She had to get to the café quickly. She had three pick-ups scheduled today. She regretted scheduling all three pickups today. The 101 would be jammed, especially near Palo Alto. She opened up Telegram and texted her first pick-up that she would be 15 mins late. He responded with a thumbs up emoji and told her not to worry. He was in the area and would be there in 2 mins flat after she messaged him. She hated liquidating Ethereum this way, but it had to be done, especially with her new job and everything. But, she told herself that at least the price was good today. And, for the last month, it kept getting better.
Maya had arranged today’s pickups through a P2P cryptocurrency trading site. You could buy/sell Bitcoin or Ethereum through bank accounts, PayPal, or cash. Today, she had to sell three ETH, totaling about $3,500. This was good because she had a lot more in her wallet at her rig at home. But, the only problem was dealing with cash. When you sold Ethereum for cash, you had to do it in person and in cash. You had fewer buyers, and the seller always got screwed out of nearly 5 percent compared to the PayPal and bank options. But, she realized that she couldn’t have any of this trace back to her bank account or PayPal account. So, even with the steep shave on the selling price, cash was a better option. Luckily, she was in the Bay Area, which was full of crypto-nerds and hobbyists. There were thousands of buyers near where she lived — even cash buyers.
She made it a point never to reveal her name. She also made it a point to wear a wig and wear different makeup every time she was involved in a transaction. She always bunched transactions for smaller amounts, never dealing with the same seller twice. Last month, she had to go to Sausalito for her transactions, which was pretty far. She got to the café. All of her pickups were on time. They all seemed relatively harmless. None of them looked like the proverbial “Russian mobster” type. But, then again, she had no clue what mobsters looked like, outside of caricatured villains she had seen in movies.
She quickly drove back home to check on her new creation. She logged into her laptop and connected to her application. Maya was a developer who worked at a leading social media tech company by day. But, by night, she was a freelancer who developed apps that would identify security flaws. She loved finding security flaws, and she had won a bunch of bug bounties from companies like Google and Facebook. Recently, she had built a really nifty crawler that would crawl GitHub repositories for credentials. It would look for passwords, API tokens, and so on. She had recently been contacted by someone on a .onion forum, asking if she could run a service for them. They wanted her to look for email API tokens on GitHub and other repo sites and forward them on. In return, they would pay her for each find, in either Bitcoin or Ethereum. She realized that they were probably spammers who wanted to use genuine email APIs to spam millions of emails all over the world.
She was quite surprised by some of the results from today’s crawl — nearly a thousand results in the last two hours alone. One of the results was particularly amazing. “Wasn’t this a huge financial services company?” she asked herself. What in the world! She checked the URL quickly on GitHub, and there it was: a “FROM email” and an “API token” in a nice and juicy config file. She tried to see if she could find anything else. But, that was it. She quickly opened up a chat window with “lazerboyee2016,” the guy she used to deal with regularly. “I have an email API of a huge bank here. Want it?” she messaged. LazerBoyee — or whoever they were — immediately responded: “Of course.” She realized that this was big if it turned out to be real. “I'll need more for this find — not the usual fee. I need 2X on this find.” LazerBoyee said, “One sec.” A few minutes later he said, “No problem. But, you can only have it if you send in the next two minutes.” She did and, within the hour, LazerBoyee sent her 2X her usual fee in ETH. Today was a good day.
Kumar was on vacation for two weeks. He was going back to India to visit his parents. He hadn’t seen them in nearly a year, and his parents were longing to see him and their grandchildren, who were now growing like weeds.
He was busy packing his suitcase. His flight was at 2 pm. At 7 am, Kumar got a call from Greg. Greg said frantically, “Kumar, did you check your email?” Kumar was a little perturbed but said, “No. I am on vacation, Greg.” Greg cut him off and said, “You have to see this.” Kumar quickly logged in to his email. His face fell when he saw: “Incident Report: 50 million emails sent from CRM Token with phishing message.” His voice had gotten a little shaky now as he spoke to Greg: “Greg, what happened?” Greg responded, clearly fearful himself, “Looks like someone committed the email API token from an email address to GitHub. I guess someone found this and sent 50 million emails from our company.” Kumar sank in his chair, speechless. Greg said, “I think you better come in, dude. I don’t think you can go on vacation now.”
Kumar hung up and immediately left for his office. He sent a text to his wife, “Something big at work. You and the kids might have to go. I am going to have to stay back.”
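The story turns on a config file carrying a FROM email and an email API token being pushed to a public repository. As an added example (not from the article or the company described), here is a small Python pre-publication scan, meant to run over a working tree before a repository is made public, that flags config keys holding long, high-entropy values while ignoring placeholders such as `changeme` or `${VAR}`; the key names, file suffixes, thresholds and the sample config are constructed assumptions.

```python
import math
import re
import tempfile
from pathlib import Path
# Config-style files worth scanning before a repository is made public (assumed list).
CONFIG_SUFFIXES = {".env", ".yml", ".yaml", ".json", ".properties", ".ini", ".cfg", ".toml"}
# Keys that usually carry credentials, in KEY=value, KEY: value or "key": "value" form.
SECRET_LINE_RE = re.compile(r"""(?i)^\s*(?:export\s+)?["']?(?P<key>[\w.-]*(?:api[_-]?token|api[_-]?key|secret|passw(?:or)?d)[\w.-]*)["']?\s*[:=]\s*["']?(?P<val>[^"'\s#,]+)""")
PLACEHOLDERS = {"changeme", "xxx", "null", "none", "todo", "redacted"}

def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens score high, words and placeholders low."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def looks_like_secret(value: str) -> bool:
    # Skip obvious placeholders and variable references; flag long, high-entropy values.
    v = value.strip().strip("\"'")
    if v.lower() in PLACEHOLDERS or v.startswith(("${", "<", "{{")):
        return False
    return len(v) >= 16 and shannon_entropy(v) > 3.0

def scan_file(path: Path) -> list:
    """Return (path, line number, key) for each line that looks like a live credential."""
    findings = []
    for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
        m = SECRET_LINE_RE.match(line)
        if m and looks_like_secret(m.group("val")):
            findings.append((str(path), lineno, m.group("key")))
    return findings

def scan_tree(root: Path) -> list:
    # Dotfiles such as .env have no suffix, so they are matched by name.
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and (path.suffix in CONFIG_SUFFIXES or path.name == ".env"):
            findings.extend(scan_file(path))
    return findings

# Constructed sample config: the token below is made up, not a real credential.
SAMPLE_CONFIG = """\
FROM_EMAIL=alerts@example.com
EMAIL_API_TOKEN=SG.c0nstructedExampleToken-NotReal-9f8e7d6c5b4a
DB_PASSWORD=changeme
OTHER_API_KEY=${VAULT_API_KEY}
"""
def demo() -> list:
    # Write the constructed config into a temp tree, scan it and return (line, key) hits.
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / ".env"
        cfg.write_text(SAMPLE_CONFIG)
        return [(lineno, key) for _, lineno, key in scan_tree(Path(tmp))]
```

Wired into a pre-commit hook or a release checklist, a non-empty result from `scan_tree` is the signal to stop and move the value into a secrets manager before the repository goes public.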
Published at DZone with permission of Abhay Bhargav, DZone MVB. See the original article here.