165: Tanya
Tanya Janca is a globally recognized AppSec (application security) expert and founder of We Hack Purple. In this episode, she shares wild stories from the front lines of cybersecurity, from her time as a penetration tester through to her work as an incident responder.
You can sign up for her newsletter at https://newsletter.shehackspurple.ca/
Sponsors
Support for this show comes from ThreatLocker®. ThreatLocker® is a Zero Trust Endpoint Protection Platform that strengthens your infrastructure from the ground up. With ThreatLocker® Allowlisting and Ringfencing™, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker® provides Zero Trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware! Learn more at www.threatlocker.com.
This episode is sponsored by Hims. Hims offers access to ED treatment options ranging from trusted generics that cost up to 95% less than brand names to Hard Mints, if prescribed. To get simple, online access to personalized, affordable care for ED, Hair Loss, Weight Loss, and more, visit https://hims.com/darknet.
Support for this show comes from Drata. Drata is the trust management platform that uses AI-driven automation to modernize governance, risk, and compliance, helping thousands of businesses stay audit-ready and scale securely. Learn more at drata.com/darknetdiaries.
Transcript
Speaker 1 Hey, it's Jack, host of the show. For a while, I worked at a big company doing security engineering.
Speaker 1 And every year, someone would come in and do an audit on us, and they would ask us the same question: Do you have a security policy? Yes, of course we do.
Speaker 1 Is it available for all of your employees to find? Yep, it's right there on SharePoint.
Speaker 1 But this got me thinking: yeah, sure, it was right there in SharePoint, but it was called something ridiculous, like ISP underscore overview overview or something like that.
Speaker 1 And ISP stood for information security policy.
Speaker 1 And it made me wonder, if this document was so important that we would be audited to check to see if we had it and make sure all our employees had access to it, could any of them actually find it if they needed it?
Speaker 1 Like this policy said stuff like, what are our security objectives? Who are the people that we escalate things to? What's acceptable in our network and not? Who should be able to access what?
Speaker 1 As well as what we should do when there's an incident, how often our security training should be, and what our security standards are.
Speaker 1 So one day when I was feeling feisty, I decided to do something to make a point.
Speaker 1 I asked everyone on shift at our network operations center, hey, you have 15 minutes to find the company's security policy. Winner gets a free item in the vending machine. Go.
Speaker 1 And everyone started looking. First, they typed security policy in our department's portal.
Speaker 1 And that actually brought up security policies for some of our customers, which I thought was really cool that our customers were taking their security policy so seriously that they wanted to make sure that their partners had copies of it, but that wasn't our policy.
Speaker 1 Then people started looking through their emails. Nope, nothing in our email about security policy. Then they looked at shared drives. They couldn't find anything there.
Speaker 1 And eventually, a few of them thought to look through SharePoint. And of course, not a single one of them could find it because it had the worst name and it was in the worst place.
Speaker 1 I don't know if you've ever used SharePoint, but it's a place to store documentation and files. And it's an awful mess to navigate and find stuff. None of their searches came close to finding it.
Speaker 1 And so I just said, all right, everyone, time's up. Thanks for trying.
Speaker 1 And then I sent an email to our CISO, our chief information security officer. Security policy test, Q1.
Speaker 1 10 out of 10 of our NOC technicians could not find our company's security policy after spending 15 minutes trying.
Speaker 1 And he responded,
Speaker 1 sounds like your NOC technicians have a hard time finding things.
Speaker 1 I waited another four months. We got a whole new batch of technicians. And I tried again. One guy actually found it. I was really impressed.
Speaker 1 I also retested all the people that I tested four months ago. One in five remembered where I told them it was. So I sent another email.
Speaker 1 Nine out of 10 of our new hires could not find our security policy. Four out of five of our senior technicians could not find it. He was like, why do you keep telling me this?
Speaker 1 Just show them where it is.
Speaker 1 I wanted him to understand. The problem wasn't my technicians. It was that the security policy was buried way too deep. It was named poorly and nobody knew where it was.
Speaker 1 Nobody could find it if they tried, which meant nobody knew what was in it.
Speaker 1 In my opinion, when there's a document that's so important that auditors ask if you have it and if it's available for employees to find, then it should be way more front and center.
Speaker 1 Heck, I even suggested that we should print out a summary of it and tape it above the urinals and sinks in the bathroom so that everyone sees it every time they go to the bathroom.
Speaker 1 That way the whole company would be familiar with our security policy and know exactly what to do when there's an incident and what's allowed and not allowed.
Speaker 1 But of course, our security leadership didn't see it that way and never did change the name of it or the location. And we kept passing our audits somehow.
Speaker 1 Yet nobody in the company ever read it or knew where it was.
Speaker 1 Ah, the politics of office life and compliance.
Speaker 2 These are true stories from the dark side of the internet.
Speaker 2 I'm Jack Rhysider.
Speaker 2 This is Darknet Diaries.
Speaker 2 This episode is sponsored by ThreatLocker. Ransomware, supply chain attacks, and zero-day exploits can strike without warning, leaving your business's sensitive data and digital assets vulnerable.
Speaker 2 But imagine a world where your cybersecurity strategy could prevent these threats. And that's the power of ThreatLocker, zero trust endpoint protection platform.
Speaker 2 Robust cybersecurity is a non-negotiable to safeguard organizations from cyber attacks.
Speaker 2 ThreatLocker implements a proactive, deny-by-default approach to cybersecurity, blocking every action, process, and user unless specifically authorized by your team.
Speaker 2 This least privileged strategy mitigates the exploitation of trusted applications and ensures 24-7-365 protection for your organization.
Speaker 2 The core of ThreatLocker is its protect suite, including application allow listing, ring fencing, and network control.
Speaker 2 Additional tools like the ThreatLocker Detect EDR, Storage Control, Elevation Control, and Configuration Manager enhance your cybersecurity posture and streamline internal IT and security operations.
Speaker 2 To learn more about how ThreatLocker can help mitigate unknown threats in your digital environment and align your organization with respected compliance frameworks, visit threatlocker.com.
Speaker 2 That's threatlocker.com.
Speaker 2 This episode is brought to you by Drata.
Speaker 2 Let's face it, if you're leading GRC at your organization, chances are you're drowning in a sea of spreadsheets every day, balancing security, risk, and compliance in an ever-changing landscape of threats and regulatory frameworks that can feel like running a never-ending marathon.
Speaker 2 Enter Drata, the modern GRC solution designed for leaders like you.
Speaker 2 Drata automates the tedious tasks, security questionnaire responses, continuous evidence collection, and much more, saving you hundreds of hours. But it's more than just a time saver.
Speaker 2 It's a scalable platform that adapts to your organization's needs. Drata gives you one centralized platform to manage your risk and compliance program.
Speaker 2 Drata empowers you with a holistic view of your GRC program and real-time reporting capabilities.
Speaker 2 With Drata, you can also get access to their powerful Trust Center, a live, customizable tool that supports you in expediting your never-ending security review requests in the deal process.
Speaker 2 It's perfect for sharing your security posture with stakeholders or potential customers, cutting down on back-and-forth questions and building trust at every interaction.
Speaker 2 Ready to modernize your GRC program and take back your time? Visit drata.com/darknetdiaries to learn more. That's spelled d-r-a-t-a. drata.com/darknetdiaries.
Speaker 1 Today, I have the pleasure of sitting down and hearing stories from Tanya Janca.
Speaker 2 Thank you for having me.
Speaker 1 I've been going to a lot of conferences, and time and time again, I see Tanya at almost all of them. But not only is she there, but she's almost always giving talks when she's there.
Speaker 1 She's on a mission and is very driven.
Speaker 3 I hope software developers write more secure code.
Speaker 1 Boiled down to a word, that's called AppSec, application security. She's laser focused on how applications become insecure and how to make them secure.
Speaker 3 I was a software developer forever, and then someone exploited one of my apps and showed me, and it created this fascination.
Speaker 3 It was an SQL injection, and it was on the login screen of one of my team's apps, and I was in charge of the team. And so, if it's not secure, it's my fault.
Speaker 3 And I remember he was giving a demonstration to us, and he showed me, he's like, this is one of your apps. I'm going to get past this login screen without a password.
Speaker 3 And the only reason it's going to take so long is because I'm talking and it's going to be a minute.
Speaker 1 He demonstrated how he can easily get past her login screen and showed her how it's done. And she was stunned.
Speaker 3 Oh my God.
Speaker 1 This was the moment that she saw the whole world differently.
Speaker 1 Just because there's a right way to use a website by putting in a username where it says username and a password where it says password doesn't mean people will actually play by those rules and follow the website's logic.
Speaker 1 If you're clever enough to think outside the box, you can manipulate the website to do things that the developer didn't intend.
Speaker 3 And we ended up becoming very close friends and he became my first professional mentor for hacking.
Speaker 1 This was a career pivot. Instead of building things, she wanted to know how to break things. And all this is happening in Canada, by the way.
Speaker 1 Tanya was living and working in the capital city of Ottawa. So her new mentor was like, okay, so you want to be a hacker? I've got some work for you. You can help me do some penetration tests.
Speaker 1 And she's like, okay, but I'm not exactly sure how.
Speaker 3 And so he told me on the Friday, okay, so go learn Burp Suite this weekend. There's videos on YouTube. Just go watch them. It's not hard.
Speaker 1 So she starts watching them. Burp Suite is a tool used to monitor the packets that go between your computer and an application or a network or website.
Speaker 1 So you can redirect all your computer's traffic to it.
Speaker 1 And then Burp Suite will show you, hey, you went to this website and it responded with this code and then your computer sent this information back.
Speaker 1 And then this website sent back a cookie which has this data in it. It's kind of like getting under the hood of a car, but for network traffic. And Burp Suite is really cool. You can capture that data and replay it if you want. Like, maybe you look in the cookie that a website sent you and it says that your user ID is 5000. And so what if you change that user ID to 5001 and then reconnect to the site and present this cookie which has a different user ID? Will it think that you are a different user? It's kind of like a way to do surgery on the packets that your computer is sending to an application or website.
Speaker 1 And it's possible to manipulate your packets enough to make the site do some very strange things. So she comes back in on Monday with the basics of Burp Suite understood.
Speaker 1 And he tells her, okay, great. Spend a few hours a day trying to hack this website and tell me what you find.
Speaker 3 And he says, I'm going to be observing you silently while you're working. And I just need you to report anything that you find. And I was like, great.
Speaker 3 And so the first night, I just found really tiny things. The second night, I found really tiny things. And the third night, he kind of gave me a lecture.
Speaker 3 And he's like, listen, Tanya, you've got to find something. You can't do a pen test and not find something big.
Speaker 3 I need you to really think outside the box, take off your developer hat, put on your black hat. And so I just tried everything I could think of, and I found server-side request forgery.
Speaker 3 Now, I didn't understand server-side request forgery.
Speaker 1 How'd you find it?
Speaker 3 Basically, there was an email field, and I just started entering in code.
Speaker 3 And I entered in an email, but then after, I just put in everything I could think of, like all sorts of code, all sorts of stuff.
Speaker 3 And inadvertently, I started copying and deleting files on the web server. Yeah.
Speaker 3 And I ended up crashing the production web server, and it turned out I had polluted the database as well. They had to restore both from backup. And so I call my boss.
Speaker 3 I'm like, I found something and I have crashed everything. And he's like, what? This is production. You can't crash production.
Speaker 3 And I'm like, well, I found an exploit and you told me to, like, prove that I had exploited it. So, like, here's, you know, I took the whole thing down. And he's just, he yelled at me.
Speaker 3 I was really angry. And then he's like, how did you do it? I'm like, these are all the commands I did. And he's like, well, this is garbage. This shouldn't do anything.
Speaker 3 And I'm like, well, I guess it did. Right. I was like, well, weren't you watching me the whole time? And he's like, no, that's just something I said to make you feel better.
Speaker 3 And I was like, well, like, what is the client going to say? And he's like, I'm like, I could talk to them. He's like, no, they don't know that you're testing.
Speaker 3 I'm like, but you said I'm a subcontractor, right? Like, so, like, the contract I signed with him that I was subcontracting that they knew, they had no idea I was on their network.
Speaker 3 So, he had given me the keys to production to some random client. They had no idea I was on there. I destroy everything. And he's like, great.
Speaker 3 Now I'm going to get yelled at tomorrow and it's all your fault. I'm like, really? This is all
Speaker 3 he was really pissed at me.
Speaker 1 I think they both learned a lesson that day, but Tanya was hooked more than before. To copy and delete files on a web server, all by putting in some code through a form field? Wow, such power.
Speaker 1 But wow, such weakness. These apps she was seeing are surprisingly weak. And she was drawn to that.
Speaker 1 What are other tricks and techniques for making an app give you data that it's not supposed to do or do things it shouldn't let you do?
Speaker 1 She got more and more into security, wanting to get more hands-on with everything related to it.
Speaker 3 And I kept annoying the security team constantly. I would report security incidents. I would fix all the security bugs. I kept asking if I could use security tools.
Speaker 3 I volunteered to work on their projects. And one day they said that I could sit in on an incident and just watch and shut up. And literally, I did not have a seat at the table. They had only so many seats that would actually fit at the table.
Speaker 3 So I was actually against the wall at the back of the room, just zipping it, being quiet like they told me to.
Speaker 3 And then I remember them putting all this stuff on the screen and looking at it and being like, oh, that's SQL.
Speaker 3 Oh, that's pretty bad. And so I said to them, like, I'm seeing code here. We need to look at this. Can we, can we talk? And they're like, you can read that?
Speaker 3 And like, just because someone's trying to SQL inject you doesn't mean they're successful, right?
Speaker 3 But I'm like, someone's attacking us. And every organization is getting attacked all day, all the time. But the fact that I could sit there and read code, they were like, oh, she's an asset.
Speaker 3 And then a few weeks later, they said, oh, we've opened a job on the security team. And I was like, oh my gosh, I'm going to apply. They're like, obviously, it's for you, silly.
Speaker 3 And so they let me transfer onto the team. And I was just, I was so excited to be a part of their team.
Speaker 1 With this new position, she proved herself again and again and rose up the ladder, eventually landing in a security leadership position at an organization, which was within the Canadian government.
Speaker 1 She was in charge of making sure that agency and all its apps were secure. And one day she came to work and had an email waiting for her.
Speaker 3 I receive an email from Vice Magazine and it says,
Speaker 3 dear Tanya,
Speaker 3 We know you work, you know, at this place and that you're the leader of this team.
Speaker 3 We would like a quote for you for our magazine about how your data is for sale on the dark web and how you feel about that your data is worth only 48 Canadian dollars.
Speaker 3 And here's a link if you want to see more. And it's a link to Pastebin
Speaker 3 and on it it says, you know, here's a sample of the data from the name of my organization. And like to get more, go here.
Speaker 3 And then I go there and they're auctioning my data for the Bitcoin equivalent of approximately 48 Canadian dollars, which is not a lot of money.
Speaker 1 What a way to be notified that your agency has suffered a data breach by getting an email asking you for a quote on how you feel about your data being for sale.
Speaker 3 So I talked to my team. I'm like, ah!
Speaker 3 And all of us are just flabbergasted. We're like, first of all, what is this data? Is this actually our data? And so we're looking through all of our apps.
Speaker 3 And this is when I realized my app inventory was not complete. We were missing lots and lots of apps that I did not know about that I'm supposed to be securing.
Speaker 1 Step one of a data breach like this is to verify that it's your data. Find out which app or database it's from, and this will help you identify maybe which app is vulnerable.
Speaker 1 But it took them a while to figure out even where this data was in their network. Eventually, they narrow it down and figure out which app this must have come from.
Speaker 3 And so I go, I find it, that data is in there. The Pastebin sample does look a little familiar.
Speaker 3 And I'm like, oh no. So I go and I talk to my boss, and my boss was so pissed. He was, he was like,
Speaker 3 have you ever had someone say your name in a way where it sounds like a swear word? They're just like, Tanya!
Speaker 3 And I am not really good when people are upset with me. And so I was like, well, sir, I, you know, our data is for sale on the dark web. That's true. But I think the bigger problem is that it's only $48.
Speaker 3 Don't you feel we're worth more than that? And he was not impressed.
Speaker 3 Somehow my name was at like a higher pitch the next time he said it. And he's like, you are going to go fix this now.
Speaker 1 Yikes, there's a leak. Data from the Canadian government is getting leaked. And Tanya is head of security for this department that it got leaked out of. This is really bad.
Speaker 1 She pinpointed the application, though, and got the owners of that application together.
Speaker 3 And I sat down with the team and they're like, we have no idea what you're talking about. And I showed them and they said, yep, that's our data. And I said, okay.
Speaker 3 And one of my team members said, I think we should buy the data to make sure it's an exact match. And it's not like, cause they're just showing two or three records on Pastebin.
Speaker 3 They weren't showing all of it. And I was like, well,
Speaker 3 I don't want to give them money because I feel like that's encouraging them. And it feels pretty obvious that, like, if they got three records, why couldn't they get more records?
Speaker 3 And so then we look at the data and it's completely unclassified.
Speaker 3 It was actually data, it turns out, that we had been trying to promote to the Canadian public for quite a while and had been mostly ignored.
Speaker 3 Like some journalists would look at it for like a media piece or something, but generally like no one was paying attention to a thing. We were hoping that they would. So we're like, maybe this will help. My boss also did not find that funny.
Speaker 1 Okay, this wasn't as bad as it seemed. A lot of data within government is in fact unclassified and publicly available.
Speaker 1 And it seemed like the hacker stole some publicly available data and nothing sensitive was actually taken or sold. But what do you do here?
Speaker 1 If a hacker stole data that's publicly available, is it actually stealing? Is there any action to even do here? Like, what's the big deal, right?
Speaker 3 Yes, this data was public in general, but they had the record ID number and that's not public, right?
Speaker 3 So someone clearly got a copy of our full data set as opposed to just what we wanted to show the public.
Speaker 3 And every single record except the ID identifier that we used to look it up was considered unclassified. So none of it was sensitive in nature.
Speaker 1 Hmm, I see. Every line of the database has a unique ID, which isn't important or even sensitive information. However, it's not public information. It's only used for how the database sees the data.
Speaker 1 So whoever got this had full, readable access to their database. So it was time to drudge through the logs to try to find out what happened.
Speaker 3 We had only database logs. We had no web app logs. The app itself did not log at all. It was really old.
Speaker 3 And so we looked through all the database logs and very quickly I figured out what the attacker was doing was one,
Speaker 3 attacking us on every single statutory holiday. So we in the government would get paid a time and a half if we work overtime.
Speaker 3 But if you work a statutory holiday, you get two and a half times your regular pay. And it's policy that unless it's an emergency, you are never booked for on-call or anything like that on those days.
Speaker 3 So we would never work those days. And so this person for a year, every single statutory holiday would start hacking us basically at midnight all the way until the next day.
Speaker 3 And so I started looking through the logs.
Speaker 3 Well, basically, first I looked at the most recent logs and then I was like, have I ever seen these commands before?
Speaker 1 She did recognize what was happening, at least kind of. She recognized that the commands in the database were trying to do SQL injection. SQL is the type of database used.
Speaker 1 And injection is where you try to put your own database commands in through the web form field. So like when you go to log in on a website, you put your username and password in, right?
Speaker 1 Well, the website will grab that information and then go check the SQL database to see if your username exists, which an SQL statement might look like, select from table where user equals Jack, like if that's my username, right?
Speaker 1 And since Jack is what the user typed in, then that's actually what gets queried in the database. Well, what an SQL injection does is it messes with that.
Speaker 1 Since you're going to take whatever username I type in and search the database for that, what if I type in the username Jack, but then also write something else like Jack or select from table all the passwords?
Speaker 1 So now if it's vulnerable to this, it'll take that input and go do this database command. Select from table where user equals Jack or select from table all passwords.
Speaker 1 And if it's vulnerable, it might return all the passwords that you asked for.
Speaker 1 You see how adding extra commands into a form field can trick it to return extra stuff the developers didn't want you to do?
Speaker 1 To fix this, developers of the apps need to sanitize their apps, not let users put in extra stuff like that and really restrict what's allowed to be typed in those form fields.
Speaker 1 So Tanya recognized this was SQL injection by looking at the database logs, but it didn't quite make sense. It wasn't your classic SQL injection.
Speaker 3 But this one was doing trues and falses, and I was very confused. So they were looking for this person and they're always true. And then it would say and instead of or, which I was not used to. And it would say, and, you know, the name of this table, the first letter is A.
Speaker 3 And I was like, what? And?
Speaker 3 Why do you need and?
Speaker 3 I'm very confused here. And so we, I started running them and almost all of them were false. It would just return an error. There's no one named Jack. And I was like, but there is a person named Jack.
Speaker 3 And I'm like, but that's because they did the and. You have to have both of them be true. I'm like, this is so weird. So I kept going through and finally one was true.
Speaker 3 And I'm like, well, what the heck is this? And I look and it's a letter from one of the names of the fields of that table. And I'm confused. I'm like, why, why would you look up an A?
Speaker 3 Like, it was like, is this A? Is this B? Is this C? And I was super confused.
Speaker 1 Well, they fixed that app so that it wasn't vulnerable to SQL injection anymore, but they were still perplexed on how those commands worked, how they got data with those commands.
Speaker 3 We spent two or three months looking at it, and no matter what we did, we couldn't figure out how they got the data. There were just errors for returning this one record.
Speaker 1 She never did figure it out. She ended up leaving that organization, still not understanding how that data got out with those commands.
Speaker 3 And so then I went to DEF CON and I did a workshop called Blind SQL Injection.
Speaker 3 And I was super excited to finally make it into a workshop because I don't know if you know Jack, but there are long lines and there's a lot of competition to get those seats. And I made it.
Speaker 3 And so here I am at the back of the class. And the teacher is explaining, oh, well, what you're doing when you do blind SQL injection is you are asking questions. And the questions you are asking is either like the names of fields in the database, the names of tables, what's inside a field. So it's like, oh, this record exists. Great. You know, like, is there a field called this? No, is there a field called that? Oh, there is. Is the first letter, because you can't say return that record. It won't do it with blindness.
Speaker 1 So the only option you get back is yes or no. So you can ask the database any question, but they're not going to give you data. They're just going to tell you yes or no.
Speaker 3 Exactly. And so if it's an error, it's a no. And if you receive the record that you have searched for every time, it's true. And so I went to this workshop and it's like this giant light bulb went up for me. And I was like, oh my gosh. And so I call my old boss and I'm like, I know what happened.
Speaker 3 And he's like, have you been poking around since you left? I'm like, no. I went and I took a workshop and I learned and I know exactly what happened.
Speaker 3 And so I went back and we had a meeting in our special secret room. And that wasn't very secret. Anyway, and we had a meeting and I, and it's funny because I walked them through the logic of this is how you ask the database questions and this is how you can know for sure that it's true.
Speaker 3 So I explained this and then all of them except the really, really big boss, the really, really big boss was like, I still don't get it, but everyone else is nodding. So that's fine.
Speaker 3 So they did exfiltrate our data and that is what happened. And okay, so now we know.
Speaker 1 We're going to take a short ad break here, but stay with us because Tanya is going to tell us more stories about the fires that she's extinguished.
Speaker 2 This episode is sponsored by Hims. According to the National Institute of Health, as many as 30 million men in the U.S. experience ED. It's more common than a bad night's sleep.
Speaker 2 The good news, Hims makes getting access to treatment simple so you can feel like yourself again without the stress or awkwardness.
Speaker 2 Hims offers access to ED treatment options, ranging from trusted generics that cost up to 95% less than brand names, to Hard Mints if prescribed.
Speaker 2 This isn't one-size-fits-all care that forgets you in the waiting room. It's your health and goals put first with real medical providers, making sure you get what you need to get results.
Speaker 2 Think of Hims as your digital front door that gives you back your old self with simple, 100% online access to trusted treatments for ED and more, all in one place.
Speaker 2 To get simple online access to personalized affordable care for ED, hair loss, weight loss, and more, visit hims.com/darknet. That's Hims, spelled H-I-M-S.
Speaker 2 hims.com/darknet for your free online visit. hims.com/darknet. Actual price will depend on product and subscription plan.
Speaker 2 Featured products include compound drug products, which the FDA does not approve or verify for safety, effectiveness, or quality, prescription required, see website for details, restrictions, and important safety information.
Speaker 1 Tanya had a lot of roles in different companies and organizations over time, and at one point, she was leader of incident responders.
Speaker 1 You know, if there's a severe security problem in the network, it would be her and her team that would manage the problem.
Speaker 1 She would identify the problem, engage with the right people and get working on it and tell leadership what's happening and then stay on the incident in order to make sure it gets the resources it needs to get resolved.
Speaker 3 And so I was the lead of the incident responders. So we had like a guy that did malware analysis, you know, all of those things. And so I was the AppSec expert, as not surprising, right?
Speaker 3 And so I would always do the software incidents. I came into work late one day because I had a dentist appointment. And I had told my boss, I told my team where I was. It was in my calendar.
Speaker 3 Anyone could see. And I come in at maybe 10 a.m. And basically, there were two of us that managed incidents: me and this amazing person named Eric.
Speaker 3 And I come in, and all my team's sitting there, including the Eric that is the incident manager. And I'm like, hey guys, what's up? And they all look really tense.
Speaker 3 And they're like, there's a really big incident, and everyone's in the really big boardroom. And I'm like, but Eric's sitting there and I'm standing here, so who's managing the incident? And they're like, some guy named Dan from Help Desk. And I've changed Dan's name because that is what you do. And I was like, what?
Speaker 3 And they're like, yeah, they wouldn't let us in the room. And I was like, what is happening? They're like, we need you to go in there. They won't listen to us.
Speaker 3 So I go in and I open the door and they're like, Tanya, where have you been? I'm like, at the dentist, no cavities.
Speaker 3 And no one thought that was funny. And they're like, we needed you and you weren't there.
Speaker 3 Like everyone stared at me and I'm looking and there is the director of every department, a bunch of managers and all of the executives from our organization in this room.
Speaker 3 So this is an extremely expensive meeting and everyone looks really stressed and upset. And there's, so this was a while ago. So there was like that big, huge thing in the middle of the table that was the phone with the giant buttons in it. And it sounds terrible. And yeah, it's one of those.
Speaker 3 And there's this guy on the phone named Dan from Help Desk. And they're like, we're, you know, we're having this huge incident and you weren't here and we needed you. And, but Dan's helping us. So we don't need you and you can go.
Speaker 3 And I'm like, I'm not going anywhere. Like, I'm the head of incident response. I'm the incident manager that is on duty now and I'm doing the thing. I'm like, I've got this, Dan.
Speaker 3 And he's like, oh no, I have it. I'm handling it.
Speaker 1 She's like, who the heck is this Dan guy? Dan was from Help Desk, which is often the front line for office workers when they have problems, right?
Speaker 1 If your computer stops working or the internet is out or you're locked out of your computer or your password doesn't work, who are you going to call? Help desk. And that's where Dan was working.
Speaker 1 And he was answering a lot of phone calls that day. He just kept getting call after call from that office. People were saying, nothing is working. Managers are in a panic. They can't do their work.
Speaker 1 People were getting so upset in that office.
Speaker 3 And I found out later we had people go home because they'd had like at least one panic attack.
Speaker 3 Just several people were just too nervous and upset that they actually went home for the day because they just felt very uncomfortable and unsafe.
Speaker 1 And just call after call was coming into the help desk and Dan was answering these calls and he was doing his best to solve the issues.
Speaker 3 I'm like, okay, so what is happening? So I'm standing there in HQ, our headquarters office.
Speaker 3 We have a satellite office that's maybe 20 kilometers away. And I am informed that our satellite office is infected with malware. And I said, oh, someone has malware.
Speaker 3 No worry, we'll go, we'll go mop it up. We'll be right there. And they're like, no, no, the building has malware. And I'm like, the building's dumb. It can't have malware. And I laugh.
Speaker 3 And then someone says, don't call them dumb. They're nice. No, no, no, the people aren't dumb. The building's dumb. And they're like, don't call them dumb. Okay, the building's not smart.
Speaker 3 And that didn't go well either.
Speaker 3 I'm like, so a smart refrigerator is internet connected. It's not internet connected. It's cement. Cement does not get malware. And they're like, Dan knows and you don't. You weren't even here. You were busy at the dentist. I got so much flak about the dentist, you would not believe. But anyway, so everyone's very upset. I try to calm them down.
Speaker 3 I'm like, listen, my team will look into this. And Dan's like, we should evacuate. They're in danger. He's like ramping them up so they are panicking. I'm like, Dan, that's not true.
Speaker 3 Everything's fine. Let my team look at this. And finally, I get everyone. I wouldn't say settled. I would say that they were less panicky. I'm like, everyone, go back to your desk.
Speaker 3 I am going to update you in half an hour. I am going to find out what is happening. Everything's going to be okay. And they're like, Someone needs to go to the dentist instead of helping us, Bob.
Speaker 3 Like literally, people were so upset with me. They're furious. So I dismiss everyone. I hang up on Dan. Dan's not helping. And he keeps, he said over and over again, the building has malware.
Speaker 3 We should evacuate. And I was like, no one's evacuating. And so I go back to my desk and I'm like, someone flip on Wireshark.
Speaker 3 He's claiming the entire building has malware. We all know that's not true. They all respond, but the building's dumb. I'm like, I know.
Speaker 3 I know, guys. We all know. Dan has whipped everyone into a frenzy. We need to do something about this now. So we flip it on.
Speaker 3 And so there are some stereotypes about Canadians, and some of them are true. Like they take our passport if we're rude. We all eat poutine.
Speaker 3 There's many, many stereotypes. And one of the stereotypes is that we love the Winter Olympics. We love watching hockey. We love watching the figure skating.
Speaker 3 As an entire nation, like we tune in. We really like it. And so when we turned on Wireshark, we immediately saw every single person in the entire building was going to the exact same site. And the figure skating for the Olympics was on, and Canada was skating.
Speaker 1 So there is no malware. The reason why nothing was working is if everyone is live streaming the Olympics, that takes up a ton of bandwidth.
Speaker 1 So the work that those office workers were supposed to be doing, they couldn't do it because the network was basically clogged up, bogged down. They essentially did a DDoS attack on themselves.
Speaker 1 And the funny thing was, they had a policy in place that should prevent things like this from happening.
Speaker 3 We have a policy in the government, or we did at the time, where when the Olympics happened, we knew Canadians are going to Canadian.
Speaker 3 And so we would make a boardroom in one building, and that was where the Olympics are showing.
Speaker 3 And so if you need to go see your guy win his thing, you go and you watch the skating and the twirling and whatever it is you're going to do.
Speaker 3 And no one's allowed to stream it because if every single person is streaming, there's no internet.
Speaker 3 So we block that and make many Canadians cry. And we found out later that some executive had decided, oh, you're going to take a vacation day if you want to watch the Olympics. Like you're here to work, blah, blah, blah.
Speaker 3 And had gone against policy thinking they were super smart. And this is what had happened, right?
Speaker 3 And so I call a meeting on the next hour. And I'm already sending emails, explaining to everyone there is no malware. There was never any malware. Everything's fine. So I call everyone into the room. I'm like, hi, everyone. Everything's fine.
Speaker 3 Everything's cleaned up. There is no problem. There was no malware. They're like, but when are we going to clean up the malware? I'm like, there never was any. Everyone was just watching the Olympics.
Speaker 3 The internet slowed down. Everything is fine. It was actually always safe.
Speaker 3 We do not need to panic. I need you to all go calm your staff, especially the satellite building staff. Tell everyone everything's fine. They were always fine. We just were too busy streaming and not busy enough working.
Speaker 3 And everyone seemed not super satisfied with that answer, but enough, right? And so everyone left. But going forward, people talked about how that building had had malware for six months.
Speaker 3 Like I couldn't squash the rumor. It didn't matter how many times I corrected people. They're like, yeah, she doesn't believe it. She doesn't know.
I'm like, I'm the incident manager.
Speaker 1 So after it was all fixed and resolved, it was time to pay a visit to the help desk to help them identify and handle incidents better.
Speaker 3 So help desk wants to help, right? Like people that are really good at help desk, they love literally helping and solving problems. And so they are the first line of everything, right?
Speaker 3 Like you call help desk. First of all, you try, you fiddle around yourself, you try to fix it. And if not, you go to them. I go to them, right? If I can't fix it myself, which it happens.
Speaker 3 And so this person received this call and they're like, I know what I'll do. I will solve this problem for them. Because that person, because I know, because I was working at that org, had never had any training about what a security incident looks like.
Speaker 3 And so what my team did to solve this problem going forward is we had help desk in and we gave them a training on what security incidents look like.
Speaker 3 And we told them, we will never, ever, ever get angry if you call us and it's a false alarm. I'd rather 20 false alarms than one where you didn't call and we made a mess.
Speaker 1 So, she and one of her incident managers named Eric gave some training to them. And Eric had a doozy of a story himself to share with the help desk team.
Speaker 1 So, at Eric's last job, he was an incident handler. If there was a security incident, it would go across his desk. And one day, someone from the IT help desk discovered a problem.
Speaker 1 They were given a computer to fix something on. And when they were looking through the computer for problems, the help desk technician discovered sexually explicit images of children.
Speaker 3 And he understandably was extraordinarily upset.
Speaker 1 Yeah, I mean, of course, seeing images like that, you can't unsee it. It feels like you did something wrong just by taking a look. Well, this IT help desk technician was like, well, that's wrong.
Speaker 1 The employees shouldn't have this on their computer.
Speaker 3 And he deleted the images and then he was still upset and he formatted the drive.
Speaker 1 Which actually makes sense. When people who work in IT help desks see problems, it's usually on them to fix it. Virus on computer, clean it off.
Speaker 1 Apps installed that are against company policy, delete them. Apps missing, which should be there, install them. Software out of date, update it. Help desk people are action-oriented.
Speaker 1 They take control and fix things all day, every day. They're fixing things. So for him to delete these photos seemed like the right thing for him to do.
Speaker 3 So he calls incident response.
Speaker 1 He's like, man, I was just fixing a problem on some employee's computer and I found sexually explicit images of children, and this feels like something I should report to you. And Eric, the incident response manager, is like, okay, wow, thanks for telling me. How bad is it? Real bad. Okay, well, let's be careful here. Can you show me what you found? Essentially, what happened is the entire chain of custody, the evidence, was ruined, because the help desk technician deleted all the evidence and didn't take any screenshots.
Speaker 1 I mean, how could you take screenshots? And then he reformatted the hard drive. There was zero proof that what he saw was actually there. So there was nothing for the incident manager to evaluate.
Speaker 1 But they did report it to HR.
Speaker 3 They were able to fire that person for violating the acceptable use policy of the computer.
Speaker 1 But HR was like, hold on. This is actually more than an acceptable use violation. This is illegal. We should report them to the police. And so they did.
Speaker 1 But then the police are like, okay, show us the evidence. And they had nothing to provide.
Speaker 1 There were traces of backups and archives that they could have dug into, but it didn't matter because the chain of custody was broken. So they had nothing admissible to give.
Speaker 3 So they're unable to prosecute that person.
Speaker 1 Man, what a blunder by help desk there, huh?
Speaker 3 The poor help desk guy, he feels incredible guilt. And the person from help desk ended up in therapy for a long time. Why?
Speaker 3 Well, probably for two reasons. So one is he felt incredible guilt because he did not know better. So he did what Help Desk does, which is usually erase, reformat, reimage.
Speaker 3 And so he did what his training told him to do, right? But meanwhile, he saw things he can't unsee.
Speaker 3 And he also unintentionally let a very bad criminal go free. And so when I give training on the topic and I talk to Help Desk, I'm like, I know you want to help. I know you want to help.
Speaker 3 That's why you're so good at what you do. But if you see anything that you think looks criminal, you need to call us right away.
Speaker 3 If you see anything where you're like, this just makes absolutely no sense, I need you to call us right away.
Speaker 3 Like if all your normal steps to fix something don't work, please call us and we will come in because we have different tools than you have.
Speaker 3 So we started this annual training that me and Eric would give, where it was just like, these are the things that we need you to know. And the training would just be like 20 minutes.
Speaker 3 And it was just very basic. Like, if you see this, call us. We will never, ever be angry.
Speaker 1 Now, Tanya has been to a lot of conferences. It's a great way to learn and meet amazing people. But one really cool thing you often see at conferences are CTFs, which stands for Capture the Flag.
Speaker 1 It's a game where you can form teams and then try to hack into something. Like there's a computer that's intentionally vulnerable. And if you can hack into it, you'll see a flag.
Speaker 1 And if you can get that flag, you'll get points. And the team with the most points wins the CTF challenge.
Speaker 3 I did do a few CTFs. I went to a bunch the first year, year and a half when I was trying to become a pen tester because I heard they're a great way to learn. And I did learn lots of things.
Speaker 3 And I also learned that I was always the only female everywhere I went. Everywhere I'm the only woman. And I was a little tired of that.
Speaker 3 So I put a note on LinkedIn and said, hey, do any women want to form a CTF team with me? Because I don't want to be the only woman everywhere I go.
Speaker 1 Where was this going to be?
Speaker 3 It was going to be in Ottawa.
Speaker 3 And I formed, I ended up having so many women say, Yes, we had to form two teams, which was really exciting. I was pretty surprised. And all of them said the same thing.
Speaker 3 Like, I was curious to go, but I felt like I didn't know enough. And I'm always the only woman when I, and it's weird. And, and so a bunch of us wore party dresses, which was really fun.
Speaker 3 And, um, and so I was showing them, okay, so here's this login screen, and we're supposed to try to get past the login screen. And I'm like, I know how to do this.
Speaker 3 I'm sure there's going to be some sort of SQL injection opportunity. And so I was walking them through it the way that my mentor had walked me through it. And I showed it to them. And then we got in.
Speaker 1 Tanya was able to use SQL injection to bypass the login screen. Basically, when you type in the username and password, the website sends the data to the database.
Speaker 1 And if they are a match, the database returns true. If they aren't, it returns false. Well, she put in the username field, something that will always return as true. Like, is there a user named Tanya?
Speaker 1 Or does one equal one?
Speaker 1 And because there's an or statement there, and one equals one is true, the database returns true, no matter what the username is.
Speaker 1 So since the database returned true, she logged in without providing a valid password. Her teammates were amazed at how she did it and asked her to explain it.
Speaker 3 Yep. And then two of us got up and did happy dances.
Speaker 3 And a third one got up and she's like, hi, I have to go. And we're like, where are you going? And she's like, I have to go to work right now because I am not sure that we are safe from this. And I need to go test every app I've ever built and make sure that it is okay. And I have to go right now.
Speaker 3 And she literally went to work and spent, apparently she was there quite late because she came to the CTF quite bleary-eyed the next morning. And I was like, oh, how'd it go?
Speaker 3 And she's like, we're fine now.
Speaker 3 And I'm like, now? And she said she had fixed a whole bunch of things. And she's like, what's the next thing I'm going to learn to fix? Let's do this.
Speaker 1 So in the middle of CTF, she learned she was vulnerable and ran out of there.
Speaker 3 I think she suspected. I don't know if she knew for sure, but she's like, I am shocked. I am upset. And she just like ran out of there.
Speaker 1 So professionally, Tanya has two passions, application development, which is coding, and cybersecurity, hacking.
Speaker 1 And so over time, she simply found her favorite place to be was at the intersection of these two things.
Speaker 1 She's given talks and written frameworks on how app developers can write secure apps, which is known as secure coding or application security. Okay, so application security is yelling at devs.
Speaker 3 Why do you laugh? Why do you laugh?
Speaker 3 It should be helping devs. It should be helping devs make more secure code and being nice to them, ideally, most of the time or all the time, in my opinion.
Speaker 3 And so I was in charge of pen testing and doing like running and launching their first AppSec program. And so there was five developer teams. I was asking to be able to pen test their apps before they went to prod.
Speaker 3 And I was hoping that they would scan their apps with ZAP for me first. Zap?
Speaker 3 Yeah, so ZAP is a dynamic scanning tool that used to be part of OWASP, and it's the most used dynamic scanner on the planet.
Speaker 3 And basically, I wanted the developers to scan the app first, and I'd made a grid. So, I'm like, if you find this, fix it. If you find that, just ignore it.
Speaker 1 But the manager of that development team did not want his developers to do any of this.
Speaker 3 And one of the teams, their manager, told me, leave my devs alone. We don't have time for your crap.
Speaker 3 I was pretty new to AppSec. It was only my second job in AppSec. And he felt I was inexperienced and that, in his words, I was a pain in his ass.
Speaker 3 And I was like, I'm here to help. And he's like, then go away. That would help. And I was like, listen, like, I need to take a look at your apps for security. He's like, they're fine. Just trust me.
Speaker 3 And I was like, well, I'd like to talk. He's like, I don't have time. And each time I kept trying to approach him, he was more aggressive.
Speaker 3 And so the last time I'd talked to him, he'd literally said, go fuck yourself. Get the fuck out of my face. And like, was pointing in my face and pointing away. And then he just started yelling at me, and so I left.
Speaker 1 Rude. Rude. But this is why I don't want to be a manager. Managers take on too much stress: directives from higher-ups and deadlines with not enough resources to get it done, and their team always having problems too. And they can't always be transparent about things either, like how much their budget is or plans for upcoming layoffs. If their manager has a bad day and that rubs off on them, that means that manager's team has a bad day too.
Speaker 1 Or someone like Tanya gets yelled at for no reason.
Speaker 3 My boss was like, I know what we're going to do.
Speaker 3 We're going to hold a meeting and we're going to tell them about a whole bunch of security incidents and we're going to deputize them and tell them not to tell anyone. So don't worry.
Speaker 3 I'm like, I'm very worried. And he's like, and it's going to be fine. And then they'll listen. And I was like, this is a terrible idea.
Speaker 3 And so he invited them in and he explained what it's like when a computer gets malware.
Speaker 3 And he's like, and then, you know, then this guy on the team, he does the malware analysis and he does this, and you lose all your local files that you should have had.
Speaker 3 And he's like, so this is why we don't stick USB keys in our computers. And they're like, okay.
Speaker 3 And then, like, our worst incident recently, like, there was this app and there was an SQL injection in it. And they managed to exfiltrate a whole bunch of our sensitive data.
Speaker 3 We had to report ourselves to the privacy commissioner. We ended up having to, like,
Speaker 3 because like they attacked the SQL server itself, we ended up having to send that server away for analysis. He's like, we had to do this, this, and that.
Speaker 3 And, you know, we ended up spending all these weeks of overtime on it. And he's like, it ended up costing over half a million dollars.
Speaker 3 And they're like, oh my gosh. And he's like, yeah, we could hire five engineers for that. And they're like, oh, my gosh, wow, what a giant screw up. And he's like, that was your app.
Speaker 3 That was an app that Tanya asked in writing. And she came up and asked you personally if she could test it. And you said no.
Speaker 3 She has been bugging you for six months and you have not let her test a single one of your apps. Tanya can't do this job by herself. She needs you. She needs your help so bad. She keeps asking for it.
Speaker 3 And you keep, you told her to F off, dude, that's rude. We need you guys. We can't do it without you. Please, please, please, please help us. Let us test stuff. Let us tell you when things are wrong.
Speaker 3 Work with us, please. And the manager was like, oh my God, I'm so sorry. I had no idea. And he's like, dude, we spend so much on AppSec. Like, we have, you know, her full time. That costs money.
Speaker 3 But he's like, there's the tools she has to buy. There's the time it takes. There's when an incident happens. It's a mess. Like, we can't do this without you.
Speaker 3 You guys are so much more important than you realize as this piece of the puzzle. And he's like, I need you to let her test and I need you to fix things if she says they're serious, please.
Speaker 3 And the guy said, yes. And then everyone chatted a lot. And then when everyone walked out, the manager that had been so unfriendly with me, he came up to me and he put his hand on my shoulder.
Speaker 3 He's like, Tanya, I had no idea how serious this was. I'm sorry. This will never happen again on my watch. We are going to be number one. You tell us everything. We're going to fix everything.
Speaker 3 Our apps are going to be bulletproof. This is over. And he did it. Like he would fix all the things. He had them open up their old apps that weren't even on my list.
Speaker 3 And he had them scanning it with ZAP and fixing things. And like his team.
Speaker 3 Like the next lunch and learn I had, they were all sitting there right at the front eating the bagels because I bribe people with carbs.
Speaker 3 And like all of them were there, like the whole team right at the front. We're ready, Tanya. And I was just like, oh my gosh, this is so amazing. And like, I thought by hiding like that, it sounds dumb in retrospect, but he's like, if we show them we've made mistakes, they're not going to trust us anymore. They're going to think we're stupid and we're bad at our jobs.
Speaker 3 We can't let them know we're having lots of incidents all the time. They'll think we're failures. But in fact, that made sympathy and empathy.
Speaker 3 And then it was, it was like a completely different workplace then.
Speaker 1 Thank you to Tanya Janca for coming on the show and sharing these stories with us. She's written two books, Alice and Bob Learn Application Security and Alice and Bob Learn Secure Coding.
Speaker 1 She also has a newsletter and would love it if you joined. You can find the newsletter at newsletter.shehackspurple.ca.
Speaker 1 It's totally free, but it's crammed full of great, helpful information on how to make your apps more secure. It's holiday time, and you know what your loved ones would love most?
Speaker 1 A Darknet Diaries t-shirt. And if they don't want something like that, then you tell them to get you one. And by the way, these shirts don't all say Darknet Diaries on them.
Speaker 1 Most of them are just really cool designs that I came up with. You have to check it out. Go to shop.darknetdiaries.com.
Speaker 1 The show is created by me, the spaghetti coder Jack Rhysider.
Speaker 1 Our editor is the copy pasta coder, Tristan Ledger, mixing done by Proximity Sound, and our intro music is by the mysterious Breakmaster Cylinder.
Speaker 1 One day I hope to change the world, but I don't have access to the source code. This is Darknet Diaries.