Darknet Diaries - 165: Tanya

Episode Date: November 4, 2025

Tanya Janca is a globally recognized AppSec (application security) expert and founder of We Hack Purple. In this episode, she shares wild stories from the front lines of cybersecurity. She shares stories of when she was a penetration tester to an incident responder.

You can sign up for her newsletter at https://newsletter.shehackspurple.ca/

Sponsors

Support for this show comes from ThreatLocker®. ThreatLocker® is a Zero Trust Endpoint Protection Platform that strengthens your infrastructure from the ground up. With ThreatLocker® Allowlisting and Ringfencing™, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker® provides Zero Trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware! Learn more at www.threatlocker.com.

This episode is sponsored by Hims. Hims offers access to ED treatment options ranging from trusted generics that cost up to 95% less than brand names to Hard Mints, if prescribed. To get simple, online access to personalized, affordable care for ED, Hair Loss, Weight Loss, and more, visit https://hims.com/darknet.

Support for this show comes from Drata. Drata is the trust management platform that uses AI-driven automation to modernize governance, risk, and compliance, helping thousands of businesses stay audit-ready and scale securely. Learn more at drata.com/darknetdiaries.

Books

Alice and Bob Learn Secure Coding by Tanya Janca
Alice and Bob Learn Application Security by Tanya Janca

Transcript
Starting point is 00:00:00 Hey, it's Jack, host of the show. For a while, I worked at a big company doing security engineering. And every year, someone would come in and do an audit on us, and they would ask us the same question. Do you have a security policy? Yes, of course we do. Is it available for all of your employees to find? Yep, it's right there on SharePoint. But this got me thinking.
Starting point is 00:00:23 Yeah, sure, it was right there in SharePoint. But it was called something ridiculous, like ISP underscore overview or something like that. And ISP stood for information security policy. And it made me wonder, if this document was so important that we would be audited to check to see if we had it and make sure all our employees had access to it, could any of them actually find it if they needed it? Like this policy said stuff like, what are our security objectives?
Starting point is 00:00:50 Who are the people that we escalate things to? What's acceptable in our network and not? Who should be able to access what, as well as what we should do when there's an incident, how often our security training should be, and what our security standards are. So one day, when I was feeling feisty, I decided to do something to make a point. I asked everyone on shift in our network operations center,
Starting point is 00:01:10 hey, you have 15 minutes to find the company's security policy. Winner gets a free item in the vending machine. Go. And everyone started looking. First, they typed security policy in our department's portal. And that actually brought up security policies for some of our customers, which I thought was really cool that our customers were taking their security policy so seriously that they wanted to make sure that their partners had copies of it,
Starting point is 00:01:32 but that wasn't our policy. Then people started looking through their emails. Nope, nothing in our email about security policy. Then they looked at shared drives. They couldn't find anything there. And eventually, a few of them thought to look through SharePoint. And of course, not a single one of them could find it because it had the worst name. And it was in the worst place.
Starting point is 00:01:53 I don't know if you've ever used SharePoint, but it's a place to store documentation and files, and it's an awful mess to navigate and find stuff. None of their searches came close to finding it. And so I just said, all right, everyone, time's up. Thanks for trying. And then I sent an email to our CISO, our chief information security officer. Security policy test, Q1, 10 out of 10 of our NOC technicians could not find our company's security policy after spending 15 minutes trying. And he responded, sounds like your NOC technicians have a hard time finding things. I waited another four months. We got a whole new batch of technicians,
Starting point is 00:02:29 and I tried it again. One guy actually found it. I was really impressed. I also retested all the people that I tested four months ago. One in five remembered where I told them it was. So I sent another email. Nine out of ten of our new hires could not find our security policy. Four out of five of our senior technicians could not find it.
Starting point is 00:02:46 He was like, why do you keep telling me this? Just show them where it is. I wanted him to understand. The problem wasn't my technicians. It was that the security policy was buried way too deep. It was named poorly. And nobody knew where it was. Nobody could find it if they tried, which meant nobody knew what was in it. In my opinion, when there's a document that's so important that auditors ask if you have it and if it's available for employees to find, then it should be way more front
Starting point is 00:03:14 and center. Heck, I even suggested that we should print out a summary of it and tape it above the urinals and sinks in the bathroom so that everyone sees it every time they go to the bathroom. That way the whole company would be familiar with our security policy and know exactly what to do when there's an incident and what's allowed and not allowed. But of course, our security leadership didn't see it that way and never did change the name of it or the location, and we kept passing our audits somehow. Yet nobody in the company ever read it or knew where it was. The politics of office life and compliance. These are true stories from the dark side of the internet. I'm Jack Rhysider.
Starting point is 00:04:05 This is Darknet Diaries. This episode is sponsored by ThreatLocker. Ransomware, supply chain attacks, and zero-day exploits can strike without warning, leaving your business's sensitive data and digital assets vulnerable. But imagine a world where your cybersecurity strategy could prevent these threats. And that's the power of ThreatLocker, Zero Trust Endpoint Protection Platform. Robust cybersecurity is a non-negotiable to safeguard organizations from cyber attacks. ThreatLocker implements a proactive, deny-by-default approach to cybersecurity,
Starting point is 00:04:51 blocking every action, process, and user unless specifically authorized by your team. This least privilege strategy mitigates the exploitation of trusted applications and ensures 24-7-365 protection for your organization. The core of ThreatLocker is its Protect Suite, including application allowlisting, ringfencing, and network control. Additional tools like the ThreatLocker Detect EDR, storage control, elevation control, and configuration manager enhance your cybersecurity posture and streamline internal IT and security operations. To learn more about how ThreatLocker can help mitigate unknown threats in your digital
Starting point is 00:05:25 environment and align your organization with respected compliance frameworks, visit ThreatLocker.com. That's ThreatLocker.com. This episode is brought to you by Drata. Let's face it, if you're leading GRC at your organization, chances are you're drowning in a sea of spreadsheets every day, balancing security, risk, and compliance in an ever-changing landscape of threats and regulatory frameworks that can feel like running a never-ending marathon. Enter Drata, the modern GRC solution designed for leaders like you. Drata automates the tedious tasks, security questionnaire responses, continuous evidence collection, and much more, saving you hundreds of hours. But it's more than just a time saver. It's a scalable
Starting point is 00:06:10 platform that adapts to your organization's needs. Drata gives you one centralized platform to manage your risk and compliance program. Drata empowers you with a whole view of your GRC program and real-time reporting capabilities. With Drata, you can also get access to their powerful trust center, a live, customizable tool that supports you in expediting your never-ending security review requests in the deal process. It's perfect for sharing your security posture with stakeholders or potential customers, cutting down on back-and-forth questions, and building trust at every interaction. Ready to modernize your GRC program and take back your time? Visit drata.com slash darknet
Starting point is 00:06:47 Diaries to learn more. That's spelled D-R-A-T-A. Drata.com slash darknet diaries. Today I have the pleasure of sitting down and hearing stories from Tanya Janca. Thank you for having me. I've been going to a lot of conferences, and time and time again I see Tanya at almost all of them. But not only is she there, but she's almost always giving talks when she's there. She's on a mission and is very driven. I hope software developers write more secure code. Boiled down to a word, that's called AppSec, Application Security. She's laser-focused on how
Starting point is 00:07:24 applications become insecure and how to make them secure. I was a software developer forever, and then someone exploited one of my apps and showed me, and it created this fascination. It was an SQL injection, and it was on the login screen of one of my team's apps, and I was in charge of the team. And so if it's not secure, it's my fault. And I remember he was giving a demonstration to us, and he showed me. He's like, this is one of your apps. I'm going to get past this login screen without a password, and the only reason it's going to take so long is because I'm talking, and it's going to be a minute. He demonstrated how he could easily get past her login screen and showed her how it was done, and she was stunned. Oh, my God!
Starting point is 00:08:13 This was the moment that she saw the whole world differently. Just because there's a right way to use a website, by putting in a username where it says username and a password where it says password, doesn't mean people actually play by those rules and follow the website's logic. If you're clever enough to think outside the box, you can manipulate the website to do things that the developer didn't intend. And we ended up becoming very close friends, and he became my first professional mentor for hacking. This was a career pivot. Instead of building things, she wanted to know how to break things. And all this is happening in Canada, by the way. Tanya was living and working in the capital city of Ottawa. So her new mentor was like,
Starting point is 00:08:54 okay, so you want to be a hacker? I've got some work for you. You can help me do some penetration tests. And she's like, okay, but I'm not exactly sure how. And so he told me on the Friday, okay, so go learn Burp Suite this weekend. There's videos on YouTube. Just go watch them. It's not hard. So she starts watching them. Burp Suite is a tool you use to monitor the packets that go between your computer and an application or a network or website. So you can redirect all your computer's traffic to it, and then Burp Suite will show you, hey, you went to this website and it responded with this code, and then your computer sent this information back, and then this website sent back a cookie, which has this data in it. It's kind of like
Starting point is 00:09:33 getting under the hood of a car, but for network traffic. And Burp Suite is really cool. You can capture that data and replay it if you want. Like maybe you look in the cookie that a website sent you, and it says that your user ID is 5,000. And so what if you change that user ID to 5,001 and then reconnect to the site and present this cookie, which has a different user ID? Will it think that you are a different user? It's kind of like a way to do surgery on the packets that your computer is sending to an application or website. And it's possible to manipulate your packets enough to make the site do some very strange things. So she comes back in on Monday with the basics of Burp Suite understood. And he tells her, okay, great, spend a few hours a day trying
Starting point is 00:10:17 to hack this website and tell me what you find. And he says, I'm going to be observing you silently while you're working. And I just need you to report anything that you find. And I was like, great. And so the first night, I just found really tiny things. The second night, I found really tiny things. And the third night, he kind of gave me a lecture. And he's like, listen, Tanya, you've got to find something. You can't do a pen test and not find something big. I need you to really think outside the box, take off your developer hat, put on your black hat. And so I just tried everything I could think of, and I found server-side request forgery. Now, I didn't understand server-side request. How did you find it? Basically, there was an email field, and I just started
Starting point is 00:11:00 entering in code, and I entered in an email, but then after, I just put in everything I could think of, like all sorts of code, all sorts of stuff. And inadvertently, I started copying and deleting files on the web server. Yeah. And I ended up crashing the production web server. And it turned out I had polluted the database as well. They had to restore both from backup. And so I call my boss, and I'm like, I found something and I have crashed everything. And he's like, what? This is production. You can't crash production! And I'm like, well, I found an exploit. And you told me to prove that I'd exploited it. So like, here's, you know, I took the whole thing down. And he's just, he yelled at me. He was really angry.
Starting point is 00:11:42 And he's like, how did you do it? I'm like, these are all the commands I did. And he's like, well, this is garbage. This shouldn't do anything. And I'm like, well, I guess it did, right? I was like, well, weren't you watching me the whole time? And he's like, no, that's just something I said to make you feel better. And I was like, well, like, what is the client going to say?
Starting point is 00:11:59 And he's like, I'm like, I could talk to them. He's like, no, they don't know that you're testing. I'm like, but you said I'm a subcontractor, right? Like, so like the contract I signed with him that I was subcontracting, that they knew. They had no idea I was on their network. So he had given me the keys to production to some random client. They had no idea I was on there. I destroyed everything.
Starting point is 00:12:19 And he's like, great, now I'm going to get yelled at tomorrow and it's all your fault. I'm like, really? He was really pissed at me. I think they both learned a lesson that day. But Tanya was hooked more than before. To copy and delete files on a web server, all by putting in some code through a form field? Wow, such power. But wow, such weakness. These apps she was seeing are surprisingly weak.
Starting point is 00:12:46 And she was drawn to that. What are other tricks and techniques for making an app give you data that it's not supposed to do or do things that shouldn't let you do? She got more and more into security, wanting to get more hands on with everything related to it. And I kept annoying the security team constantly. I would report security incidents. I would fix all the security bugs. I kept asking if I could use security tools. I volunteered to work on their projects.
Starting point is 00:13:12 And one day they said that I could sit in on an incident and just watch and shut up. And literally, I did not have a seat at the table. They had only so many seats that would actually fit at the table. So I was actually against the wall at the back of the room, just zipping it, being quiet like they told me to. And then I remember them putting all this stuff on the screen and looking at it and being like, oh, that's SQL. Oh, that's pretty bad. And so I said to them, like, I'm seeing code here. We need to look at this.
Starting point is 00:13:49 Can we talk? And they're like, you can read that. And like, just because someone's trying to SQL inject you doesn't mean they're successful, right? But I'm like, someone's attacking us. And every organization is getting attacked all day all the time. But the fact that I could sit there and read code, they were like, oh, she's an asset. And then a few weeks later, they said, oh, we've opened a job on the security team.
Starting point is 00:14:15 And I was like, oh my gosh, I'm going to apply. They're like, obviously it's for you, silly. And so they let me transfer onto the team. And I was just, I was so excited to be a part of their team. With this new position, she proved herself again and again and rose up the ladder, eventually landing in a security leadership position at an organization, which was within the Canadian government. She was in charge of making sure that agency and all its apps were secure.
Starting point is 00:14:40 And one day she came to work and had an email waiting for her. I receive an email from Vice Magazine, and it says, Dear Tanya, we know you work, you know, at this place and that you're the leader of this team. We would like a quote from you for our magazine
Starting point is 00:14:58 about how your data is for sale on the dark web and how you feel that your data is worth only $48 Canadian dollars. And here's a link if you want to see more, and it's a link to Pastebin. And on it it says, you know, here's a sample of the data from the name of my organization, and like, to get more, go here. And then I go there and they're auctioning my data for the Bitcoin equivalent of approximately $48 Canadian dollars,
Starting point is 00:15:29 which is not a lot of money. What a way to be notified that your agency has suffered a data breach by getting an email asking you for a quote on how you feel about your data being for sale. So I talked to my team, I'm like, ah, and all of us are just flabbergasted. We're like, first of all, what is this data? Is this actually our data? And so we're looking through all of our apps. And this is when I realized my app inventory was not complete.
Starting point is 00:15:57 We were missing lots and lots of apps that I did not know about that I'm supposed to be securing. Step one of a data breach like this is to verify that it's your data. Find out which app or database it's from. And this will help you identify maybe which app is vulnerable. But it took them a while to figure out even where this data was in their network. Eventually, they narrow it down and figure out which app this must have come from. And so I go, I find that data is in there. The Pastebin sample does look a little familiar.
Starting point is 00:16:26 And I'm like, oh no. So I go and I talk to my boss, and my boss was so pissed. He was like, have you ever had someone say your name in a way where it sounds like a swear word? There's like, Tanya. Yeah. And I am not really good when people are upset with me. And so I was like, well, sir, I, you know, our data's for sale on the dark web, that's true. But I think the bigger problem is that it's only $48. Don't you feel we're worth more than that? And he was not impressed. Somehow my name was at like a higher pitch the next time he said it. And he's like, you are going to go fix this now. Yikes, there's a leak. Data from the Canadian government is getting leaked. And Tanya is head of security for this department that it got leaked out of.
Starting point is 00:17:13 This is really bad. She pinpointed the application, though, and got the owners of that application together. And I sat down with the team, and they're like, we have no idea what you're talking about. And I showed them, and they said, yep, that's our data. And I said, okay. And one of my team members said, I think we should buy the data to make sure it's an exact match. And it's not like, because they're just showing two or three records on Pastebin. They weren't showing all of it.
Starting point is 00:17:37 And I was like, well, I don't want to give them money because I feel like that's encouraging them. And it feels pretty obvious that, like, if they got three records, why couldn't they get more records? And so then we look at the data, and it's completely unclassified. It was actually data, it turns out, that we had been trying to promote to the Canadian public for quite a while and had been mostly ignored. Like some journalists would look at it for like a media piece or something, but generally like no one was paying attention to the thing. We were hoping that they would.
Starting point is 00:18:12 So we're like, maybe this will help. My boss also did not find that funny. Okay. This wasn't as bad as it seemed. A lot of data within government is in fact unclassified and publicly available. And it seemed like the hacker stole some publicly available data and nothing sensitive was actually taken or sold. But what do you do here?
Starting point is 00:18:29 If a hacker stole data that's publicly available, is it actually stealing? Is there any action to even do here? Like, what's the big deal, right? Yes, this data was public in general, but they had the record ID number, and that's not public. So someone clearly got a copy of our full data set as opposed to just what we wanted to show the public. And every single record, except the ID identifier that we used to look it up, was considered unclassified. so none of it was sensitive in nature. Hmm, I see.
Starting point is 00:19:03 Every line of the database has a unique ID, which aren't important or even sensitive information. However, it's not public information. It's only used for how the database sees the data. So whoever got this had full, readable access to their database. So it was time to drudge through the logs to try to find out what happened.
Starting point is 00:19:24 We had only database logs. We had no web app logs. The app itself did not log at all. It was really old. And so we looked through all the database logs. And very quickly, I figured out what the attacker was doing was one, attacking us on every single statutory holiday. So we in the government would get paid a time and a half if we work overtime.
Starting point is 00:19:50 But if you work a statutory holiday, you get two and a half times your regular pay. And it's policy that unless it's an emergency, you are never booked for on-call or anything like that on those days. So we would never work those days. And so this person, for a year, every single statutory holiday, would start hacking us, basically at midnight, all the way until the next day. And so I started looking through the logs. Well, basically, first I looked at the most recent logs, and then I was like, have I ever
Starting point is 00:20:20 seen these commands before? She did recognize what was happening, at least kind of. She recognized that the commands in the database were trying to do SQL injection. SQL is the type of database used. An injection is where you try to put your own database commands in through the web form field. So, like, when you go to log in on a website, you put your username and password in, right? Well, the website will grab that information and then go check the SQL database to see if your username exists, which an SQL statement might look like, select from table where user equals jack, like if that's my username, right?
Starting point is 00:20:55 And since Jack is what the user typed in, then that's actually what gets queried in the database. Well, what an SQL injection does is it messes with that. Since you're going to take whatever username I type in and search the database for that, what if I type in the username Jack, but then also write something else like Jack or select from table all the passwords. So now if it's vulnerable to this,
Starting point is 00:21:22 it'll take that input and go do this database command. select from table where user equals jack or select from table all passwords. And if it's vulnerable, it might return all the passwords that you ask for. You see how adding extra commands into a form field can trick it to return extra stuff the developers didn't want you to do? To fix this, developers of the apps need to sanitize their apps, not let users put in extra stuff like that, and really restrict what's allowed to be typed in those form fields.
Starting point is 00:21:51 So Tanya recognized this was SQL injection by looking at the database logs. But it didn't quite make sense. It wasn't your classic SQL injection. But this one was doing truths and falses, and I was very confused. So they were looking for this person, and they're always true. And then it would say, and instead of or, which I was not used to. And I would say, and, you know, the name of this table, the first letter is A. And I was like, what?
Starting point is 00:22:20 And. Why do you need and? I'm very confused here. And so I started running them, and almost all of them were false. It would just return an error. There's no one named Jack. And I was like, but there is a person named Jack. And I'm like, but that's because they did the and.
Starting point is 00:22:36 You have to both of them be true. I'm like, this is so weird. So I kept going through and finally one was true. And I'm like, well, what the heck is this? And I look, and it's a letter from one of the names of the fields of that table. And I'm confused. I'm like, why would you look up an A? Like, it was like, is this A, is this B, is this C?
Starting point is 00:23:00 And I was super confused. Well, they fixed that app so that it wasn't vulnerable to SQL injection anymore, but they were still perplexed on how those commands worked, how they got data with those commands. We spent two or three months looking at it, and no matter what we did, we couldn't figure out how they got the data. There were just errors or returning this one record. She never did figure it out.
Starting point is 00:23:21 She ended up leaving that organization, still not understanding how that data got out with those commands. And so then I went to DEF CON. And I did a workshop called Blind SQL Injection. And I was super excited to finally make it into a workshop because I don't know if you know, Jack, but there are long lines. And there's a lot of competition to get those seats. And I made it.
Starting point is 00:23:44 And so here I am at the back of the class. And the teacher is explaining, oh, well, what you're doing when you do blind SQL injection is you are asking questions. And the questions you are asking is either like the names of fields in the database, the names of tables, what's inside a field. So it's like, oh, this record exists? Great. You know, like, is there a field called this? No, is there a field called that? Oh, there is? Is the first letter? Because you can't say return that record. It won't do it with blind SQL injection. Yeah. So the only option you get back is yes or no. So you can ask the database any question, but they're not going to give you data.
Starting point is 00:24:27 They're just going to tell you yes or no. Exactly. And so if it's an error, it's a no. And if you receive the record that you have searched for every time, it's true. And so I went to this workshop and it's like this giant light bulb went up for me. And I was like, oh my gosh. And so I call my old boss and I'm like, I know what happened. And he's like, have you been poking around since you left?
Starting point is 00:24:48 I'm like, no. I went and I took a workshop and I learned and I know exactly what happened. And so I went back and we had a meeting in our special secret room. And that wasn't very secret. Anyway, and we had a meeting. And it's funny because I walked them through the logic of this is how you ask the database questions. And this is how you can know for sure that it's true. So I explained this.
Starting point is 00:25:12 And then all of them except the really, really big boss. The really, really big boss was like, I still don't get it. But everyone else is nodding. So that's fine. So they did exfiltrate our data. And that is what happened. And, okay, so now we know. We're going to take a short ad break here, but stay with us because Tanya is going to tell us more stories about the fires that she's extinguished.
Starting point is 00:25:34 This episode is sponsored by Hims. According to the National Institute of Health, as many as 30 million men in the U.S. experience ED. It's more common than a bad night's sleep. The good news: Hims makes getting access to treatment simple so you can feel like yourself again without distress or awkwardness. Hims offers access to ED treatment options, ranging from trusted generics that cost up to 95% less than brand names to Hard Mints, if prescribed. This isn't one-size-fits-all care that forgets you in the waiting room.
Starting point is 00:26:01 It's your health and goals put first with real medical providers, making sure you get what you need to get results. Think of Hims as your digital front door that gives you back your old self with simple, 100% online access to trusted treatments for ED and more. All in one place. To get simple online access to personalized affordable care for ED, hair loss, weight loss, and more, visit hims.com slash darknet. That's hims spelled H-I-M-S. Hims.com slash darknet for your free online visit. Hims.com slash darknet. Actual price will depend on product and
Starting point is 00:26:35 subscription plan. Featured products include compound drug products, which the FDA does not approve or verify for safety, effectiveness, or quality. Prescription required. See website for details, restrictions, and important safety information. Tanya had a lot of roles at different companies and organizations over time. And at one point, she was leader of incident responders. You know, if there's a severe security problem in the network, it would be her and her team that would manage the problem. She would identify the problem, engage with the right people,
Starting point is 00:27:04 and get working on it. And tell leadership what's happening. And then stay on the incident in order to make sure it gets the resources it needs to get resolved. And so I was the lead of the incident responders. So we had like a guy that did malware analysis, you know, all of those things. And so I was the AppSec expert, as is not surprising, right? And so I would always do the software incidents. I came in to work late one day because I had a dentist appointment.
Starting point is 00:27:29 And I had told my boss, I'd told my team where I was, it was in my calendar, anyone could see. And I come in at maybe 10 a.m. And basically there were two of us that managed incidents, me and this amazing person named Eric. And I come in and all my team is sitting there, including Eric, that is the incident manager. And I'm like, hey, guys, what's up? And they all look really tense. And they're like, there's a really big incident. And everyone's in the really big boardroom.
Starting point is 00:27:56 And I'm like, but Eric's sitting there and I'm standing here. So who's managing the incident? And they're like, some guy named Dan from Help Desk. And I've changed Dan's name because that is what you do. And I was like, what? And they're like, yeah, they wouldn't let us in the room. And I was like, what is happening? They're like, we need you to go in there. They won't listen to us. So I go in and I open the door and they're like, Tanya, where have you
Starting point is 00:28:30 been? I'm like, at the dentist, no cavities. And no one thought that was funny. And they're like, we needed you and you weren't there. Like everyone like stared at me and I'm looking and there is the director of every department, a bunch of managers, and all of the executives from our organization in this room. So this is an extremely expensive meeting. Everyone looks really stressed and upset. And there's, so this was a while ago. So there's like that big huge thing in the middle of the table that was the phone with the giant buttons. And it sounds terrible. And yeah, it's one of those. And there's this guy on the phone named Dan from help
Starting point is 00:29:19 but Dan's helping us, so we don't need you and you can go. And I'm like, I'm not going anywhere. Like, I'm the head of incident response. I'm the incident manager that is on duty now, and I'm doing the thing. I'm like, I've got this, Dan. And he's like, oh no, I have it. I'm handling it. She's like, who the heck is this Dan guy? Dan was from help desk, which is often the front line for office workers when they have problems, right? If your computer stops working, or the internet is out, or you're locked out of your computer, or your password doesn't work. Who are you going to call? Help desk.
Starting point is 00:29:48 And that's where Dan was working. And he was answering a lot of phone calls that day. He just kept getting call after call from that office. People were saying, nothing is working. Managers are in a panic. They can't do their work. People were getting so upset in that office. And I found out later, we had people go home because they'd had, like, at least one panic attack.
Starting point is 00:30:07 Just several people were just too nervous and upset that they actually went home for the day because they just felt very uncomfortable and unsafe. And just call after call was coming into the help desk, and Dan was answering these calls, and he was doing his best to solve the issues. I'm like, okay, so what is happening? So I'm standing there in HQ, our headquarters office. We have a satellite office that's maybe 20 kilometers away, and I am informed that our satellite office is infected with malware.
Starting point is 00:30:34 And I said, oh, someone has malware. No worry, we'll go mop it up. We'll be right there. And they're like, no, no, the building has malware. And I'm like, the building's dumb. It can't have malware. And I laugh. And then someone says, don't call them dumb, they're nice. No, no, no, the people aren't dumb. The building's dumb. And they're like, don't call them dumb. Okay, the building's not smart. And that didn't go well either. I'm like, so a smart refrigerator is internet connected. It's not internet connected. It's cement.
Starting point is 00:31:06 cement does not get malware and they're like dan knows and you don't you weren't even here you were busy at the dentist i got so much flack about the dentist you would not believe but anyway so everyone's very upset i try to calm them down i'm like listen my team will look into this and dan's like we should evacuate they're in danger he's like ramping them up so they are panicking i'm like dan that's not true everything's fine let my team look at this and finally i get everyone i wouldn't I settled, I would say that they were less panicky. I'm like, everyone go back to your desk. I am going to update you in half an hour. I am going to find out what is happening. Everything's going to be okay. And they're like, someone needs to go to the dentist instead of helping us.
Starting point is 00:31:50 But I literally, people were so upset with me. They're furious. So I just dismiss everyone. I hang up on Dan. Dan's not helping. And he said over and over again, the building has malware. We should evacuate. And I was like, no one's evacuating. And so I go back to my desk and I'm like, someone flip on Wireshark. He's claiming the entire building has malware. We all know that's not true. They all respond, but the building's dumb. I'm like, I know.
Starting point is 00:32:17 I know, guys. We all know. Dan has whipped everyone into a frenzy. We need to do something about this now. So we flip it on. And so there are some stereotypes about Canadians, and some of them are true. Like, they take our passport if we're rude.
Starting point is 00:32:33 We all eat putteen. There's many, many stereotypes, and one of the stereotypes is that we love the Winter Olympics. We love watching hockey. We love watching the figure skating. As an entire nation, like, we tune in. We really like it. And so when we turned on Wireshark, we immediately saw every single person in the entire building was going to the exact same site. And the figure skating for the Olympics was on, and Canada was skating.
Starting point is 00:33:04 So there is no malware. The reason why nothing was working is if everyone is live streaming the Olympics, that takes up a ton of bandwidth. So the work that those office workers were supposed to be doing, they couldn't do it because the network was basically clogged up, bogged down. They essentially did a DDoS attack on themselves. And the funny thing was, they had a policy in place that should prevent things like this from happening. We have a policy in the government, or we did at the time, where when the Olympics happened, we knew Canadians are going to Canadian. And so we would make a boardroom in one building, and that was where the Olympics are showing. And so if you need to go see your guy, win his thing, you go and you watch the skating and the twirling and whatever it is you're going to do.
Starting point is 00:33:51 And no one's allowed to stream it because if every single person is streaming, there's no internet. So we block that and make many Canadians cry. and we found out later that some executive had decided, oh, you're going to take a vacation day if you want to watch the Olympics, like, you're here to work, blah, blah, blah, and had gone against policy thinking they were super smart, and this is what had happened, right? And so I call a meeting on the next hour, and I'm already sending emails explaining to everyone, there is no malware, there was never any malware, everything's fine. So I call everyone into the room, I'm like, hi, everyone, everything's fine, everything's cleaned up,
Starting point is 00:34:30 there is no problem. There was no malware. They're like, but when are we going to clean up the malware? I'm like, there never was any. Everyone was just watching the Olympics. The internet slowed down. Everything is fine. It was actually always safe. We do not need to panic. I need you to all go calm your staff, especially the satellite building staff, tell everyone, everything's fine. They were always fine. We just were too busy streaming and not busy enough working. And everyone seemed not super satisfied with that answer, but enough, right? And so everyone left. But going forward, people talked about how that building had had malware for six months.
Starting point is 00:35:15 Like, I couldn't squash the rumor. It didn't matter how many times I corrected people. They're like, yeah, she doesn't believe it. She doesn't know. I'm like, I'm the incident manager. So after it was all fixed and resolved, it was time to pay a visit to the help desk, to help them identify and handle incidents better. So help desk wants to help, right?
Starting point is 00:35:36 Like, people that are really good at help desk, they love literally helping and solving problems. And so they are the first line of everything, right? Like, you call help desk. First of all, you try, you fiddle around yourself, you try to fix it, and if not, you go to them. I go to them, right? If I can't fix it myself, which it happens.
Starting point is 00:35:57 And so this person received this call, and they're like, I know what I'll do. I will solve this problem for them. Because that person, because I know, because I was working at that org, had never had any training about what a security incident looks like. And so what my team did
Starting point is 00:36:13 to solve this problem going forward is we had help desk in and we gave them a training on what security incidents look like and we told them, we will never, ever, ever get angry if you call us and it's a false alarm. I'd rather 20 false alarms
Starting point is 00:36:26 than one where you didn't call and we made a mess. So her and one of our incident managers named Eric gave some training to them. And Eric had a doozy of a story himself to share with the help desk team. So at Eric's last job, he was an incident handler.
Starting point is 00:36:43 If there was a security incident, it would go across his desk. And one day someone from the IT help desk discovered a problem. They were given a computer to fix something on. And when they were looking through the computer for problems, the help desk technician discovered sexually explicit images of children.
Starting point is 00:37:02 And he, understandably, was extraordinarily upset. Yeah, I mean, of course. Seeing images like that, you can't unsee it. It feels like you did something wrong just by taking a look. Well, this IT help desk technician was like, well, that's wrong. The employees shouldn't have this on their computer. And he deleted the images,
Starting point is 00:37:22 and then he was still upset, and he formatted the drive. Which actually makes sense. When people who work in IT help desk see problems, it's usually on them to fix it. Virus on computer, clean it off. Apps installed that are against company policy, delete them. Apps missing, which should be there, install them. Software out of date, update it.
Starting point is 00:37:43 Help desk people are action-oriented. They take control and fix things all day, every day. They're fixing things. So for him to delete these photos seemed like the right thing for him to do. So he calls incident response. He's like, man, I was just fixing problems on some employee's computer, and I found sexually explicit images of children. And this feels like something I should report to you.
Starting point is 00:38:04 And Eric, the incident response manager, is like, okay, wow, thanks for telling me. How bad is it? Real bad? Okay, well, let's be careful here. Can you show me what you found? Essentially, what happened is the entire chain of custody, the evidence was ruined. Because the help desk technician deleted all the evidence and didn't take any screenshots, I mean, how could you take screenshots?
Starting point is 00:38:27 And then he reformatted the hard drive? There was zero proof that what he saw was actually there. So there was nothing for the incident manager to evaluate. But they did report it to HR. They were able to fire that person for violating the acceptable use policy of the computer. But HR was like, hold on. This is actually more than an acceptable use violation. This is illegal.
Starting point is 00:38:53 We should report them to the police. And so they did. But then the police are like, okay, show us the evidence. And they had nothing to provide. There were traces of backups and archives that they could have dug into, but it didn't matter because the chain of custody was broken. So they had nothing admissible to give. So they're unable to prosecute that person.
Starting point is 00:39:14 Man, what a blunder by help desk there, huh? The poor help desk guy, he feels incredible guilt, and the person from help desk ended up in therapy for a long time. Why? Well, probably for two reasons. So one is he felt incredible guilt because he did not know better. So he did what help desk does, which is usually erase, re-format, re-image. And so he did what his training told him to do, right? But meanwhile, he saw things he can't unsee. And he also unintentionally let a very bad criminal go free. And so when I give training on the topic and I talk to help desk, I'm like, I know you want to help. I know you want to help. That's why you're
Starting point is 00:40:03 so good at what you do. But if you see anything that you think looks criminal, you need to call us right away. If you see anything where you're like, this just makes absolutely no sense. I need you to call us right away. Like if all your normal steps to fix something don't work, please call us. And we will come in because we have different tools than you have. So we started this annual training that me and Eric would give, where it was just like these are the things that we need you to know. And the training would just be like 20 minutes. And it was just very basic.
Starting point is 00:40:38 Like, if you see this, call us. We will never, ever be angry. Now, Tanya has been to a lot of conferences. And it's a great way to learn and meet amazing people. But one really cool thing you often see at conferences are CTFs, which stands for Capture the Flash. It's a game where you can form teams and then try to hack into something. Like, there's a computer that's intentionally vulnerable.
Starting point is 00:40:58 And if you can hack into it, you'll see a flag. And if you can get that flag, you'll get points. And the team with the most points wins the CTF challenge. I did do a few CTFs. I went to a bunch the first year, year and a half when I was trying to become a pen tester because I heard they're a great way to learn. And I did learn lots of things. And I also learned that I was always the only female ever where I went.
Starting point is 00:41:21 Everywhere, I'm the only woman, and I was a little tired of that. So I put a note on LinkedIn and said, hey, do any women want to form a CTF team with me? Because I don't want to be the only woman everywhere I go. Where was this going to be? It was going to be in Ottawa. And I ended up having so many women say, yes, we had to form two teams, which was really exciting. I was pretty surprised, and all of them said the same thing. Like, I was curious to go, but I felt like I didn't know enough and I'm always the only women when it and it's weird and so a bunch of us were party dresses which was really fun and and so I was showing them okay so here's this login screen and we're supposed to try to get past the login screen and I'm like I know how to do this I'm sure there's
Starting point is 00:42:06 going to be some sort of SQL injection opportunity and so I was walking them through it the way that my mentor had walked me through it and I showed it to them and then we got in Tanya was able to use SQL injection to bypass the login screen. Basically, when you type in the username and password, the website sends the data to the database. And if they are a match, the database returns true. If they aren't, it returns false. Well, she put in the username field, something that will always return as true. Like, is there a username Tanya or does 1 equal 1?
Starting point is 00:42:38 And because there's an or statement there, and 1 equals 1 is true, the database returns true, no matter what the username is. So since the database returned true, she logged in without providing a valid password. Her teammates were amazed at how she did it and asked her to explain it. Yep, and then two of us got up and did happy dances. And a third one got up and she's like,
Starting point is 00:43:00 hi, I have to go. And we're like, where are you going? And she's like, I have to go to work right now because I am not sure that we are safe from this. And I need to go test every app I've ever built and make sure that it is okay. And I have to go right now. And she literally went to work and spent, apparently she was there quite late
Starting point is 00:43:20 because she came to the CTF, quite blurry eyed the next morning. And I was like, oh, how'd it go? And she's like, we're fine now. And I'm like, now? And she said she had fixed a whole bunch of things. And she's like, what's the next thing I'm going to learn to fix? Let's do this. So in the middle of the CTF, she learned she was vulnerable and ran out of there.
Starting point is 00:43:41 I think she suspected. I don't know if she knew for sure, but she's like, I am shocked. She just, like, ran out of there. So professionally, Tanya has two passions, application development, which is coding and cybersecurity, hacking. And so over time, she simply found her favorite place to be was at the intersection of these two things.
Starting point is 00:44:02 She's given talks and written frameworks on how app developers can write secure apps, which is known as secure coding or application security. Okay, so application security is yelling at devs. Why do you laugh? Why do you laugh? It should be helping devs. It should be helping devs make more secure code and being nice to them, ideally, most the time or all the time, in my opinion.
Starting point is 00:44:30 And so I was in charge of pen testing and doing, like, running and launching their first appSEC program. And so there was five developer teams. I was asking to be able to pen testing. their apps before they went to prod. And I was hoping that they would scan their apps with ZAP for me first. ZAP? Yeah, so ZAP is a dynamic scanning tool that used to be part of OWASP.
Starting point is 00:44:59 And it's the most used dynamic scanner on the planet. And basically, I wanted the developers to scan the app first, and I'd made a grid. So I'm like, if you find this, fix it. If you find that, just ignore it. But the manager of that development team did not want his developers to do any of this. And one of the teams, their manager told me, leave my devs alone.
Starting point is 00:45:20 We don't have time for your crap. I was pretty new to AppSec. It was only my second job in AppSec. And he felt I was inexperienced. And that, in his words, I was a pain in his ass. And I was like, I'm here to help. And he's like, then go away. That would help.
Starting point is 00:45:40 And I was like, listen, like, I need to take a look at your apps for security. He's like, they're fine. Just trust me. And I was like, well, I'd like to talk. He's like, I don't have time. And each time I kept trying to approach him, he was more aggressive. And so the last time I'd talk to him, he'd literally said, go fuck yourself, get the fuck out of my face. And, like, was pointing in my face and pointing away.
Starting point is 00:46:00 And then he just started yelling at me. And so I left. Rude. But this is why I don't want to be a manager. Managers take on too much stress, directives from higher-ups, deadlines with not enough resources to get it done and their team always having problems too and they can't always be transparent about things either like how much their budget is or plans for upcoming layoffs if their manager has a bad day and that rubs off on them and that means
Starting point is 00:46:30 that manager's team has a bad day too or someone like tanya gets yelled at for no reason my boss was like i know what we're going to do we're going to hold a meeting and we're going to tell them about a whole bunch of security incidents and we're going to deputize them and tell them not to tell anyone. So don't worry. I'm like, I'm very worried. And he's like, and it's going to be fine. And then they'll listen. And I was like, this is a terrible idea. And so he invited them in and he explained what it's like when a computer gets malware. And he's like, and then, you know, then this guy on the team, he does the malware analysis and he does this. And you lose all your local files that you should have had and he's like so this is why we don't stick usb keys in our computers and
Starting point is 00:47:14 they're like okay and then like our worst incident recently like there was this app and there was an SQL injection in it and they managed to exfiltrate a whole bunch of our sensitive data we had to report ourselves to the privacy commissioner we ended up having to like because like they attacked the SQL server itself we ended up to having to send that server away for analysis he's like We had to do this, this, and that. And, you know, we ended up spending all these weeks of overtime on it. And he's like, it ended up costing over half a million dollars. And they're like, oh, my gosh.
Starting point is 00:47:52 And he's like, yeah, we could hire five engineers for that. And they're like, oh, my gosh, wow, what a giant screw up. And he's like, that was your app. That was an app that Tanya asked in writing. And she came up and asked you personally if she could test it and you said, no. She has been bugging you for six months and you have not let her test a single one of your apps. Tanya can't do this job by yourself. She needs you.
Starting point is 00:48:16 She needs your help so bad. She keeps asking for it and you keep, you told her to F off. Dude, that's rude. We need you guys. We can't do it without you. Please, please, please, please help us. Let us test stuff. Let us tell you when things are wrong.
Starting point is 00:48:33 Work with us. Please. And the manager was like, oh, my. God, I'm so sorry. I had no idea. And he's like, dude, we spend so much on AppSec. Like, we have, you know, her full time. That costs money. But he's like, there's the tools she has to buy. There's the time it takes. There's when there's an incident happens, it's a mess. Like, we can't do this without you. You guys are so much more important than you realize as this piece of the puzzle. And he's like, I need you to let her test. And I need you to fix things if she says they're serious, please.
Starting point is 00:49:05 and the guy said yes and then everyone chatted a lot and then when everyone walked out the manager that had been so unfriendly with me he came up to me and he put his hand on my shoulder he's like tanya i had no idea how serious this was i'm sorry this will never happen again on my watch we are going to be number one you tell us everything we're going to fix everything our apps are going to be bulletproof this is over and he did it like he would fix all the things. He had them open up their old apps that weren't even on my list, and he had them scanning it with Zapp and fixing things. And like his team, like the next luncheon alert I had, they were all sitting there right at the front eating the bagels because I bribe people with carbs.
Starting point is 00:49:52 And, like, all of them were there, like, the whole team right at the front. We're ready, Tanya. And I was just like, oh my gosh, this is so amazing. And, like, I thought by hiding, like, the, it sounds dumb in retrospect, but he's like, if we show them we've made mistakes, they're not going to trust us anymore. They're going to think we're stupid and we're bad at our jobs. We can't let them know we're having lots of incidents all the time. They'll think we're failures. But in fact, that made sympathy and empathy.
Starting point is 00:50:21 And then it was like a completely different workplace then. Thank you to Tanya Janca for coming on the show and sharing these stories with us. She's written two books, Alice and Bob Learn Application Security and Alice and Bob Learn Secure Coding. She also has a newsletter and would love it if you joined. You can find the newsletter at newsletter.shehackspurple.ca. It's totally free, but it's crammed full of great, helpful information on how to make your apps more secure.
Starting point is 00:50:53 It's holiday time, and you know what your loved ones would love most, a Darknet Diaries T-shirt. And if they don't want something like that, then you tell them to get you one. And by the way, these shirts don't all say Darknet Diaries on them. Most of them are just really cool designs that I came up with. You have to check it out. Go to shop.darknetdiaries.com. The show is created by me, the spaghetti coder, Jack Rhysider.
Starting point is 00:51:13 Our editor is the copy pasta coder, Tristan Ledger. Mixing done by Proximity Sound, and our intro music is by the mysterious Breakmaster Cylinder. One day, I hope to change the world. But I don't have access to the source code. This is Darknet Diaries. Thank you.