Authors: Dilshad Mustafa
Tech Job 9 to 9 (10 page)
Murali called
Vinay and Sana. He said operations support team from CDSTP project was facing
some issue. He told them to work with the support team and analyze the root cause
of the problem. He forwarded the emails related to the problem to Vinay.
Vinay and Sana
read through the emails and started debugging the problem. Out of some ten
thousand transactions, a few transactions were getting hung in the middle of
processing. Both of them spent night and day debugging it. It was difficult to
simulate the anomaly in the preproduction system.
A debugger was
a software tool used to help troubleshooting a problem. Vinay had built a debugger
that could swift through log files and connect to queues and read and write
data. Log files were those files where certain information were written to track
whether a particular operation had succeeded or failed and at what date and
time. In case of any failure during the operation, it would contain a trace of
the failure with details like from which function it originated and while doing
what operation along with some data used in the operation. In case of successful
operation, it contained transaction identifier, account number, transaction
amount along with additional data required for audit purpose.
Queues were software
data structures that could be configured to connect data flow between different
software modules. They carried all incoming and outgoing transaction data going
through the network and between the software modules.
Vinay lost his
patience in debugging the problem. He directly logged into the production
system and started tracing the transactions. He connected the debugger to the
production system and started debugging a transaction when he found one particular
file was read from some location in the file system. He opened that file but
found only encrypted characters in the file.
“What is this
file? I don’t remember anything like this in the CDSTP project,” said Vinay.
“Looks like
some dump data,” said Sana.
“We have to
check if it’s a virus, Trojan or malware first. Can you run the anti-virus?”
asked Vinay.
Vinay
reconfigured the debugger to detect all file reads and writes from and to the
system. The debugger showed some forty file reads and some file write
operations. He observed the series of operations was first kicked off by that
strange file he noticed first.
He checked the
code base used for the production build. He went through sections of code but
he was unable to find any chunk of code that related to these operations.
He wanted to
check the integrity of transaction data to eliminate all transaction related
code first. He accessed the outgoing transaction data through network. It
looked like “153.90 549.43 234.45 33.65 567.38…” He accessed the transaction
data from the audit log. It looked like “153.94 549.43 234.47 33.69 567.38…” It
differed in the second decimal place sometimes. The difference in the data was
“0.04 0.00 0.02 0.04 0.00…” He thought it may be a rounding error in the
underlying algorithm.
“It’s just a
general rounding error,” said Sana.
“I hope so. I
don’t find any pattern. Let’s double check. I want to make sure transaction
algorithm is not compromised,” said Vinay.
He wanted to
be sure it’s just a rounding error and there was no pattern. He fed the data
into MathStat tool and studied the deviations. Out of habit for his fascination
for Mathematical curves and equations, he clicked on the “Curve fitting” button.
The tool then fit a series of overlapping sinusoidal waves and splashed an
equation which Vinay was well aware of. It’s a Fourier transform. Vinay was
very sure now the transaction algorithm had been tampered with. The code in the
code base for production was not exactly what was running in the production
right now.
Sana watched
all this and was shocked.
“The second
decimal place, if it’s from six to nine, it’s rounded to five. And if it’s from
one to four, it’s rounded to zero. Many data is untouched in between to hide
the pattern. Why do this way? There are other ways that could have been used
like a random number generator on the time stamp value,” said Sana.
“There may be
code reviews done by the configuration team. They might be using static code
analyzers to do some last minute check before the build. Calls to random number
generator function could be noticed. The Fourier transform has been camouflaged
in to the transaction algorithm and escaped detection by static analyzer,” said
Vinay.
“There is some
clever rounding algorithm at work here. It uses some complex Fourier transforms
but the pattern is very difficult to detect. The credits left after the decimal
round-off is siphoned off to a very cleverly hidden set of account numbers
within Dochamk Bank. It was designed in such a way that none of the audit trace
will reveal it. And finally it goes through a hidden algorithm to funnel the
transactions to some system account numbers. These account numbers look like
test account numbers used in the preproduction environment and is usually used
for testing purpose,” said Vinay.
“Yes. The
preproduction environment is for testing out bug fixes before deploying in to
production environment. It’s a replica of the production environment and is
purely for testing purpose.
So the final
funneling of transactions is done through the preproduction system so that
there won’t be any trace of it in the production system. One of the outgoing
queue there may be secretly linked to the outgoing network queue in the
production system,” said Sana.
Sana opened
the Calculator application and started doing calculations.
“There are two
hundred transactions each second. Let’s assume at least ten transactions are
siphoned off every second. Let’s say on average 0.03 dollar a transaction is
removed. So in ten seconds, three dollars could be removed. So in eight hours, that
is twenty eight thousand and eight hundred seconds, eight thousand and six
hundred and forty dollars could be removed,” said Sana.
“This is
stealing. Who have access to do all that?” said Vinay.
“Lot of people
here have that access,” said Sana.
“I don’t think
so. My login id doesn’t have that access. Type your login id. I will check with
that,” said Vinay.
“No. Your
login id doesn’t have that access as well,” said Vinay.
“You suspect
anyone?” asked Sana.
“I don’t know.
We have to get hold of others login ids and check with the access. That might
help to filter potential suspects,” said Vinay.
“Himesh writes
his login ids and passwords in that notebook in his pedestal. Ashutosh stores
his passwords in his phone. Anil keeps it in his bag. Puneet uses a standard
pattern in his password. Shanthi keeps it in a text file in her desktop.
Satish, we need to find out. Murali, I don’t think he had any login id in the
first place,” said Vinay.
“I believe
only one person we know is technically capable of doing anything like this,”
said Vinay.
“Ashutosh,”
said Sana.
Vinay nodded.
“We have to be
careful. He has become our close friend. Perhaps we can guide him to the right
path,” said Sana.
“I will take
care. Don’t worry. Just get that password from his phone,” said Vinay.
Sometime later
Ashutosh plugged his phone for recharging and went out of ODC. Sana used the
chance to quickly glance through the notes Ashutosh had stored in his phone.
She used Bluetooth connectivity to transfer the notes to her phone.
In the evening
when everyone went for tea beak, she gathered the passwords of everyone. She
also easily got hold of Satish’s password which he had stored in some file
folder in the desktop like Shanthi did. She saved the files to the shared
folder in the network location.
Later that day
when everyone had left, Vinay and Sana tried logging in with the various
passwords to check if any of their login identifier had certain access
permissions to the core system files. Vinay found both Ashutosh and Himesh had
the required access permissions and none of the remaining people had.
Vinay had seen
Ashutosh and Himesh standing together and talking about something many times
before. He had not bothered to ask them what they were discussing. Both of them
had become his close friends. But this act of stealing is too farfetched. He
would not tolerate this act and unless they repair the damage done, this would
become a thorn in their friendship. He had to collect solid evidence before
confronting them.
He checked the
file system, last modified dates and modified by attributes of files. He could
not find anything, not even a single trace that could show Ashutosh’s
involvement. He then checked through the same process using login ids for Himesh
and Satish. Since Satish was the support lead for CDSTP operations, he should
also be included in the suspect list thought Vinay.
When no one
was around, Vinay checked the pedestals of each person. He found only some old
documents and training materials. Nothing suspecting he thought.
“Did you get
any leads?” asked Sana while commuting in the bus.
“No. I don’t
think there would be any trace. If he has done it, then he would be good enough
to erase any trail as well,” said Vinay.
“You still
sure he has done it?” asked Sana.
“I don’t have
any trace to show. But this work, he is capable of doing it. Who else can do
Satish, Puneet? I don’t think so,” replied Vinay.
“What about
somebody from Dochamk Bank itself or somebody from support team?” asked Sana.
“It is
highly possible somebody from Dochamk Bank is involved. But I know the people
in the support team. They are mostly rookies just learning on the job,” said
Vinay.
“I have
noticed more closeness between Himesh and Ashutosh. I have seen them going out
after lunch to somewhere and discussing things in private. I have seen them
many times near Metro Plaza,” said Vinay.
“Ok. But we
need to check on Puneet and Satish as well. We won’t really know what is hiding
in where. I will check them out,” said Sana.
It was a Saturday.
Vinay and Sana were walking near Metro Plaza to have lunch in the food court. Vinay
saw Himesh standing outside the main entrance of the Octos Towers Tech Park.
After few minutes Ashutosh came and they both went inside the Tech Park. Vinay
told Sana he was going to follow them and told her to go home.
Vinay
immediately shadowed them. He made the entries in the security register and
showed his company ID card and went inside the Tech Park making sure they both
won’t notice him following them. He climbed the same shuttle bus Ashutosh and
Himesh climbed and seated far away from them. They got down at Tower 5.
Tower 5, the
center tower in the middle of the mini township hosted the Headquarters of PicoEMG.
Vinay stopped. He knew he could not get access in to the building and follow
Ashutosh and Himesh. Vinay backtracked.
Himesh and
Ashutosh were in a meeting with Ravi on the fortieth floor. Ravi worked as a
PicoEMG Executive. They were discussing about the CDSTP project.
On Monday, Sana
scanned through all the documents in the pedestals used by Puneet and Satish.
She found nothing unusual that aroused her suspicion. There were some cheque
books in each of their pedestals. Many people had accounts with Dochamk Bank
and possessed cheque books from Dochamk Bank.
She then
logged into the CDSTP back-end system and checked for any activity. The
deployment audit log file showed all the entries arranged by file name, modified
by and last modified date. There was one entry in the last line “File cftrnscr
modified by Puneet 03:34 PM”
Later Vinay
and Sana discussed their findings.
“What they are
doing in PicoEMG office? Does that mean somebody from PicoEMG is also involved
in this?” asked Sana.
“Not sure of
anything. But it looks like that. I have noticed them before in Octos Towers
Tech Park entrance. I thought they just went there to meet their friend or
somebody or eat something in one of the food courts there. But I didn’t expect
they are going to PicoEMG office. What business they have got there both
Ashutosh and Himesh?” said Vinay.
“This is all confusing.
Look at this file cftrnscr. Do you know about this file? And why Puneet
modified it?” asked Sana.
“It’s the code
for transaction screen dump. It will be invoked whenever a transaction fails or
hangs and this code will create a dump with all the details for doing analysis
later. What Puneet is doing in that file? What is he doing in CDSTP operations?
He is not in CDSTP maintenance team. He is working in GF project right?” said
Vinay.
“Let’s check
with him gently. Let’s not talk about funneling. We will check with him only
about this file and why he modified it. Just call him to your desk and check
when no one is around,” said Sana.
Vinay waited
for everyone to go for tea break. When Puneet was about to leave for tea, he
called out to him.
“Hi Puneet,
why you have modified this file?” asked Vinay.
“What file?”
asked Puneet.
“See here. It
says file cftrnscr modified by Puneet,” Vinay showed the PC screen to him.
“It says
modified by me. This is CDSTP project code right. I didn’t do anything. I
didn’t change anything there. I’m not working for CDSTP maintenance. There are
other people who may know my passwords. Ok I will send out an email to Support
team to remove access to my login id. Thanks for showing me this,” said Puneet.
Later Puneet
send out an email to the CDSTP Support team to remove access to his login id.
Vinay decided
to eliminate Puneet from his suspect list. Now he decided to confront Ashutosh
directly. He knew exactly at what time Ashutosh and Himesh would go to Octos
Towers. He decided to catch them right there.
Saturday
morning 11.30 AM, Vinay waited for the duo to come. Himesh was just coming out
of the main entrance of the Octos Towers Tech Park. He immediately rushed there
and met him near the two wheeler parking area.
“So what I
suspected all along is true then,” said Vinay.
Himesh was
surprised and became nervous. His eyes looked sideways from Vinay and searched
for someone.
“Not here.
This is not the right place to talk. Let’s move to my room,” said Ashutosh from
behind Vinay in a hushed tone.
Vinay turned
around and found Ashutosh.
“You, of all
people, involved in this!” shouted Vinay.
“What’s going
on? How long this is happening?” asked Vinay.
“Let’s go to
my house and discuss all day. We will be glad to explain you everything,” said
Ashutosh.
“You would
better or you both are going to be in trouble,” said Vinay.
They both went
to Ashutosh rented flat.
“I have
conclusive evidence to show you have done it,” said Vinay.
Ashutosh
became upset. His face was expressionless.
“May I know
what proof you have?” asked Ashutosh.
“I cannot show
it to you. You may tamper the evidence. Only you can do this. And only you can
also erase the trail. And I have spotted you in PicoEMG office many times. You
have logged in using Puneet’s login id and changed a file is it?” asked Vinay.
“Oh I see. So
that’s why you were checking that day asking me to login using Puneet’s login
id to check if I know Puneet’s password. So when did you become a detective?
You didn’t tell us about your career change?” asked Ashutosh.
“Remove
whatever you have done. Repair the damages. No one needs to know this has ever
happened,” said Vinay.
“I don’t know
what you are talking about,” said Ashutosh.
“Listen to me.
Tell me what you did. We will erase everything. No one can find out,” said
Vinay.
“Remove what?
Repair what?” asked Himesh.
“Oh come on
Himesh. Don’t act! You are involved in this. You know everything,” said Vinay.
“Seriously I
don’t understand what you are talking about,” said Ashutosh.
“Oh yeah. You
are stealing money from Dochamk Bank. You have put funneling code in to the
core transaction handler which siphons off money from some transactions. Don’t
tell me I don’t know. And now don’t start acting. I have got proof,” said
Vinay.
Both Ashutosh
and Himesh looked puzzled.
“Yeah sorry
can you please explain what you are talking about. I’m sorry to ask you the
same question again,” said Ashutosh.
These guys
were tough nut to crack thought Vinay. They were acting very well. He had lied
he got solid evidence while he still had none to show Ashutosh did it. He tried
his best to bring the truth out of Ashutosh’s mouth by persuading him. But it
was not working out.
“Ok. Ashutosh,
I will explain in detail. You have modified the core transaction handler in
CDSTP project to siphon off some amount from certain transactions and used
preproduction environment to process the siphoning transaction to avoid any
trace in production and used a secret queue to send to production outgoing
queue to send it to your own accounts in Dochamk Bank. Is it clear now?” asked
Vinay.
A smile formed
in Ashutosh’s face. Himesh laughed.
“This is what
will happen if anybody becomes a detective. Our new detective or should I say
IT detective is telling a story about something I still cannot understand,”
said Ashutosh.
“What story is
this Vinay? Very interesting,” said Himesh.
Vinay started
from the beginning from when Murail forwarded the emails and how he had found
money from some transaction were funneled and sent to other accounts within
Dochamk Bank.
Ashutosh and
Himesh sat relieved.
“I see. So
that’s why you thought I’m involved. Well the answer is no. I’m not involved in
this. Regarding this file changed using Puneet’s login id, first trace the IP
address. If it is static we will know whose PC was used. If it is not static,
check with the network team and from the logs find out the MAC address
corresponding to the dynamic IP address. Using that MAC address we can then
find which PC. Let’s hope we can find out the answer to this. It’s disturbing
this has happened,” said Ashutosh.
“Sorry for
confronting you like that. I don’t have clear evidence to prove who is
involved. I’m just eliminating people from my suspect list one by one. I lied
to you when I said I had evidence. I thought you will speak out,” said Vinay.
“Really I
don’t think I’m capable of doing any such thing. But talking business and
getting deals, that is another matter,” Ashutosh blinked at Himesh.
