Security lessons from Mossack Fonseca

Behind the scandal and headlines the ‘Panama Papers’ is a story about a data breach and some uncomfortable security home truths.

Security lessons from Mossack Fonseca

The so-called ‘Panama Papers’ made headlines around the world.  The hacked trove of leaked emails and documents lifted the lid on the financial machinations of some of the world’s most powerful people and turned Mossack Fonseca into the world’s most infamous Panamanian law firm.

The number of documents leaked is so vast, and the contents so explosive, we can expect the Panama Papers to keep our journalists, politicians, lawyers and law enforcement busy for years.

Lessons to be learnt from this data breach

Behind the scandals and the eye-catching headlines, the Panama Papers is also the story of an enormous, devastating corporate data breach – one described by Edward Snowden as the “biggest leak in the history of data journalism”. There are lessons to be learned for all of us.

Setting aside the nature of the hacked content, the method of the cyber attack itself begs two fundamental questions: how could it happen and how could it be so extensive?

How could such a breach happen?

It’s tempting to assume that such a breach involving so much sensitive information from an organisation with so much at stake would require the use of super-human skills or incredible technology.

Not a bit of it.

Cyber-security is sometimes brutally asymmetric and that point was illustrated perfectly by the assorted security researchers who poked and prodded the Panamanian company’s perimeter once the leak was revealed.

What they found was a litany of easily remedied, easily uncovered and easily exploited mistakes:

Mossack Fonseca’s Outlook Web Access portal, and likely the Exchange server behind it, hadn’t been updated since 2009. Worse still the server did not use TLS, meaning that all of its email communications were unencrypted and vulnerable to eavesdropping and man-in-the-middle attacks.

Mossack Fonseca’s client portal was even worse – it was running a version of the Drupal CMS that hadn’t been updated since 2013, which means that it had at least 23 remotely executable vulnerabilities. One, from 2014, was so bad that the Drupal Security team was urging users to “proceed under the assumption that every Drupal 7 website was compromised unless updated [within] 7 hours.“

Vunerable websites

The company’s website ran on an open CMS, WordPress, that was three months out of date and running a vulnerable version of the Revolution Slider plugin. The vulnerability, described as “trivially easy” to exploit, can be used by an attacker to gain a remote shell on the web server (a foothold into Fonseca’s system). That remote shell would have given an attacker all kinds of freedom and access and, thanks to some other plugins running on the system, login details for the company’s mail server.

We don’t know how Mossack Fonseca was breached or if any of the vulnerabilities found since the story broke played a part but we can say that any of those vulnerabilities could have. Each of them is a ‘Panama Papers’ waiting to happen and each of them was caused by nothing more than a failure to observe the basics.

How could it get so big?

Perhaps the most remarkable thing about the Mossack Fonseca breach is the scale of it. The whistleblower appears to have all but cleared out the company, making off with 2.6 terabytes of data in the form of 11.5 million documents revealing 40 years of company history. This is perhaps the largest exfiltration of data since the Sony, where the hackers were able to download feature length films undetected.

In the physical world, robbing a bank requires a getaway car.  Robbing Fort Knox would require a convoy of trucks. With physical things the time, cost and effort involved scales as the size of the job increases.

Cybercrime and perimeter defences

In the virtual world you can rob a bank or steal everything a company owns, no matter how large your loot.  Cost and risk does not increase at the same rate as the size of the breach.  There is higher ROI to exfiltrate as much as they can, and they are becoming increasingly skilful at avoiding detection – even at high volumes.

It’s why you can’t rely on perimeter defences alone to protect your network, why networks need to be sub-divided and why applications need to be attack-aware. Attackers who make it inside your walls need to be made to work hard for every step they take inside your network.  They need to be faced with detectors and tripwires at every turn.

According to the reports, the hackers at Mossak Fonseca sent their looted data to journalists as whistleblowers who wanted to uncover the sordid truth of tax avoidance.  Perhaps this is true.  Another plausible explanation is that Fonseca refused to pay the ransom the hackers demanded.  Or perhaps a ransom was paid, but the data released anyway to enable a safer getaway. We will never know – because in cybercrime the getaway car is never found..