Category: Cyber Security

The Law of Inevitability:
The Panama Papers

In April of 2016, the legal industry was rocked by a monumental computer breach. Unlike the Sony, Home Depot, and Target hacks before it, which each affected only one company, this breach exposed every one of Mossack Fonseca’s clients to intense public scrutiny. Their clientele – former and current politicians, athletes, banks, and business executives – were linked to fraud, sanctions avoidance, money laundering, and tax evasion schemes when 11.5 million documents were exfiltrated from the law firm’s servers.

Ramifications were immediate and obvious, beginning with the resignation of Iceland’s Prime Minister Sigmundur Gunnlaugsson, yet the end to this fallout remains elusive. The flood of government investigations is ongoing and new allegations emerge regularly; so far one of the few certainties regarding the hack is that law firms are now keenly aware that their computer systems house a treasure trove of confidential information – an attractive target for hackers. Also clear is that the penetration of Mossack Fonseca’s computer systems was a relatively easy breach to perpetrate and, more importantly, completely preventable.

It’s time to have a candid conversation about law firms and their computer security footprint.

How To Hack Mossack Fonseca In 3 Easy Steps

Mossack Fonseca was utterly deficient in their cyber security footprint. Their website was riddled with known and fixable vulnerabilities. Their web server was also not protected by a firewall and was on the same network as their mail servers. In April 2016, researchers found multiple avenues for access but one prevalent theory has emerged: outdated and unpatched software and knowingly insecure server access protocols gave hackers easy access to the firm’s most sensitive files.

At the risk of getting too deep in the weeds I will attempt to explain one such avenue for unauthorized access to the Mossack Fonseca systems. The graphic provided below will help you visualize how a hacker can move through the system to gain the type of access that results in the theft of 2.6 terabytes of attorney-client privileged data.

[Graphic: PanamaPapers]

Step 1: WordPress Exploit

Mossack Fonseca had a commonly used plug-in on their website named Revolution Slider. That version of Revolution Slider was outdated and known to be vulnerable to exploitation. By using this exploit, a hacker is able to gain unauthorized and unrestricted access to WordPress, including the configuration and database files. These unencrypted files contain login and password information to send emails from the mail server.

Step 2: Use Information Gained From WordPress

Using the login credentials provided by WordPress, the hacker could have then accessed the email server and siphoned off 4.8 million emails. Mossack Fonseca was using an old version of Outlook Web Access that they last updated in 2009. Assuming the privilege level assigned to the credentials used to log in is all-access, any email could be retrieved from the system.

Step 3: Drupal Exploits

Like WordPress, Drupal can be used to create websites and act in the background as an online client access portal to their data. The older version of Drupal that Mossack Fonseca utilized had at least 23 vulnerabilities at the time of the hack and is best known as the version targeted in November 2014’s “Drupageddon” hack.

5 Easy Ways To Avoid Being The Next Mossack Fonseca

I’d like to believe that Mossack Fonseca is the most disturbing case of ineptitude in website security on the planet rather than a typical case study. Unfortunately, I fear there are more Mossack Fonsecas out there than we realize or want to admit publicly in an effort to protect those easily penetrable data goldmines. There are some very easy steps to take that can mitigate your exposure risk:

  • Update Software

Patches are released for a reason and that reason is never cosmetic. They shore up security holes or functionality issues. That innocuous plug-in on your website looks great or may add functionality but if you don’t keep it current you are exposing yourself, your firm, and the clients it services to unnecessary risk.

  • Encryption and Hashing

There is no reason to forgo encryption of confidential communications and files. None of the data from Mossack Fonseca had encryption of any kind. Microsoft and Adobe products include encryption and password protection tools to avoid unauthorized access. Most email providers use some level of encryption, and encryption should be included in any service level agreement.

  • Separation, Passwords And Access Restrictions

Passwords should be changed regularly and access to files, information, and systems should be limited to only those who need it. Restrictions on time and day can also be implemented. Update these access privilege credentials regularly to ensure access is only as needed. Also, consider keeping email servers and web servers on separate traffic routers to add an element of separation.

  • Protocols And Procedures

Mossack Fonseca was ill-prepared to manage the fallout of their breach, either for themselves or their clients. Having protocols and procedures in place before a breach happens is far better than making it up as you go in a high-stress situation.

  • Training And Refresher Trainings

Computer security best practices, particularly in fields requiring confidentiality and discretion like the legal industry, should be part of the new-hire training curriculum and reinforced through regular refresher trainings.
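As an added example (not code from the original article or from WordPress), here is one way to turn the “Update Software” advice above into a repeatable check: read each installed plugin’s version header and compare it with a minimum patched version that you maintain. The plugin names, version numbers and baseline values are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# WordPress reads these headers from the first 8 KiB of a plugin's main PHP file.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*([0-9][0-9A-Za-z.\-]*)", re.M | re.I)

def to_tuple(version):
    """'4.2' -> (4, 2, 0, 0) so that '5.2' and '5.2.0' compare equal."""
    parts = [int(n) for n in re.findall(r"\d+", version)][:4]
    return tuple(parts + [0] * (4 - len(parts)))

def installed_versions(plugins_dir):
    """Map each plugin directory to the version in its header, or None."""
    found = {}
    for plugin in sorted(p for p in Path(plugins_dir).iterdir() if p.is_dir()):
        found[plugin.name] = None
        for php in sorted(plugin.glob("*.php")):
            head = php.read_text(errors="replace")[:8192]
            m = VERSION_RE.search(head)
            if m and "Plugin Name:" in head:
                found[plugin.name] = m.group(1)
                break
    return found

def audit(plugins_dir, minimum_patched):
    """Return (plugin, installed, required, status) rows for review."""
    rows = []
    for name, installed in installed_versions(plugins_dir).items():
        required = minimum_patched.get(name)
        if installed is None:
            status = "UNKNOWN_VERSION"      # cannot prove it is current
        elif required is None:
            status = "NO_BASELINE"          # nobody is tracking this plugin
        else:
            status = "OUTDATED" if to_tuple(installed) < to_tuple(required) else "OK"
        rows.append((name, installed, required, status))
    return rows

def demo():
    """Run the audit on a constructed install; names and versions are made up."""
    samples = {
        "example-slider": "<?php\n/*\n * Plugin Name: Example Slider\n * Version: 3.0.95\n */\n",
        "example-forms": "<?php\n/*\nPlugin Name: Example Forms\nVersion: 5.2\n*/\n",
        "example-seo": "<?php\n// Plugin Name: Example SEO\n",
    }
    baseline = {"example-slider": "4.2", "example-forms": "5.2.0"}  # hypothetical
    with tempfile.TemporaryDirectory() as tmp:
        for name, header in samples.items():
            (Path(tmp) / name).mkdir()
            (Path(tmp) / name / f"{name}.php").write_text(header)
        return audit(tmp, baseline)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Treat UNKNOWN_VERSION and NO_BASELINE as findings in their own right: a plugin whose version cannot be read, or that no one tracks, is one that will not get patched on time.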

While these five best practices will not prevent all computer breaches, they could have prevented the Panama Papers or, at a minimum, made the hacker’s job infinitely harder. If you are interested in speaking with a security professional on how to shore up your cyber security footprint, KT Designs can put you in contact with one of our experts. Please contact us at 202.554.0272 or info@kt-designs.org.

 


The information in this article is sourced from the following organizations:

https://panamapapers.icij.org

https://www.wordfence.com/blog/2016/04/panama-papers-wordpress-email-connection/

http://www.wired.co.uk/article/panama-papers-mossack-fonseca-website-security-problems

KT Designs is a privately owned company that operates on the ideals of honesty, integrity and transparency. We are experienced in working on cases and projects of all sizes and in most jurisdictions, including internationally. We are devoted to the personal and intellectual growth of our employees and clients, and to facilitating continued learning in our audiences on the most complicated of topics. We consider our clients’ satisfaction and confidentiality above all else.

Personal Security in the Digital Age:
Navigating Machiavelli’s Playground

Technology is ever growing and evolving, bringing new and exciting advances into the modern world. Computers make our lives easier in innumerable daily activities, be it instantly paying bills online, buying the latest best seller on Amazon, looking up the closest movie theatre on the car’s GPS or searching for a dinner recipe on the refrigerator’s built-in touch screen. Of course, with these daily aides comes the ever-growing risk of our technology being used against us.

Media attention has shifted to the dangers of Internet connected devices as of late, giving the public its first clear look at what the world of cyber security handles. Nearly every week, a new announcement surfaces regarding banks or big-box retailers being targeted, personal information compromised or intimate photos leaked. With each new successful attack the need for stronger security becomes ever more evident. Most of this security is focused on the larger companies – Target needs to bolster its card security, Apple needs to take more precautions with its Cloud technology – but there are things that individuals can and must do to play their part as well.

Keeping your family and yourself safe in this ever-changing environment is no small feat. However, there are a number of steps you can take to shore up your personal cyber-security. Though you may not be able to prevent every attack, you can lower your risk, stop many and be prepared for the ones that do get through.

What can one person do? The good news is cyber-security starts with the individual.

As with any confrontation, it is imperative to know what you are up against. How much of your household technology is hackable? Which can be used against you if they become compromised? Any Internet-connected device is at risk of being infiltrated, from your baby monitor to your favorite gaming console. This doesn’t mean that you can’t use them, though – there are some simple things you can do to maintain your privacy.

Tips for Safeguarding Your Computer

Even the most basic security setups require that you keep your computer up to date. Updates are issued not only to improve end-user software but also to patch discovered security flaws. Ignoring updates is a swift way to weaken many other security options.

Use proper password etiquette! Passwords should be a minimum of eight characters. Use upper and lower case letters, numbers and symbols, but avoid grouping the different types of characters together (for instance, Password123). Do not use the same password for multiple accounts, do not share your passwords with anyone and, if you have too many passwords to remember, store a handwritten copy in a safe access-controlled place. Avoid using the password save function your computer offers.

 

In addition, virus protection software allows you to react swiftly if something malicious does make its way onto your system. There are many to choose from, ranging from run-in-the-background to system wide control, so it’s important to do your research to determine the best choice for you.

Using Common Sense

Using common sense goes a long way in the digital world. You can avoid a lot of trouble by ignoring suspicious emails and avoiding untrusted sites. Some of the easiest ways to become the victim of a scam or virus are clicking on random links, visiting suspicious websites, opening strange email attachments and falling for phishing scams.

Keep in mind that everything you put on social media is available to everyone, and likely to be accessible in some way even if you delete it. Knowing the difference between what should and should not be private is crucial; aside from not posting sensitive information, it’s not necessary to let everyone know where you are and what you are doing. Photos of you drinking with friends are more likely to cause future trouble than a day at the park with your dog.

The same goes for information you place in the Cloud. Regardless of what Cloud service you use, your data could be at risk. When it comes to important documents that you may want to have access to, such as birth and marriage certificates, social security cards and insurance documents, keep them physically or on an encrypted CD or device that is not accessible by the Internet. Though the Cloud is convenient, it is far from impenetrable; use it for photos you don’t mind others seeing, audiobook and music files, a clean back-up of your operating system and non-sensitive application files only.

Be aware of how many cameras you have in your home and with you on the go. With the average number of devices in each home these days, it isn’t strictly necessary for someone wishing to spy on you to bug anything – in many cases you do it for them. Miss Teen USA Cassidy Wolf found out the hard way exactly how such devices could be used against her when a perpetrator hijacked her computer, turned on her webcam and took images of her undressing in real-time without her knowledge. Obviously, be mindful of what is within view of capture-enabled devices.

Security-minded Online Banking

Banking is extremely easy in the modern age, and though banks have a number of security measures in place by default, it’s your job to put them to good use and implement a few of your own. As with any site, make sure your password follows the tips set out above. Legitimate employees of any company already have access to your account, so if anyone asks for your log in information, or directs you to do anything abnormal, it is likely a scam.

There are optional security measures your bank can put in place, such as security tokens. You can ask your bank about setting up a virtual fob, which generates an instant random code, to access your account. If hackers are able to access one of your accounts within a financial institution, they may be able to draw money from all of your accounts at that institution if these accounts are linked – as, for instance, through overdraft protection. For this reason, consider opening an unconnected account at a different bank in case of emergency.

What else can I do?

You don’t need to be an information security professional to understand the basics of your own security needs. Information is available and universities offer classes on the subject to the public online. Though many common sense choices can keep your information and privacy safe, the best way to protect sensitive information is by understanding its value.

Proper security starts at the individual level but does not end there. While it is true that companies and the government are late to the game, public awareness is finally leading to a significant and well-founded outcry. Some companies have started to answer this call. As this outcry increases with each cyber attack that makes headlines, the additional social pressure for privacy and security will require reexamination and action.


This article is based on the KT Designs white paper, “Privacy, Security and Mitigating Risk in the Digital Age: A ‘How To Guide’ for Navigating Machiavelli’s Playground for the individual.” To access the white paper in its entirety for free, please visit the white paper section of our website: http://www.kt-designs.org/white-papers/


Protecting Compromised Information

In the wake of the most recent disclosures of large-scale successful computer breaches of US government systems, we thought it prudent to include some information on what to do if you discover your identity or digital footprint has been compromised. Know exactly what needs to be protected and have a plan in place before something happens. This extends to information as well as physical assets.

General steps to take in the wake of a systems breach:

Detect, Isolate and Remediate

  • Isolate the affected system immediately to mitigate potential damage. Once contained, act to remediate the compromised systems.

Assessment

  • Assess other systems to ensure that containment was successful and no other areas were compromised by the breach.

Mitigation

  • Mitigate the consequences of said breach as quickly as possible. For an individual, this would include contacting your financial institutions and credit lending agencies. For companies, this could include enacting business continuity and disaster recovery protocols and procedures.

If you have ever applied for a security clearance from (or required a background check by) the US government, the following is some basic guidance for assisting you in mitigating your risks:

  • Put a block on your credit reports to prevent anyone from opening new accounts unless you are contacted first: http://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs
  • DO NOT respond to e-mails or phone calls from anyone saying that they are from DHS, OPM, or DoD and are offering to help. Expect fraudulent phone calls.
  • Change all of your security questions on ALL of your bank and credit account information; make sure the security questions and answers are not provided by you in your security clearance information.
  • Close all accounts you are not using.
  • Request from your banks and credit card companies that they send you new cards with chip and pin.
  • Use the Freedom of Information Act (FOIA) to request the information obtained by US DoD for the purpose of granting your clearance.
  • Await the OPM letter that will send you a pin number so you can log in and register for free credit monitoring and up to $1 million in coverage in case your identity is compromised and potentially affects your credit.

Remember, the information provided here is only basic; one or more of these steps will require considerable time and effort on your part should you wish to pursue these risk mitigation efforts to protect your compromised information.

If you are concerned that you have been compromised and wish to take further steps by getting in touch with a security professional, KT Designs can put you in contact with one of our experts. Please contact us at 202.554.0272 or info@kt-designs.org.

*Information provided by Kristin Thomas and Kalani Enos.