
The Law of Inevitability:
The Panama Papers
In April of 2016, the legal industry was rocked by a monumental computer breach. Unlike the Sony, Home Depot, and Target hacks before it, which only affected one company, this breach exposed every one of Mossack Fonseca’s clients to intense public scrutiny. Their clientele – former and current politicians, athletes, banks, and business executives – were linked to fraud, sanctions avoidance, money laundering, and tax evasion schemes when 11.5 million documents were exfiltrated from the law firm’s servers.
Ramifications were immediate and obvious, beginning with the resignation of Iceland’s Prime Minister Sigmundur Gunnlaugsson, yet the end to this fallout remains elusive. The flood of government investigations is ongoing and new allegations emerge regularly; so far one of the few certainties regarding the hack is that law firms are now keenly aware that their computer systems house a treasure trove of confidential information – an attractive target for hackers. Also clear is that the penetration of Mossack Fonseca’s computer systems was a relatively easy breach to perpetrate and, more importantly, completely preventable.
It’s time to have a candid conversation about law firms and their computer security footprint.
How To Hack Mossack Fonseca In 3 Easy Steps
Mossack Fonseca was utterly deficient in their cyber security footprint. Their website was riddled with known and fixable vulnerabilities. Their web server was also not protected by a firewall and was on the same network as their mail servers. In April 2016, researchers found multiple avenues for access but one prevalent theory has emerged: outdated and unpatched software and knowingly insecure server access protocols gave hackers easy access to the firm’s most sensitive files.
At the risk of getting too deep in the weeds I will attempt to explain one such avenue for unauthorized access to the Mossack Fonseca systems. The graphic provided below will help you visualize how a hacker can move through the system to gain the type of access that results in the theft of 2.6 terabytes of attorney-client privileged data.

Step 1: WordPress Exploit
Mossack Fonseca had a commonly used plug-in on their website named Revolution Slider. That version of Revolution Slider was outdated and known to be vulnerable to exploitation. By using this exploit, a hacker is able to gain unauthorized and unrestricted access to WordPress, including the configuration and database files. These unencrypted files contain login and password information to send emails from the mail server.
Step 2: Use Information Gained From WordPress
Using the login credentials provided by WordPress, the hacker could have then accessed the email server and siphoned off 4.8 million emails. Mossack Fonseca was using an old version of Outlook Web Access that was last updated in 2009. Assuming the privilege level assigned to the credentials used to log in is all-access, any email could be retrieved from the system.
Step 3: Drupal Exploits
Like WordPress, Drupal can be used to create websites and can act in the background as an online client access portal to their data. The older version of Drupal that Mossack Fonseca utilized had at least 23 vulnerabilities at the time of the hack and was best known as the version targeted in November 2014’s “Drupageddon” hack.
5 Easy Ways To Avoid Being The Next Mossack Fonseca
I’d like to believe that Mossack Fonseca is the most disturbing case of ineptitude in website security on the planet rather than a typical case study. Unfortunately, I fear there are more Mossack Fonsecas out there than we realize or want to admit publicly in an effort to protect those easily penetrable data goldmines. There are some very easy steps to take that can mitigate your exposure risk:
- Update Software
Patches are released for a reason and that reason is never cosmetic. They shore up security holes or functionality issues. That innocuous plug-in on your website looks great or may add functionality but if you don’t keep it current you are exposing yourself, your firm, and the clients it services to unnecessary risk.
- Encryption and Hashing
There is no reason to forego encryption of confidential communications and files. None of the data from Mossack Fonseca had encryption of any kind. Microsoft and Adobe products include encryption and password protection tools to avoid unauthorized access. Most email providers use some level of encryption, and encryption should be included in any service level agreement.
- Separation, Passwords And Access Restrictions
Passwords should be changed regularly and access to files, information, and systems should be limited to only those who need it. Restrictions on time and day can also be implemented. Update these access privilege credentials regularly to ensure access is only as needed. Also, consider keeping email servers and web servers on separate traffic routers to add an element of separation.
- Protocols And Procedures
Mossack Fonseca was ill-prepared to manage the fallout of their breach, either for themselves or their clients. Having protocols and procedures in place before a breach happens is far better than making it up as you go in a high-stress situation.
- Training And Refresher Trainings
Computer security best practices, particularly in fields requiring confidentiality and discretion like the legal industry, should be part of the new-hire training curriculum and reinforced through regular refresher trainings.
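The "Update Software" advice applies directly to the outdated plug-in described in Step 1. The following Python script is an added example, not part of the original article: it reads the version each WordPress plug-in declares in its header comment and flags any that fall below a baseline of minimum safe versions. The plug-in names, version numbers and baseline are constructed for illustration; in practice the baseline is something you maintain from vendor advisories.

```python
import re
import tempfile
from pathlib import Path

# WordPress plugins declare "Version: x.y.z" in a header comment of their main PHP file.
HEADER = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][\w.\-]*)", re.M | re.I)

def parse_version(text):
    """'4.1' -> (4, 1, 0, 0) so that 4.1 and 4.1.0 compare as equal."""
    parts = [int(p) if p.isdigit() else 0 for p in text.split(".")][:4]
    return tuple(parts + [0] * (4 - len(parts)))

def installed_plugins(plugins_dir):
    """Map each plugin folder to its declared version (None if no header found)."""
    found = {}
    for folder in sorted(p for p in Path(plugins_dir).iterdir() if p.is_dir()):
        found[folder.name] = None
        for php in sorted(folder.glob("*.php")):
            match = HEADER.search(php.read_text(errors="replace")[:8192])
            if match:
                found[folder.name] = match.group(1)
                break
    return found

def audit(plugins_dir, minimum_safe):
    """Return (plugin, installed, problem) for every plugin that needs attention."""
    findings = []
    for name, version in installed_plugins(plugins_dir).items():
        required = minimum_safe.get(name)
        if required is None:
            findings.append((name, version, "not in baseline, review or remove"))
        elif version is None or parse_version(version) < parse_version(required):
            findings.append((name, version, "below minimum " + required))
    return findings

def demo():
    """Build a constructed plugins directory and audit it against a constructed baseline."""
    baseline = {"example-slider": "1.6.0", "example-forms": "2.1"}  # hypothetical values
    with tempfile.TemporaryDirectory() as root:
        for name, version in [("example-slider", "1.4.2"), ("example-forms", "2.1.0"),
                              ("forgotten-widget", "0.9")]:
            folder = Path(root, name)
            folder.mkdir()
            (folder / (name + ".php")).write_text(
                "<?php\n/*\n * Plugin Name: " + name + "\n * Version: " + version + "\n */\n")
        return audit(root, baseline)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Pointed at a real `wp-content/plugins` directory, `audit()` also surfaces plug-ins nobody remembers installing, which are the ones most likely to go unpatched.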
While these five best practices will not prevent all computer breaches, they could have prevented the Panama Papers or, at a minimum, made the hacker’s job infinitely harder. If you are interested in speaking with a security professional on how to shore up your cyber security footprint, KT Designs can put you in contact with one of our experts. Please contact us at 202.554.0272 or info@kt-designs.org.
The information in this article is sourced from the following organizations:
https://www.wordfence.com/blog/2016/04/panama-papers-wordpress-email-connection/
http://www.wired.co.uk/article/panama-papers-mossack-fonseca-website-security-problems
KT Designs is a privately owned company that operates on the ideals of honesty, integrity and transparency. We are experienced in working on cases and projects of all sizes and in most jurisdictions, including internationally. We are devoted to the personal and intellectual growth of our employees and clients, and to facilitating continued learning in our audiences on the most complicated of topics. We consider our clients’ satisfaction and confidentiality above all else.

The Use of Learning Theory in Litigation
“If one of our goals in jury trials is to send into a jury room a jury well equipped to render a fair and impartial verdict, then in my view, we are shortchanging all litigants if we are not providing our jurors with all the necessary aids and tools to enable them to perform the critical tasks we ask them to undertake.”
— Hon. Michael F. McKeon, Jury Trial Project in New York
The key to being successful in litigation is clear, concise, effective and persuasive communication. In effect, a lawyer is an educator – disseminating facts and evidence about a case to fact-finders. How those facts and evidence are presented to a jury, judge or panel can mean the difference between comprehension of said information and confusion, boredom and apathy. Properly educating the fact-finder on complex information without overwhelming them while effectively rebutting adverse counsel’s points are the litigators’ main objectives. During demonstrative development and argument preparation, it is important to understand how to distill and accurately represent case facts in a persuasive manner for maximum comprehension.
Bold research in the fields of neuroscience and brain imaging at the University of Birmingham, UK, has provided interesting new data that is applicable to the field of learning. Dr. Doe Kourtzi, Chair of Brain Imaging at UAB, explains, “What we have found is that learning from past experience actually rewires our brains so that we can categorize the things we are looking at, and respond appropriately to them in any context.” People learn, process, retain and recall information differently. The majority of learning theory experts agree that whether you are teaching a class of high school students or arguing your case in front of a jury, utilizing more than one teaching method increases the fact-finders’ level of comprehension.
US educationist Edgar Dale pioneered the “Cone of Experience” theory, holding that using various types of learning strategies increases comprehension and retention. Dale’s hypothesis incorporates different types of teaching methods, including utilizing symbolism, audio, imagery, video and direct participation. For litigators, Dale’s theory has practical applications in the courtroom. Over the past two decades, the method by which evidence is presented has changed. Law firms have taken a measured approach to embracing the use of technology in every stage of the litigation life cycle. Litigation graphics are now commonplace in courtrooms and are being included as early as the motions and pleadings phases, as opposed to limited graphics like the obligatory graph or chart during trial. This technology facilitates the litigator’s ability to persuasively present their evidence verbally while reinforcing their message with supplemental visual and auditory evidence.
Until deliberation, juries have a passive role in court proceedings, impartially considering the evidence presented and rendering a verdict based upon that evidence and the rule of law. Within the past few decades, courts have experimented with various changes to procedure; this has led to controversy because some procedures encourage jurors to take a more active role during the evidentiary presentation of trial or have the potential to distract jurors from listening to the evidence being presented. Two controversial procedures, allowing jurors to take notes and juror questions, are being tested at a measured pace in various jurisdictions across the country.
For many, taking notes assists in processing and retaining the information being presented and then facilitates the recall of that information. Allowing juries to take notes during the course of a trial has only developed over the past few decades. As this experimental procedure is implemented across the country, extensive studies continue to be conducted and relevant data collected. One study found that of jurors who were not permitted to take notes, 76% of jurors on civil trials and 50% of jurors on criminal cases communicated that they would prefer the opportunity to take notes in future trials.
Another procedure being experimented with in courts is juror questions. According to the findings of the Arizona Filming Project, over 28% of juror questions gravitated towards clarifying factual information and over 61% of juror questions were evaluating questions focused on discrepancies in testimony or disputed facts being presented.
How people best understand, internalize, and then retain information for later recollection varies. By utilizing multiple teaching methods in the courtroom, explaining evidence, assisting in processing information and facilitating memory retention and recall, courts assure that jurors are better prepared to carry out the duties with which they are charged.
This article is based on the KT Designs’ white paper “The Applicability of Learning Theory in Litigation.” To access the whitepaper in its entirety for free, please visit the whitepaper section of our website: http://www.kt-designs.org/white-papers/