The Law of Inevitability:
The Panama Papers
In April of 2016, the legal industry was rocked by a monumental computer breach. Unlike the Sony, Home Depot, and Target hacks before it, each of which exposed the data of a single company, this breach exposed every one of Mossack Fonseca’s clients to intense public scrutiny. Their clientele – former and current politicians, athletes, banks, and business executives – were linked to fraud, sanctions evasion, money laundering, and tax evasion schemes when 11.5 million documents were exfiltrated from the law firm’s servers.
Ramifications were immediate and obvious, beginning with the resignation of Iceland’s Prime Minister Sigmundur Davíð Gunnlaugsson, yet the end of this fallout remains elusive. The flood of government investigations is ongoing and new allegations emerge regularly; so far, one of the few certainties regarding the hack is that law firms are now keenly aware that their computer systems house a treasure trove of confidential information – an attractive target for hackers. Also clear is that the penetration of Mossack Fonseca’s computer systems was a relatively easy breach to perpetrate and, more importantly, entirely preventable.
It’s time to have a candid conversation about law firms and their computer security footprint.
How To Hack Mossack Fonseca In 3 Easy Steps
Mossack Fonseca’s security posture was utterly deficient. Their public website was riddled with known and fixable vulnerabilities. Their web server was not protected by a firewall and sat on the same network as their mail server. In April 2016, researchers found multiple avenues for access, but one prevalent theory has emerged: outdated and unpatched software, combined with remote-access services known to be insecure, gave hackers easy access to the firm’s most sensitive files.
At the risk of getting too deep in the weeds, I will walk through one such avenue for unauthorized access to the Mossack Fonseca systems. The graphic provided below will help you visualize how a hacker can move through the system to gain the type of access that results in the theft of 2.6 terabytes of attorney-client privileged data.
Step 1: WordPress Exploit
Mossack Fonseca’s website ran a commonly used WordPress plug-in named Revolution Slider. The installed version was outdated and known to be vulnerable: the widely exploited flaw in older releases lets a visitor read arbitrary files from the web server without logging in, including WordPress’s configuration and database files. Those files are stored unencrypted, and in this case they held login and password information used to send email through the firm’s mail server.
Step 2: Use Information Gained From WordPress
Using the login credentials harvested from WordPress, the hacker could then have accessed the email server and siphoned off 4.8 million emails. Mossack Fonseca was running a version of Outlook Web Access that had last been updated in 2009. If the compromised credentials carried all-access privileges, any email in the system could be retrieved.
Step 3: Drupal Exploits
Like WordPress, Drupal is used to build websites; Mossack Fonseca ran it as the online portal through which clients accessed their data. The outdated Drupal version they used had at least 23 known vulnerabilities at the time of the hack and belonged to the release line targeted by the October 2014 “Drupageddon” attack, a SQL injection flaw in Drupal 7 that let an unauthenticated attacker take over a site with a single crafted request.
5 Easy Ways To Avoid Being The Next Mossack Fonseca
I’d like to believe that Mossack Fonseca is the most disturbing case of ineptitude in website security on the planet rather than a typical case study. Unfortunately, I fear there are more Mossack Fonsecas out there than we realize, or than anyone wants to admit publicly for fear of drawing attention to those easily penetrable data goldmines. There are some very easy steps that can reduce your exposure:
- Update Software
Patches are released for a reason, and that reason is rarely cosmetic: they close security holes or fix functionality issues. That innocuous plug-in on your website may look great or add functionality, but if you don’t keep it current you are exposing yourself, your firm, and the clients it serves to unnecessary risk.
- Encryption and Hashing
There is no reason to forgo encryption of confidential communications and files. None of Mossack Fonseca’s data was encrypted. Microsoft and Adobe products include encryption and password-protection tools that block unauthorized access to individual documents. Most email providers use some level of encryption, and the level provided should be spelled out in any service level agreement. Keep in mind that encryption protects data at rest and in transit; it does nothing once an attacker holds valid credentials, so it must be paired with the access restrictions below.
- Separation, Passwords And Access Restrictions
Passwords should be unique to each system (a credential lifted from a web server’s configuration should never also open the mail server), rotated regularly and immediately when compromise is suspected, and access to files, information, and systems should be limited to those who need it. Restrictions on the time and day of access can also be implemented. Review these access privileges regularly to ensure access remains only as needed. Also consider keeping email servers and web servers on separate network segments with a firewall between them, so that a compromise of the public website does not become a foothold on the mail system.
- Protocols And Procedures
Mossack Fonseca was ill-prepared to manage the fallout of its breach, either for itself or for its clients. Having incident response protocols and procedures in place before a breach happens is far better than improvising in a high-stress situation.
- Training And Refresher Trainings
Computer security best practices, particularly in fields requiring confidentiality and discretion such as the legal industry, should be part of the new-hire training curriculum and reinforced through regular refresher trainings.
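The second and third items above turn on one detail of the breach: the credentials sitting in the WordPress files were stored in a form an attacker could use directly. For credentials a system only needs to verify, such as user logins, the fix is to store a salted, deliberately slow hash so that a leaked configuration file or database row yields nothing reusable. Below is an added example of that, written for this article and not taken from Mossack Fonseca, WordPress or any vendor named here. It uses only the Python standard library (hashlib.pbkdf2_hmac and hmac.compare_digest); the iteration count and the record format are this example's own assumptions, not values from the page.

```python
"""Store login credentials as salted PBKDF2 hashes instead of plaintext.

Added example for this article; standard library only. The record format
and the work factor are this example's own choices, not the page's.
"""
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 310_000          # assumed work factor; raise as hardware allows
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password, salt=None):
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$hash.

    Storing the parameters next to the hash lets the work factor be raised
    later without locking out existing users (see needs_rehash)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS, dklen=KEY_BYTES)
    return "$".join([ALGORITHM, str(ITERATIONS),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def _parse(record):
    """Split a record into (iterations, salt, expected_hash); raises on junk."""
    alg, iterations, salt_b64, hash_b64 = record.split("$")
    if alg != ALGORITHM:
        raise ValueError("unknown algorithm")
    return int(iterations), base64.b64decode(salt_b64), base64.b64decode(hash_b64)


def verify_password(password, record):
    """Recompute with the stored salt and iterations, compare in constant
    time. A malformed record verifies as False instead of raising."""
    try:
        iterations, salt, expected = _parse(record)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     salt, iterations, dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(digest, expected)


def needs_rehash(record):
    """True if the record was made with a weaker work factor than current
    policy (or is unreadable); call after a successful login and re-store."""
    try:
        iterations, _salt, _expected = _parse(record)
    except (ValueError, TypeError):
        return True
    return iterations < ITERATIONS


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(verify_password("wrong", record))
```

The caveat a practitioner needs: this only helps for secrets the server has to check, not secrets it has to present. The mail login in the WordPress files was the second kind; the web application needed it in usable form to send email, so hashing was never an option there. Such credentials belong to a dedicated account with send-only rights and no mailbox access, in a configuration file readable only by the web server's own user, which is the separation the third item above is asking for.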
While these five best practices will not prevent every computer breach, they could have prevented the Panama Papers leak or, at a minimum, made the hacker’s job far harder. If you are interested in speaking with a security professional about how to shore up your cyber security posture, KT Designs can put you in contact with one of our experts. Please contact us at 202.554.0272 or firstname.lastname@example.org.
The information in this article is sourced from the following organizations:
KT Designs is a privately owned company that operates on the ideals of honesty, integrity and transparency. We are experienced in working on cases and projects of all sizes and in most jurisdictions, including internationally. We are devoted to the personal and intellectual growth of our employees and clients, and to facilitating continued learning in our audiences on the most complicated of topics. We consider our clients’ satisfaction and confidentiality above all else.