
    Panama Papers Breach Reveals Astonishingly Lax Network Security

    By Wayne Rash - April 7, 2016

      My first reaction after reading accounts about the breach of a vast trove of financial and related information from the Panamanian law firm Mossack Fonseca was to channel John Le Carré and his famed Panamanian tailor/spy Harry Pendel.

      However, the reality is much less interesting. The story is actually about a company with third-rate security that gets exploited by a routine hack.

      While the details of the attack on Mossack Fonseca haven’t been fully revealed, and while there’s a great deal of hay being made by newspapers reporting details about prominent people who have offshore financial accounts, the really important story is about what wasn’t in the breach. And no, I’m not talking about the puzzling lack of involvement by Americans. What’s clearly lacking is even the most basic attempt at protecting the firm’s client data.

      The firm’s founding partner, Ramon Fonseca, has revealed in an interview with Reuters that the attack that allowed hackers to make off with something over two terabytes of sensitive scans and images along with other information was an external hack. He said that this was not an inside job. That’s a surprising confession made only a couple of days after the hack was discovered and after the contents of the firm’s files were published far and wide in newspapers and on Websites.

      So what really happened? Security experts I’ve talked to tell me that Mossack Fonseca was almost certainly the victim of a spear-phishing attack, with an email that released malware that opened up access to the firm’s network. That would make Fonseca’s statement correct, since it doesn’t appear that an insider knowingly unleashed the malware or emailed the data to co-conspirators.

      But here’s where it gets tricky. Even if the attack came from outside, the information on who to target in the attack had to come from somewhere. The fact that the entire digital assets of the firm appear to have been laid bare would indicate that the target had to be someone very senior in the firm, or that the firm simply allowed any employee to look at anything on its servers. So where did the information on employees with privileged access come from?

      The chances are very good that the critical information came from inside the firm, perhaps unwittingly. The names of some of the lawyers at the firm can be found on the company’s Website with minimal effort. The names of the principals are public, but which of these people to attack? A list of partners with their email addresses could be all that was needed.

      Well-placed emails were all that was required to carry out the recent spate of CEO spear-phishing attacks that have struck companies of all sizes. A senior person at a company gets an email with a plausible request for information that seems to be from someone they know.


      The executive provides the requested information and clicks. That’s all it takes.

      “It’s very easy because a lot of companies don’t have a lot of security awareness education programs on how to avoid being spear-phished,” said Tyler Cohen Wood, a security advisor at Inspired eLearning.

      Wood is a former Defense Intelligence Agency senior intelligence officer and cyber-deputy division chief, who has over 16 years of experience working on security issues at the Department of Defense. She said that many breaches can be avoided with some fairly straightforward training in recognizing a spear-phishing attack.

      Unfortunately, it doesn’t really matter how access was gained because once inside the hackers had their way with the firm’s data. Apparently none of it was segmented, none seemed to have access restricted to specific people, none of it was encrypted and apparently nobody was paying attention to the network traffic. How else can you explain how over two terabytes of data was exfiltrated from the company’s network with no one noticing?

      The theft of so much data could have been enabled by what Wood calls an “unintentional insider,” which is someone who provides the critical information for penetrating a network without realizing that they are doing so. She said that such gaps in security can be reduced by appropriate training.

      But much of the blame at the firm goes beyond just training employees. Like Target before its breach, apparently there was nothing to prevent someone who had access to the network from getting anywhere on the network they wanted, including some highly sensitive areas that contained the private information of clients.

      Worse, there appears to have been nothing in the way of intrusion detection. How else can you explain the ability to move that much data out of a network without anyone noticing? Even if someone had walked into the law firm’s office with a portable hard drive and started copying, the process would have taken hours or days. If the breach was done remotely as the firm claims, it could have taken weeks to siphon off all that data.
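
An illustration of why a transfer spread over weeks slips past a fixed per-day alarm, and what a check against each host's own baseline catches. This is an added example, not part of the original article; the host addresses, daily volumes and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque

GB = 10**9

def build_sample_flows():
    """Constructed data: (day, internal host, bytes sent to the internet that day)."""
    flows = []
    for day in range(28):
        flows.append((day, "10.0.5.11", 3 * GB))  # ordinary workstation
        flows.append((day, "10.0.5.12", 5 * GB))  # ordinary workstation
        # File server: 2 GB/day for a week, then 100 GB/day for three weeks.
        flows.append((day, "10.0.5.23", 2 * GB if day < 7 else 100 * GB))
    return flows

def total_egress(flows, host):
    """Total bytes a host sent out over the whole sample period."""
    return sum(sent for _, h, sent in flows if h == host)

def daily_spike_alerts(flows, per_day_limit):
    """Fixed limit: alert only when one host exceeds the limit in a single day."""
    return sorted({h for _, h, sent in flows if sent > per_day_limit})

def sustained_egress_alerts(flows, window_days=7, factor=10):
    """Alert when a host's rolling window_days total exceeds `factor` times
    the total of its own first window (its baseline). Assumes one record
    per host per day with no gaps. Returns {host: first alerting day}."""
    per_host = defaultdict(list)
    for day, host, sent in sorted(flows):
        per_host[host].append((day, sent))
    alerts = {}
    for host, series in per_host.items():
        baseline = sum(sent for _, sent in series[:window_days])
        window = deque(maxlen=window_days)
        for day, sent in series:
            window.append(sent)
            if len(window) == window_days and sum(window) > factor * baseline:
                alerts[host] = day
                break
    return alerts

if __name__ == "__main__":
    flows = build_sample_flows()
    print(total_egress(flows, "10.0.5.23") / GB, "GB left the file server")
    print("fixed 150 GB/day limit:", daily_spike_alerts(flows, 150 * GB))
    print("baseline-relative:", sustained_egress_alerts(flows))
```

In this sample the file server sends out just over two terabytes without ever crossing the fixed daily limit, while the baseline-relative check flags it on the second day of the elevated traffic.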

      Regardless of how the perpetrators breached the network, the fact is that lax security practices at Mossack Fonseca must have played a role. Otherwise, even if hackers had managed to get in without assistance, they couldn’t have downloaded so much data.

      There are important lessons in the Mossack Fonseca breach, not the least of which is to pay more than lip service to security. Even if it’s not possible to eliminate all breaches, it’s still possible to limit the damage.

      Hopefully the firm will take steps to lock things down. And hopefully when all those Icelandic, Russian and Chinese leaders go looking for a private place to shelter the proceeds of their graft, they’ll check the service provider’s security before they do anything else.

      Wayne Rash
      Wayne Rash is a freelance writer and editor with a 35-year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and is Senior Columnist for eWEEK. He is the author of five books, including his most recent, "Politics on the Nets". Rash is a former Executive Editor of eWEEK and Ziff Davis Enterprise, and a former analyst in the eWEEK Test Center. He was also an analyst in the InfoWorld Test Center, and Editor of InternetWeek. He's a retired naval officer, a former principal at American Management Systems and a long-time columnist for Byte Magazine.
