The front-end computer systems of Mossack Fonseca are outdated and riddled with security flaws, analysis has revealed.
The law firm at the centre of the Panama Papers hack has shown an "astonishing" disregard for security, according to one expert. Amongst other lapses, Mossack Fonseca has failed to update its Outlook Web Access login since 2009 and not updated its client login portal since 2013.
Mossack Fonseca's client portal is also vulnerable to the DROWN attack, a security exploit that targets servers supporting the obsolete and insecure SSL v2 protocol. The portal, which runs on the Drupal open source CMS, was last updated in August 2013, according to the site's changelog.
On its main website Mossack Fonseca claims its Client Information Portal provides a "secure online account" allowing customers to access "corporate information anywhere and everywhere". The version of Drupal used by the portal has at least 25 vulnerabilities, including a high-risk SQL injection vulnerability that allows anyone to remotely execute arbitrary commands. Areas of the portal's backend can also be accessed by guessing the URL structure, a security researcher noted.
Mossack Fonseca's webmail system, which runs on Microsoft's Outlook Web Access, was last updated in 2009, while its main site runs a version of WordPress that is three months out of date. A further vulnerability makes it possible to easily access files uploaded to the backend of Mossack Fonseca's site simply by guessing the URL. "It shows the way they configured the server and the way they configured the website is not within the best security practices," an anonymous source told WIRED. They continued to say that the method could be used by other people to access the data. "We're talking about a misconfigured server that enables directory listings."
Professor Alan Woodward, a computer security expert from Surrey University told WIRED that Mossack Fonseca's front end seemed "horribly" out of date. "I can't understand this," Woodward continued. "Take something like Outlook Web Access – if you keep your Exchange Server up to date this just comes along naturally. They seem to have been caught in a time warp. If I were a client of theirs I'd be very concerned that they were communicating using such outdated technology."
Mossack Fonseca's emails were also not encrypted, according to privacy expert Christopher Soghoian who noted the company did not use the TLS security protocol. "Given the business they're in, I find it quite surprising that they haven't thought about securing their emails better," Angela Sasse, professor of human-centred technology at University College London, told WIRED.
"I would regard TLS encryption as okay for a not very high risk organisation, if it is done properly and looked after. The awareness of the risk and how easily these services can be attacked seems to not have been there."
Precisely what vulnerability the attacker used is not known and Mossack Fonseca has said it is carrying out "an in-depth investigation with experts", while also taking "additional measures" to strengthen its systems. In a leaked email to customers Mossack Fonseca confirmed an "unauthorised breach" of its email servers. Company partner Ramon Fonseca has since said the leak was not "an inside job" and that the company had been hacked by servers based abroad. The company did not respond to requests for comment.
It also remains unclear who carried out the attacks. University of Kent senior computing lecturer Eerke Boiten told WIRED that the leak may in fact be the work of an insider. "We do know that it was a lot of data, and that it came out gradually," he said. "This points at an insider with enough access privileges to get to see all the data, but not enough privileges to be able to copy it all quickly to one disc."
Woodward disagreed, saying the vulnerabilities in Mossack Fonseca's systems made it "vulnerable to external scanning and exploitation". The attacker may even have been a nation state, he continued. "If I were a betting man I would place a two way bet between an external hacker who got lucky by probing, was shocked by what they saw and leaked it, and a nation state fed up with tax avoidance."
What little is known about the source of the leak comes from details published by German newspaper Suddeutsche Zeitung. Communicating via encrypted chat in late 2014, the source warned his or her life was "in danger" but that they had data from law firm Mossack Fonseca that they wanted to share. When asked how much data they had, the source replied "more than you have ever seen," according to the newspaper.
It took almost a year for all the data to arrive, with the source sending it in dribs and drabs. Dating back to the 1970s, the 11.5 million documents – the biggest leak in history – total 2.6 terabytes.
The Panama Papers detail 214,488 offshore entities related to public officials held by Mossack Fonseca. The leak includes emails, contracts, scanned documents and transcripts. Broken down by file type, the leak comprises 4.8 million emails, three million database files, 2.1 million PDFs, 1.1 million images, 320,166 text files and 2,242 files in other formats. All the files came organised in folders for the individual shell firms they related to. A full list of companies and people linked to the offshore entities will be published in May 2016.
Dr Daniel Dresner, a lecturer in cyber security at Manchester University's school of computer science, told WIRED that Mossack Fonseca's seemingly lax security protocols were not unusual amongst law firms. "There's always a feeling in the legal fraternity that whatever happens they'll be able to get off the wrap because they're clever legal people," he said. "People are now starting to realise that legal companies are a great target. When you think about the size of stuff that they're negotiating, who they're negotiating for and the number of different parties involved, the motivation is there for people who want a bit of insider information."
Dresner added that the poor data protection practices of some law firms offline had clearly been duplicated online. "Look at the back seat of the car of the average partner's BMW and I think you'd be quite shocked. These guys still take large bundles of papers around tied up with ribbons," he said. "I knew one law firm who, as part of their so-called governance, walked around the building in the summer to make sure papers hadn't blown out [the window]." "There are plenty of vectors," Dresner said when presented with a list of potential holes in Mossack Fonseca's systems. "But they've put a great big invitation out there with an RSVP on it."
This article was originally published by WIRED UK
