BreachExchange mailing list archives
The Panama Papers – could it happen to you
From: audrey () riskbasedsecurity com (Audrey McNeil)
Date: Thu, 14 Apr 2016 16:51:42 -0600
https://nakedsecurity.sophos.com/2016/04/12/the-panama-papers-could-it-happen-to-you/

Here’s a good guess: a month ago, you’d never heard of a company called Mossack Fonseca. Here’s another guess: you have now.

You know they’re a legal and trust services company, that they’re headquartered in Panama, that they were founded in 1977, and that they recently suffered the mother of all data breaches.

Actually, from what we now know, the company didn’t so much suffer a data breach as endure one. According to a story by Forbes, the stolen data has been available to “more than 400 journalists” for at least a year, and arrived in a series of “humongous data troves that came in incrementally.”

Apparently, 2.6TB of data was stolen in the breach, which would probably work out somewhere between 3,000,000 and 300,000,000 printed pages, assuming you could feed in the paper fast enough.

No one did feed in any paper, of course: the stolen data was organised digitally in the cloud, where journalists with the right credentials, literally and figuratively, could access it.

Printed or not, the breach has gone into history as The Panama Papers.

Damage control

Mossack Fonseca, as you can probably imagine, has published dozens of damage-control articles and FAQs, creating a special website called mossfonmedia.com for the purpose.

As an almost amusingly ironic aside, if you try to visit this site securely using HTTPS, you’ll get a web certificate error thanks to a self-signed certificate that expired more than a year ago.

If you ignore the security warnings, just as Mossack Fonseca seems to have done in a more general way for the past year or two, you’ll find plenty of reading material.

But the only official comment we’ve seen on the breach itself is this one, published by Mossack Fonseca shortly after the stolen data was first publicly used to name and shame some of the company’s high-profile customers:

"Unfortunately, we have been subject to an unauthorised breach of our email server. If you have not heard from us until now, that means we have reason to believe that your information was not compromised. We sincerely regret this event and have taken all necessary measures to prevent this from happening again."

Is this likely?

With 2.6TB of stolen data, apparently including paperwork right back to 1977 when the company was founded, presumably now digitised and stored in some sort of content management system (CMS), it’s hard to imagine how an email server breach alone could have led to a compromise on this scale.

If it’s unlikely, why try to blame what sounds like a single, limited breach?

You might think that the obvious answer is that Mossack Fonseca is trying to hide something, but that’s unlikely too. (From the size of the breach, there doesn’t seem to be anything left to hide.)

The problem with a truly enormous breach, especially if it took place right across your network over an extended period without anyone noticing that anything was wrong, is that you may never be able to figure out exactly what happened.

After all, if you didn’t notice at the time, you probably weren’t collecting the sort of log data that would let you notice, so you won’t have the evidence you need to help you work backwards to the cause.

And even if you do have log data, but you didn’t keep your eye on it at the time, you may never know how accurate it is, because the crooks might have suppressed it at key moments, or tampered with it, or you might have been collecting the wrong stuff.

What happened?

We can still only guess what happened.

We know from Mossack Fonseca’s official statement that their email server was definitely hacked, so we can be sure that one of the company’s critical externally-facing servers was insecure.

Finding other security holes is unsurprising, and equally disappointing, but doesn’t mean that any now-known holes were used, or even needed, for the thieves to get in.

Nevertheless, as we suggested in a recent article, a compromised mail server, or even a single compromised email account, could have been enough of a crack in the defences to let crooks run rampant inside the network without any further hacking.

Your email server isn’t the whole castle, but it probably contains the keys to the castle for any crook who cares to take the trouble to look.

Passwords and password reset links, for example, are often sent by email; so are account details; contact details of IT staff who can help if you get stuck; handy organisational charts and internal phone directories; login information for newly created accounts; the results of security audits (a lot quicker than probing for vulnerabilities yourself); and so on.

All in all, the goose that lays the golden eggs of social engineering.

Having said that, a company called WordFence recently looked at two other important parts of Mossack Fonseca’s server infrastructure.

The company’s main website uses WordPress; according to WordFence, the WordPress setup included a buggy plugin that could be used to get unauthorised access. (Buggy WordPress plugins often get forgotten when the main WordPress installation gets patched, leaving the whole server at risk of a complete hack.)

WordFence also noticed that Mossack Fonseca’s customer portal, where exactly the sort of data revealed in the breach was stored, was running a long-outdated version of Drupal.

Indeed, the Drupal version noted by WordFence was 7.23, which predates by some distance the notorious Drupal 7.32 patch dating back to October 2014.

The Drupal 7.32 patch was notorious because crooks almost immediately used the 7.32 update to figure out which holes had been patched, using the patches as a sort-of instruction manual for how to break into as-yet-unpatched servers.

According to Drupal, attacks using the newly-disclosed hole started “within hours” – a hard timeframe to beat, given that Drupal doesn’t have an automatic updating process, and even the keenest sysadmins sometimes need to sleep.

What to do?

In articles of this sort, we usually finish off with a list of tips you can try.

This time, we’ll just point out that, however the Panama Papers were actually breached, it looks as though Mossack Fonseca missed out on the very basics of server security, by not closing known holes that were already part of the cybercriminal armoury.

So we’ll leave you with the pithy words of Naked Security’s Mark Stockley:

The answer to, “What happened?” is, “We don’t know.” But they’ve got a vulnerable plugin that lets you open a root shell and their web server is on the same network as their email server, so it could be that. Same lesson as Sony Pictures: just do the stuff you know you should be doing.
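The article's point about log data that was "suppressed at key moments, or tampered with" is the usual reason to make logs tamper-evident. The example below is added here and is not from the Naked Security article or the mailing list: it chains each log entry to every earlier one with an HMAC, so an edited, deleted or reordered entry breaks every tag after it. The key, the log lines and the seal format are all constructed for the demo; in practice the key and the seal would be held on a separate collector, not on the host that writes the log.

```python
import hashlib
import hmac

# Constructed demo key; a real deployment keeps this on the log collector.
KEY = b"constructed-demo-key-do-not-use"
GENESIS = b"\x00" * 32  # fixed starting value for the first entry


def chain_log(lines, key=KEY):
    """Return [(line, tag_hex)] with tag = HMAC(key, prev_tag || line).

    Each tag commits to every earlier entry, so editing, deleting or
    reordering an entry invalidates every tag that follows it."""
    prev, out = GENESIS, []
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        out.append((line, tag.hex()))
        prev = tag
    return out


def make_seal(records):
    """(count, last_tag_hex) to be stored out of band; it lets the
    verifier notice entries trimmed from the tail of the log."""
    return len(records), (records[-1][1] if records else GENESIS.hex())


def verify_chain(records, key=KEY, seal=None):
    """Return (ok, index): ok is True when every tag verifies (and the
    seal matches, if given); otherwise index is the first bad entry."""
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(records):
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return False, i
        prev = expected
    if seal is not None and seal != (len(records), prev.hex()):
        return False, len(records)  # tail truncation or wrong seal
    return True, len(records)


# Constructed sample mail-server log lines (not real data).
SAMPLE = [
    "2016-04-01T02:10:11Z imap login user=alice src=10.0.0.5",
    "2016-04-01T02:10:40Z imap login user=admin src=203.0.113.9",
    "2016-04-01T02:11:02Z imap fetch user=admin folder=IT-Onboarding",
    "2016-04-01T02:12:30Z imap logout user=admin",
]
```

Without the out-of-band seal, removing entries from the end of the log is not detectable, which is why the seal (or a periodic checkpoint of it) has to leave the host.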