How did the biggest document leak happen?

Before that, here’s what the whole ruckus is about. Simplified.

Little Frank gets 4 coins every week. He keeps all this allowance money in his room. Frank’s mother counts these coins occasionally.

One day, Little Frank decides that his mother shouldn’t know about his coins, so he keeps some of them at neighbor Little Ralph’s house. Ralph’s mother doesn’t care about coins.

Eventually, all the neighbor children think that it’s a good idea to keep secret coins at Little Ralph’s house. Soon, his room is full of coins.


One day, Ralph’s brother finds out everything about the secret coins and tells the secret to all the mothers. The mothers confront their children about whether they were stealing extra coins.

In this story, Frank and his friends are citizens of different countries who didn’t want their mothers, i.e., government to know about their wealth. Ralph’s brother, i.e., hackers made the whole saving and tax haven thing public.

So what happened?

An enormous 2.6 terabytes of data containing documents, transaction history, and other details was stolen from Panamanian law firm Mossack Fonseca. These documents unveil the extent of international corruption to evade tax and protect financial assets. Names of elite personalities from politics, sports and the movie industry surfaced in the leaks.

The International Consortium of Investigative Journalists released the leaked data connecting more than 21 tax havens, 50 countries, and offshore companies. However, it is believed that they’ve had help from hackers who knew how to find vulnerabilities in computers, on servers and applications.

Mossack Fonseca seems to specialize in helping people hide huge sums of money. They were not so great with the cybersecurity aspect though, it seems.

Insecure SSL Protocol: Prone to DROWN Vulnerability

The firm’s client portal has been found vulnerable to DROWN, which we had reported last month. DROWN is a weakness in SSL encryption that affects servers which still support the old, deprecated SSLv2 protocol.

While all modern-day websites and servers run on the TLS encryption protocol, a simple assessment can show whether a weakness like DROWN or POODLE is present in the encryption technology.
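As an added example (not code from the original post), this is the core of what such an assessment checks for SSLv2: it builds an SSLv2 CLIENT-HELLO and classifies the first bytes of the reply. The function names and both sample replies are constructed for illustration; the probe would be sent to a server you operate.

```python
import struct

# SSLv2 cipher kinds (3 bytes each on the wire), named as in the SSLv2 specification.
SSLV2_CIPHERS = {
    0x010080: "RC4_128_WITH_MD5",
    0x020080: "RC4_128_EXPORT40_WITH_MD5",
    0x030080: "RC2_128_CBC_WITH_MD5",
    0x040080: "RC2_128_CBC_EXPORT40_WITH_MD5",
    0x060040: "DES_64_CBC_WITH_MD5",
    0x0700C0: "DES_192_EDE3_CBC_WITH_MD5",
}

def build_sslv2_client_hello(challenge: bytes = bytes(16)) -> bytes:
    """CLIENT-HELLO (type 1), version 0x0002, no session id, all ciphers above."""
    specs = b"".join(kind.to_bytes(3, "big") for kind in SSLV2_CIPHERS)
    body = struct.pack(">BHHHH", 1, 0x0002, len(specs), 0, len(challenge))
    body += specs + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body  # 2-byte header, high bit set

def classify_reply(data: bytes) -> dict:
    """Decide from the first bytes of the reply whether SSLv2 was accepted."""
    if len(data) >= 13 and data[0] & 0x80 and data[2] == 4:  # SSLv2 SERVER-HELLO
        _hit, _ctype, _ver, cert_len, spec_len, _conn = struct.unpack(
            ">BBHHHH", data[3:13])
        specs = data[13 + cert_len:13 + cert_len + spec_len]
        kinds = [int.from_bytes(specs[i:i + 3], "big")
                 for i in range(0, len(specs) - 2, 3)]
        names = [SSLV2_CIPHERS.get(k, f"unknown_0x{k:06x}") for k in kinds]
        return {"verdict": "sslv2_accepted", "ciphers": names}
    if len(data) >= 2 and data[0] == 0x15 and data[1] == 0x03:  # TLS/SSLv3 alert
        return {"verdict": "sslv2_refused", "ciphers": []}
    return {"verdict": "inconclusive", "ciphers": []}

# Constructed sample replies (not captured from any real server).
_specs = bytes.fromhex("020080" "0700c0")
_body = struct.pack(">BBBHHHH", 4, 0, 1, 0x0002, 4, len(_specs), 16)
_body += b"CERT" + _specs + bytes(16)  # placeholder certificate, ciphers, connection id
SAMPLE_SSLV2_REPLY = struct.pack(">H", 0x8000 | len(_body)) + _body
SAMPLE_TLS_ALERT = bytes.fromhex("15030100020228")  # fatal handshake_failure

if __name__ == "__main__":
    print(build_sslv2_client_hello().hex())
    print(classify_reply(SAMPLE_SSLV2_REPLY))
    print(classify_reply(SAMPLE_TLS_ALERT))
```

A verdict of `sslv2_accepted` means the deprecated protocol is still enabled on that listener and should be switched off in the server's TLS configuration.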

SQL Injection and 25 Other Vulnerabilities

Taking forward the discussion on Mossack Fonseca’s client portal, the firm claims that it offers a “secure online account” and access to account information from any part of the world. Clearly, it is one of the firm’s most important client communication portals.

Shockingly, this portal was using the open source Drupal Content Management System, which was last updated two years back. Here are some interesting facts about the particular Drupal CMS version.

  • The outdated CMS version on the portal is vulnerable to SQL Injection. In one of our earlier SQLi posts, we have mentioned this critical vulnerability and how it is responsible for 97% of the data breaches across the world.
  • The version also allows a crafted HTTP Host header, which can then be used for Distributed Denial of Service attacks.
  • Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), and Brute Force Bypass were some of the other application layer vulnerabilities on the portal.

The issues don’t end here. Security researchers have claimed that certain backend portions of the site were also accessible with simple commands that any high school hacker could have guessed. In fact, even Microsoft Outlook at Mossack Fonseca was last updated seven years back, in 2009. The emails were not even encrypted.

It was probably incredibly easy for hackers to get admin level privileges with such application and system level security standards.

Dealing with Sensitive Information

Mossack Fonseca probably deserved such a leak, which was about manipulating taxes in more than 50 countries. However, we cannot simply ignore the fact that even such secretive companies are not worried about security. Didn’t they ever think of getting basic SSL and application security?

Another important fact is that the International Consortium of Investigative Journalists had its intentions clear. They didn’t want financial gains or power over something. They just wanted to unveil the level of international corruption, which in this particular Panama Papers leak is right.

But are other information enthusiasts so positive too? What will happen when huge companies dealing with financial transactions, military documents, and government plans fail to secure even at a basic level?

Application-layer security and high-grade SSL encryption are critical because most data breaches and cyberattacks happen at these levels.

For businesses that do not understand appsec, OWASP Top 10, Hacking, and Business Impact: Business Manager Series is one of the better places to educate yourself on the topic.

Eventually, points like security expert shortage, money, hiring and firing, and business priorities do crop up. That is why you should have an extended security arm called Indusface AppTrana that takes over all your security issues with round-the-clock hacker monitoring and reporting.
