Before that, here’s what the whole ruckus is about. Simplified.
Little Frank gets 4 coins every week. He keeps all this allowance money in his room. Frank’s mother counts these coins occasionally.
One day, Little Frank decides that his mother shouldn’t know about his coins so he keeps some of it in neighbor Little Ralph’s house. Ralph’s mother doesn’t care about coins.
Eventually, all neighbor children think that it’s a good idea to keep secret coin at Little Ralph’s house. Soon, his room is full of coins.
One-day Ralph’s brother finds out everything about the secret coins and tells the secret to all mothers. Mothers confront their children about whether they were stealing extra coins.
In this story, Frank and his friends are citizens of different countries who didn’t want their mothers, i.e., government to know about their wealth. Ralph’s brother, i.e., hackers made the whole saving and tax haven thing public.
An enormous 2.6-terabyte of data containing documents, transaction history, and other details were stolen from Panamanian law firm Mossack Fonseca. These documents unveil the extent of international corruption to evade tax and protect financial assets. Names of elite personalities from both politics, sports and movie industry surfaced in the leaks.
The International Consortium of Investigative Journalists released the leaked data connecting more than 21 tax havens, 50 countries, and offshore companies. However, it is believed that they’ve had help from hackers who knew how to find vulnerabilities in computers, on servers and applications.
Mossack Fonseca seems to specialize in helping people hide huge sums of money, they were not so great with the cybersecurity aspect though, it seems.
The firm’s client portal has been found vulnerable to the DROWN vulnerability, which we had reported last month. It is a weakness in the SSL encryption protocol, which somehow uses the old, deprecated SSLv2 on servers.
While all modern day websites and servers run on TLS encryption protocol, a simple assessment can show when there is a weakness like DROWN or POODLE in the encryption technology.
Taking forward the discussion on Mossack Fonseca’s client portal, the firm claims that it offers “secure online account” and access to account information to any part of the world. Clearly, it is one of the most important clients communication portals.
Shockingly, this portal was using the open source Drupal Content Management System, which was last updated two years back. Here are some interesting facts about the particular Drupal CMS version.
The issues just don’t end here. Security researchers have claimed that certain backend portions of the site were also accessible with simple commands that any high school hacker could have guessed. In fact, even the Microsoft’s Outlook at Mossack Fonseca was last updated seven years back in 2009. The emails were not even encrypted .
It was probably incredibly easy for hackers to get admin level privileges with such application and system level security standards.
Mossack Fonseca probably deserved such a leak that was about manipulating taxes in more than 50 countries. However, we cannot simply do away with the fact that even such secret companies are not worried about security. Didn’t they ever think of getting the basic SSL and application security?
Other important fact is that the International Consortium of Investigative Journalists had it intentions clear. They didn’t want financial gains or power over something. They just wanted to unveil the level of international corruption, which in this particular Panama Paper leak is right.
But are other information enthusiasts so positive too? What will happen when huge companies dealing with financial transactions, military documents, and government plans fail to secure even at a basic level?
Application-layer security and high-grade SSL encryption are critical when the most number of data breaches and cyberattacks happen at these levels.
For businesses that do not understand appsec, OWASP Top 10, Hacking, and Business Impact: Business Manager Series is one of the better places to educate yourself on the topic.
Eventually, the points like security expert shortage, money, hiring-firing, and business priorities do crop. That is why you should have an extended security arm called Indusface AppTrana that takes over all your security issues with round-the-clock hacker monitoring and reporting.
Founder & Chief Marketing Officer, Indusface
Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch, and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in security industry and had held various mgmt/leadership roles in Product Development, Professional Services and Sales @Entrust.