The Panama Papers

A lesson in web security

April 2016

Earlier this month Mossack Fonseca, a Panama based law firm was allegedly hacked in one of the largest security breaches ever. An enormous 2.6 terabytes of documents were leaked, revealing the financial secrets of the world's billionaires and politicians. These are The Panama Papers.

It has resulted in the resignation of Iceland's Prime Minister and the implication of hundreds of others as investigative journalists dig through the 11.5 million documents.

On the whole the law firm's dealings have been found to be above-board, however the use of offshore tax entities and bank accounts are often used for less benign purposes. The hacking scandal has also revealed financial and political connections that had been kept secret.

Ramon Fonseca, a company partner, maintains that the firm was hacked by an international source. Naturally, many leading security firms (and no doubt hackers) were eager to investigate the validity of this claim.

Shockingly, it was found that Mossack Fonseca was simply not encrypting their emails. In fact, their Outlook Web Access software had seemingly not been updated since 2009.

They were also running an outdated version of Wordpress with the notorious Revolution Slider (also out of date), as well as an outdated version of Drupal CMS that had 25 known vulnerabilities.

Mossack Fonseca may have been the go-to law firm for offshore dealings, but clearly not for privacy. With such sensitive data, it's astonishing that their security measures were so lax. Web security is not optional in 2016 and is becoming more critical each year for businesses, both large and small.

Large companies are often hacked for their data or political reasons. Small companies are often hacked for their server power. If, for example, a hacker could hijack 1000 small servers, they would combine to produce some serious power to hack larger targets, relay spam or move documents - most of the time, without the knowledge of the business.

The 3 most common hack causes:

  1. Simple passwords
  2. Out of date software
  3. Bad software

1. Passwords need to be 12 characters with a mix of upper and lower case, numbers and symbols. No exceptions. Use https://lastpass.com/ (or similar) to remember them all. It's a pain, but it's the world we live in.

2. If you run Wordpress, Drupal, Joomla or other open source software, upgrade it every month. They're great software - powerful, flexible and cheap, but need to be kept up to date.

3. Open source software means that anyone can develop add-ons and plugins. Anyone. So do some research before you use a plugin. Try Googling the name of your plugin followed by 'hack', for example 'revolution slider hack'. Contact Forms 7 is another culprit. And again, these need to be kept up to date.

You don't need to be handling sensitive data to be a hack target. A small business hack can cost days in lost productivity. And, it can cost your whole business if you lose confidential client data.

It will be interesting to see how the Mossack Fonseca saga unfolds - Mossack Fonseca News