Topic: How is "Mossack Fonseca" aka "Offshore paradise" Hacked ?!

[Samker]

The staggering, Wikileaks-beating “Panama Papers” data exfiltration has been attributed to the breach of an email server last year.

The leak of documents from Panama-based, internationally-franchised firm Mossack Fonseca appears to confirm what has long been suspected but rarely proven: well-heeled politicians, businesses, investors, and criminals use haven-registered businesses to hide their wealth from the public and from taxmen.

Bloomberg says co-founder Ramon Fonseca told Panama's Channel 2 the leaked documents are authentic and were “obtained illegally by hackers”: http://www.bloomberg.com/news/articles/2016-04-03/german-paper-claim-huge-trove-of-data-on-offshore-accounts

According to The Spanish, the whistleblower (here in Spanish: http://www.elespanol.com/espana/20160403/114488656_0.html ) accessed the vast trove of documents by breaching Mossack Fonseca's email server, with the company sending a message to clients saying it's investigating how the breach happened, and explaining that it's taking “all necessary steps to prevent it happening again”.

The company added that it's engaged security consultants to close the horse-long-gone stable door.

Described as the biggest document leak ever, the International Consortium of Investigative Journalists (ICIJ), which is coordinating the drip-feed release of information from the leak, says there's 11.5 million documents and 2.6 TB of data.

The documents landed first at German outlet Sueddeutsche Zeitung last year, which worked with the ICIJ to coordinate their worldwide release.

The leak has exposed the offshore activities of hundreds of politicians and public figures around the world, naming Iceland's prime minister David Gunnlaugsson: https://panamapapers.icij.org/20160403-iceland-prime-minister.html , the late father of British PM David Cameron: https://panamapapers.icij.org/20160403-panama-papers-global-overview.html , Vladimir Putin, and many others: https://panamapapers.icij.org/20160403-putin-russia-offshore-network.html

So far, the ICIJ says, 140 politicians and public officials have been revealed as having offshore holdings, more than 214,000 organisations have been identified, along with many billions' worth of transactions.

Given the vagaries of defamation law, every outlet reporting on the breach including The Register is constrained to note that there are legitimate reasons for using such entities, including estate planning and inheritance rules, so it's unsound to assume that all Mossack Fonseca customers were breaking the law.

It's also feasible that not every individual or company named was fully aware of what was going on, since the ICIJ notes that banks were behind establishing most of the offshore entities.

To date, The Register hasn't seen a strong presence from the tech sector in the staged release of the documents, perhaps because the “Double Irish Dutch Sandwich” tactic favoured in this business works without hiding companies' links to their international associates: http://www.theregister.co.uk/2012/11/22/how_vendors_avoid_tax/

(ElReg)

[Samker]

The extraordinary leak of documents from law firm Mossack Fonseca that has spun a spotlight on the tax-avoiding efforts by the world's elite was likely the result of unpatched content management systems (CMSes).

A slew of stories this past week drawn from the 11.5 million documents and 2.6TB of data have seen the prime minister of Iceland resign, sparked calls for the resignation of UK prime minister David Cameron, and caused significant embarrassment to hundreds of others across the world.

The information was assumed to have come from a hacked email server – and that may still be true – but increasingly the evidence points to the fact that hackers found their way into the law firm's system through unpatched versions of the common WordPress and Drupal CMSes.

Mossack Fonseca has two main websites: its front-facing website, which runs on WordPress; and a customer portal for sharing sensitive information with customers, which runs Drupal.

Both of those sites were running outdated versions of the software and in both cases significant security holes existed that would have allowed hackers access.

WordPress

The main website's WordPress installation was three months out of date and one company, WordFence, has gone into an extensive rundown of what it believes was the entry point: an unpatched version of the Revolution Slider plugin – a plugin used to simplify website design: https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulnerable-slider-revolution/

Security vulnerabilities would have allowed hackers to gain admin access on the web server, and the WordFence team notes that the law firm's mail server was hosted at the same IP address as the WordPress server.

In other words, hackers could have found their way into the system through Mossack Fonseca's website and then accessed its mail server, downloading all the emails.

Drupal

Another entry point, however, is the secure portal that the company ran where it enabled customers to log in and share details of their business dealings.

That site ran Drupal version 7.23 and, as every Drupal sysadmin would be all too aware, that version came before a nightmare security patch in version 7.32 which was so bad that security experts warned that if people had not patched their sites the same day the patch was released, they should assume they had been hacked and consider a fresh install.

That security warning was issued back in October 2014, and so Mossack Fonseca's "secure portal" was wide open to exploitation for over a year. It is possible that hackers could have downloaded all the files that have been leaked through that system.

Without seeing the actual documents provided to select groups of journalists across the world, it will be difficult to know exactly where the documents were pulled from, and the journalists themselves have said they do not intend to make those files readily available due to the extensive private details they include.

The lesson of course is patch, patch, PATCH. WordPress has made big strides in this area by allowing for automated security updates and one-click plugin updates. Drupal, however, still requires you to manually install updates, and updating the core Drupal software requires additional efforts that result in people putting off updates for months.

WordPress' superior system is thought to be one of the main reasons why its popularity has soared in the past few years, while Drupal's has fallen.

(ElReg)

[devnullius]

A rare salute by me for bugs everywhere!

 

[Samker]

A rare salute by me for bugs everywhere!

 

 

---

More information about PP case:

Grey hat security researchers have discovered new flaws in the systems of Panama leak firm Mossack Fonseca.

A self-styled “underground researcher” claims to have found a SQL injection flaw on one of the corporate systems of the Panamanian lawyers.

“They updated the new payment CMS, but forgot to lock the directory /onion/,” he said via the “1x0123” Twitter profile: https://twitter.com/1x0123/status/718760771887489024

Mossack Fonseca specialises in helping its clients to set up firms in tax havens such as the British Virgin Islands. The leak of its client information as part of the Panama Papers has created a huge political stink

The lawyers informed clients in early April that the leak to journalists has been traced back to a hack on its email server, rather than a whistleblower. Its apparent failure to adequately lock down its systems is surprising in the circumstances.

“It looks like MF [Mossack Fonseca] had really very low security level, [such] that hackers continue to hack them for fun,” a security intelligence source who notified us of the claimed vulnerability told El Reg.

In between flagging up security issues with Mossack Fonseca, the same hacker has been busy over the last week attacking major media outlets, such as the LA Times and New York Times, and offering to sell access to insecure systems at NASA, among other hi-jinks.

The same hacker (1x0123) contacted Edward Snowden, notifying him of some bugs on one of his projects: https://twitter.com/1x0123/status/717353827452784640
Snowden acknowledged the bug report on the Freedom of the Press Foundation website on Sunday: https://twitter.com/Snowden/status/719263028345192449

(Elreg)