
Mossack Fonseca security holes


o Mossack Fonseca has failed to update its Outlook Web Access login since 2009, and has not updated its client login portal since 2013.

o Mossack Fonseca's client portal is also vulnerable to the DROWN attack, a security exploit that targets servers supporting the obsolete, insecure SSL v2 protocol.

o The portal, which runs on the Drupal open source CMS, was last updated in August 2013, according to the site's changelog.

o The version of Drupal used by the portal has at least 25 vulnerabilities, including a high-risk SQL injection vulnerability that allows anyone to remotely execute arbitrary commands.

o Mossack Fonseca's webmail system, which runs on Microsoft's Outlook Web Access, was last updated in 2009.

o Its main site runs a version of WordPress that is three months out of date.

o A further vulnerability makes it possible to easily access files uploaded to the backend of Mossack Fonseca's site simply by guessing the URL.

o Mossack Fonseca's emails were also not encrypted.

o In a leaked email to customers Mossack Fonseca confirmed an "unauthorised breach" of its email servers. Company partner Ramon Fonseca has since said the leak was not "an inside job" and that the company had been hacked by servers based abroad.

· Data Breach Today, Security holes at the heart of the Panama Papers leak:

o They list some of the same issues as Wired UK, and also have links to pursue.

· Computerworld explains the leak. Copied and pasted from there, includes:

o A representative of Mossack Fonseca has confirmed news reports saying the leak stems from an email hack. It's unclear how the email attack happened, but tests run by outside security researchers suggest Mossack Fonseca did not encrypt its emails with Transport Layer Security protocols.

» The security holes at the heart of the Panama Papers

James Temperton and Matt Burgess report: The front-end computer systems of Mossack Fonseca are outdated and riddled with security flaws, analysis has revealed. The law firm at the centre of the Panama Papers hack has shown an “astonishing” disregard for security, according to one expert.


Amongst other lapses, Mossack Fonseca has failed to update its Outlook Web Access login since 2009 and not updated its client login portal since 2013. Mossack Fonseca's client portal is also vulnerable to the DROWN attack, a security exploit that targets servers supporting the obsolete, insecure SSL v2 protocol. The portal, which runs on the Drupal open source CMS, was last updated in August 2013, according to the site’s changelog.

The ‘Panama Papers’ constitute the most significant law firm data breach yet – are the ‘London Papers’ next?

Panama Papers: poorly managed WordPress and Drupal sites at the root of a hack? - Tech

Panamapapers.sueddeutsche

Over a year ago, an anonymous source contacted the Süddeutsche Zeitung (SZ) and submitted encrypted internal documents from Mossack Fonseca, a Panamanian law firm that sells anonymous offshore companies around the world.


These shell firms enable their owners to cover up their business dealings, no matter how shady. In the months that followed, the number of documents continued to grow far beyond the original leak. Ultimately, SZ acquired about 2.6 terabytes of data, making the leak the biggest that journalists had ever worked with. The source wanted neither financial compensation nor anything else in return, apart from a few security measures. The data provides rare insights into a world that can only exist in the shadows.

Panama Papers: The security flaws at the heart of Mossack Fonseca

The front-end computer systems of Mossack Fonseca are outdated and riddled with security flaws, analysis has revealed.


The law firm at the centre of the Panama Papers hack has shown an "astonishing" disregard for security, according to one expert. Amongst other lapses, Mossack Fonseca has failed to update its Outlook Web Access login since 2009 and not updated its client login portal since 2013. Mossack Fonseca's client portal is also vulnerable to the DROWN attack, a security exploit that targets servers supporting the obsolete, insecure SSL v2 protocol. The portal, which runs on the Drupal open source CMS, was last updated in August 2013, according to the site's changelog.

On its main website Mossack Fonseca claims its Client Information Portal provides a "secure online account" allowing customers to access "corporate information anywhere and everywhere". "I would regard TLS encryption as okay for a not very high risk organisation, if it is done properly and looked after.

Panama Papers a win for encryption backers

Privacy advocates are touting the so-called Panama Papers as a key example of how encryption can protect courageous whistleblowers and other vulnerable individuals.


According to reporters and editors involved in the project, dozens of researchers and writers relied on anonymous chatting platforms and encrypted email to protect the whistleblower and keep under wraps leaked documents from Mossack Fonseca, a prominent Panamanian law firm that allegedly helped wealthy people stash fortunes from domestic tax laws. To this day, the leaker is not known, even by the journalists themselves.

“For many of these people who are coming forward, it’s a matter of life and death and they’re putting a lot on the line and putting themselves at risk essentially for the greater good,” said Neema Singh Guliani, a legislative counsel with the American Civil Liberties Union (ACLU). Obermayer declined, however, to detail the specific methods he employed. Following last year’s terror attacks in Paris, Sens.

Keeping your data safe - advice

‘Panama Papers’ - 6 Security Takeaways

Anti-Money Laundering (AML), Compliance, Data Breach. Encryption, Access Controls and Network Monitoring Remain Essential. Mathew J. Schwartz (euroinfosec), April 5, 2016.

The fallout from the so-called "Panama Papers" leak continues. So far, the leak of 11.5 million records - emails, databases, images - allegedly from Panama-based law firm Mossack Fonseca has led to difficult questions for politicians and public figures, including Russian President Vladimir Putin and the government of Pakistan.

From an information security standpoint, however, experts say the breach highlights how one law firm apparently failed to have the right defenses in place. Here are six security takeaways from the massive data leak: 1. The Panama Papers should be a wake-up call for all law firms, says Brian Honan, who heads Dublin-based information security consultancy BH Consulting.

Why the Panama Papers are a good thing for hackers - and the rest of us

This week, the world has been attempting to make sense of the 11.5 million documents stolen from a law firm in Panama that has allegedly been helping the rich and famous hide their money from the world’s tax men.


In little over 48 hours, it has already had its first major political scalp, with the resignation of Icelandic prime minister Sigmundur Gunnlaugsson. But there are others now feeling the pressure, including Ukrainian president Petro Poroshenko, Gianni Infantino, Fifa’s newly-elected top official, eight members of China’s politburo and nearly all of Vladimir Putin’s inner circle, and Vladimir himself.

The immediate impact of the leak, which was offered to newspapers more than a year ago, is only just being felt.

Panama Papers: Who is responsible for Mossack Fonseca email server leak?

Mossack Fonseca, the Panama-based law firm at the centre of a global money scandal exposing how the world's rich hide their cash, has blamed the unprecedented leak of over 11 million customer records on a computer hack against an email server.


Ramon Fonseca, one of the co-founders of Mossack Fonseca, told Panama's Channel 2 that, although authentic, the documents being pored over by global media outlets were 'obtained illegally by hackers'. Larger in scope than anything released by whistleblowing site WikiLeaks or former NSA-contractor Edward Snowden, the Panama Papers have implicated powerful figures, such as the king of Saudi Arabia, the prime ministers of Iceland and Pakistan and close aides of President Vladimir Putin in alleged financial misconduct.

The client email

"There was unauthorised access to our email server through which certain information was gleaned by outside parties," the email stated.

Panama Papers: Outgoing employees pose risk to firms, remind lawyers

'Do you need to keep the employee in the business for six months when they could cause damage?' Risk specialists and senior lawyers have advised law firms to reduce the threat of whistleblowing employees in light of the Panama Papers attack last weekend. More than 11.5 million confidential files detailing tax havens held by the world's elite were leaked from Panamanian law firm Mossack Fonseca and obtained by investigative journalists. With 2.6 terabytes of carefully extracted data retrieved, the attack is widely thought to have come from an unknown whistleblower. Solicitor and managing director of Digital Law UK Peter Wright, who described the Panama Papers attacks as 'the law firm equivalent of Edward Snowden', said employees serving notice periods were a major risk to firms. Risk expert Frank Maher, a partner at Legal Risk LLP, similarly highlighted the ease with which data can be accessed.

Employment perspective

Mossack Fonseca Breach - WordPress Revolution Slider Plugin Possible Cause

This entry was posted in General Security, WordPress Security on April 7, 2016 by mark. Mossack Fonseca (MF), the Panamanian law firm at the center of the so-called Panama Papers Breach may have been breached via a vulnerable version of Revolution Slider.


The data breach has so far brought down the Prime Minister of Iceland and surrounded Russian President Putin and British Prime Minister David Cameron with controversy, among other famous public figures. It is the largest data breach to journalists in history, weighing in at 2.6 terabytes and 11.5 million documents. Forbes have reported that MF was giving their customers access to data via a web portal running a vulnerable version of Drupal. We performed an analysis on the MF website and have noted the following: The MF website runs WordPress and is currently running a version of Revolution Slider that is vulnerable to attack and will grant a remote attacker a shell on the web server.

Panama Papers breach was the result of lax security practices? - Help Net Security

News items based on the so-called “Panama Papers,” a set of 11.5 million documents leaked from the networks of Panama-based law firm Mossack Fonseca, keep popping up, but it’s still unknown who the person behind the leak is and how he or she managed to get ahold of the documents.


The leaked emails, PDF files, photos, and excerpts of an internal company database cover a period from the 1970s to 2016. In total, 2.6 terabytes of data have been stolen from the company. That huge amount of data couldn’t have been exfiltrated in a short time, and one wonders how the company failed to spot the data going out. But maybe that astonishment is misplaced, as bit by bit details of the company’s poor security posture are coming out.

What does Mossack Fonseca say?

In a notification sent to its customers, Mossack Fonseca said that the hack happened on their email server.

What do security experts say?

“The firm ran its unencrypted emails through an outdated (2009) version of Microsoft’s Outlook Web Access.

#PanamaPapers: Mossack Fonseca, an incredible blunder.

#PanamaPapers: Mossack Fonseca's panic email.

#PanamaPapers: the possibility of a computer hack raised.