Skip to content
Naked Security Naked Security

Panama Papers: “It was an email server attack”

The Panama Papers - big breach, big news...but how did it happen?

If you thought Chelsea Manning’s data leak was big, or the Snowden revelations, or some of the Sony breaches

…they’re all dwarfed, in quantity if not quality, by the “Panama Papers.”

The word Panama comes from the location of the legal firm that was breached, Mossack Fonseca, headquartered in Panama City; and Papers is a metaphor.

With an a estimated 2.6TB of stolen data in the breach, this was not a traditional break-and-enter, and the hacker or hackers behind it didn’t run off wth filing cabinets of printed material.

If you assume a generous allowance of 1MB of data per printed A4 page, 2.6TB comes out at 2,600,000 pages.

An A4 sheet, by definition, covers one-sixteenth of a square metre, and typical laser printer paper weighs 80 grams per square metre.

That’s 5 grams per page, or 13 tonnes for the paper version of the Panama Papers.

Lots of the media coverage you’ll have seen so far deals with the question, “Who’s been named in the Papers?”

You’d think that publishing those details would be off limits, given that the 13 tonnes of information about Mossack Fonseca’s customers was stolen, and everyone knows it was stolen…

…but the justification for writing about it seems to be that if you’ve ever made use of confidential (OK, secret) offshore banking, legal and taxation services, then you are, by implication, up to no good and therefore no longer deserve to have your privacy respected.

As a result, the stolen data is now as good as in the public domain.

What happened?

Here at Naked Security, we’re more interested in how the breach happened, and what we can learn from that part of the story, than in what we can conclude from information that was illegally acquired in the first place.

The problem is that, so far, we just don’t know how the hackers did it.

Given the scale of the breach, it certainly sounds as though there was more involved than just finding a password or tricking a user into opening a booby-trapped attachment.

Presumably, the hackers needed to get in, find their way around, figure out what data was stored where, work out how to access it, and then find a way to collect and exfiltrate it.

Mossack Fonseca has trotted out the truisms we often hear after a breach of this sort.

According to what looks like a screenshot posted on Twitter, Mossack Fonseca said, “Unfortunately, we have been subject to an unauthorized attack of our email server.”

The company also: promised it has taken “all necessary measures to prevent this from happening again,” stated that it is taking “additional measures to further strengthen [its] systems,” and claimed to be “in the process of an in-depth invesigation with experts.”

You’d swear that Mossack Fonseca read Naked Security’s What you sound like after a data breach, perhaps without realising it was a satirical article.

What to do?

An email breach may not sound like much on its own, but even if a crook manages to get hold of just one user’s password, that can be enough to get started.

After all, emails sent from an internal account have the apparent legitimacy of coming from inside, so the crook can make believable-sounding IT requests, such as asking for a password reset, and then intercept any helpful replies that come back.

Worse still, if a crook manages to breach the email server itself, he could end up harvesting all incoming and outgoing attachments, at least some of which will give away secrets that help him get further and further into the network.

If a crook has already breached your outermost defences and is poking around inside, he’s more likely to be noticed, and stopped, if you create a culture of security at work.

That means being honest and up front about cybersecurity with colleagues and customers alike, no matter what.

Sophos’s own IT Security Manager Ross McKerchar, has 6 tips on how to create that sort of culture.


Image of email icons courtesy of Shutterstock.

10 Comments

People storing passwords in their inboxes?

If you can intercept a password reset link before the real user sees it, then you can not only get control but also hide the fact that you just did so.

I’ll bet one balboa that it was an insider that either developed a sudden case or morality, nobody would pay their blackmail attempt, or felt they were in danger from knowing to much.

“…being honest and up front about cybersecurity with colleagues and customers alike, no matter what.”

That is presumably inconsistent with the predatory/sociopathic form of corporate culture that was present in the company in question.

I was also under the impression from multiple sources that it was an inside leak. I did see that they published it was a hack in their news release which caused me to wonder who was correct. Is the source for this in your article only the Fonseca press release or have other outlets confirmed it was an actual hack as opposed to a whistle blower?

Wired has published a lengthy story that implies that the leak happened piecemeal over a long period of time, but it’s still as clear as mud how many people were involved; how they got at the data; how they got it out; how long the actual breach took to achieve; how many databases, servers, accounts, baxckup devices and whatnot were drained of data…

A cursory reading of the Wired article does, indeed, seem to imply that it was an inside job. Yet Wired explicitly uses the words “unknown source,” which means Wired *can’t* tell you (rather than merely that it won’t) whether it was an inside job or an outside one.

And, to be precise, Mossack Fonseca has said nothing more than that it was “subject to an unauthorized breach of [its] mail server,” without saying what else was or wasn’t involved in 2.6TB flowing outwards.

For example, it could be insiders, outsiders or both; it could be a whistleblower who aimed to leak the data from inside; it could be activists who went after it systematically and hit the jackpot; it could be crooks who had a dig around and then decided their spoils were too hot to handle for financial reward and so leaked them; it could be all of those.

The only think we know so far is that we don’t know :-)

From what I gather this is more of a dump from the document management system. There are documents going back to 1977, long before email was around, and there is a database being used to search through the papers. Being an email administrator and the amount of crap that gets collected in email and how scattered it is I can’t see this being email.

The date of 1977 is when the company started, so if a document database was breached, it’s not surprising that the documents go back that far, assuming historical stuff had been scanned in for the record. So I agree that “our email server suffered unauthorised access” is unlikely, if not actually impossible, as a complete explanation.

Nevertheless (and this is the point I was trying to make), an email server breach that you don’t notice promptly is about much more than that. Email isn’t the castle but it’s likely to contain the keys to the castle…and, indeed, the keys to other people’s castles, too.

I’d like to add that as JD mentioned, this points out the true seriousness of lax IT security practices. You don’t just have to protect against current documents regarding future projects being stolen/compromised, getting access to the right internal credentials provides access to all corporate data that exists.

“The company also: promised it has taken “all necessary measures to prevent this from happening again,” stated that it is taking “additional measures to further strengthen [its] systems,” and claimed to be “in the process of an in-depth invesigation with experts.”

This quote shows a significant shortsightedness: when a law firm has just been breached for 39 years’ worth of client data, taking measures to prevent it from happening again isn’t all that useful. It won’t save the firm, nor protect their clients.

Speculating, it’s possible that the attack on their email server had nothing to do with the attacker getting in, but was the method the insider used to get all the data out — and because of how the server was set up, nobody noticed that over a 1 year period, 2.6TB of data was sent from there to points unknown. If this is the case,it shows the importance of flagging and investigating network and system anomalies and getting to the root cause.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?