Apart from being a haven for the offshore accounts of secretive billionaires, the Panamanian law firm Mossack Fonseca is also apparently a repository of security habits that were out of date over a decade ago. Although hiding uncountable billions of dollars from the world’s tax collectors is definitely a moral gray area, security professionals can definitely learn some lessons on what not to do, based on the firm’s woeful practices. More worryingly, however, Mossack Fonseca’s paper-thin security underscores a similar trend of shady companies protecting sensitive data with laughably out-of-date software.
It’s hard not to see irony in the fact that the world’s wealthiest individuals chose to hide their money with a firm whose security practices are on a par with those of an average public high school. Here are just a few of the vulnerabilities that various security investigators have turned up:
- An Outlook Web Access Portal that was last updated in 2009.
- A client access portal that was last updated in 2013.
- An outdated Drupal CMS with 25 vulnerabilities.
- A WordPress implementation three months out-of-date.
- Unencrypted emails that eschewed the TLS security protocol.
The thought process here frankly defies logic. What happened here can’t be ascribed to mere negligence, but rather to a fundamental lack of understanding of basic concepts in information security. While one would hope that lapses of this kind are singular, one-off events, evidence suggests that uniquely sensitive information like this is more poorly defended than anyone might realize.
In Bad Company: More Organizations with Sensitive Information and Weak Data Center Security
Here’s another example: Hacking Team. You may remember the Hacking Team breach from the summer of 2015, when leaked documents revealed that the company provided surveillance software to Sudan, the Lebanese Army, and the FBI. The leaked information caused a considerable amount of embarrassment to all parties involved—and, by coincidence, helped to hasten the ongoing death of Flash—and the company was also revealed to have been protected by a security architecture that lacked competence. How bad was it? After all the leaked documents were sifted through, it turned out that one of the sysadmins’ passwords… was “Passw0rd.”
Lastly, we have VTech. VTech’s business isn’t as ethically murky as our other two examples—they sell cheap Android tablets to the children’s and educational market—but their security was definitely among the worst. A hacker was able to gain access to their corporate site using an extremely basic XSS attack, then gain root almost instantly. From there, he was able to gain access to data on 6.4 million children, including their names, their addresses, their parents’ names, their parents’ passwords, photographs of said children, and so on. Worst of all, the passwords were stored with the weakest hashing imaginable: an obsolete, unsalted MD5 hash with no stretching.
Lessons Learned
So, what can security professionals take from this? The facile conclusion is that shady companies probably have sub-par security due to the inherent fact of their shadiness. That’s not the whole picture, however. Look a little deeper, and you’ll see an obvious imperative for more legitimate companies to shape up their data center security posture. Use modern hash algorithms such as SHA-3 in conjunction with best practices like per-user salting and key stretching. Sanitize your inputs. Keep your applications patched. These are all good examples to set—but there’s one last observation to make here.
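The two password-storage schemes discussed above (VTech's bare, unsalted MD5 and the salted, stretched hashing the lessons call for), as an added example that is not part of the original post. It uses Python's standard-library PBKDF2-HMAC-SHA-256 as the stretching function; the sample credentials are constructed, and the iteration count is an assumption to tune per deployment.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample credentials (not from any breach); two users share a password.
SAMPLE_USERS = {"alice": "sunshine1", "bob": "sunshine1", "carol": "Tr0ub4dor&3"}

ITERATIONS = 600_000  # assumed work factor; raise it until one hash costs ~100 ms


def weak_record(password: str) -> str:
    """The scheme the post describes: bare MD5, no salt, no stretching."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_record(password: str, salt: Optional[bytes] = None) -> str:
    """Salted and stretched: PBKDF2-HMAC-SHA-256 with a random 16-byte salt per user."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Self-describing record so the parameters can be raised later without a flag day.
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def duplicate_hash_count(records: Dict[str, str]) -> int:
    """Audit check: without per-user salts, users who share a password share a hash,
    so any duplicate digests in a credential table are a sign of unsalted storage."""
    return len(records) - len(set(records.values()))


if __name__ == "__main__":
    weak = {u: weak_record(p) for u, p in SAMPLE_USERS.items()}
    strong = {u: strong_record(p) for u, p in SAMPLE_USERS.items()}
    print("duplicate MD5 digests:   ", duplicate_hash_count(weak))    # 1
    print("duplicate PBKDF2 records:", duplicate_hash_count(strong))  # 0
    print("alice logs in:", verify("sunshine1", strong["alice"]))     # True
```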
We can’t know for sure the exact reasons why all three companies in the examples above chose to underinvest in data center security, but it’s possible to see some similarities. Basically, it would have been difficult, if not impossible, to monetize the leaked data from these three attacks. The financial records of the world’s billionaires are a tempting target—but the Panama Papers didn’t contain the kind of information that would let hackers take advantage. The same goes for Hacking Team and VTech. So, here’s the lesson for security professionals:
The information you’re protecting is always valuable to bad actors.
Even if you’re not protecting credit card numbers, medical records, or payroll information, someone can take the information you’re protecting and turn it to your disadvantage. You can never assume that the information your enterprise holds will be harmless in the wrong hands. Someone can always use that data to make a point, embarrass your customers, or just prove that you’re bad at your job. Don’t be that company—contact Sentinel One today, and learn how to modernize your security with next-gen endpoint protection.