Scandalous security flaws at heart of Panama leak

Scandalous security flaws at heart of Panama leak

The political fallout from the Panama Papers scandal continues to reverberate around the globe as many high profile figures using offshore tax havens have been forced to defend their actions.

Amongst them, Prime Minister David Cameron, who was implicated when leaked files from offshore law firm Mossack Fonseca revealed that he profited from his late father’s fund, Blairmore, which did not pay tax in the UK.

But equally scandalous are the glaring security failures by the firm at the centre of this affair. Analysis conducted by experts in the days following the leak suggested that the front-end computer systems of Mossack Fonseca were outdated and riddled with security flaws.

In the words of one anonymous source who spoke to technology website wired.co.uk, the law firm had shown an “astonishing” disregard for security. Amongst the issues highlighted at Mossack Fonseca were:

  • A failure to update its Outlook Web Access login since 2009
  • The version of WordPress running on its main site was 3 months out of date
  • A failure updated its Drupal client portal since 2013
  • Vulnerability to the DROWN attack, a security exploit that targets servers supporting the obsolete and insecure SSL v2 protocol

Who is managing your network security?

These failings underline the importance for businesses of all sizes and descriptions to constantly review and update the security of their IT systems.

“It shows the way they configured the server and the way they configured the website is not within the best security practices,” an anonymous source told wired.co.uk. They continued to say that the method could be used by other people to access the data. “We’re talking about a misconfigured server that enables directory listings.”

Alan Woodward, a computer security expert from Surrey University, added: “Take something like Outlook Web Access – if you keep your Exchange Server up to date this just comes along naturally. They seem to have been caught in a time warp. If I were a client of theirs I’d be very concerned that they were communicating using such outdated technology.”

Furthermore, Mossack Fonseca’s emails were not encrypted, according to privacy expert Christopher Soghoian who noted the company did not use the TLS security protocol.

“Given the business they’re in, I find it quite surprising that they haven’t thought about securing their emails better,” Angela Sasse, professor of human-centred technology at University College London, commented.

To discuss your own network security policies or any other aspect of your business IT management, please contact us on the numbers below.

Leave a Comment