[BreachExchange] The Panama Papers Signal A New Kind of Cyber Attack

[Audrey McNeil]

http://fortune.com/2016/04/09/panama-papers-mossack-fonseca/

It’s like the modern-day Watergate.

As a trove of leaked documents dubbed the ‘Panamanian Papers’ ripple across
several nations, world leaders are feeling the heat. Russian President
Vladimir Putin has called the exposure of offshore bank accounts an
American plot, while Iceland named a new prime minister and British Prime
Minister David Cameron admitted that he profited from an offshore trust.
The Panama Papers represent the future of political scandal in the digital
age – from the initial hack down to the cloud technology used to analyze
the documents. Journalists Bob Woodward and Carl Bernstein, who famously
took down Richard Nixon, could hardly have imagined working with millions
of pages of confidential documents.

This generation’s Watergate will be conducted through shared folders and
chatrooms. Mossack Fonseca, the hacked law firm, embodies the cyber risk to
which many organizations have not yet woken up. Hackers are clearly after
more than just credit cards and social security numbers. The breach is at
once a glimpse into the brave new world of online leaks and a warning that
all organizations should assume any sensitive information to be a potential
target.

The Panama Papers is 1,500 times the size of Wikileaks’ 2010 disclosure,
and the largest leak journalists have ever worked with and one distinctly
belonging to the digital era. The sheer amount of data stolen could only
logistically happen through an online hack: 11.5 million files totaling 2.6
terabytes equates to loads of books requiring 2,600 pickup trucks! Modern
whistleblowers no longer have to sneak documents out of the office in a
manila folder. They can extract an entire database to comb through
remotely. The data dump of nearly every document from law firm Mossack
Fonseca from the past 40 years represents what one journalist calls the
Moore’s Law of Leaks, suggesting that disclosure sizes will grow at an
exponential rate analogous to that of computing power.

The complex technology and execution behind the Panama Paper’s
investigative operation would make any software architect proud. The
journalists handling the data employed the latest information technology
tools to download, share, and protect a huge database of sensitive
information – a feat many companies would be challenged to accomplish.
Initial outreach between whistleblower and journalist took place via
encrypted messages. The team stored the photos encrypted in the cloud while
journalists collaborated on findings in secure chat forums. Maligned by the
government as a tool enabling terrorism, the use of encryption throughout
this process validates claims of its application protecting privacy and
political dissent.

The anonymous whistle-blower’s actions certainly resonate with
anti-corruption principles, having revealed illegal and immoral activity
from politicians and other public figures. The episode also raises concerns
about privacy and the role of “hacktivism,” cyberattacks that are
politically or ideologically motivated. Publicly releasing the entire cache
of documents, as some have called for, calls into question the right to
privacy of Mossack Fonseca clients, especially those who may not have
committed illegal activity or do not hold public office. “Hacktivism”
inherently takes decision-making away from the legal system. What happens
when “hacktivists” act on behalf of principles or entities we consider
deplorable or dangerous? Should the abuse of privacy of the innocent be
considered unfortunate but necessary collateral damage? The Panama Papers
demonstrate a new power for whistle blowers. Their legacies will depend on
their judgment in wielding it.

Public figures are not the only ones now worried about their secrets.
Mosack Fonsecca essentially exposed all of its sensitive client
information, ruining its reputation for confidentiality. In the wake of
this failure, every company is likely reevaluating the security of data and
who they trust to store it.

It is tempting for organizations to view cybersecurity through a financial
lens: social security numbers and trade secrets are valuable to hackers,
but other data would not be worth their while to steal. Politically or
ideologically motivated hackers are the wild cards of this risk formula.
The Panama Papers theft forces organizations to assume that any sensitive
information is a potential target for hackers, and that attackers could be
driven by incentives other than purely financial. In other words,
security’s task expands from guarding “what we think they want” to “what we
do not want them to know.”

The greatest uncertainty lies with the data a company does not store
itself. Every organization has partners with which it shares sensitive
information. The average company exchanges data online with 1,555 partners,
and not every partner will satisfy the security requirements that a bank or
retailer requires. What makes matters worse is that one partner will often
serve multiple corporations. The hack of a single online photo vendor
affected customers of nearly all of the top North American drug store
brands.

Then there are partners who receive a high concentration of confidential
data. Mossack Fonseca stored a treasure trove of individuals’ financial
secrets. How many companies store stockpiles of corporate secrets? Whether
it is legal documents, intellectual property, or financial data, companies
deal with information that would prove very troublesome if it fell into the
wrong hands, like competitors or the public. As hackers’ methods and
motives grow more complex, they are targeting information beyond the
standard personally identifiable information (PII) that can be easily
monetized.

Exemplifying this trend, anonymous sources revealed several top US legal
firms suffered data breaches, with insiders suspecting hackers may have
been after information to prey on many organizations. Mossack Fonseca’s was
anything but an anomaly, as one senior partner reported, “Law firms are
being deluged with attempts to crack their systems.” If the Target breach
showed that hackers can use business partners to gain entry into
corporations, these attacks demonstrate that business partners themselves
now have information hackers want. In an unrelated incident, criminals
hacked newswire services targeting the unreleased financial information in
uploaded press releases.

How will the business landscape change in a world where organizations need
to worry not only about their own cybersecurity, but that of the company
sending out their press releases? Nearly half of companies do not evaluate
the risk of vendors before transferring them data, but change may be
underway. Law firms report facing more diligent scrutiny of their security
capabilities, but all industries should pay attention to the missteps of
Mossack Fonseca. The Panamanian firm employed outdated software with
critical vulnerabilities, including that for its customer portal.

While the motives behind political leaks can be hard to predict, attacks on
basic vulnerabilities are not. It will become harder for companies who
handle sensitive information to get away with poor security practices.

The Panama Papers incident points to a brave new world in which no
organization is a digital island. Every organization is at potential risk
from every one of the bridges that connects it to others, and a
cybersecurity lapse across any one of these bridges can become an
existential threat.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160411/5a4aa02b/attachment-0001.html>