Panama Papers Leak and Precautions Law firms should take
Advocate Prashant Mali (www.prashantmali.com)

Page 1: Panama Papers Leak and Precautions Law firms should take

An exposé by Lawyers! What to learn from the Panama Papers Leak
Adv. Prashant Mali

Page 2: Panama Papers Leak and Precautions Law firms should take

The Background

• The data breach at Mossack Fonseca, a Panamanian law firm, is being touted as the largest ever in terms of the sheer volume of information leaked.
• The leaked information allegedly details the ways dozens of high-ranking politicians, their relatives or close associates in more than 50 countries, including the U.K., France, Russia, China and India, have used offshore companies to hide income and avoid paying taxes.

Page 3: Panama Papers Leak and Precautions Law firms should take

The Numbers

• The leak reportedly covers 11.5 million confidential documents dating from the 1970s to late 2015.
• The 2.6 terabytes of leaked data include:
  • 4.8 million emails
  • 3 million database files
  • 2.2 million PDFs
  • 1.1 million images
  • 320,000 text documents

Page 4: Panama Papers Leak and Precautions Law firms should take

How did the Leak happen?

• The leak is said to stem from an email hack.
• An attack on the email server could have happened in multiple ways.
• The firm's client portal was found vulnerable to DROWN: the server still accepted the old, deprecated SSLv2 protocol. DROWN lets an attacker who can talk SSLv2 to a server decrypt TLS sessions protected by the same RSA key, so leaving SSLv2 enabled undermines otherwise modern TLS on the same host.
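To make the DROWN point concrete, here is an added example (not part of the original presentation) of how a practitioner checks whether a server still accepts SSLv2. Modern TLS libraries refuse to speak SSLv2, so the probe builds the SSLv2 CLIENT-HELLO by hand from the SSL 2.0 specification, sends it, and classifies the reply: an SSLv2 SERVER-HELLO means the server is DROWN-exposed, and the 40-bit export suites it lists are what the general attack abuses. `sample_server_hello` produces constructed bytes for offline testing; only `probe()` touches the network, and it should be pointed only at systems you are authorised to test.

```python
import os
import socket
import struct

# SSLv2 cipher-spec identifiers (3 bytes each) as listed in the SSL 2.0 draft.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
# The 40-bit export suites are what the general DROWN attack relies on.
EXPORT_CIPHERS = {b"\x02\x00\x80", b"\x04\x00\x80"}


def build_sslv2_client_hello(challenge=None):
    """Hand-build an SSLv2 CLIENT-HELLO record offering every SSLv2 cipher spec."""
    if challenge is None:
        challenge = os.urandom(16)
    specs = b"".join(SSLV2_CIPHERS)
    body = (
        b"\x01"                            # MSG-CLIENT-HELLO
        + b"\x00\x02"                      # CLIENT-VERSION = SSL 2.0
        + struct.pack("!H", len(specs))    # CIPHER-SPECS-LENGTH
        + struct.pack("!H", 0)             # SESSION-ID-LENGTH (no resumption)
        + struct.pack("!H", len(challenge))
        + specs
        + challenge
    )
    # 2-byte record header: high bit set = no padding, low 15 bits = body length.
    return struct.pack("!H", 0x8000 | len(body)) + body


def classify_response(data):
    """Interpret the first bytes a server sends back after the SSLv2 hello."""
    if not data:
        return {"sslv2": False, "verdict": "connection closed: SSLv2 not negotiated"}
    if len(data) >= 5 and data[1] == 0x03 and data[0] in (0x15, 0x16):
        if data[0] == 0x15 and len(data) >= 7:
            return {"sslv2": False,
                    "verdict": "TLS alert level %d description %d: SSLv2 refused"
                               % (data[5], data[6])}
        return {"sslv2": False, "verdict": "TLS record received: SSLv2 hello ignored"}
    if data[0] & 0x80:                     # 2-byte SSLv2 record header
        hdr, length = 2, struct.unpack("!H", data[:2])[0] & 0x7FFF
    elif len(data) >= 3:                   # 3-byte header (padded record)
        hdr, length = 3, ((data[0] & 0x3F) << 8) | data[1]
    else:
        return {"sslv2": False, "verdict": "unrecognised response"}
    msg = data[hdr:hdr + length]
    if len(msg) < 11 or msg[0] != 0x04:    # MSG-SERVER-HELLO
        return {"sslv2": False, "verdict": "SSLv2-framed record but not a SERVER-HELLO"}
    cert_len, spec_len, _conn_len = struct.unpack("!HHH", msg[5:11])
    specs = msg[11 + cert_len:11 + cert_len + spec_len]
    chunks = [specs[i:i + 3] for i in range(0, len(specs) - 2, 3)]
    export = any(c in EXPORT_CIPHERS for c in chunks)
    return {
        "sslv2": True,
        "ciphers": [SSLV2_CIPHERS.get(c, c.hex()) for c in chunks],
        "export_ciphers": export,
        "verdict": "SSLv2 SERVER-HELLO received: server speaks SSLv2 (DROWN exposure)"
                   + (" and offers 40-bit export suites" if export else ""),
    }


def probe(host, port=443, timeout=5.0):
    """Send the crafted hello to a live server and classify the reply (network access)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv2_client_hello())
        try:
            reply = s.recv(4096)
        except socket.timeout:
            reply = b""
    return classify_response(reply)


def sample_server_hello(specs, cert=b"CERT"):
    """Constructed SSLv2 SERVER-HELLO for offline testing; not captured from a real server."""
    conn_id = b"\x00" * 16
    msg = (b"\x04" + b"\x00" + b"\x01" + b"\x00\x02"       # type, session-id-hit, cert type, version
           + struct.pack("!HHH", len(cert), len(specs), len(conn_id))
           + cert + specs + conn_id)
    return struct.pack("!H", 0x8000 | len(msg)) + msg


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

A server that refuses the hello typically closes the connection or answers with a TLS alert; either outcome is the one you want. A SERVER-HELLO means SSLv2 must be disabled, and because DROWN works across hosts that share a certificate's RSA key, every other service using that key needs the same check.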

Page 5: Panama Papers Leak and Precautions Law firms should take

How did the Leak happen?

• The portal was running the open source Drupal Content Management System (CMS) in a version that was outdated and had not been updated for two years.
• That outdated CMS version was vulnerable to SQL injection, a flaw class that, by the estimate quoted here, is responsible for 97% of data breaches worldwide.
• Other application layer vulnerabilities on the portal were Cross-Site Scripting, Cross-Site Request Forgery and brute-force bypass of the login controls, among others.

Page 6: Panama Papers Leak and Precautions Law firms should take

How did the Leak happen?

• Security researchers have claimed that certain backend portions of the site were also reachable with simple, easily guessed requests.
• Even Microsoft Outlook at Mossack Fonseca had last been updated seven years earlier, in 2009.
• Email was not encrypted either; with application and system security at that standard, obtaining admin-level privileges was incredibly easy for the attackers.

Page 7: Panama Papers Leak and Precautions Law firms should take

1. Injection

• It happens when an account login page (or any other input) is not filtered or parameterised correctly before its content reaches the database.
• Attackers can send SQL commands through such inputs and claim legitimate access.
• Moreover, anything from sign-in forms to comment boxes can be used to send commands to the server.
• Business risk: attackers have a direct way of interacting with the database server.
• They can steal data, change it, delete it, deny access and do much more!
• In fact, injection attacks such as SQL injection are allegedly responsible for major data breaches at Ashley Madison and Sony.
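An added example (not from the original slides) of the login bypass described above, run against a constructed in-memory SQLite table, beside the parameterised query that closes it. The table, accounts and passwords are sample data invented for the demonstration.

```python
import sqlite3


def seed_db():
    """Constructed stand-in for a client-portal login table (sample data only).
    Passwords are stored in clear here purely so the injected query's effect is visible."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", "S3cretPortalPwd!", "admin"),
        ("jdoe", "hunter2", "client"),
    ])
    return db


def login_vulnerable(db, username, password):
    """User input concatenated into the SQL text: quotes and comment markers become syntax.
    username = "admin' --" turns the statement into
    ... WHERE username = 'admin' --' AND password = '...'   (password check commented out)."""
    sql = ("SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return db.execute(sql).fetchone()


def login_safe(db, username, password):
    """Parameterised query: the driver binds values, so input can never alter the statement."""
    return db.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
```

The same input that logs the attacker in as `admin` through `login_vulnerable` simply fails to match any row through `login_safe`; no amount of quoting or filtering on the caller's side is as reliable as letting the driver bind the parameters.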

Page 8: Panama Papers Leak and Precautions Law firms should take

2. Broken Authentication & Session Management

• Negligence in customer accounts, password recovery and even session handling leads to increased security risk.
• It is essential to have a high degree of control over account log-in: a unique user ID and password per user, and session identifiers that are unguessable, expire, and are rotated after login.
• Business risk: attackers can claim complete account access.
• In severe cases, stolen database records are sold on the underground black market.

Page 9: Panama Papers Leak and Precautions Law firms should take

3. Cross-site Scripting

• The most common vulnerability: with this weakness, attackers can use the web application to deliver a malicious script to a user's browser.
• It poses a threat to both users and the website.
• No interception is needed: untrusted input (a comment, a profile field, a URL parameter) is echoed into a page without encoding, so the browser runs the attacker's script with the site's own privileges, including its cookies and session.
• Cross-Site Scripting not only harms the website but also allows attackers to redirect users to any other URL.
• Business risk: attackers can change the homepage of the website and inject malware on the site.
• It usually leads to the website getting blocked by search engines and browsers!
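An added example (not part of the original presentation) of the encoding mistake behind XSS and its fix. The page template, user names and links are constructed; the point is that each value must be encoded for the context it lands in, a text node versus an `href` attribute, and that a link additionally needs its scheme checked because `javascript:` survives HTML escaping untouched.

```python
import html
from urllib.parse import urlsplit

# Constructed template: {name} is a text node, {link} is an href attribute value.
TEMPLATE = '<p>Welcome back, {name}</p>\n<a href="{link}">Your matters</a>'


def render_vulnerable(name, link):
    """Untrusted values dropped straight into the markup (the XSS pattern)."""
    return TEMPLATE.format(name=name, link=link)


def safe_href(link):
    """Attribute context plus URL context: allow only http(s)/relative targets, then escape."""
    # Browsers strip ASCII control characters from URLs, so "java\tscript:" would still run.
    cleaned = "".join(ch for ch in link if ord(ch) > 31 and ch != "\x7f").strip()
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:          # malformed URL (e.g. bad IPv6 bracket)
        return "#"
    if scheme not in ("", "http", "https"):
        return "#"
    return html.escape(cleaned, quote=True)


def render_safe(name, link):
    """Encode for the context each value lands in: text node and href attribute."""
    return TEMPLATE.format(name=html.escape(name, quote=True), link=safe_href(link))
```

A templating engine with auto-escaping gives you `html.escape` for free, but not the scheme check; that has to be added wherever user-controlled URLs are emitted.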

Page 10: Panama Papers Leak and Precautions Law firms should take

4. Insecure Direct Object References

• This vulnerability shows up when simply changing a few numbers in the URL and pressing enter returns data you are not entitled to, because the reference was predictable and the server never checked that the requester is allowed to see that record.
• Multiple predictable patterns will allow attackers to walk the database and access restricted data.
• Business risk: an attacker can access and expose a lot of data.
• Confidentiality is compromised, although the attacker cannot make many changes.

Page 11: Panama Papers Leak and Precautions Law firms should take

5. Security Misconfiguration

• Misconfigured security is a tough vulnerability to handle, as it takes in security lapses at every level of the application stack.
• Many system admins neglect to change default passwords, or to disable ports and accounts they no longer use.
• Attackers look for such small lapses, combine them, and try to make something big out of it.
• Business risk: can lead to complete loss of data through alteration, deletion and theft.
• Attackers chain one weakness after another to reach the database.

Page 12: Panama Papers Leak and Precautions Law firms should take

6. Sensitive Data Exposure

• Data should be stored and transmitted only under the protection of appropriate cryptography: TLS in transit, encryption at rest, and for passwords a salted, deliberately slow hash rather than reversible encryption.
• This ensures that even if the password hashes or credit card details are stolen, the attacker cannot readily use them.
• It is critical to keep the data protected in such a way that only the authorised keys can unlock it.
• Business risk: loss of sensitive data, passwords, credit card information, addresses and bank statements.
• May have serious repercussions on credibility.
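An added example (not from the original slides) of the password side of this item: storing credentials with PBKDF2-HMAC-SHA256, a random per-user salt and a self-describing record so the work factor can be raised later. The iteration count is an assumed value and should be tuned to the login server; the standard library is used so the example runs offline.

```python
import base64
import hashlib
import hmac
import os

# Assumed work factor; tune so one hash takes roughly 100 ms on the login server.
ITERATIONS = 600_000


def hash_password(password, iterations=ITERATIONS, salt=None):
    """PBKDF2-HMAC-SHA256 with a random per-user salt; the stored string records its own parameters."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute with the stored salt and rounds; constant-time compare to avoid timing leaks."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
        iters = int(iters)
    except (ValueError, TypeError):
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored, iterations=ITERATIONS):
    """True when a stored hash uses fewer rounds than current policy: upgrade it at next login."""
    parts = stored.split("$")
    try:
        return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < iterations
    except ValueError:
        return True
```

Two users with the same password get different records because the salt differs, so a stolen table cannot be attacked with one precomputed list, and `needs_rehash` lets the firm raise the cost over time without a forced password reset.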

Page 13: Panama Papers Leak and Precautions Law firms should take

7. Missing Function Level Access Control

• Admin functions are the most important ones and must be restricted on the server side, not merely hidden from the menu.
• Most companies do not bother to verify, on every request, that only authorised accounts reach privileged functions and information.
• Business risk: once the attacker gains admin access, he can change a lot of things, including application data and settings.
• Serious tangible and intangible consequences, and loss of credibility.
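An added example (not the presentation's own code) covering both access-control items, 4. Insecure Direct Object References and 7. Missing Function Level Access Control: an object-level ownership check on document lookups, and a server-side role check on an admin function. The users, roles and document records are constructed sample data for a hypothetical client portal.

```python
import secrets
from functools import wraps


class Forbidden(Exception):
    """Raised when an authorisation check fails."""


# Constructed sample data for a hypothetical client portal: two clients' matter files.
USERS = {
    "alice": {"role": "client"},
    "bob": {"role": "client"},
    "ops": {"role": "admin"},
}
DOCUMENTS = {
    "d-7f3a9c": {"owner": "alice", "title": "Trust deed (Alice)"},
    "d-c41e02": {"owner": "bob", "title": "Shareholder register (Bob)"},
}


def role_of(user):
    return USERS.get(user, {}).get("role")


def require_role(*roles):
    """Function-level control enforced on the server for every call, not by hiding a menu item."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(user, *args, **kwargs):
            if role_of(user) not in roles:
                raise Forbidden("%s may not call %s" % (user, fn.__name__))
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator


def get_document_idor(user, doc_id):
    """Insecure direct object reference: any logged-in user reads any document by its id."""
    return DOCUMENTS[doc_id]


def get_document(user, doc_id):
    """Object-level control: the record must belong to the caller (admins excepted)."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or (doc["owner"] != user and role_of(user) != "admin"):
        # Same error for "missing" and "not yours": no oracle for enumerating ids.
        raise Forbidden("document not available")
    return doc


@require_role("admin")
def list_all_users(user):
    """Admin-only function; the decorator runs before the body on every call."""
    return sorted(USERS)


def new_document_id():
    """Unguessable id: defence in depth, not a substitute for the owner check above."""
    return "d-" + secrets.token_hex(8)


def is_forbidden(fn, *args):
    """True when calling fn raises Forbidden (used by callers and tests)."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```

Random identifiers stop the "change a number in the URL" walk, but the ownership check is what actually enforces the rule; an id leaked in a log or a shared link is still only useful to the account it belongs to.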

Page 14: Panama Papers Leak and Precautions Law firms should take

8. Cross-Site Request Forgery (CSRF)

• This is the case of a malicious link hidden in an image on some other website that the customer happens to visit.
• Because the browser automatically attaches the customer's cookies, the forged request reaches the site as the customer: fraudsters craft the URL so that the customer initiates a command he does not even know about.
• Business risk: there would be unwanted requests, purchases and money transfers.
• One could never be sure of their genuineness, and customers will gradually lose trust in the website.
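An added example (not from the original slides) of the standard CSRF defence: a per-session token that the attacker's page cannot read, checked with a constant-time compare, plus refusing state changes over GET (all an `<img>` tag can issue) and checking the `Origin` header when the browser sends one. The server secret, site origin and the request dictionaries are constructed stand-ins for a real framework's objects.

```python
import hashlib
import hmac
import secrets

# Assumed per-deployment server secret and site origin (hypothetical values).
SERVER_SECRET = secrets.token_bytes(32)
SITE_ORIGIN = "https://portal.example-lawfirm.com"


def issue_csrf_token(session_id, secret=SERVER_SECRET):
    """Token bound to the session; a page on another origin cannot read the cookie, so cannot derive it."""
    return hmac.new(secret, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id, token, secret=SERVER_SECRET):
    if not isinstance(token, str):
        return False
    expected = issue_csrf_token(session_id, secret).encode("ascii")
    return hmac.compare_digest(expected, token.encode("utf-8"))


def handle_transfer(request, secret=SERVER_SECRET):
    """Constructed stand-in for a money-transfer endpoint. `request` is a dict with
    'method', 'cookie_session', 'form' and optionally 'origin' (the Origin header)."""
    if request["method"] != "POST":
        return 405        # never change state on GET: the hidden-image trick can only GET
    origin = request.get("origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403        # the browser itself says the request came from another site
    if not verify_csrf_token(request["cookie_session"], request["form"].get("csrf_token"), secret):
        return 403        # cookie was attached automatically, but the token is missing or wrong
    return 200            # here the real endpoint would move form["amount"] to form["to"]
```

The forged request from the attacker's page carries the victim's cookie but not the token, so it fails with 403; the genuine form, which embedded the token when the page was rendered, succeeds.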

Page 15: Panama Papers Leak and Precautions Law firms should take

9. Using Components with Known Vulnerabilities

• Application developers routinely build on open source projects (a CMS such as Drupal, frameworks, libraries) whose code they have never reviewed and whose published vulnerabilities they do not track.
• Business risk: unknown code brings unknown risks.
• Cross-site scripting, injection risks and business logic loopholes are just some of the examples.
• Such vulnerabilities bring data breach, access control, defacement and theft risks.

Page 16: Panama Papers Leak and Precautions Law firms should take

10. Unvalidated Redirects and Forwards

• The customer is taken to a website which looks exactly like the one he wants, but it is not the same! Fraudsters can get the information they need through it.
• Most websites don't even know that their own redirect parameters are being used to send users to genuine-looking impostor sites.
• Customers should be more careful about phishing. However, it is not possible for a customer to know whether he has been redirected to the wrong website or not. The onus is on the website owner, who should only redirect to destinations on the site's own allow-list.
• Business risk: attackers can install malware or access user accounts through phishing.
• Customers lose trust in the attacked website forever.
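An added example (not part of the original presentation) of validating a post-login `next` parameter so it can only send the user back into the site. The allowed host and default page are assumed values. The edge cases handled are the ones that defeat a naive "starts with /" check: scheme-relative `//host`, the `///host` and backslash forms browsers normalise, a trusted host placed in the userinfo part of a foreign URL, and control characters in front of a scheme.

```python
from urllib.parse import urlsplit

# Assumed: the portal's own host and the page to fall back to.
ALLOWED_HOSTS = {"portal.example-lawfirm.com"}
DEFAULT_TARGET = "/dashboard"


def safe_redirect_target(next_param, default=DEFAULT_TARGET):
    """Return next_param only if it stays on this site; otherwise the default page."""
    if not next_param:
        return default
    # Browsers drop ASCII control characters and whitespace before parsing; mirror that.
    target = "".join(ch for ch in next_param if ord(ch) > 31 and ch != "\x7f").strip()
    if "\\" in target:                  # browsers read "/\evil.example" as "//evil.example"
        return default
    try:
        parts = urlsplit(target)
    except ValueError:                  # malformed URL (e.g. bad IPv6 bracket)
        return default
    if parts.scheme:                    # absolute URL: https only, to one of our hosts
        if parts.scheme.lower() != "https":
            return default
        # .hostname strips "user@" so "https://trusted@evil.example" resolves to evil.example
        if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
            return default
        return target
    if target.startswith("//"):         # scheme-relative; browsers treat "///x" the same way
        return default
    if not target.startswith("/"):      # require a site-absolute path
        return default
    return target
```

In practice most sites can go further and accept only the relative form, storing the intended destination server-side and redirecting to it by key; that removes the parsing question entirely.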

Page 17: Panama Papers Leak and Precautions Law firms should take

Solutions for such Attacks

• A complete web application security solution is needed, to detect, protect against and monitor the various attacks.
• Total Application Security (TAS) is one vendor's integrated web application security and compliance solution.
• It helps organisations detect application layer vulnerabilities accurately, patch them instantly without any change in code, and continuously monitor for emerging threats and DDoS attacks in order to mitigate them.
• TAS does this with web application scanning (detect), virtual patching through a web application firewall (protect), and continuous traffic monitoring for emerging threats and DDoS attacks (monitor).
• It also includes 24x7 managed service support to perform pen testing, create custom rules, and maintain zero false positives.
• A firewall rule is a stopgap, not a fix: the underlying component still has to be updated, which is exactly what did not happen with the portal's two-year-old Drupal.

Page 18: Panama Papers Leak and Precautions Law firms should take

Ensure Data Security at your Law firm

• Until recently, the only entities that seemed concerned with data security were large corporations and health care organisations.
• With reports of security breaches making headline news on a weekly basis, data security has become top-of-mind for every business and for every person who carries and uses a credit card.
• The threat of a data breach is a risk for law firms, too.
• The threat alone is reason enough to enact more stringent security policies, but there is another compelling reason: the security requirements of your own clients.
• Small law firms might think that they are not a target, but even they hold clients' desirable data. Your law firm may well be a much easier target than a corporate entity.
• It is a problem law firms cannot ignore, no matter their size.

Page 19: Panama Papers Leak and Precautions Law firms should take

What can Law firms of any size do to better manage Cyber security?

Page 20: Panama Papers Leak and Precautions Law firms should take

Control Chaos

• If you need to make changes to security, implement them in a way that does not impede attorneys' ability to perform work for clients.
• Your firm should balance the need to protect client data against the need to access it.
• Consider the remediation steps for preventing CryptoLocker ransomware. You can lock down the firm's firewalls, desktops and email, but if this is done in an overly aggressive manner the changes can have negative side effects: users unable to upload to court websites, one-off applications like those common in litigation failing, email-scanning false positives causing missed email, and so on.
• With planning, training, proper advance notification and staggering the change among users, the side effects can be minimised.

Page 21: Panama Papers Leak and Precautions Law firms should take

Prepare, Plan and Train

• Disruptions to productivity can be avoided through careful technology selection, planning and preparation.
• These days, maintaining a current firewall is not enough protection. Select the most appropriate security systems that provide the best mix of ease of use and security.
• Implement new systems and procedures only after they have been vetted and tested by a small group of users.
• Prepare new users by giving them advance notice and creating a training plan that covers the topics in language they understand.
• Security awareness training is designed to increase end users' awareness of the firm's security policies and of potential threats to the firm, and to increase their willingness to adhere to the firm's security requirements.
• It is probably the most important step in preventing incidents such as the CryptoLocker ransomware that has infected numerous law firms in the last few months.

Page 22: Panama Papers Leak and Precautions Law firms should take

You should plan to cover

• Electronic communications
• Incident reporting
• Internet access
• Mobile device security
• Password policies
• Remote access
• Social media use
• The firm's Acceptable Use Policy
• Visitor policies
• Wireless access security

Page 23: Panama Papers Leak and Precautions Law firms should take

Verify Your Vendors

• Your firm's vendors must also follow proper security protocols.
• Vendors, especially those hosting your data in the cloud, need to pay particular attention to securing and protecting your data.
• Review every vendor's commitment to protecting your data, as well as their security certifications and policies.

Page 24: Panama Papers Leak and Precautions Law firms should take

Monitor Your Systems

• Every firm should employ top-notch antivirus, antispam, anti-malware and intrusion detection.
• Manage these critical systems to ensure that protection is active (e.g., not disabled by end users) and up to date.
• Routinely check firewall logs. They will show the extent to which your users are under attack and make you aware of administrative access to, and changes on, your firewall.
• Periodically check the firewall configuration for unwanted changes.
• You should also manage and monitor user accounts: scan for accounts that have not been accessed for a period of time, stale passwords and membership in administrative groups.
• Every IT administrator has added users to high-level security groups, such as Domain Admins, to test or troubleshoot an issue, only to accidentally leave them in groups where they do not belong.
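An added example (not from the original slides) of the account review described above, run over a constructed set of directory records of the kind a script would pull from Active Directory or LDAP. The cut-offs, the privileged group names beyond Domain Admins, and the approved-admin list are assumptions a firm would replace with its own.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records standing in for an AD/LDAP export (not real accounts).
NOW = datetime(2016, 4, 15, tzinfo=timezone.utc)
USERS = [
    {"name": "asharma", "enabled": True, "last_logon": "2016-04-14T09:12:00Z",
     "pwd_last_set": "2016-01-05T10:00:00Z", "groups": ["Attorneys"]},
    {"name": "rpatel", "enabled": True, "last_logon": "2015-11-02T17:40:00Z",
     "pwd_last_set": "2015-03-01T08:00:00Z", "groups": ["Paralegals"]},
    {"name": "itops", "enabled": True, "last_logon": "2016-04-15T07:00:00Z",
     "pwd_last_set": "2014-06-20T08:00:00Z", "groups": ["IT", "Domain Admins"]},
    {"name": "svc_scan", "enabled": True, "last_logon": "2016-04-01T03:00:00Z",
     "pwd_last_set": "2016-03-30T03:00:00Z", "groups": ["Domain Admins", "Service Accounts"]},
    {"name": "contractor7", "enabled": False, "last_logon": "2015-01-10T12:00:00Z",
     "pwd_last_set": "2014-12-01T12:00:00Z", "groups": ["Guests"]},
]
# Assumed: groups whose membership must be justified, and who is approved to be in them.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
APPROVED_ADMINS = {"itops"}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_accounts(users, now=NOW, days=90):
    """Enabled accounts nobody has logged into for `days`: disable and review."""
    cutoff = now - timedelta(days=days)
    return sorted(u["name"] for u in users if u["enabled"] and parse_ts(u["last_logon"]) < cutoff)


def stale_passwords(users, now=NOW, days=180):
    """Enabled accounts whose password is older than policy allows."""
    cutoff = now - timedelta(days=days)
    return sorted(u["name"] for u in users if u["enabled"] and parse_ts(u["pwd_last_set"]) < cutoff)


def unexpected_admins(users, approved=APPROVED_ADMINS):
    """Members of privileged groups who are not on the approved list (the forgotten test account)."""
    return sorted(u["name"] for u in users
                  if u["enabled"] and set(u["groups"]) & PRIVILEGED_GROUPS and u["name"] not in approved)


def audit(users, now=NOW):
    """One report a firm can run on a schedule and diff against last week's."""
    return {
        "stale_accounts": stale_accounts(users, now),
        "stale_passwords": stale_passwords(users, now),
        "unexpected_admins": unexpected_admins(users),
    }


if __name__ == "__main__":
    for finding, names in audit(USERS).items():
        print("%-18s %s" % (finding, ", ".join(names) or "-"))
```

Diffing successive reports is what catches the slide's scenario: an account that appears under `unexpected_admins` this week but not last week is almost certainly a troubleshooting change that was never reverted.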

Page 25: Panama Papers Leak and Precautions Law firms should take

Make System Entry Difficult

• Law firms of all sizes should be using two-factor authentication.
• Two-factor authentication requires two things from a user before access to a system is allowed: something the user has and something the user knows.
• The item the user has is a token, either a physical token or an application on a smartphone.
• The thing the user knows is his password or PIN.
• Together, these items provide a significant increase in the security of systems accessed remotely.
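An added example (not part of the original presentation) of what the smartphone token actually computes: the time-based one-time password of RFC 6238, built on the HOTP truncation of RFC 4226. The server-side verifier accepts a code from the adjacent 30-second steps to absorb clock drift and refuses to accept the same step twice, which is the check that stops a phished code from being replayed. The secret shown in the test is the RFC's published test vector, not a real key.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo="sha1"):
    """RFC 4226 HOTP: dynamically truncate HMAC(secret, counter) to a decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the current time step (what the phone app displays)."""
    t = int(time.time() if for_time is None else for_time)
    return hotp(secret, t // step, digits)


class TotpVerifier:
    """Server side: accept a code within +/- `window` steps and never accept a step twice."""

    def __init__(self, step=30, digits=6, window=1):
        self.step, self.digits, self.window = step, digits, window
        self.last_counter = {}      # user -> highest time step already consumed

    def verify(self, user, secret, code, for_time=None):
        t = int(time.time() if for_time is None else for_time)
        base = t // self.step
        submitted = str(code).encode("utf-8")
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if counter <= self.last_counter.get(user, -1):
                continue            # replay: this step (or a later one) was already used
            expected = hotp(secret, counter, self.digits).encode("ascii")
            if hmac.compare_digest(expected, submitted):
                self.last_counter[user] = counter
                return True
        return False
```

The per-user shared secret must be stored with the same care as a password hash (encrypted at rest, never logged), and the remote-access gateway should rate-limit attempts, since a six-digit code only resists guessing when the attacker gets very few tries.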

Page 26: Panama Papers Leak and Precautions Law firms should take

Prioritize Physical Security

• Physical security is also important.
• Server room doors and cabinets should be locked whenever possible.
• You may also want to consider investing in an affordable security camera system with options for recording physical access.
• Stored data should be encrypted.
• Consider implementing a clean-and-clear desk policy, which requires everyone to log off their computers when not using them and to lock them when they walk away.
• The policy should extend to laptops and other data storage devices, which should be locked away when the employee is not present.
• No data, either printed or electronic, should be left unattended.

Page 27: Panama Papers Leak and Precautions Law firms should take

Engage 3rd Party for Security Audits

• After you have determined your new policies, put new systems and protections in place and trained your end users, you should consider bringing in a third party.
• Someone not regularly involved with the firm's day-to-day IT needs to perform the security analysis.
• An outside security expert will perform a top-down evaluation of your systems, security policies and practices, and will review physical access to the systems.

Page 28: Panama Papers Leak and Precautions Law firms should take

Try to Break In

• A penetration test is the process of trying to break into a system in order to identify vulnerabilities.
• A pen test has to be executed with care: performed recklessly, it can cause system or network damage through buffer overflows, Denial of Service (DoS) conditions and misconfiguration of systems. Agree the scope, the testing window and emergency contacts in writing before it starts.
• Strive to repeat pen tests at least annually, or more frequently.
• If you change your firewall or other major systems during the year, repeat the pen test.

Page 29: Panama Papers Leak and Precautions Law firms should take

Remediate Carefully

• At the end of a security audit or pen test, you will receive a remediation plan.
• The IT department should carefully review the recommended changes before implementation, considering any possible adverse effects on other systems and end users.
• Some believe that threats are irrelevant for small firms, but nothing could be further from the truth!
• It is increasingly common for clients of law firms to dictate security requirements, so all firms should make strengthening security policies a top priority.

Page 30: Panama Papers Leak and Precautions Law firms should take

THANK YOU
ADV. PRASHANT MALI

Email: [email protected]
Web site: www.prashantmali.com

Twitter: @CyberMahaGuru