A massive leak from Panama City-based law firm Mossack Fonseca has exposed the tax dealings of scores of world leaders and celebrities.

The front-end computer systems of Mossack Fonseca are outdated and riddled with security flaws, analysis has revealed. The law firm at the centre of the Panama Papers hack has shown an "astonishing" disregard for security, according to one expert. Amongst other lapses, Mossack Fonseca has failed to update its Outlook Web Access login since 2009 and has not updated its client login portal since 2013.

Mossack Fonseca's client portal is also vulnerable to the DROWN attack, a security exploit that targets servers supporting the obsolete and insecure SSL v2 protocol. The portal, which runs on the Drupal open source CMS, was last updated in August 2013, according to the site's changelog. On its main website Mossack Fonseca claims its Client Information Portal provides a "secure online account" allowing customers to access "corporate information anywhere and everywhere".

The version of Drupal used by the portal has at least 25 vulnerabilities, including a high-risk SQL injection vulnerability that allows anyone to remotely execute arbitrary commands. Areas of the portal's backend can also be accessed by guessing the URL structure, a security researcher noted.

The company's client portal, which it boasts gives customers access to "corporate information anywhere and everywhere", runs on an outdated open source CMS with at least 25 vulnerabilities.

Mossack Fonseca's webmail system, which runs on Microsoft's Outlook Web Access, was last updated in 2009, while its main site runs a version of WordPress that is three months out of date. A further vulnerability makes it possible to easily access files uploaded to the backend of Mossack Fonseca's site simply by guessing the URL.

"It shows the way they configured the server and the way they configured the website is not within the best security practices," an anonymous source told WIRED. They went on to say that the method could be used by other people to access the data. "We're talking about a misconfigured server that enables directory listings."

Alan Woodward, a computer security expert from Surrey University, told WIRED that Mossack Fonseca's front end seemed "horribly" out of date. "I can't understand this," Woodward continued. "Take something like Outlook Web Access – if you keep your Exchange Server up to date this just comes along naturally. They seem to have been caught in a time warp. If I were a client of theirs I'd be very concerned that they were communicating using such outdated technology."

Mossack Fonseca's emails were also not encrypted, according to privacy expert Christopher Soghoian, who noted the company did not use the TLS security protocol.

"Given the business they're in, I find it quite surprising that they haven't thought about securing their emails better," Angela Sasse, professor of human-centred technology at University College London, told WIRED.

Mossack Fonseca's Outlook Web Access has seemingly not been updated since 2009.

"I would regard TLS encryption as okay for a not very high risk organisation, if it is done properly and looked after. The awareness of the risk and how easily these services can be attacked seems to not have been there."

Precisely what vulnerability the attacker used is not known, and Mossack Fonseca has said it is carrying out "an in-depth investigation with experts", while also taking "additional measures" to strengthen its systems. In a leaked email to customers Mossack Fonseca confirmed an "unauthorised breach" of its email servers. Company partner Ramon Fonseca has since said the leak was not "an inside job" and that the company had been hacked by servers based abroad. The company di...