Panama Papers: “It was an email server attack”

If you thought Chelsea Manning’s data leak was big, or the Snowden revelations, or some of the Sony breaches

…they’re all dwarfed, in quantity if not quality, by the “Panama Papers.”

The word Panama comes from the location of the legal firm that was breached, Mossack Fonseca, headquartered in Panama City; and Papers is a metaphor.

With an estimated 2.6TB of stolen data in the breach, this was not a traditional break-and-enter, and the hacker or hackers behind it didn’t run off with filing cabinets of printed material.

If you assume a generous allowance of 1MB of data per printed A4 page, 2.6TB comes out at 2,600,000 pages.

An A4 sheet, by definition, covers one-sixteenth of a square metre, and typical laser printer paper weighs 80 grams per square metre.

That’s 5 grams per page, or 13 tonnes for the paper version of the Panama Papers.

Lots of the media coverage you’ll have seen so far deals with the question, “Who’s been named in the Papers?”

You’d think that publishing those details would be off limits, given that the 13 tonnes of information about Mossack Fonseca’s customers was stolen, and everyone knows it was stolen…

…but the justification for writing about it seems to be that if you’ve ever made use of confidential (OK, secret) offshore banking, legal and taxation services, then you are, by implication, up to no good and therefore no longer deserve to have your privacy respected.

As a result, the stolen data is now as good as in the public domain.

What happened?

Here at Naked Security, we’re more interested in how the breach happened, and what we can learn from that part of the story, than in what we can conclude from information that was illegally acquired in the first place.

The problem is that, so far, we just don’t know how the hackers did it.

Given the scale of the breach, it certainly sounds as though there was more involved than just finding a password or tricking a user into opening a booby-trapped attachment.

Presumably, the hackers needed to get in, find their way around, figure out what data was stored where, work out how to access it, and then find a way to collect and exfiltrate it.

Mossack Fonseca has trotted out the truisms we often hear after a breach of this sort.

According to what looks like a screenshot posted on Twitter, Mossack Fonseca said, “Unfortunately, we have been subject to an unauthorized attack of our email server.”

The company also promised it has taken “all necessary measures to prevent this from happening again,” stated that it is taking “additional measures to further strengthen [its] systems,” and claimed to be “in the process of an in-depth investigation with experts.”

You’d swear that Mossack Fonseca read Naked Security’s What you sound like after a data breach, perhaps without realising it was a satirical article.

What to do?

An email breach may not sound like much on its own, but even if a crook manages to get hold of just one user’s password, that can be enough to get started.

After all, emails sent from an internal account have the apparent legitimacy of coming from inside, so the crook can make believable-sounding IT requests, such as asking for a password reset, and then intercept any helpful replies that come back.

Worse still, if a crook manages to breach the email server itself, he could end up harvesting all incoming and outgoing attachments, at least some of which will give away secrets that help him get further and further into the network.

If a crook has already breached your outermost defences and is poking around inside, he’s more likely to be noticed, and stopped, if you create a culture of security at work.

That means being honest and up front about cybersecurity with colleagues and customers alike, no matter what.

Sophos’s own IT Security Manager, Ross McKerchar, has 6 tips on how to create that sort of culture.

Image of email icons courtesy of Shutterstock.