Familiar themes in latest breach reports
8 April 2016
As the storm around the leak of data from the shadowy Panamanian law firm Mossack Fonseca gathers pace, with bankers now following the resignation lead of the Icelandic prime minister, some details as to the nature of the attack have emerged.
According to The Register, the primary vector was a hacked email server. Various sources support this, with an outdated version of Outlook Web Access being the top suspect. Added to this are reports that unpatched versions of the popular content management systems Drupal and WordPress are suspected of having been waypoints in the attack.
All of it adds up to a chorus that is now all too familiar and all too common — organisations are still failing on the basics of security.
What has emerged from the Mossack Fonseca hack is an apparent treasure trove of shady dealings to launder and hide money around the world, with celebrities, well-known companies and various heads of state implicated.
Now if even one tenth of this turns out to be what it appears, then one would imagine that the head of IT for Mossack Fonseca, and not least whoever looks after the Panamanian office of this distributed franchise, would have thought that it would be worth keeping up to date with patching.
It has long been said that companies should get their employees to recite the company’s mission statement every day. This reminds them what their part in running the company does to achieve the goal of the statement. In this case, a law firm that helps people to avoid, or, if the allegations are true, evade, tax should really have had its information security priorities a little straighter than the evidence shows.
To have allowed hackers to gain access to systems via an email server and then move around via an unpatched CMS to exfiltrate gigabytes of data is unforgivable for a sweet shop, let alone a firm of international lawyers working across multiple jurisdictions, navigating the complex waters of international finance and tax codes for some of the largest and most influential companies and clients in the world.
But it is an all too common issue that seems to be at the heart of the incident, followed as it was by news that hackers have potentially exposed the personal details of some 49 million Turkish citizens, including members of its cabinet.
Reports are emerging of hard-coded passwords as a possible egress vector in this case.
We here at TechPro and TechCentral have reported on many occasions that organisations are still failing on security basics. As the Mossack Fonseca hack, the Turkish case and others such as Target show, it was basic things that let the hackers in.
Despite rises in reported incidents among Irish organisations, unpatched systems, out-of-date firewalls and basic security lapses such as poor password management all conspire to leave holes open that allow, nay invite, hackers in.
The head of NSA’s hacking team, Rob Joyce, famously said that his group rarely needs to use a zero-day attack when they are looking to penetrate an organisation because there is usually some basic vulnerability there if you have the patience to look. This remains a stunning indictment of information security, here and everywhere.
The examples just keep coming. Law firms, government agencies, medical facilities and even information security firms have all fallen victim to simple techniques or exploits that should have been secured through basic information security practices.
This should be a warning for all to review, redress and redouble efforts to ensure that when it is your turn to own up to a breach, it is not for a basic failing that should not have been overlooked in the first place.