SQL injection vuln found at Panama Papers firm Mossack Fonseca

Grey hat security researchers have discovered new flaws in the systems of Panama leak firm Mossack Fonseca. A self-styled “underground researcher” claims to have found a SQL injection flaw on one of the corporate systems of the Panamanian lawyers. “They updated the new payment CMS, but forgot to lock the directory /onion/,” …

  1. Anonymous Coward

    I was idly wondering ...

    given the sanitisation the release M-F papers show, if there's anyone targeting the ICJ (or whoever) looking for the unredacted versions ?

    1. NotBob

      Re: I was idly wondering ...

      Presumably some are at least looking to modify or destroy the rest of the records before they are released.

  2. lansalot

    So does that mean their Drupal installation is off the hook then?

    Either way, some very slack admins there...

    http://www.theregister.co.uk/2016/04/07/panama_papers_unpatched_wordpress_drupal/

    1. Anonymous Coward

      >So does that mean their Drupal installation is off the hook then?

      Nope - but they were also running a legion of vulnerable WP plugins until last week - as they were also using WP SMTP their mail server creds were easily available.

      WordFence pointed @ revolution slider as the entry point:

      http://webcache.googleusercontent.com/search?q=cache:http://mossfon.com/wp-content/plugins/revslider/release_log.txt

  3. tony2heads

    Onion?

    I thought it was Orion?

    1. Number6

      Re: Onion?

      Nah, The Onion is doing proper news now, ever since Real Life started producing better stories than they could invent.

      Or at least their stuff seems to be more believable than Real Life at the moment.

    2. Peter X

      Re: Onion?

      Onion?

      I thought it was Orion?

      Word-for-word, that's exactly what their admin said. Probably! :D

    3. commonsense
      Coat

      Re: Onion?

      Well it was a data leek after all.

  4. Erik4872

    Proof that most companies have no clue about security

    This is interesting because I assumed that law firms handling extremely sensitive offshore tax haven creations for the richest people in the world would be super-paranoid about security. But, it's not surprising -- every industry I've encountered that I've assumed is at least security-aware actually isn't.

    It's a good lesson though -- never put anything Internet-facing anywhere near your internal network. These days, it's easy to host the public stuff in a public cloud so you can control the entry points more closely. Also, relying on third-party plugins and frameworks for core development can be dangerous if your admins aren't being diligent about patching every component as soon as the patches appear. Just last week we saw the issue with the left_pad JavaScript function being pulled -- it goes to show you how many developers are relying directly on third parties for core functionality, and in some cases not even bothering to take a local copy of the dependencies!

    1. Anonymous Coward

      Re: Proof that most companies have no clue about security

      I earn a little cash on the side by tutoring a friend's kid. He's 2nd university in the UK. I'm a programmer, not a teacher, so I basically try and get him to understand the code assignments he gets, without doing them for him.

      So far C#, Java and PHP. Every single one showing crazy insecure coding and poor logic (in terms of defensive code that fails gracefully).

      It's got to the point where I have said to him "I can't tell you the right answer because it is so far from the basic code you were supplied that they will know an industry person answered it for you".

      ... TL:DR ... the next gen are rubbish.

      1. Roo

        Re: Proof that most companies have no clue about security

        "... TL:DR ... the next gen are rubbish."

        I suspect you'll find the previous generations have their fair share of rubbish too. MS-DOS, need I say more ? The thing is for every MS-DOS you'll find something decent, and of course software does sometimes improve.

        That said I'm pretty sure most 80s vintage software would rate as rubbish from a security standpoint. Times have changed, and the bar has been raised quite a lot. ;)

        1. Vic

          Re: Proof that most companies have no clue about security

          MS-DOS, need I say more ?

          MS-DOS is, at its core, really not that bad. It has all the rudiments of a decent multi-tasking OS.

          Sadly, it appears to have been "finished off" in a bit of a hurry, and there are some dreadful hacks that were never fixed. And that's where it got its reputation...

          Vic.

          1. Roo
            Windows

            Re: Proof that most companies have no clue about security

            "MS-DOS is, at its core, really not that bad. It has all the rudiments of a decent multi-tasking OS."

            I'll have to take your word on that, I couldn't see the rudiments because I couldn't see beyond all the missing stuff that could be found elsewhere in (older) OSes running on comparable hardware (such as OS-9, BSD / System III / Xenix, RSX-11M). I remember being very excited to have my first crack at MS-DOS on a proper business machine, having got past the basics I was left feeling somewhat underwhelmed, and I remained convinced that I must have missed something or needed to buy a bigger manual.

            The feeling was akin to one you might have if you were hoping for a bike for Xmas, but got a pair of socks instead - which I hasten to add would be welcome if they were good quality woollen ones, to help the miles glide by on a long walk. ;)

            1. Vic

              Re: Proof that most companies have no clue about security

              The feeling was akin to one you might have if you were hoping for a bike for Xmas, but got a pair of socks instead - which I hasten to add would be welcome if they were good quality woollen ones

              I know exactly what you mean.

              But the trouble with MS-DOS is that one sock is a good quality, nicely-made garment, but the other has no toe bit, and some of it is made of some nasty acrylic thread...

              Like I said - the original, reasonable design is quite clear if you look at the internals. But the implementation of that design was never finished, and a bunch of stuff was lashed up over the top of the unfinished project to produce what we all know and - errr - don't love.

              Vic.

      2. Vic

        Re: Proof that most companies have no clue about security

        TL:DR ... the next gen are rubbish.

        ITYM " the next gen are being taught rubbish".

        As were their predecessors. There's a lot of poor understanding in the heads of those who really ought to know better...

        Vic.

      3. Anonymous Coward

        Re: Proof that most companies have no clue about security

        The real problem is that the school/uni mindset never abandons most of them. While studying you may be more concentrated on the things you're learning and the outcome (especially votes), and you throw away your work once done; that's not how it works when you become a professional, and your work may live and haunt you (and unluckily, others...) for years to come.

        I still see developers obsessed to make something work somehow - if and only if nothing bad happens, if it does, pray... but after all never goes wrong, in software, right? "It works on my machine with the same two bytes input over and over, thereby it will always work!"

        And every time you point out that's not the way and explain why, many of them get upset "hey, I have no years to code it, after all it works!" - until it fails in some "spectacular" way... usually then I'm called to clean the mess, and then they complain because I earn much more than them...

        It is true teaching should shift focus from just getting the job done to actually requiring it to be done the right way. But just checking some outputs is far easier than actually looking at the whole code and identifying bad areas - if you're capable of that.

  5. Syntax Error

    Fonseca

    Should be in jail for the rest of their lives. They are the ultimate criminal lawyers.

    1. frank ly

      Re: Fonseca

      They haven't broken any laws. They helped their clients to take advantage of existing laws in their clients' jurisdictions.

      1. Patras

        Ethically Challenged

        "They haven't broken any laws." = Legalese for Morally and/or Ethically wrong.

        Nietzsche wrote the law is not morality.

        My generation is all screwed up believing this legal shite determines what is right and wrong. Capitalism is also not morality but that...

        1. Anonymous Coward

          Re: believing this legal shite

          An evergreen argument, in the evergreen "A Man for All Seasons":

          William Roper: So, now you give the Devil the benefit of law!

          Sir Thomas More: Yes! What would you do? Cut a great road through the law to get after the Devil?

          William Roper: Yes, I'd cut down every law in England to do that!

          Sir Thomas More: Oh? And when the last law was down, and the Devil turned 'round on you, where would you hide, Roper, the laws all being flat? This country is planted thick with laws, from coast to coast, Man's laws, not God's! And if you cut them down, and you're just the man to do it, do you really think you could stand upright in the winds that would blow then? Yes, I'd give the Devil benefit of law, for my own safety's sake!

      2. Alan Brown Silver badge

        Re: Fonseca

        "They haven't broken any laws."

        In Panama.

        That's not necessarily the case elsewhere.

        1. frank ly

          @Syntax Error & Patras Re: Fonseca

          I'd hate to live in a country governed by your ideas about 'right' and 'wrong' or by your interpretation of what Nietzsche wrote. I much prefer laws that are written down for all to see and all to argue over.

          1. Patras

            Re: @Syntax Error & Patras Fonseca

            Only that man's law changes.

  6. kmac499

    Bandwidth ???

    Anyone worked out how long it took to syphon all that data (rumoured to be around 2Tb) out of MF? Looks like Panama has better bandwidth options than we have...

    1. Ken Hagan Gold badge

      Re: Bandwidth ???

      Fair point. Two terabytes is about three weeks of maxing out a 10 Mbit/s connection. Doing it on the sly would require longer, or a fatter pipe, or MF's IT people being asleep at the wheel. What you wrote, though, was 2Tb and two terabits is something you could suck out in one night. Also, I imagine that these guys can afford a pipe the size of the nearby canal.

      1. Anonymous Coward

        Re: Bandwidth ???

        The media has said that over the period of at least 6 months *more* data was handed to them. So, in theory, that is more than enough time to

        1) Choose a low bandwidth upload.

        2) Choose a time/place/connection that is not being checked (like the public wifi or the boss's "I need my own connection to watch YouTube at lunch" iPad).

        Though I assume this would only go unnoticed normally if someone else was already a constant bandwidth user, as a constant upload would show as an additional load not being applied by the backup systems, the Skype calls etc. So I assume those in IT either did not look to see if anything was uploading, or they could not see?

      2. Shoot Them Later

        Re: Bandwidth ???

        If it's mostly text, it would of course compress down pretty well. Depending on what sort of access I had to the target's servers, I might compress it locally and then transmit the compressed files. But when bragging about how much data I liberated, I would of course quote the uncompressed figure :)

      3. Vic

        Re: Bandwidth ???

        MF's IT people being asleep at the wheel

        Given what we keep seeing about their systems, I think that's pretty much assured...

        Vic.

    2. Anonymous Coward

      Re: Bandwidth ???

      I'm recycling keystrokes today.

      Normal service will be resumed as soon as I work out what normal is.

  7. Anonymous Coward

    Quite possibly a red herring

    If the whistleblower is an insider they would want to cover their tracks. Getting the investigators to look into a dozen red herrings will keep them away from the real source of the leak. Putting bugs into applications may also give some room for plausible deniability, assuming whoever leaked was an insider. That seems likely given the volume of data passing outside unnoticed.

    1. Anonymous Coward

      Re: Quite possibly a red herring

      Sometimes people do leave the door open.

    2. Anonymous Coward

      Re: Quite possibly a red herring

      I think it is the law firm itself and the government officials concerned who have more of a reason to make people believe it was hackers rather than an inside job. The fact that a hole was found in the law firm's systems in no way makes the likelihood of a hack any greater, but that's what the powers that be are trying to imply.

      If you had security specialists looking at anyone's systems you'd find something; no one has perfect security. If that one hole is all they've found, I'd wager they've got much better security than most organizations!

  8. phuzz Silver badge
    IT Angle

    While there's a lot of focus on Mossack Fonseca right now, they are said to be the fourth biggest firm specialising in "offshore banking".

    I'm guessing that the sysadmins at the top three have been under a lot of pressure these last few weeks, whether from outsiders trying to hack in, or from their employers wanting them to guarantee that their systems are secure and that nobody is leaking anything (good luck guaranteeing that).

    Hope for their sakes they get paid well.

  9. PassiveSmoking

    Why does this keep happening? SQL injection is possibly the easiest security flaw to avoid.

    Don't get me wrong, this Panama leak has been nothing short of gut-bustingly hilarious. But how are we as a profession meant to be taken seriously when programmers keep making the same stupid elementary mistake over and over and over again?
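The "elementary mistake" the commenter above refers to is building the SQL statement out of user input, and the fix they have in mind is a bound parameter. The following is an added example written for this page, not code from the article, the commenter, or Mossack Fonseca's systems; it uses an in-memory SQLite table with constructed sample rows and puts the concatenated lookup beside the parameterized one, so the two behaviours can be compared on the same inputs (a name containing an apostrophe, and a tautology).

```python
import sqlite3

# Constructed sample data (not from the article): a tiny client lookup table.
SAMPLE_CLIENTS = [
    (1, "alice", "alice@example.invalid"),
    (2, "bob", "bob@example.invalid"),
    (3, "o'brien", "obrien@example.invalid"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE clients (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO clients VALUES (?, ?, ?)", SAMPLE_CLIENTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The elementary mistake: user input pasted into the SQL text.
    Whatever the caller types becomes part of the statement itself."""
    sql = (
        "SELECT id, username, email FROM clients WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The fix: the statement is fixed text and the value is bound as a
    parameter, so the database only ever treats it as data to compare."""
    sql = "SELECT id, username, email FROM clients WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username: str) -> tuple:
    """Run both lookups on the same input.

    Returns (vulnerable_result, parameterized_result). A vulnerable result of
    None means the concatenated text was not even a valid SQL statement,
    which is how an apostrophe in a legitimate name breaks the naive version.
    """
    conn = make_db()
    try:
        vuln = lookup_vulnerable(conn, username)
    except sqlite3.OperationalError:
        vuln = None
    safe = lookup_parameterized(conn, username)
    conn.close()
    return vuln, safe


if __name__ == "__main__":
    # Legitimate input, a legitimate name with a quote, and a tautology.
    for name in ["alice", "o'brien", "x' OR '1'='1"]:
        print(repr(name), "->", compare(name))
```

Run it and the three inputs tell the story: the concatenated query answers "alice" correctly, fails outright on "o'brien", and returns every row for the tautology, while the parameterized query returns exactly the matching row in the first two cases and nothing for the third, because the string is compared as a literal username rather than parsed as SQL. The same separation of statement and data is what prepared statements provide in every mainstream driver, which is why the commenter calls this the easiest flaw to avoid.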

  10. Patras

    Financial Times

    Panama is only one head of the tax haven Hydra "allowed firms such as Mossack Fonseca to flout its own weak official safeguards against financial crime. The client leaks point to links with drugs lords, Mafiosi, terrorists, arms companies and rogue states. The fact that Mossack Fonseca can state that it has never been accused or charged in connection with criminal wrongdoing shows that Panama’s financial regulators, police, judiciary and political system have been part of the system — corrupted or influenced by the lucrative flows from the dirty .....

  11. Anonymous Coward

    Seriously??

    Are you really thinking that 2.6 TB, which obviously included archived data, leaked over the internet?

    This has the smell of some admins scrambling to cover their complicity.
