Monday, April 04, 2016

Mossack Fonseca Clients Awake To Find Themselves Adrift Offshore In A Leaky Boat

Today the executives of Panamanian-headquartered international legal and trust services firm Mossack Fonseca awoke to news that 11 million confidential documents spanning 40 years of the firm's operation had been leaked to 107 media organisations in 78 countries. The documents purport to show how Mossack Fonseca has helped clients launder money, dodge sanctions and evade tax. Neither the identity of the leaker nor the source material itself has been publicly revealed. Instead, the source and his or her precise motivations remain secret, and we can expect a drip-feed of stories and revelations over the coming weeks and months as media organisations seek to maximise their commercial return from the nine months of work we understand this investigation to have taken.

Putting to one side the moral and ethical arguments for and against the use of offshore tax havens, what do the Panama Papers tell us about the state of Information Security at Mossack Fonseca?

Back in 2010, we wrote about the US State Department leak of over a quarter of a million sensitive and secret cables spanning 35 years. We detailed ways in which an organisation, any organisation, can reduce the likelihood of sensitive confidential files (including personal and private information of its clients) escaping into the public domain. We described a framework that any organisation can use to reduce the likelihood of a catastrophic leak of company secret information. That article is here.

Let’s examine this latest leak, and consider whether or not Mossack Fonseca could have learned something from the events of 2010. We will take each consideration in our framework in turn.

Recognise Where You Are Vulnerable
Given how little we know about who provided the confidential information and their motivations, it's hard to make many assumptions about whether or not the firm knew it was vulnerable to this particular person or the methods they may have used to steal information. The leak may have come from an insider, a longstanding employee, perhaps even a senior executive; he or she may have been acting alone or with help, and may even have been coerced into exfiltrating the documents by an as-yet unknown third party. However, given what little we do know, it seems unlikely that the board of directors at Mossack Fonseca truly understood quite how vulnerable they were to such a leak. If they had, they would have done something about it. According to public sources, the company has between 200 and 500 staff around the world, and 20 former members of staff. It is a relatively small firm where Information Security should have been a tractable problem. When considering your vulnerability to a leak, think about the following:

  • Where is confidential information kept in your organisation?
  • In how many different places can it currently be found?
  • Are multiple copies routinely created of confidential information?
  • How many different access methods are there to this information?
  • What size community of users have access to it?
  • What controls are there over who can access what, where, and when?

Know If You Are A Target
The company must have known it was a target; their entire industry relies on confidentiality and secrecy. With current and former politicians, powerful businessmen and celebrities as clients, that much should have been obvious. Political enemies, nation states, criminals, and blackmailers would all have liked to get their hands on their information. Mossack Fonseca should have been devoting significant effort to its Information Security programs.

"Some organisations attract leaks because they are repositories for particular confidential information, or because the information they hold is highly newsworthy, others find themselves subject to leaks because their employees sometimes struggle with difficult and conflicting concerns about the nature of their work. While your newsworthiness may fluctuate over time, certain sectors tend to experience a perennial popularity with leakers. If you are in the energy, pharmaceutical, government, or banking sectors, you should consider yourself a prime candidate for leakers at this time. Companies engaged in arms manufacture or doing any kind of business in troubled parts of the world are likewise a target. Are you an aggregator of sensitive information from several of the sources above? If you operate a law or consultancy firm, or other business where you are entrusted with sensitive information from clients in these industries or geographies, then you will be a target for leaks."

Diligence & Statutory Obligations (Compliance)
While offshore locations are often preferred because they are relatively light on controls and heavy on individual privacy protection, increasingly they are having compliance obligations forced upon them. Whether or not this leak puts Mossack Fonseca in breach of its compliance obligations will be academic if their clients desert them as a result of it.

Segment Your Data
Given that the information leaked covers such a long period of time (many decades) and appears to include files on a diverse range of clients from statesmen to self-help gurus, it appears that nobody at Mossack Fonseca was segmenting their data. It is as if there was one huge shared drive and one email system, and the whole lot was dumped out. Segmenting data helps to contain information security failures: losing one class of systems or documents does not expose the whole.

  • Segment by status: active client versus inactive/former clients.
  • Segment by “security level” of the information: secret, confidential, unclassified.
  • Segment by time: don’t keep files for completed projects with open client files.
  • Segment by user/group: litigation versus patent, analysts versus sales.

Although it can reduce staff productivity and increase cognitive load, encryption can be used to reinforce the segmentation process. Did Mossack Fonseca individually encrypt the most sensitive documents or indeed any document in their organisation? It seems unlikely. Encryption of individual documents, or individual client folders is another way of limiting widespread uncontrolled disclosure of confidential information. It is not difficult to imagine a regime of individual passwords for individual projects, clients, or business units.

The Human Element, Maturity & Common Sense

We may never learn who is behind the leak, or hear first hand exactly what motivated them. We may never know if they are a current or former employee, a state-level actor, or just a particularly thorough and successful activist. We don't know anything about the firm’s culture or leadership at this point. All these things make it hard to comment on whether or not there is anything the firm could have done to avert this situation. In most instances where a company has lost control of its confidential information, there are things that could have been done with respect to the human element to significantly reduce the chance of such a disastrous disclosure. Staff vetting, the establishment of an ethics committee, monitoring, and a strong internal audit function can all help reduce the likelihood of such a large and damaging loss of confidential information.

Handling A Leak
The story is only just beginning for Mossack Fonseca and their clients; thus far we haven't seen a public response from them, nor do we have any idea what they are doing internally. What is clear already is that this story is far from over and that there will be a continuous drip-drip of disclosures over the next few weeks and months. It is interesting that rather than making the entire document archive available online, the media organisations involved are choosing to be very selective about who and what they write about.

What Next?

As Information Security professionals we have probably learned as much as we can from this disclosure. We expect the majority of the disclosures to be politically motivated in nature, with a focus on Russia, Syria, Zimbabwe, North Korea, and any of those “twitter revolution” countries that haven't quite come around to the West's way of thinking. We expect disclosures about leaders of EU member states whose politicians hold views that differ significantly from those of Germany and the US, such as the Visegrad group (Czech Republic, Hungary, Poland and Slovakia), and a sprinkling of celebrities, nobility, and more minor politicians from countries that don't really matter very much. We expect the disclosures to almost entirely avoid large western corporations and the interests of those who own and operate them, which is interesting given that group probably makes up the majority of Mossack Fonseca’s clients.

360is are able to assist in improving your organisation’s Information Security posture, and in implementing the advice given in this article. While it may be impossible to guarantee that your confidential information will stay that way, you can significantly reduce the chances of the kind of widespread leak experienced by Mossack Fonseca today, or the US State Department in December 2010. To speak to one of our consultants, visit our contact page and request a meeting.

Monday, February 08, 2016

What does every UK Cyber Security startup need, that is worth more than gold?

It's not that I'm ungrateful George...
While compiling the next issue of Executive Intelligence, the Cyber Security briefing for UK decision makers, we came across an announcement from Chancellor George Osborne of a £250,000 programme to increase the rate of cyber security startup development in the UK. We aren't sure whether this announcement, made around the 27th January 2016, was something new or just an echo of a previous release from the 17th November last year, but we took the opportunity to study what was being announced more carefully this time.

The 'Cyber Safe' scheme will offer advice and support to security startups, and will be open to applicants from March. The scheme is designed to increase the rate of new security startup development in the UK, identify new business ideas from the UK's leading security firms and provide support for security entrepreneurs.

While any assistance for startup and early stage technology companies in the UK is welcome, I'd argue that there are more directly beneficial things that could be done to stimulate and grow UK Cyber Security firms, things that would sustain such growth over 5 years, over 10, and beyond.

Startups, starting up, California style
It costs less than ever to move a software business from concept to prototype and on to minimum viable product. The UK is already arguably the best place in Europe to start a technology business. With professional social media, it is easy to connect with expertise and experience, and to seek advice and assistance from those of us who have done it before in the UK market and abroad. While neither our climate nor the air quality around Silicon Roundabout is conducive to the kind of cafe culture you'll find on Sand Hill Road (come to think of it, neither are the pavements), networking here is just as easy.
"Old Street is that way son"

Something less easy to achieve, and far more valuable to the Cyber Security entrepreneur, is the first customer. This is an area where UK Government has far to go.

According to a study last year by TechUK, only 20% of central government IT managers had "an appetite within their department to procure a higher percentage of technology services from SMEs". One can only imagine what percentage of them might be warm to startups. 5%? 2%? Zero?

The model that works in the US is one where early stage companies can count on government in all its forms (military, intelligence, research, local, national, laboratories, and the rest) to be a customer of their service or product. That is the great thing about starting a Cyber Security firm in the US: long before specialist funding programs or affiliated venture firms appeared, someone, somewhere in US government was pretty much guaranteed to need your Cyber Security product, and to do business with a relatively small, relatively new, yes... relatively parochial firm who had cracked a tough problem. Contrast this with the TechUK study, or your own anecdotal experience.

"Present them with three options, two of which are,
on close inspection, exactly the same,
plus a third which is totally unacceptable."

I once attended a conference where a government procurement officer explained to the audience of his peers how they could carefully construct RFPs, RFIs, and tender documents for the specific purpose of excluding small firms, while staying within "SME friendly" guidelines issued by government. Never let it be said that the civil service is without ingenuity!

A pity, because government can be a great first customer and the benefits are not all one-way. Ignoring for one moment the financial benefit to the startup, it gets valuable feedback, real-life testing, requirements prioritisation, introductions to other potential early adopters, and (if all goes well) a reference customer. The customer gets early access, the ability to shape the product to their needs, all the deployment assistance they could wish for, and more than likely the ability to cut the deal of a lifetime in terms of commercial arrangements.

But don't take my word for it, ask Black Duck, Aventail, Verid, Sanctum, E-Security, or any of the other successful Cyber Security companies that passed my desk at Fidelity Ventures looking for venture capital funding after the US government became an early customer.

Let's hope TechUK repeat their 2015 study this year and extend the survey to include attitudes to startups.

Wednesday, November 25, 2015

Social Engineering, Countering The Threat

Would You Buy A Used Monument From This Man?
"Count" Victor Lustig, con-man and Social Engineer, famously sold the Eiffel Tower. Twice.

Like accomplished Social Engineers of today, he was meticulous in his planning, thorough in his research, and had an excellent understanding of human nature. He managed all of this without Google, Facebook, Twitter, or his own printer back in 1925. Modern Social Engineers have it easy. What scams would Victor (real name Robert Miller) have to his name if he were around today? Which world leaders, CEOs, or politicians would be his victims?

360is have written a short guide to defending against modern social engineering attacks, and are now introducing our social engineering services to clients and partners by means of a presentation. If you are concerned that a modern day Lustig may find your organisation and its information assets easy prey, then we can help. Get in touch.

Social Engineering + Converged Communications = Bad For Security

John, I'm afraid I've got some very bad news for you.
We've recently learned that even the Director of the CIA can't keep hackers out of his e-mail. A teenager hacked into CIA Director John Brennan's AOL account. He says he did so by posing as a Verizon employee to other Verizon staff to get personal information about Brennan's account, as well as his bank card number and his AOL e-mail address. Then he called AOL and pretended to be Brennan. Armed with the information Verizon had just given him, he convinced AOL customer service to reset his password.

Brennan didn't have a bad password, he didn't e-mail it to anyone, and he wasn't even tricked into entering it into a fake web page. The security failure here belonged to AOL and Verizon, and it wasn't even a technical failure at that. Now Brennan's e-mail is part of Wikileaks and a thousand articles.

Security experts, including 360is, have long recommended two-factor authentication systems to all of our clients, and yet still relatively few organisations have this kind of authentication. Their reasons? Cost, complexity, and (in)convenience. Over the last 20 years a number of different companies have attempted to tackle the three Cs; some of the more recent attempts make use of mobile devices and "soft tokens" on those devices, or they use instant messaging as a secure channel to convey some passcode or challenge/response.
Is there such a thing as too much convergence?

What if we are using multi-factor authentication, but thanks to the wonder of converged communications all my factors converge upon one single device, normally a smartphone or tablet? What if that device were itself compromised? Mobile devices can be cloned, rooted, or otherwise compromised just like any computer. How would that possibility change the level of trust you place in these kinds of multi-factor authentication? What if I am also trying to log in to the secure service in question from that very same mobile device? If an attacker has my phone under his control, or has bamboozled me into doing something with it which helps him, what happens to "defence in depth" and "fail safe"?

For these reasons, and because we don't think using two-factor authentication should mean you have to trust a third-party organisation, we recommend keeping your factors as separate as possible for as long as possible. Talk to us if you want to harden your organisation against hackers, social engineers, and end users who sometimes make poor security choices.

Monday, October 19, 2015

High Performance, Low Latency, Hyper-Converged Computing

Recently 360is implemented several systems for clients who needed very high performance, within a stated budget, and had limited physical space and power to work with. For these clients we designed hyper-converged compute/storage units built from non-proprietary, commercial off the shelf components, supportable by their in-house IT team. Thanks to recent advances in storage technology it is now possible to obtain very high performance for a fraction of the cost of a traditional Server + SAN approach. Better still, these systems aren't subject to the vendor’s ideas of life-span (often artificially foreshortened), and can remain operational for 5, 10, or more years if required. You, the customer, remain in control.

  • 70GB/sec streaming transfers, 4M IOPS, 4U of space, 5TB to 250TB raw capacity, 2.5PB per rack
  • 2GB/sec streaming transfers, 480TB raw capacity, 4U of space, 4.8PB per rack
  • 75% less power for a given performance level
  • 3X to 6X the performance when compared to similarly priced Server + SAN
  • On-site spares for instant access to replacement parts, forever
  • Scale-out capability with clustered filesystems like Lustre, GlusterFS, and Ceph
  • No chance the vendor can make the systems obsolete

If you are challenged to provide performance, either on-premise or in the cloud, then a hyper-converged system may be for you, and will certainly have a longer lifetime without vendor or service lock-in. For a fixed cost, a properly designed hyper-converged system will always deliver significantly more performance than Server/SAN systems. Let us know your constraints and we can give you an immediate indication of whether hyper-converged is for you.

About 360is
Our scientific approach to performance analysis and engineering has been proven in previous engagements. We work with top 5 Investment Banks, Telcos, and technology vendors. If you have an IT performance problem that is impacting your business, contact us to arrange a no-obligation meeting with one of our consultants.