
Three important lessons crooked world leaders should learn from the Panama Papers

For your entertainment and edification, David Gewirtz offers some wicked-but-wise advice to presidents and plutocrats -- especially crooked ones who want to hide the billions they've stolen from their people. Cunningly, these lessons apply to enterprising IT professionals as well.
Written by David Gewirtz, Senior Contributing Editor

There is a person, somewhere on Planet Earth, who is making Edward Snowden look like a small-time player when it comes to stealing and releasing explosive confidential information. On April 3, 2016, this person -- who remains unknown -- stole what eventually totaled 2.6 terabytes containing 11.5 million documents.

Those documents, now known by the name Panama Papers, were initially distributed to a German newspaper, Süddeutsche Zeitung, which then shared them with the International Consortium of Investigative Journalists, an organization of 190 journalists across 65 countries.

The material was explosive, containing the personal financial dealings of associates of Russia's Vladimir Putin, 11 other current or former world leaders, more than 100 other world politicians, and the FIFA soccer league. CBS News has published a great summary of all of the world-shaking revelations.

Devil's advocate

Rather than marveling at the size of what has become history's largest data breach (because that's been done to death), I'm going to, instead, play the role of the cunning consigliere for a few moments.

For entertainment and edification, I'm going to let out an evil laugh, twist my mustache menacingly, and offer some wicked-but-wise advice to presidents and plutocrats -- especially the crooked ones who want to hide the billions they've stolen from their people.

So, my vile villains, you know you worry that your under-the-table dealings will wind up as headline news. The rest of this article will help you understand how to protect your repugnant interests, and not get caught up in the giant sucking sound that is made when previously hidden terabytes explode into the light.

To help illustrate these three lessons, we need to look at the company at the heart of the breach, Panamanian law firm Mossack Fonseca.

Lesson #1: Update your software

For the world's shrewdest corrupt and loathsome leaders, software updates are the new henchmen. You know how, in the old school days, you'd surround yourself with bodyguards and thugs to protect yourself from danger? Today, the meatspace men who hench are not enough. You need to update your software.

According to a rather excellent investigative report in Forbes, Mossack Fonseca is (or was) running a three-year-old version of Drupal, a content management system known to have major vulnerabilities. While the public-facing Internet security records differ from the investigative findings of white hat hackers on the exact particulars of the versioning, the simple fact is that three-year-old software should not be left running.

It's important to note, Dear Leaders, that vulnerabilities in one type of software, say content management systems, don't limit attacks to just those systems.

If a vulnerability exists, that creates a hole, a gap, a place to land a beachhead, where attackers can wheedle their way deeper and deeper into the system, until they find the incredibly incriminating information that might lead to the prosecution or beheading of you or some of your golf buddies.

By the way, it wasn't just Drupal that was out of date. There was a WordPress server that hadn't been updated since December 2014. I've already written about how vulnerable an unpatched WordPress server can be, and what can be done once a hacker gets inside.

Now, I know you have lackeys to do all this updating for you. If you work it out right, some of those unfortunates will show up in court (or in a ditch somewhere) so you don't have to. But remember this: it's ultimately going to be your head, so follow up and make sure those updates are done all the time.

Lesson #2: Look for central points of vulnerability

Now, Vlad, I know you're telling me you have nothing whatsoever to do with the Mossack Fonseca law firm, but your buddies clearly seem to.

Think about it this way. If you and your other sneaky, conniving, backstabbing, nation-plundering world leader pals want to launder some cash, it's going to go through a bunch of different players.

The whole gloriously useful reason for money laundering is that -- like using a Tor router to jump from place to place to place to obfuscate your originating IP address -- you're moving money and information through a bunch of different entities in order to hide it from the prying eyes of, you know, the people who trust you to lead them honestly.

So ask yourself this: have you looked at each of those laundromats, traced their connections, and assessed their digital vulnerabilities? Money-hiding sneaky-pants Sergei Roldugin (a violinist who is reputed to be Putin's best friend), Pakistan prime minister Nawaz Sharif, former Iraqi interim PM Ayad Allawi, Egypt strongman Hosni Mubarak's son Alaa, Sigmundur Davíð Gunnlaugsson (president of Iceland, you know, the country that has had so much financial chaos), and even Ian Cameron (UK Prime Minister David Cameron's tax-dodging daddy) all hid their dealings through a network of shell companies and back-room arrangements.

All of them, eventually, wound up doing business with that paragon of Panamanian legal practice, Mossack Fonseca. And we know how that turned out.

The lesson here is as simple as your attempts at obfuscation are complex. While you don't want anyone else to see where your secrets are stashed, you need to scrutinize every nook and cranny in your web. When you see one central clearinghouse where so many of your dastardly dealings are directed, take note. Because that brings us to Lesson #3...

Lesson #3: Take the time to verify your partners have cybersecurity best practices

You (or your soon-to-be-headless geek squad henchmen) may not have time to personally vet every single crooked lawyer, lying but loyal relative, or duped delegate of dirty tricks that your secrets pass through. But when you find a central node, like Mossack Fonseca was for so many of these leaders, you need to make sure they're not data security dingbats.

Here's another example of how Mossack Fonseca might have gotten its terabytes deflowered. According to WIRED, Mossack Fonseca hasn't updated its Web portal to Outlook Web Access since 2009. WIRED's story is worth reading, because it details a virtual laundry list of vulnerabilities at Mossack Fonseca.

Which brings us to our last lesson. You are only as secure as your partners. If you're sharing super-scary secrets with someone you're doing business with, make sure they're not vulnerable to exploits. It's worth the time to do a full security audit of each of your partners in crime to make sure they, too, are using best practices.

Terminating thoughts for tyrannical titans

In conclusion, my dear tyrants, despots, dictators, oligarchs, and autocrats, it's time to step up and practice safe secrets. If you and your chums didn't get caught up in this latest fracas, you will soon if you're not careful.

Cybersecurity is no longer something you can just delegate to your anti-social, odd little Xbox-obsessed nephew. If you keep abdicating your technical responsibilities, he might wind up wearing the dark suit and funny hair of ultimate power instead of you.

These days, cybersecurity is at the core of all other security practices. So if you're going to be a successful dictator, you better get with the digital world and -- I'm shaking my finger at you reprovingly -- do your updates!

In all seriousness, these three lessons apply to the good guys, as well. Too many of us aren't as diligent as we need to be when it comes to best practices. Too much information in the wrong hands can be deadly.
